github/PEASS-ng
1
Fork 0
mirror of https://github.com/carlospolop/PEASS-ng synced 2025-02-24 23:15:25 +01:00
Code Releases Activity
PEASS-ng/linPEAS/builder/linpeas_parts/2_container.sh

227 lines
8.8 KiB
Bash
Raw Normal View History

more_checks
2021-12-19 08:31:53 -05:00
###########################################
#---------) Container functions (---------#
###########################################
containerCheck() {
inContainer=""
containerType="$(echo_no)"
# Are we inside docker?
if [ -f "/.dockerenv" ] ||
grep "/docker/" /proc/1/cgroup -qa 2>/dev/null ||
grep -qai docker /proc/self/cgroup 2>/dev/null ||
[ "$(find / -maxdepth 3 -name '*dockerenv*' -exec ls -la {} \; 2>/dev/null)" ] ; then
inContainer="1"
containerType="docker\n"
fi
# Are we inside kubenetes?
if grep "/kubepod" /proc/1/cgroup -qa 2>/dev/null ||
grep -qai kubepods /proc/self/cgroup 2>/dev/null; then
inContainer="1"
if [ "$containerType" ]; then containerType="$containerType (kubernetes)\n"
else containerType="kubernetes\n"
fi
fi
# Are we inside LXC?
if env | grep "container=lxc" -qa 2>/dev/null ||
grep "/lxc/" /proc/1/cgroup -qa 2>/dev/null; then
inContainer="1"
containerType="lxc\n"
fi
# Are we inside podman?
if env | grep -qa "container=podman" 2>/dev/null ||
grep -qa "container=podman" /proc/1/environ 2>/dev/null; then
inContainer="1"
containerType="podman\n"
fi
# Check for other container platforms that report themselves in PID 1 env
if [ -z "$inContainer" ]; then
if grep -a 'container=' /proc/1/environ 2>/dev/null; then
inContainer="1"
containerType="$(grep -a 'container=' /proc/1/environ | cut -d= -f2)\n"
fi
fi
}
inDockerGroup() {
DOCKER_GROUP="No"
if groups 2>/dev/null | grep -q '\bdocker\b'; then
DOCKER_GROUP="Yes"
fi
}
checkDockerRootless() {
DOCKER_ROOTLESS="No"
if docker info 2>/dev/null|grep -q rootless; then
DOCKER_ROOTLESS="Yes ($TIP_DOCKER_ROOTLESS)"
fi
}
enumerateDockerSockets() {
dockerVersion="$(echo_not_found)"
if ! [ "$SEARCHED_DOCKER_SOCKETS" ]; then
SEARCHED_DOCKER_SOCKETS="1"
for dock_sock in $(find / ! -path "/sys/*" -type s -name "docker.sock" -o -name "docker.socket" 2>/dev/null); do
if ! [ "$IAMROOT" ] && [ -w "$dock_sock" ]; then
echo "You have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${SED_RED_YELLOW},g"
echo "Docker enummeration:"
docker_enumerated=""
if [ "$(command -v curl)" ]; then
sockInfoResponse="$(curl -s --unix-socket $dock_sock http://localhost/info)"
dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'ServerVersion' | cut -d'"' -f 4)
echo $sockInfoResponse | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"'
if [ "$sockInfoResponse" ]; then docker_enumerated="1"; fi
fi
if [ "$(command -v docker)" ] && ! [ "$docker_enumerated" ]; then
sockInfoResponse="$(docker info)"
dockerVersion=$(echo "$sockInfoResponse" | tr ',' '\n' | grep 'Server Version' | cut -d' ' -f 4)
printf "$sockInfoResponse" | tr ',' '\n' | grep -E "$GREP_DOCKER_SOCK_INFOS" | grep -v "$GREP_DOCKER_SOCK_INFOS_IGNORE" | tr -d '"'
fi
else
echo "You don't have write permissions over Docker socket $dock_sock" | sed -${E} "s,$dock_sock,${SED_GREEN},g"
fi
done
fi
}
checkDockerVersionExploits() {
