## . ## ## ## == ## ## ## ## === /"""""""""""""""""\___/ === ~~~ {~~ ~~~~ ~~~ ~~~~ ~~~ ~ / ===- ~~~ \______ X __/ \ \ __/ \____\_______/ __ ____/ /__ ___ ____ ________ / __ / _ \/ _ \/ __ \/ ___/ _ \ ENUMERATE / /_/ / __/ __/ /_/ / (__/ __/ ESCALATE \__,_/\___/\___/ .___/\___/\___/ ESCAPE /_/ Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE) by stealthcopter ==========================================( Colors )========================================== [+] Exploit Test ............ Exploitable - Check this out [+] Basic Test .............. Positive Result [+] Another Test ............ Error running check [+] Negative Test ........... No [+] Multi line test ......... Yes Command output spanning multiple lines Tips will look like this and often contains links with additional info. You can usually ctrl+click links in modern terminal to open in a browser window See https://stealthcopter.github.io/deepce ===================================( Enumerating Platform )=================================== [+] Inside Container ........ Yes [+] Container Platform ...... docker [+] Container tools ......... None [+] User .................... root [+] Groups .................. root [+] Sudoers ................. No [+] Docker Executable ....... Not Found [+] Docker Sock ............. Yes srw-rw---- 1 root 127 0 Dec 28 14:28 /var/run/docker.sock [+] Sock is writable ........ Yes The docker sock is writable, we should be able to enumerate docker, create containers and obtain root privs on the host machine See https://stealthcopter.github.io/deepce/guides/docker-sock.md Could not interact with the docker sock, as curl is not installed curl is required but not installed apt install -y curl [+] Docker Version .......... Version Unknown ==================================( Enumerating Container )=================================== [+] Container ID ............ f85315f0f426 [+] Container Full ID ....... / [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ 172.17.0.2 [+] DNS Server(s) ........... 168.63.129.16 [+] Host IP ................. 172.17.0.1 [+] Operating System ........ GNU/Linux [+] Kernel .................. 6.2.0-1018-azure [+] Arch .................... x86_64 [+] CPU ..................... AMD EPYC 7763 64-Core Processor [+] Useful tools installed .. Yes /usr/bin/hostname [+] Dangerous Capabilities .. capsh not installed, listing raw capabilities libcap2-bin is required but not installed apt install -y libcap2-bin Current capabilities are: CapInh: 0000000000000000 CapPrm: 00000000a80425fb CapEff: 00000000a80425fb CapBnd: 00000000a80425fb CapAmb: 0000000000000000 > This can be decoded with: "capsh --decode=00000000a80425fb" [+] SSHD Service ............ No [+] Privileged Mode ......... Unknown ====================================( Enumerating Mounts )==================================== [+] Docker sock mounted ....... Yes The docker sock is writable, we should be able to enumerate docker, create containers and obtain root privs on the host machine See https://stealthcopter.github.io/deepce/guides/docker-sock.md [+] Other mounts .............. Yes /home/runner/work/deepce/deepce/deepce.sh /root/deepce.sh rw,relatime - ext4 /dev/root rw,discard,errors=remount-ro [+] Possible host usernames ... runner ====================================( Interesting Files )===================================== [+] Interesting environment variables ... No [+] Any common entrypoint files ......... Yes -rwxr-xr-x 1 1001 127 39K Dec 28 14:30 /root/deepce.sh [+] Interesting files in root ........... No [+] Passwords in common files ........... No [+] Home directories .................... No [+] Hashes in shadow file ............... No [+] Searching for app dirs .............. ==================================( Enumerating Containers )================================== By default containers can communicate with other containers on the same network and the host machine, this can be used to enumerate further TODO Enumerate container using sock ==============================================================================================