diff --git a/results/docker-alpine-cve-2019-5021.html b/results/docker-alpine-cve-2019-5021.html index b707bac..5c12d66 100644 --- a/results/docker-alpine-cve-2019-5021.html +++ b/results/docker-alpine-cve-2019-5021.html @@ -44,13 +44,14 @@ [+] Inside Container ........ Yes [+] Container Platform ...... docker [+] Container tools ......... None -[+] User .................... root +[+] User .................... root [+] Groups .................. root bin daemon sys adm disk wheel floppy dialout tape video +[+] Sudoers ................. No [+] Docker Executable ....... Not Found [+] Docker Sock ............. Not Found [+] Docker Version .......... Version Unknown ==================================( Enumerating Container )=================================== -[+] Container ID ............ 560ddc86d918 +[+] Container ID ............ cb772eb18451 [+] Container Full ID ....... / [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ 172.17.0.2 @@ -91,16 +92,16 @@ ====================================( Interesting Files )===================================== [+] Interesting environment variables ... No HOME=/root -HOSTNAME=560ddc86d918 +HOSTNAME=cb772eb18451 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PWD=/ SHLVL=1 [+] Any common entrypoint files ......... Yes --rwxr-xr-x 1 1001 127 38.0K Dec 18 18:26 /root/deepce.sh +-rwxr-xr-x 1 1001 127 38.5K Dec 28 14:30 /root/deepce.sh [+] Interesting files in root ........... No [+] Passwords in common files ........... No [+] Home directories .................... No -[+] Hashes in shadow file ............... No permissions +[+] Hashes in shadow file ............... No [+] Searching for app dirs .............. ==================================( Enumerating Containers )================================== By default containers can communicate with other containers on the same network and the diff --git a/results/docker-alpine-cve-2019-5021.log b/results/docker-alpine-cve-2019-5021.log index 58d311e..d0328a5 100644 --- a/results/docker-alpine-cve-2019-5021.log +++ b/results/docker-alpine-cve-2019-5021.log @@ -34,13 +34,14 @@ See https://stealthcopter.github.io/deepce [+] Inside Container ........ Yes [+] Container Platform ...... docker [+] Container tools ......... None -[+] User .................... root +[+] User .................... root [+] Groups .................. root bin daemon sys adm disk wheel floppy dialout tape video +[+] Sudoers ................. No [+] Docker Executable ....... Not Found [+] Docker Sock ............. Not Found [+] Docker Version .......... Version Unknown ==================================( Enumerating Container )=================================== -[+] Container ID ............ 560ddc86d918 +[+] Container ID ............ cb772eb18451 [+] Container Full ID ....... / [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ 172.17.0.2 @@ -81,16 +82,16 @@ password, if we have command execution in the container we can become root using ====================================( Interesting Files )===================================== [+] Interesting environment variables ... No HOME=/root -HOSTNAME=560ddc86d918 +HOSTNAME=cb772eb18451 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PWD=/ SHLVL=1 [+] Any common entrypoint files ......... Yes --rwxr-xr-x 1 1001 127 38.0K Dec 18 18:26 /root/deepce.sh +-rwxr-xr-x 1 1001 127 38.5K Dec 28 14:30 /root/deepce.sh [+] Interesting files in root ........... No [+] Passwords in common files ........... No [+] Home directories .................... No -[+] Hashes in shadow file ............... No permissions +[+] Hashes in shadow file ............... No [+] Searching for app dirs ..............  ==================================( Enumerating Containers )================================== By default containers can communicate with other containers on the same network and the diff --git a/results/docker-alpine-payload-command.html b/results/docker-alpine-payload-command.html index 8bd6c71..5c0ed6a 100644 --- a/results/docker-alpine-payload-command.html +++ b/results/docker-alpine-payload-command.html @@ -72,7 +72,7 @@ (27/32) Installing libgcc (13.2.1_git20231014-r0) (28/32) Installing libpcap (1.10.4-r1) (29/32) Installing pcre (8.45-r3) -(30/32) Installing libssh2 (1.11.0-r0) +(30/32) Installing libssh2 (1.11.0-r1) (31/32) Installing libstdc++ (13.2.1_git20231014-r0) (32/32) Installing nmap (7.94-r0) Executing busybox-1.36.1-r15.trigger @@ -82,11 +82,12 @@ [+] Inside Container ........ Yes [+] Container Platform ...... docker [+] Container tools ......... None -[+] User .................... root +[+] User .................... root [+] Groups .................. root bin daemon sys adm disk wheel floppy dialout tape video +[+] Sudoers ................. No [+] Docker Executable ....... Not Found [+] Docker Sock ............. Yes -srw-rw---- 1 root 127 0 Dec 18 18:24 /var/run/docker.sock +srw-rw---- 1 root 127 0 Dec 28 14:28 /var/run/docker.sock [+] Sock is writable ........ Yes The docker sock is writable, we should be able to enumerate docker, create containers and obtain root privs on the host machine @@ -102,13 +103,13 @@ Architecture:x86_64 NCPU:4 DockerRootDir:/var/lib/docker -Name:fv-az801-899 +Name:fv-az1019-229 ServerVersion:24.0.7 [+] Docker Version .......... 24.0.7 [+] CVE–2019–13139 .......... No [+] CVE–2019–5736 ........... No ==================================( Enumerating Container )=================================== -[+] Container ID ............ 3925b0930f60 +[+] Container ID ............ a99df58c18c6 [+] Container Full ID ....... / [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ 172.17.0.2 @@ -147,16 +148,16 @@ ====================================( Interesting Files )===================================== [+] Interesting environment variables ... No HOME=/root -HOSTNAME=3925b0930f60 +HOSTNAME=a99df58c18c6 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PWD=/ SHLVL=1 [+] Any common entrypoint files ......... Yes --rwxr-xr-x 1 1001 127 38.0K Dec 18 18:26 /root/deepce.sh +-rwxr-xr-x 1 1001 127 38.5K Dec 28 14:30 /root/deepce.sh [+] Interesting files in root ........... No [+] Passwords in common files ........... No [+] Home directories .................... No -[+] Hashes in shadow file ............... No permissions +[+] Hashes in shadow file ............... No [+] Searching for app dirs .............. ==================================( Enumerating Containers )================================== By default containers can communicate with other containers on the same network and the @@ -170,13 +171,13 @@ [+] Custom Command ........... touch /tmp/deepce-docker-alpine-payload-command.hacked [+] Clean up ................. Automatic on container exit -[+] Creating container ..... 30f610d298fe43ac5c56dcb418297ff78cf95aaaae15b5192fe6d382417eb6d7 +[+] Creating container ..... e0d00ef7ae5f90e32d8eb3d740ade04dece5b50ae033a33ffc45e55841a0ab4e [+] If the shell dies you can restart your listener and run the start command to fire it again -Start Command: curl -s -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/30f610d298fe43ac5c56dcb418297ff78cf95aaaae15b5192fe6d382417eb6d7/start -Logs Command: curl -s --unix-socket /var/run/docker.sock "http://localhost/containers/30f610d298fe43ac5c56dcb418297ff78cf95aaaae15b5192fe6d382417eb6d7/logs?stderr=1&stdout=1" --output - +Start Command: curl -s -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/e0d00ef7ae5f90e32d8eb3d740ade04dece5b50ae033a33ffc45e55841a0ab4e/start +Logs Command: curl -s --unix-socket /var/run/docker.sock "http://localhost/containers/e0d00ef7ae5f90e32d8eb3d740ade04dece5b50ae033a33ffc45e55841a0ab4e/logs?stderr=1&stdout=1" --output - [+] Once complete remember to tidy up by stopping and removing your container with following commands -Stop Command: curl -s -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/30f610d298fe43ac5c56dcb418297ff78cf95aaaae15b5192fe6d382417eb6d7/stop -Remove Command: curl -s -XDELETE --unix-socket /var/run/docker.sock http://localhost/containers/30f610d298fe43ac5c56dcb418297ff78cf95aaaae15b5192fe6d382417eb6d7 +Stop Command: curl -s -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/e0d00ef7ae5f90e32d8eb3d740ade04dece5b50ae033a33ffc45e55841a0ab4e/stop +Remove Command: curl -s -XDELETE --unix-socket /var/run/docker.sock http://localhost/containers/e0d00ef7ae5f90e32d8eb3d740ade04dece5b50ae033a33ffc45e55841a0ab4e [+] Starting container ..... Success [+] Sleeping for ........... 2s [+] Fetching logs .......... Success diff --git a/results/docker-alpine-payload-command.log b/results/docker-alpine-payload-command.log index 4ebcd09..3de5e9b 100644 --- a/results/docker-alpine-payload-command.log +++ b/results/docker-alpine-payload-command.log @@ -62,7 +62,7 @@ fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar. (27/32) Installing libgcc (13.2.1_git20231014-r0) (28/32) Installing libpcap (1.10.4-r1) (29/32) Installing pcre (8.45-r3) -(30/32) Installing libssh2 (1.11.0-r0) +(30/32) Installing libssh2 (1.11.0-r1) (31/32) Installing libstdc++ (13.2.1_git20231014-r0) (32/32) Installing nmap (7.94-r0) Executing busybox-1.36.1-r15.trigger @@ -72,11 +72,12 @@ OK: 35 MiB in 47 packages [+] Inside Container ........ Yes [+] Container Platform ...... docker [+] Container tools ......... None -[+] User .................... root +[+] User .................... root [+] Groups .................. root bin daemon sys adm disk wheel floppy dialout tape video +[+] Sudoers ................. No [+] Docker Executable ....... Not Found [+] Docker Sock ............. Yes -srw-rw---- 1 root 127 0 Dec 18 18:24 /var/run/docker.sock +srw-rw---- 1 root 127 0 Dec 28 14:28 /var/run/docker.sock [+] Sock is writable ........ Yes The docker sock is writable, we should be able to enumerate docker, create containers and obtain root privs on the host machine @@ -92,13 +93,13 @@ OSType:linux Architecture:x86_64 NCPU:4 DockerRootDir:/var/lib/docker -Name:fv-az801-899 +Name:fv-az1019-229 ServerVersion:24.0.7 [+] Docker Version .......... 24.0.7 [+] CVE–2019–13139 .......... No [+] CVE–2019–5736 ........... No ==================================( Enumerating Container )=================================== -[+] Container ID ............ 3925b0930f60 +[+] Container ID ............ a99df58c18c6 [+] Container Full ID ....... / [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ 172.17.0.2 @@ -137,16 +138,16 @@ See https://stealthcopter.github.io/deepce/guides/docker-sock.md ====================================( Interesting Files )===================================== [+] Interesting environment variables ... No HOME=/root -HOSTNAME=3925b0930f60 +HOSTNAME=a99df58c18c6 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PWD=/ SHLVL=1 [+] Any common entrypoint files ......... Yes --rwxr-xr-x 1 1001 127 38.0K Dec 18 18:26 /root/deepce.sh +-rwxr-xr-x 1 1001 127 38.5K Dec 28 14:30 /root/deepce.sh [+] Interesting files in root ........... No [+] Passwords in common files ........... No [+] Home directories .................... No -[+] Hashes in shadow file ............... No permissions +[+] Hashes in shadow file ............... No [+] Searching for app dirs ..............  ==================================( Enumerating Containers )================================== By default containers can communicate with other containers on the same network and the @@ -160,13 +161,13 @@ host machine, this can be used to enumerate further [+] Custom Command ........... touch /tmp/deepce-docker-alpine-payload-command.hacked [+] Clean up ................. Automatic on container exit -[+] Creating container ..... 