if echo "$dockerVersion" | grep -iq "not found"; then
VULN_CVE_2019_13139="$(echo_not_found)"
VULN_CVE_2019_5736="$(echo_not_found)"
return
fi
VULN_CVE_2019_13139="$(echo_no)"
if [ "$(echo $dockerVersion | sed 's,\.,,g')" -lt "1895" ]; then
VULN_CVE_2019_13139="Yes"
fi
VULN_CVE_2019_5736="$(echo_no)"
if [ "$(echo $dockerVersion | sed 's,\.,,g')" -lt "1893" ]; then
VULN_CVE_2019_5736="Yes"
fi
}
checkContainerExploits() {
VULN_CVE_2019_5021="$(echo_no)"
if [ -f "/etc/alpine-release" ]; then
alpineVersion=$(cat /etc/alpine-release)
if [ "$(echo $alpineVersion | sed 's,\.,,g')" -ge "330" ] && [ "$(echo $alpineVersion | sed 's,\.,,g')" -le "360" ]; then
VULN_CVE_2019_5021="Yes"
fi
fi
}
separated linpeas
2021-12-18 14:48:01 -05:00
##############################################
#---------------) Containers (---------------#
##############################################
containerCheck
print_2title "Container related tools present"
more checks
2021-12-19 10:41:39 -05:00
command -v docker
command -v lxc
command -v rkt
command -v kubectl
command -v podman
command -v runc
separated linpeas
2021-12-18 14:48:01 -05:00
print_2title "Container details"
print_list "Is this a container? ...........$NC $containerType"
print_list "Any running containers? ........ "$NC
# Get counts of running containers for each platform
dockercontainers=$(docker ps --format "{{.Names}}" 2>/dev/null | wc -l)
podmancontainers=$(podman ps --format "{{.Names}}" 2>/dev/null | wc -l)
lxccontainers=$(lxc list -c n --format csv 2>/dev/null | wc -l)
rktcontainers=$(rkt list 2>/dev/null | tail -n +2 | wc -l)
if [ "$dockercontainers" -eq "0" ] && [ "$lxccontainers" -eq "0" ] && [ "$rktcontainers" -eq "0" ] && [ "$podmancontainers" -eq "0" ]; then
fix
2021-12-18 16:58:56 -05:00
echo_no
separated linpeas
2021-12-18 14:48:01 -05:00
else
fix
2021-12-18 16:58:56 -05:00
containerCounts=""
if [ "$dockercontainers" -ne "0" ]; then containerCounts="${containerCounts}docker($dockercontainers) "; fi
if [ "$podmancontainers" -ne "0" ]; then containerCounts="${containerCounts}podman($podmancontainers) "; fi
if [ "$lxccontainers" -ne "0" ]; then containerCounts="${containerCounts}lxc($lxccontainers) "; fi
if [ "$rktcontainers" -ne "0" ]; then containerCounts="${containerCounts}rkt($rktcontainers) "; fi
echo "Yes $containerCounts" | sed -${E} "s,.*,${SED_RED},"
# List any running containers
if [ "$dockercontainers" -ne "0" ]; then echo "Running Docker Containers" | sed -${E} "s,.*,${SED_RED},"; docker ps | tail -n +2 2>/dev/null; echo ""; fi
if [ "$podmancontainers" -ne "0" ]; then echo "Running Podman Containers" | sed -${E} "s,.*,${SED_RED},"; podman ps | tail -n +2 2>/dev/null; echo ""; fi
if [ "$lxccontainers" -ne "0" ]; then echo "Running LXC Containers" | sed -${E} "s,.*,${SED_RED},"; lxc list 2>/dev/null; echo ""; fi
if [ "$rktcontainers" -ne "0" ]; then echo "Running RKT Containers" | sed -${E} "s,.*,${SED_RED},"; rkt list 2>/dev/null; echo ""; fi
separated linpeas
2021-12-18 14:48:01 -05:00
fi
#If docker
if echo "$containerType" | grep -qi "docker"; then
fix
2021-12-18 16:58:56 -05:00
print_2title "Docker Container details"
inDockerGroup
