CDK | Zero Dependency Container Penetration Toolkit

CDK is an open-sourced container penetration toolkit, designed for offering stable exploitation in different slimmed containers without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs helps you to escape container and takeover K8s cluster easily.

Currently still under development, submit issues or mail if you need any help.


Download latest release in: 2

Drop executable files into target container and start testing.


Usage:  cdk evaluate [--full]  cdk run (--list | <exploit> [<args>...])  cdk auto-escape <cmd>  cdk <tool> [<args>...]Evaluate:  cdk evaluate                              Gather information to find weakness inside container.  cdk evaluate --full                       Enable file scan during information gathering.Exploit:  cdk run --list                            List all available exploits.  cdk run <exploit> [<args>...]             Run single exploit, docs in Escape:  cdk auto-escape <cmd>                     Escape container in different ways then let target execute <cmd>.Tool:  vi <file>                                 Edit files in container like "vi" command.  ps                                        Show process information like "ps -ef" command.  nc [options]                                 Create TCP tunnel.  ifconfig                                  Show network information.  kcurl <path> (get|post) <uri> <data>      Make request to K8s api-server.  ucurl (get|post) <socket> <uri> <data>    Make request to docker unix socket.  probe <ip> <port> <parallel> <timeout-ms> TCP port scan, example: cdk probe 80,8080-9443 50 1000Options:  -h --help     Show this help msg.  -v --version  Show version.


CDK have three modules:

  1. Evaluate: gather information inside container to find potential weakness.
  2. Exploit: for container escaping, persistance and lateral movement
  3. Tool: network-tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management.

Evaluate Module


cdk evaluate [--full]

This command will run the scripts below without local file scanning, using --full to enable all.

Information GatheringOS Basic Infolink
Information GatheringAvailable Capabilitieslink
Information GatheringAvailable Linux Commandslink
Information GatheringMountslink
Information GatheringNet Namespacelink
Information GatheringSensitive ENVlink
Information GatheringSensitive Processlink
Information GatheringSensitive Local Fileslink
DiscoveryK8s Api-server Infolink
DiscoveryK8s Service-account Infolink
DiscoveryCloud Provider Metadata APIlink

Exploit Module

List all available exploits:

cdk run --list

Run targeted exploit:

cdk run <script-name> [options]
TacticTechniqueCDK Exploit NameSupportedDoc
Escapingdocker-runc CVE-2019-5736runc-pwn
Escapingdocker-cp CVE-2019-14271
Escapingcontainerd-shim CVE-2020-15257shim-pwnlink
Escapingdirtycow CVE-2016-5159
Escapingdocker.sock PoC (DIND attack)docker-sock-checklink
Escapingdocker.sock Backdoor Image Deploydocker-sock-deploylink
EscapingDevice Mount Escapingmount-disklink
EscapingCgroups Escapingmount-cgrouplink
EscapingProcfs Escapingmount-procfslink
EscapingPtrace Escaping PoCcheck-ptracelink
DiscoveryK8s Component Probeservice-probelink
DiscoveryDump Istio Sidecar Metaistio-checklink
Lateral MovementK8s Service Account Control
Lateral MovementAttack K8s api-server
Lateral MovementAttack K8s Kubelet
Lateral MovementAttack K8s Dashboard
Lateral MovementAttack K8s Helm
Lateral MovementAttack K8s Etcd
Lateral MovementAttack Private Docker Registry
Remote ControlReverse Shellreverse-shelllink
Credential AccessAccess Key Scanningak-leakagelink
Credential AccessDump K8s Secretsk8s-secret-dumplink
Credential AccessDump K8s Configk8s-configmap-dumplink
PersistenceDeploy WebShell
PersistenceDeploy Backdoor Podk8s-backdoor-daemonsetlink
PersistenceDeploy Shadow K8s api-serverk8s-shadow-apiserverlink
PersistenceK8s MITM Attack (CVE-2020-8554)k8s-mitm-clusteriplink
PersistenceDeploy K8s CronJob
Defense EvasionDisable K8s Audit

Tool Module

Running commands like in Linux, little different in input-args, see the usage link.

cdk nc [options]cdk ps
ncTCP Tunnellink
psProcess Informationlink
ifconfigNetwork Informationlink
viEdit Fileslink
kcurlRequest to K8s api-serverlink
dcurlRequest to Docker HTTP API
ucurlRequest to Docker Unix Socketlink
rcurlRequest to Docker Registry API
probeIP/Port Scanninglink

Developer Docs


  1. Echo loader for delivering CDK into target container via Web RCE.
  2. EDR defense evasion.
  3. Compile optimization.
  4. Dev docs

GitHub: 3

cdk-team/CDK 3

CDK is an open-sourced container penetration toolkit, offering stable exploitation in different slimmed containers without any OS dependency. It comes with penetration tools and many powerful PoCs/…

Jonny Richards

Templateify is a site where you find unique and professional blogger templates, Improve your blog now for free.

Post a Comment (0)
Previous Post Next Post