## . ## ## ## == ## ## ## ## === /"""""""""""""""""\___/ === ~~~ {~~ ~~~~ ~~~ ~~~~ ~~~ ~ / ===- ~~~ \______ X __/ \ \ __/ \____\_______/ __ ____/ /__ ___ ____ ________ / __ / _ \/ _ \/ __ \/ ___/ _ \ ENUMERATE / /_/ / __/ __/ /_/ / (__/ __/ ESCALATE \__,_/\___/\___/ .___/\___/\___/ ESCAPE /_/ Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE) by stealthcopter ==========================================( Colors )========================================== [+] Exploit Test ............ Exploitable - Check this out [+] Basic Test .............. Positive Result [+] Another Test ............ Error running check [+] Negative Test ........... No [+] Multi line test ......... Yes Command output spanning multiple lines Tips will look like this and often contains links with additional info. You can usually ctrl+click links in modern terminal to open in a browser window See https://stealthcopter.github.io/deepce ===================================( Enumerating Platform )=================================== [+] Inside Container ........ Yes [+] Container Platform ...... docker [+] Container tools ......... None [+] User .................... root [+] Groups .................. root bin daemon sys adm disk wheel floppy dialout tape video [+] Sudoers ................. No [+] Docker Executable ....... Not Found [+] Docker Sock ............. Not Found [+] Docker Version .......... Version Unknown ==================================( Enumerating Container )=================================== [+] Container ID ............ 2eed50673b37 [+] Container Full ID ....... / [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ 172.17.0.2 [+] DNS Server(s) ........... 168.63.129.16 [+] Host IP ................. 172.17.0.1 [+] Operating System ........ Linux [+] Kernel .................. 6.2.0-1018-azure [+] Arch .................... x86_64 [+] CPU ..................... AMD EPYC 7763 64-Core Processor [+] Useful tools installed .. Yes /usr/bin/wget /usr/bin/nc /usr/bin/nslookup /bin/hostname [+] Dangerous Capabilities .. capsh not installed, listing raw capabilities libcap2-bin is required but not installed apk add libcap2-bin Current capabilities are: CapInh: 0000000000000000 CapPrm: 00000000a80425fb CapEff: 00000000a80425fb CapBnd: 00000000a80425fb CapAmb: 0000000000000000 > This can be decoded with: "capsh --decode=00000000a80425fb" [+] SSHD Service ............ No [+] Privileged Mode ......... No [+] Alpine Linux Version .... 3.19.0 [+] └── CVE-2019-5021 ....... No ====================================( Enumerating Mounts )==================================== [+] Docker sock mounted ....... No [+] Other mounts .............. Yes /home/runner/work/deepce/deepce/deepce.sh /root/deepce.sh rw,relatime - ext4 /dev/root rw,discard,errors=remount-ro [+] Possible host usernames ... runner ====================================( Interesting Files )===================================== [+] Interesting environment variables ... Yes MYSQL_PASSWORD=S00perS3rect HOME=/root HOSTNAME=2eed50673b37 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PWD=/ SHLVL=1 [+] Any common entrypoint files ......... Yes -rwxr-xr-x 1 1001 127 38.5K Dec 28 14:30 /root/deepce.sh [+] Interesting files in root ........... No [+] Passwords in common files ........... No [+] Home directories .................... No [+] Hashes in shadow file ............... No [+] Searching for app dirs .............. ==================================( Enumerating Containers )================================== By default containers can communicate with other containers on the same network and the host machine, this can be used to enumerate further ==============================================================================================