print_list "Am I inside Docker group .......$NC $DOCKER_GROUP\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "Looking and enumerating Docker Sockets\n"$NC
enumerateDockerSockets
print_list "Docker version .................$NC$dockerVersion"
checkDockerVersionExploits
print_list "Vulnerable to CVE-2019-5736 ....$NC$VULN_CVE_2019_5736"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
print_list "Vulnerable to CVE-2019-13139 ...$NC$VULN_CVE_2019_13139"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
if [ "$inContainer" ]; then
checkDockerRootless
print_list "Rootless Docker? ................ $DOCKER_ROOTLESS\n"$NC | sed -${E} "s,No,${SED_RED}," | sed -${E} "s,Yes,${SED_GREEN},"
fi
if df -h | grep docker; then
print_2title "Docker Overlays"
df -h | grep docker
fi
separated linpeas
2021-12-18 14:48:01 -05:00
fi
if [ "$inContainer" ]; then
fix
2021-12-18 16:58:56 -05:00
echo ""
print_2title "Container & breakout enumeration"
print_info "https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout"
more_checks
2021-12-19 08:31:53 -05:00
print_list "Container ID ...................$NC $(cat /etc/hostname && echo '')"
fix
2021-12-18 16:58:56 -05:00
if echo "$containerType" | grep -qi "docker"; then
print_list "Container Full ID ..............$NC $(basename $(cat /proc/1/cpuset))\n"
fi
if echo "$containerType" | grep -qi "kubernetes"; then
print_list "Kubernetes namespace ...........$NC $(cat /run/secrets/kubernetes.io/serviceaccount/namespace /secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null)\n"
print_list "Kubernetes token ...............$NC $(cat /run/secrets/kubernetes.io/serviceaccount/token /secrets/kubernetes.io/serviceaccount/token 2>/dev/null)\n"
fi
separated linpeas
2021-12-18 14:48:01 -05:00
fix
2021-12-18 16:58:56 -05:00
checkContainerExploits
print_list "Vulnerable to CVE-2019-5021 .. $VULN_CVE_2019_5021\n"$NC | sed -${E} "s,Yes,${SED_RED_YELLOW},"
echo ""
separated linpeas
2021-12-18 14:48:01 -05:00
fix
2021-12-18 16:58:56 -05:00
print_2title "Container Capabilities"
capsh --print 2>/dev/null | sed -${E} "s,$containercapsB,${SED_RED},g"
echo ""
separated linpeas
2021-12-18 14:48:01 -05:00
fix
2021-12-18 16:58:56 -05:00
print_2title "Privilege Mode"
if [ -x "$(command -v fdisk)" ]; then
if [ "$(fdisk -l 2>/dev/null | wc -l)" -gt 0 ]; then
echo "Privilege Mode is enabled"| sed -${E} "s,enabled,${SED_RED_YELLOW},"
else
echo "Privilege Mode is disabled"| sed -${E} "s,disabled,${SED_GREEN},"
fi
separated linpeas
2021-12-18 14:48:01 -05:00
else
fix
2021-12-18 16:58:56 -05:00
echo_not_found
separated linpeas
2021-12-18 14:48:01 -05:00
fi
fix
2021-12-18 16:58:56 -05:00
echo ""
separated linpeas
2021-12-18 14:48:01 -05:00
fix
2021-12-18 16:58:56 -05:00
print_2title "Interesting Files Mounted"
(mount -l || cat /proc/self/mountinfo || cat /proc/1/mountinfo || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts )2>/dev/null | grep -Ev "$GREP_IGNORE_MOUNTS"
echo ""
separated linpeas
2021-12-18 14:48:01 -05:00
fix
2021-12-18 16:58:56 -05:00
print_2title "Possible Entrypoints"
ls -lah /*.sh /*entrypoint* /**/entrypoint* /**/*.sh /deploy* 2>/dev/null | sort | uniq
echo ""
fi
Copy Permalink