CDK | Zero Dependency Container Penetration Toolkit

CDK is an open-source container penetration toolkit, designed to offer stable exploitation in different slimmed containers without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs that help you escape the container and take over the K8s cluster easily.

CDK is still under development; submit issues or mail i@cdxy.me if you need any help.

Installation

Download the latest release from: https://github.com/cdk-team/CDK/releases/

Drop the executable into the target container and start testing.

Usage

Usage:
  cdk evaluate [--full]
  cdk run (--list | <exploit> [<args>...])
  cdk auto-escape <cmd>
  cdk <tool> [<args>...]

Evaluate:
  cdk evaluate                              Gather information to find weakness inside container.
  cdk evaluate --full                       Enable file scan during information gathering.

Exploit:
  cdk run --list                            List all available exploits.
  cdk run <exploit> [<args>...]             Run single exploit, docs in https://github.com/cdk-team/CDK/wiki

Auto Escape:
  cdk auto-escape <cmd>                     Escape container in different ways then let target execute <cmd>.

Tool:
  vi <file>                                 Edit files in container like "vi" command.
  ps                                        Show process information like "ps -ef" command.
  nc [options]                              Create TCP tunnel.
  ifconfig                                  Show network information.
  kcurl <path> (get|post) <uri> <data>      Make request to K8s api-server.
  ucurl (get|post) <socket> <uri> <data>    Make request to docker unix socket.
  probe <ip> <port> <parallel> <timeout-ms> TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000

Options:
  -h --help     Show this help msg.
  -v --version  Show version.

Features

CDK has three modules:

  1. Evaluate: gather information inside the container to find potential weaknesses.
  2. Exploit: container escaping, persistence and lateral movement.
  3. Tool: network tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management.

Evaluate Module

Usage

cdk evaluate [--full]

This command runs the scripts below without local file scanning; use --full to enable all of them.

| Tactics               | Script                     | Usage/Example |
|-----------------------|----------------------------|---------------|
| Information Gathering | OS Basic Info              | link          |
| Information Gathering | Available Capabilities     | link          |
| Information Gathering | Available Linux Commands   | link          |
| Information Gathering | Mounts                     | link          |
| Information Gathering | Net Namespace              | link          |
| Information Gathering | Sensitive ENV              | link          |
| Information Gathering | Sensitive Process          | link          |
| Information Gathering | Sensitive Local Files      | link          |
| Discovery             | K8s Api-server Info        | link          |
| Discovery             | K8s Service-account Info   | link          |
| Discovery             | Cloud Provider Metadata API | link         |

Exploit Module

List all available exploits:

cdk run --list

Run targeted exploit:

cdk run <script-name> [options]

| Tactic            | Technique                          | CDK Exploit Name       | Doc  |
|-------------------|------------------------------------|------------------------|------|
| Escaping          | docker-runc CVE-2019-5736          | runc-pwn               |      |
| Escaping          | docker-cp CVE-2019-14271           |                        |      |
| Escaping          | containerd-shim CVE-2020-15257     | shim-pwn               | link |
| Escaping          | dirtycow CVE-2016-5159             |                        |      |
| Escaping          | docker.sock PoC (DIND attack)      | docker-sock-check      | link |
| Escaping          | docker.sock Backdoor Image Deploy  | docker-sock-deploy     | link |
| Escaping          | Device Mount Escaping              | mount-disk             | link |
| Escaping          | Cgroups Escaping                   | mount-cgroup           | link |
| Escaping          | Procfs Escaping                    | mount-procfs           | link |
| Escaping          | Ptrace Escaping PoC                | check-ptrace           | link |
| Discovery         | K8s Component Probe                | service-probe          | link |
| Discovery         | Dump Istio Sidecar Meta            | istio-check            | link |
| Lateral Movement  | K8s Service Account Control        |                        |      |
| Lateral Movement  | Attack K8s api-server              |                        |      |
| Lateral Movement  | Attack K8s Kubelet                 |                        |      |
| Lateral Movement  | Attack K8s Dashboard               |                        |      |
| Lateral Movement  | Attack K8s Helm                    |                        |      |
| Lateral Movement  | Attack K8s Etcd                    |                        |      |
| Lateral Movement  | Attack Private Docker Registry     |                        |      |
| Remote Control    | Reverse Shell                      | reverse-shell          | link |
| Credential Access | Access Key Scanning                | ak-leakage             | link |
| Credential Access | Dump K8s Secrets                   | k8s-secret-dump        | link |
| Credential Access | Dump K8s Config                    | k8s-configmap-dump     | link |
| Persistence       | Deploy WebShell                    |                        |      |
| Persistence       | Deploy Backdoor Pod                | k8s-backdoor-daemonset | link |
| Persistence       | Deploy Shadow K8s api-server       | k8s-shadow-apiserver   | link |
| Persistence       | K8s MITM Attack (CVE-2020-8554)    | k8s-mitm-clusterip     | link |
| Persistence       | Deploy K8s CronJob                 |                        |      |
| Defense Evasion   | Disable K8s Audit                  |                        |      |

Tool Module

These commands run like their Linux counterparts, with small differences in the input arguments; see the usage link for each.

cdk nc [options]
cdk ps

| Command  | Description                    | Usage/Example |
|----------|--------------------------------|---------------|
| nc       | TCP Tunnel                     | link          |
| ps       | Process Information            | link          |
| ifconfig | Network Information            | link          |
| vi       | Edit Files                     | link          |
| kcurl    | Request to K8s api-server      | link          |
| dcurl    | Request to Docker HTTP API     |               |
| ucurl    | Request to Docker Unix Socket  | link          |
| rcurl    | Request to Docker Registry API |               |
| probe    | IP/Port Scanning               | link          |

Developer Docs

TODO

  1. Echo loader for delivering CDK into target container via Web RCE.
  2. EDR defense evasion.
  3. Compile optimization.
  4. Dev docs.

GitHub: https://github.com/cdk-team/CDK