30f610d298fe43ac5c56dcb418297ff78cf95aaaae15b5192fe6d382417eb6d7 +[+] Creating container ..... e0d00ef7ae5f90e32d8eb3d740ade04dece5b50ae033a33ffc45e55841a0ab4e [+] If the shell dies you can restart your listener and run the start command to fire it again  -Start Command: curl -s -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/30f610d298fe43ac5c56dcb418297ff78cf95aaaae15b5192fe6d382417eb6d7/start -Logs Command: curl -s --unix-socket /var/run/docker.sock "http://localhost/containers/30f610d298fe43ac5c56dcb418297ff78cf95aaaae15b5192fe6d382417eb6d7/logs?stderr=1&stdout=1" --output - +Start Command: curl -s -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/e0d00ef7ae5f90e32d8eb3d740ade04dece5b50ae033a33ffc45e55841a0ab4e/start +Logs Command: curl -s --unix-socket /var/run/docker.sock "http://localhost/containers/e0d00ef7ae5f90e32d8eb3d740ade04dece5b50ae033a33ffc45e55841a0ab4e/logs?stderr=1&stdout=1" --output - [+] Once complete remember to tidy up by stopping and removing your container with following commands  -Stop Command: curl -s -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/30f610d298fe43ac5c56dcb418297ff78cf95aaaae15b5192fe6d382417eb6d7/stop -Remove Command: curl -s -XDELETE --unix-socket /var/run/docker.sock http://localhost/containers/30f610d298fe43ac5c56dcb418297ff78cf95aaaae15b5192fe6d382417eb6d7 +Stop Command: curl -s -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/e0d00ef7ae5f90e32d8eb3d740ade04dece5b50ae033a33ffc45e55841a0ab4e/stop +Remove Command: curl -s -XDELETE --unix-socket /var/run/docker.sock http://localhost/containers/e0d00ef7ae5f90e32d8eb3d740ade04dece5b50ae033a33ffc45e55841a0ab4e [+] Starting container ..... Success [+] Sleeping for ........... 2s [+] Fetching logs .......... Success diff --git a/results/docker-alpine-privileged.html b/results/docker-alpine-privileged.html index 706e039..a622baa 100644 --- a/results/docker-alpine-privileged.html +++ b/results/docker-alpine-privileged.html @@ -44,13 +44,14 @@ [+] Inside Container ........ Yes [+] Container Platform ...... docker [+] Container tools ......... None -[+] User .................... root +[+] User .................... root [+] Groups .................. root bin daemon sys adm disk wheel floppy dialout tape video +[+] Sudoers ................. No [+] Docker Executable ....... Not Found [+] Docker Sock ............. Not Found [+] Docker Version .......... Version Unknown ==================================( Enumerating Container )=================================== -[+] Container ID ............ bd8cd0eb6e1c +[+] Container ID ............ fc03ae1b2fd7 [+] Container Full ID ....... / [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ 172.17.0.2 @@ -92,16 +93,16 @@ ====================================( Interesting Files )===================================== [+] Interesting environment variables ... No HOME=/root -HOSTNAME=bd8cd0eb6e1c +HOSTNAME=fc03ae1b2fd7 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PWD=/ SHLVL=1 [+] Any common entrypoint files ......... Yes --rwxr-xr-x 1 1001 127 38.0K Dec 18 18:26 /root/deepce.sh +-rwxr-xr-x 1 1001 127 38.5K Dec 28 14:30 /root/deepce.sh [+] Interesting files in root ........... No [+] Passwords in common files ........... No [+] Home directories .................... No -[+] Hashes in shadow file ............... No permissions +[+] Hashes in shadow file ............... No [+] Searching for app dirs .............. ==================================( Enumerating Containers )================================== By default containers can communicate with other containers on the same network and the diff --git a/results/docker-alpine-privileged.log b/results/docker-alpine-privileged.log index 4d5215d..24a4b2a 100644 --- a/results/docker-alpine-privileged.log +++ b/results/docker-alpine-privileged.log @@ -34,13 +34,14 @@ See https://stealthcopter.github.io/deepce [+] Inside Container ........ Yes [+] Container Platform ...... docker [+] Container tools ......... None -[+] User .................... root +[+] User .................... root [+] Groups .................. root bin daemon sys adm disk wheel floppy dialout tape video +[+] Sudoers ................. No [+] Docker Executable ....... Not Found [+] Docker Sock ............. Not Found [+] Docker Version .......... Version Unknown ==================================( Enumerating Container )=================================== -[+] Container ID ............ bd8cd0eb6e1c +[+] Container ID ............ fc03ae1b2fd7 [+] Container Full ID ....... / [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ 172.17.0.2 @@ -82,16 +83,16 @@ See https://stealthcopter.github.io/deepce/guides/docker-privileged.md[ ====================================( Interesting Files )===================================== [+] Interesting environment variables ... No HOME=/root -HOSTNAME=bd8cd0eb6e1c +HOSTNAME=fc03ae1b2fd7 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PWD=/ SHLVL=1 [+] Any common entrypoint files ......... Yes --rwxr-xr-x 1 1001 127 38.0K Dec 18 18:26 /root/deepce.sh +-rwxr-xr-x 1 1001 127 38.5K Dec 28 14:30 /root/deepce.sh [+] Interesting files in root ........... No [+] Passwords in common files ........... No [+] Home directories .................... No -[+] Hashes in shadow file ............... No permissions +[+] Hashes in shadow file ............... No [+] Searching for app dirs ..............  ==================================( Enumerating Containers )================================== By default containers can communicate with other containers on the same network and the diff --git a/results/docker-alpine-secrets.html b/results/docker-alpine-secrets.html index 093ee75..76282b4 100644 --- a/results/docker-alpine-secrets.html +++ b/results/docker-alpine-secrets.html @@ -44,13 +44,14 @@ [+] Inside Container ........ Yes [+] Container Platform ...... docker [+] Container tools ......... None -[+] User .................... root +[+] User .................... root [+] Groups .................. root bin daemon sys adm disk wheel floppy dialout tape video +[+] Sudoers ................. No [+] Docker Executable ....... Not Found [+] Docker Sock ............. Not Found [+] Docker Version .......... Version Unknown ==================================( Enumerating Container )=================================== -[+] Container ID ............ a8e75c89b167 +[+] Container ID ............ c6ed9f93d675 [+] Container Full ID ....... / [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ 172.17.0.2 @@ -89,16 +90,16 @@ [+] Interesting environment variables ... Yes MYSQL_PASSWORD=S00perS3rect HOME=/root -HOSTNAME=a8e75c89b167 +HOSTNAME=c6ed9f93d675 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PWD=/ SHLVL=1 [+] Any common entrypoint files ......... Yes --rwxr-xr-x 1 1001 127 38.0K Dec 18 18:26 /root/deepce.sh +-rwxr-xr-x 1 1001 127 38.5K Dec 28 14:30 /root/deepce.sh [+] Interesting files in root ........... No [+] Passwords in common files ........... No [+] Home directories .................... No -[+] Hashes in shadow file ............... No permissions +[+] Hashes in shadow file ............... No [+] Searching for app dirs .............. ==================================( Enumerating Containers )================================== By default containers can communicate with other containers on the same network and the diff --git a/results/docker-alpine-secrets.log b/results/docker-alpine-secrets.log index a8c7090..1340f33 100644 --- a/results/docker-alpine-secrets.log +++ b/results/docker-alpine-secrets.log @@ -34,13 +34,14 @@ See https://stealthcopter.github.io/deepce [+] Inside Container ........ Yes [+] Container Platform ...... docker [+] Container tools ......... None -[+] User .................... root +[+] User .................... root [+] Groups .................. root bin daemon sys adm disk wheel floppy dialout tape video +[+] Sudoers ................. No [+] Docker Executable ....... Not Found [+] Docker Sock ............. Not Found [+] Docker Version .......... Version Unknown ==================================( Enumerating Container )=================================== -[+] Container ID ............ a8e75c89b167 +[+] Container ID ............ c6ed9f93d675 [+] Container Full ID ....... / [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ 172.17.0.2 @@ -79,16 +80,16 @@ CapAmb: 0000000000000000 [+] Interesting environment variables ... Yes MYSQL_PASSWORD=S00perS3rect HOME=/root -HOSTNAME=a8e75c89b167 +HOSTNAME=c6ed9f93d675 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PWD=/ SHLVL=1 [+] Any common entrypoint files ......... Yes --rwxr-xr-x 1 1001 127 38.0K Dec 18 18:26 /root/deepce.sh +-rwxr-xr-x 1 1001 127 38.5K Dec 28 14:30 /root/deepce.sh [+] Interesting files in root ........... No [+] Passwords in common files ........... No [+] Home directories .................... No -[+] Hashes in shadow file ............... No permissions +[+] Hashes in shadow file ............... No [+] Searching for app dirs ..............  ==================================( Enumerating Containers )================================== By default containers can communicate with other containers on the same network and the diff --git a/results/docker-alpine.html b/results/docker-alpine.html index 0d91812..ed58b4d 100644 --- a/results/docker-alpine.html +++ b/results/docker-alpine.html @@ -44,13 +44,14 @@ [+] Inside Container ........ Yes [+] Container Platform ...... docker [+] Container tools ......... None -[+] User .................... root +[+] User .................... root [+] Groups .................. root bin daemon sys adm disk wheel floppy dialout tape video +[+] Sudoers ................. No [+] Docker Executable ....... Not Found [+] Docker Sock ............. Not Found [+] Docker Version .......... Version Unknown ==================================( Enumerating Container )=================================== -[+] Container ID ............ 70d996fdb4bf +[+] Container ID ............ 27624f5bfae6 [+] Container Full ID ....... / [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ 172.17.0.2 @@ -88,16 +89,16 @@ ====================================( Interesting Files )===================================== [+] Interesting environment variables ... No HOME=/root -HOSTNAME=70d996fdb4bf +HOSTNAME=27624f5bfae6 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PWD=/ SHLVL=1 [+] Any common entrypoint files ......... Yes --rwxr-xr-x 1 1001 127 38.0K Dec 18 18:26 /root/deepce.sh +-rwxr-xr-x 1 1001 127 38.5K Dec 28 14:30 /root/deepce.sh [+] Interesting files in root ........... No [+] Passwords in common files ........... No [+] Home directories .................... No -[+] Hashes in shadow file ............... No permissions +[+] Hashes in shadow file ............... No [+] Searching for app dirs .............. ==================================( Enumerating Containers )================================== By default containers can communicate with other containers on the same network and the diff --git a/results/docker-alpine.log b/results/docker-alpine.log index 35ee0b1..fa5198e 100644 --- a/results/docker-alpine.log +++ b/results/docker-alpine.log @@ -34,13 +34,14 @@ See https://stealthcopter.github.io/deepce [+] Inside Container ........ Yes [+] Container Platform ...... docker [+] Container tools ......... None -[+] User .................... root +[+] User .................... root [+] Groups .................. root bin daemon sys adm disk wheel floppy dialout tape video +[+] Sudoers ................. No [+] Docker Executable ....... Not Found [+] Docker Sock ............. Not Found [+] Docker Version .......... Version Unknown ==================================( Enumerating Container )=================================== -[+] Container ID ............ 70d996fdb4bf +[+] Container ID ............ 27624f5bfae6 [+] Container Full ID ....... / [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ 172.17.0.2 @@ -78,16 +79,16 @@ CapAmb: 0000000000000000 ====================================( Interesting Files )===================================== [+] Interesting environment variables ... No HOME=/root -HOSTNAME=70d996fdb4bf +HOSTNAME=27624f5bfae6 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PWD=/ SHLVL=1 [+] Any common entrypoint files ......... Yes --rwxr-xr-x 1 1001 127 38.0K Dec 18 18:26 /root/deepce.sh +-rwxr-xr-x 1 1001 127 38.5K Dec 28 14:30 /root/deepce.sh [+] Interesting files in root ........... No [+] Passwords in common files ........... No [+] Home directories .................... No -[+] Hashes in shadow file ............... No permissions +[+] Hashes in shadow file ............... No [+] Searching for app dirs ..............  ==================================( Enumerating Containers )================================== By default containers can communicate with other containers on the same network and the diff --git a/results/docker-arch.html b/results/docker-arch.html index ac7960b..4762cfd 100644 --- a/results/docker-arch.html +++ b/results/docker-arch.html @@ -44,13 +44,14 @@ [+] Inside Container ........ Yes [+] Container Platform ...... docker [+] Container tools ......... None -[+] User .................... root +[+] User .................... root [+] Groups .................. root +[+] Sudoers ................. No [+] Docker Executable ....... Not Found [+] Docker Sock ............. Not Found [+] Docker Version .......... Version Unknown ==================================( Enumerating Container )=================================== -[+] Container ID ............ 7753381e7605 +[+] Container ID ............ 708fb84abbf5 [+] Container Full ID ....... / [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ 172.17.0.2 @@ -77,12 +78,12 @@ [+] Interesting environment variables ... No [+] Any common entrypoint files ......... Yes -rwxr-xr-x 1 root root 5.1K Oct 5 05:33 /bin/gettext.sh --rwxr-xr-x 1 1001 127 38K Dec 18 18:26 /root/deepce.sh +-rwxr-xr-x 1 1001 127 39K Dec 28 14:30 /root/deepce.sh -rwxr-xr-x 1 root root 5.1K Oct 5 05:33 /sbin/gettext.sh [+] Interesting files in root ........... No [+] Passwords in common files ........... No [+] Home directories .................... No -[+] Hashes in shadow file ............... No permissions +[+] Hashes in shadow file ............... No [+] Searching for app dirs .............. ==================================( Enumerating Containers )================================== By default containers can communicate with other containers on the same network and the diff --git a/results/docker-arch.log b/results/docker-arch.log index 17d6707..3c3971d 100644 --- a/results/docker-arch.log +++ b/results/docker-arch.log @@ -34,13 +34,14 @@ See https://stealthcopter.github.io/deepce [+] Inside Container ........ Yes [+] Container Platform ...... docker [+] Container tools ......... None -[+] User .................... root +[+] User .................... root [+] Groups .................. root +[+] Sudoers ................. No [+] Docker Executable ....... Not Found [+] Docker Sock ............. Not Found [+] Docker Version .......... Version Unknown ==================================( Enumerating Container )=================================== -[+] Container ID ............ 7753381e7605 +[+] Container ID ............ 708fb84abbf5 [+] Container Full ID ....... / [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ 172.17.0.2 @@ -67,12 +68,12 @@ Current IAB: !cap_dac_read_search,!cap_linux_immutabl [+] Interesting environment variables ... No [+] Any common entrypoint files ......... Yes -rwxr-xr-x 1 root root 5.1K Oct 5 05:33 /bin/gettext.sh --rwxr-xr-x 1 1001 127 38K Dec 18 18:26 /root/deepce.sh +-rwxr-xr-x 1 1001 127 39K Dec 28 14:30 /root/deepce.sh -rwxr-xr-x 1 root root 5.1K Oct 5 05:33 /sbin/gettext.sh [+] Interesting files in root ........... No [+] Passwords in common files ........... No [+] Home directories .................... No -[+] Hashes in shadow file ............... No permissions +[+] Hashes in shadow file ............... No [+] Searching for app dirs ..............  ==================================( Enumerating Containers )================================== By default containers can communicate with other containers on the same network and the diff --git a/results/docker-busybox.html b/results/docker-busybox.html index c6edc68..a2373a3 100644 --- a/results/docker-busybox.html +++ b/results/docker-busybox.html @@ -44,13 +44,14 @@ [+] Inside Container ........ Yes [+] Container Platform ...... docker [+] Container tools ......... None -[+] User .................... root +[+] User .................... root [+] Groups .................. root wheel +[+] Sudoers ................. No [+] Docker Executable ....... Not Found [+] Docker Sock ............. Not Found [+] Docker Version .......... Version Unknown ==================================( Enumerating Container )=================================== -[+] Container ID ............ 39b93a9d8a28 +[+] Container ID ............ 5236ea118fd3 [+] Container Full ID ....... / [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ 172.17.0.2 @@ -85,16 +86,16 @@ ====================================( Interesting Files )===================================== [+] Interesting environment variables ... No HOME=/root -HOSTNAME=39b93a9d8a28 +HOSTNAME=5236ea118fd3 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PWD=/ SHLVL=1 [+] Any common entrypoint files ......... Yes --rwxr-xr-x 1 1001 127 38.0K Dec 18 18:26 /root/deepce.sh +-rwxr-xr-x 1 1001 127 38.5K Dec 28 14:30 /root/deepce.sh [+] Interesting files in root ........... No [+] Passwords in common files ........... No [+] Home directories .................... No -[+] Hashes in shadow file ............... No permissions +[+] Hashes in shadow file ............... No [+] Searching for app dirs .............. ==================================( Enumerating Containers )================================== By default containers can communicate with other containers on the same network and the diff --git a/results/docker-busybox.log b/results/docker-busybox.log index d66d6d7..24a3aff 100644 --- a/results/docker-busybox.log +++ b/results/docker-busybox.log @@ -34,13 +34,14 @@ See https://stealthcopter.github.io/deepce [+] Inside Container ........ Yes [+] Container Platform ...... docker [+] Container tools ......... None -[+] User .................... root +[+] User .................... root [+] Groups .................. root wheel +[+] Sudoers ................. No [+] Docker Executable ....... Not Found [+] Docker Sock ............. Not Found [+] Docker Version .......... Version Unknown ==================================( Enumerating Container )=================================== -[+] Container ID ............ 39b93a9d8a28 +[+] Container ID ............ 5236ea118fd3 [+] Container Full ID ....... / [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ 172.17.0.2 @@ -75,16 +76,16 @@ CapAmb: 0000000000000000 ====================================( Interesting Files )===================================== [+] Interesting environment variables ... No HOME=/root -HOSTNAME=39b93a9d8a28 +HOSTNAME=5236ea118fd3 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PWD=/ SHLVL=1 [+] Any common entrypoint files ......... Yes --rwxr-xr-x 1 1001 127 38.0K Dec 18 18:26 /root/deepce.sh +-rwxr-xr-x 1 1001 127 38.5K Dec 28 14:30 /root/deepce.sh [+] Interesting files in root ........... No [+] Passwords in common files ........... No [+] Home directories .................... No -[+] Hashes in shadow file ............... No permissions +[+] Hashes in shadow file ............... No [+] Searching for app dirs ..............  ==================================( Enumerating Containers )================================== By default containers can communicate with other containers on the same network and the diff --git a/results/docker-fedora.html b/results/docker-fedora.html index 21f9f8d..6d7d095 100644 --- a/results/docker-fedora.html +++ b/results/docker-fedora.html @@ -44,13 +44,16 @@ [+] Inside Container ........ Yes [+] Container Platform ...... docker [+] Container tools ......... None -[+] User .................... root +[+] User .................... root [+] Groups .................. root +[+] Sudoers ................. Yes +root ALL=(ALL) ALL +%wheel ALL=(ALL) ALL [+] Docker Executable ....... Not Found [+] Docker Sock ............. Not Found [+] Docker Version .......... Version Unknown ==================================( Enumerating Container )=================================== -[+] Container ID ............ db4b5b6d0896 +[+] Container ID ............ 30b83908fb29 [+] Container Full ID ....... / [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ Could not find IP @@ -77,11 +80,11 @@ ====================================( Interesting Files )===================================== [+] Interesting environment variables ... No [+] Any common entrypoint files ......... Yes --rwxr-xr-x 1 1001 127 38K Dec 18 18:26 /root/deepce.sh +-rwxr-xr-x 1 1001 127 39K Dec 28 14:30 /root/deepce.sh [+] Interesting files in root ........... No [+] Passwords in common files ........... No [+] Home directories .................... No -[+] Hashes in shadow file ............... No permissions +[+] Hashes in shadow file ............... No [+] Searching for app dirs .............. ==================================( Enumerating Containers )================================== By default containers can communicate with other containers on the same network and the diff --git a/results/docker-fedora.log b/results/docker-fedora.log index e935374..3084c78 100644 --- a/results/docker-fedora.log +++ b/results/docker-fedora.log @@ -34,13 +34,16 @@ See https://stealthcopter.github.io/deepce [+] Inside Container ........ Yes [+] Container Platform ...... docker [+] Container tools ......... None -[+] User .................... root +[+] User .................... root [+] Groups .................. root +[+] Sudoers ................. Yes +root ALL=(ALL) ALL +%wheel ALL=(ALL) ALL [+] Docker Executable ....... Not Found [+] Docker Sock ............. Not Found [+] Docker Version .......... Version Unknown ==================================( Enumerating Container )=================================== -[+] Container ID ............ db4b5b6d0896 +[+] Container ID ............ 30b83908fb29 [+] Container Full ID ....... / [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ Could not find IP @@ -67,11 +70,11 @@ Current IAB: !cap_dac_read_search,!cap_linux_immutabl ====================================( Interesting Files )===================================== [+] Interesting environment variables ... No [+] Any common entrypoint files ......... Yes --rwxr-xr-x 1 1001 127 38K Dec 18 18:26 /root/deepce.sh +-rwxr-xr-x 1 1001 127 39K Dec 28 14:30 /root/deepce.sh [+] Interesting files in root ........... No [+] Passwords in common files ........... No [+] Home directories .................... No -[+] Hashes in shadow file ............... No permissions +[+] Hashes in shadow file ............... No [+] Searching for app dirs ..............  ==================================( Enumerating Containers )================================== By default containers can communicate with other containers on the same network and the diff --git a/results/docker-ubuntu-install-tools.html b/results/docker-ubuntu-install-tools.html index 0c78505..32cf073 100644 --- a/results/docker-ubuntu-install-tools.html +++ b/results/docker-ubuntu-install-tools.html @@ -46,13 +46,14 @@ [+] Inside Container ........ Yes [+] Container Platform ...... docker [+] Container tools ......... None -[+] User .................... root +[+] User .................... root [+] Groups .................. root +[+] Sudoers ................. No [+] Docker Executable ....... Not Found [+] Docker Sock ............. Not Found [+] Docker Version .......... Version Unknown ==================================( Enumerating Container )=================================== -[+] Container ID ............ 9761ed1ebad8 +[+] Container ID ............ ff2542cae68b [+] Container Full ID ....... / [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ 172.17.0.2 @@ -83,11 +84,11 @@ ====================================( Interesting Files )===================================== [+] Interesting environment variables ... No [+] Any common entrypoint files ......... Yes --rwxr-xr-x 1 1001 127 38K Dec 18 18:26 /root/deepce.sh +-rwxr-xr-x 1 1001 127 39K Dec 28 14:30 /root/deepce.sh [+] Interesting files in root ........... No [+] Passwords in common files ........... No [+] Home directories .................... No -[+] Hashes in shadow file ............... No permissions +[+] Hashes in shadow file ............... No [+] Searching for app dirs .............. ==================================( Enumerating Containers )================================== By default containers can communicate with other containers on the same network and the @@ -95,18 +96,18 @@ [+] Attempting ping sweep of 172.17.0.0/24 (nmap) Host: 172.17.0.1 () Status: Up -Host: 172.17.0.2 (9761ed1ebad8) Status: Up +Host: 172.17.0.2 (ff2542cae68b) Status: Up ======================================( Scanning Host )======================================= -[+] Scanning host 172.17.0.1 (nmap) Starting Nmap 7.80 ( https://nmap.org ) at 2023-12-18 18:27 UTC +[+] Scanning host 172.17.0.1 (nmap) Starting Nmap 7.80 ( https://nmap.org ) at 2023-12-28 14:31 UTC Nmap scan report for 172.17.0.1 Host is up (0.0000090s latency). Not shown: 65533 closed ports PORT STATE SERVICE 22/tcp open ssh 8084/tcp open unknown -MAC Address: 02:42:CE:88:A0:8B (Unknown) +MAC Address: 02:42:B6:A2:67:EA (Unknown) -Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds +Nmap done: 1 IP address (1 host up) scanned in 1.08 seconds ============================================================================================== diff --git a/results/docker-ubuntu-install-tools.log b/results/docker-ubuntu-install-tools.log index 1b1dd4e..f7c1366 100644 --- a/results/docker-ubuntu-install-tools.log +++ b/results/docker-ubuntu-install-tools.log @@ -36,13 +36,14 @@ See https://stealthcopter.github.io/deepce [+] Inside Container ........ Yes [+] Container Platform ...... docker [+] Container tools ......... None -[+] User .................... root +[+] User .................... root [+] Groups .................. root +[+] Sudoers ................. No [+] Docker Executable ....... Not Found [+] Docker Sock ............. Not Found [+] Docker Version .......... Version Unknown ==================================( Enumerating Container )=================================== -[+] Container ID ............ 9761ed1ebad8 +[+] Container ID ............ ff2542cae68b [+] Container Full ID ....... / [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ 172.17.0.2  @@ -73,11 +74,11 @@ Current IAB: !cap_dac_read_search,!cap_linux_immutabl ====================================( Interesting Files )===================================== [+] Interesting environment variables ... No [+] Any common entrypoint files ......... Yes --rwxr-xr-x 1 1001 127 38K Dec 18 18:26 /root/deepce.sh +-rwxr-xr-x 1 1001 127 39K Dec 28 14:30 /root/deepce.sh [+] Interesting files in root ........... No [+] Passwords in common files ........... No [+] Home directories .................... No -[+] Hashes in shadow file ............... No permissions +[+] Hashes in shadow file ............... No [+] Searching for app dirs ..............  ==================================( Enumerating Containers )================================== By default containers can communicate with other containers on the same network and the @@ -85,16 +86,16 @@ host machine, this can be used to enumerate further [+] Attempting ping sweep of 172.17.0.0/24 (nmap)  Host: 172.17.0.1 () Status: Up -Host: 172.17.0.2 (9761ed1ebad8) Status: Up +Host: 172.17.0.2 (ff2542cae68b) Status: Up ======================================( Scanning Host )======================================= -[+] Scanning host 172.17.0.1 (nmap) Starting Nmap 7.80 ( https://nmap.org ) at 2023-12-18 18:27 UTC +[+] Scanning host 172.17.0.1 (nmap) Starting Nmap 7.80 ( https://nmap.org ) at 2023-12-28 14:31 UTC Nmap scan report for 172.17.0.1 Host is up (0.0000090s latency). Not shown: 65533 closed ports PORT STATE SERVICE 22/tcp open ssh 8084/tcp open unknown -MAC Address: 02:42:CE:88:A0:8B (Unknown) +MAC Address: 02:42:B6:A2:67:EA (Unknown) -Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds +Nmap done: 1 IP address (1 host up) scanned in 1.08 seconds ============================================================================================== diff --git a/results/docker-ubuntu-sock.html b/results/docker-ubuntu-sock.html index b8860d0..3f3b09f 100644 --- a/results/docker-ubuntu-sock.html +++ b/results/docker-ubuntu-sock.html @@ -44,11 +44,12 @@ [+] Inside Container ........ Yes [+] Container Platform ...... docker [+] Container tools ......... None -[+] User .................... root +[+] User .................... root [+] Groups .................. root +[+] Sudoers ................. No [+] Docker Executable ....... Not Found [+] Docker Sock ............. Yes -srw-rw---- 1 root 127 0 Dec 18 18:24 /var/run/docker.sock +srw-rw---- 1 root 127 0 Dec 28 14:28 /var/run/docker.sock [+] Sock is writable ........ Yes The docker sock is writable, we should be able to enumerate docker, create containers and obtain root privs on the host machine @@ -60,7 +61,7 @@ [+] Docker Version .......... Version Unknown ==================================( Enumerating Container )=================================== -[+] Container ID ............ b97eb4eaaf95 +[+] Container ID ............ 8fedb46fc5fb [+] Container Full ID ....... / [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ 172.17.0.2 @@ -97,11 +98,11 @@ ====================================( Interesting Files )===================================== [+] Interesting environment variables ... No [+] Any common entrypoint files ......... Yes --rwxr-xr-x 1 1001 127 38K Dec 18 18:26 /root/deepce.sh +-rwxr-xr-x 1 1001 127 39K Dec 28 14:30 /root/deepce.sh [+] Interesting files in root ........... No [+] Passwords in common files ........... No [+] Home directories .................... No -[+] Hashes in shadow file ............... No permissions +[+] Hashes in shadow file ............... No [+] Searching for app dirs .............. ==================================( Enumerating Containers )================================== By default containers can communicate with other containers on the same network and the diff --git a/results/docker-ubuntu-sock.log b/results/docker-ubuntu-sock.log index 85d57b7..e56f5a3 100644 --- a/results/docker-ubuntu-sock.log +++ b/results/docker-ubuntu-sock.log @@ -34,11 +34,12 @@ See https://stealthcopter.github.io/deepce [+] Inside Container ........ Yes [+] Container Platform ...... docker [+] Container tools ......... None -[+] User .................... root +[+] User .................... root [+] Groups .................. root +[+] Sudoers ................. No [+] Docker Executable ....... Not Found [+] Docker Sock ............. Yes -srw-rw---- 1 root 127 0 Dec 18 18:24 /var/run/docker.sock +srw-rw---- 1 root 127 0 Dec 28 14:28 /var/run/docker.sock [+] Sock is writable ........ Yes The docker sock is writable, we should be able to enumerate docker, create containers and obtain root privs on the host machine @@ -50,7 +51,7 @@ See https://stealthcopter.github.io/deepce/guides/docker-sock.md [+] Docker Version .......... Version Unknown ==================================( Enumerating Container )=================================== -[+] Container ID ............ b97eb4eaaf95 +[+] Container ID ............ 8fedb46fc5fb [+] Container Full ID ....... / [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ 172.17.0.2  @@ -87,11 +88,11 @@ See https://stealthcopter.github.io/deepce/guides/docker-sock.md ====================================( Interesting Files )===================================== [+] Interesting environment variables ... No [+] Any common entrypoint files ......... Yes --rwxr-xr-x 1 1001 127 38K Dec 18 18:26 /root/deepce.sh +-rwxr-xr-x 1 1001 127 39K Dec 28 14:30 /root/deepce.sh [+] Interesting files in root ........... No [+] Passwords in common files ........... No [+] Home directories .................... No -[+] Hashes in shadow file ............... No permissions +[+] Hashes in shadow file ............... No [+] Searching for app dirs ..............  ==================================( Enumerating Containers )================================== By default containers can communicate with other containers on the same network and the diff --git a/results/docker-ubuntu.html b/results/docker-ubuntu.html index d527ecb..4be8519 100644 --- a/results/docker-ubuntu.html +++ b/results/docker-ubuntu.html @@ -44,13 +44,14 @@ [+] Inside Container ........ Yes [+] Container Platform ...... docker [+] Container tools ......... None -[+] User .................... root +[+] User .................... root [+] Groups .................. root +[+] Sudoers ................. No [+] Docker Executable ....... Not Found [+] Docker Sock ............. Not Found [+] Docker Version .......... Version Unknown ==================================( Enumerating Container )=================================== -[+] Container ID ............ df1c82c5219b +[+] Container ID ............ b5df5a04e05d [+] Container Full ID ....... / [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ 172.17.0.2 @@ -83,11 +84,11 @@ ====================================( Interesting Files )===================================== [+] Interesting environment variables ... No [+] Any common entrypoint files ......... Yes --rwxr-xr-x 1 1001 127 38K Dec 18 18:26 /root/deepce.sh +-rwxr-xr-x 1 1001 127 39K Dec 28 14:30 /root/deepce.sh [+] Interesting files in root ........... No [+] Passwords in common files ........... No [+] Home directories .................... No -[+] Hashes in shadow file ............... No permissions +[+] Hashes in shadow file ............... No [+] Searching for app dirs .............. ==================================( Enumerating Containers )================================== By default containers can communicate with other containers on the same network and the diff --git a/results/docker-ubuntu.log b/results/docker-ubuntu.log index 717d8a7..415080e 100644 --- a/results/docker-ubuntu.log +++ b/results/docker-ubuntu.log @@ -34,13 +34,14 @@ See https://stealthcopter.github.io/deepce [+] Inside Container ........ Yes [+] Container Platform ...... docker [+] Container tools ......... None -[+] User .................... root +[+] User .................... root [+] Groups .................. root +[+] Sudoers ................. No [+] Docker Executable ....... Not Found [+] Docker Sock ............. Not Found [+] Docker Version .......... Version Unknown ==================================( Enumerating Container )=================================== -[+] Container ID ............ df1c82c5219b +[+] Container ID ............ b5df5a04e05d [+] Container Full ID ....... / [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ 172.17.0.2  @@ -73,11 +74,11 @@ CapAmb: 0000000000000000 ====================================( Interesting Files )===================================== [+] Interesting environment variables ... No [+] Any common entrypoint files ......... Yes --rwxr-xr-x 1 1001 127 38K Dec 18 18:26 /root/deepce.sh +-rwxr-xr-x 1 1001 127 39K Dec 28 14:30 /root/deepce.sh [+] Interesting files in root ........... No [+] Passwords in common files ........... No [+] Home directories .................... No -[+] Hashes in shadow file ............... No permissions +[+] Hashes in shadow file ............... No [+] Searching for app dirs ..............  ==================================( Enumerating Containers )================================== By default containers can communicate with other containers on the same network and the