CDK is an open-sourced container penetration toolkit, designed for offering stable exploitation in different slimmed containers without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs helps you to escape container and takeover K8s cluster easily.
Currently still under development, submit issues or mail [email protected] if you need any help.
Installation
Download latest release in: https://github.com/cdk-team/CDK/releases/ 2
Drop executable files into target container and start testing.
Usage
Usage: cdk evaluate [--full] cdk run (--list | <exploit> [<args>...]) cdk auto-escape <cmd> cdk <tool> [<args>...]Evaluate: cdk evaluate Gather information to find weakness inside container. cdk evaluate --full Enable file scan during information gathering.Exploit: cdk run --list List all available exploits. cdk run <exploit> [<args>...] Run single exploit, docs in https://github.com/cdk-team/CDK/wikiAuto Escape: cdk auto-escape <cmd> Escape container in different ways then let target execute <cmd>.Tool: vi <file> Edit files in container like "vi" command. ps Show process information like "ps -ef" command. nc [options] Create TCP tunnel. ifconfig Show network information. kcurl <path> (get|post) <uri> <data> Make request to K8s api-server. ucurl (get|post) <socket> <uri> <data> Make request to docker unix socket. probe <ip> <port> <parallel> <timeout-ms> TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000Options: -h --help Show this help msg. -v --version Show version. Features
CDK have three modules:
- Evaluate: gather information inside container to find potential weakness.
- Exploit: for container escaping, persistance and lateral movement
- Tool: network-tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management.
Evaluate Module
Usage
cdk evaluate [--full] This command will run the scripts below without local file scanning, using --full to enable all.
| Tactics | Script | Supported | Usage/Example |
|---|---|---|---|
| Information Gathering | OS Basic Info | link | |
| Information Gathering | Available Capabilities | link | |
| Information Gathering | Available Linux Commands | link | |
| Information Gathering | Mounts | link | |
| Information Gathering | Net Namespace | link | |
| Information Gathering | Sensitive ENV | link | |
| Information Gathering | Sensitive Process | link | |
| Information Gathering | Sensitive Local Files | link | |
| Discovery | K8s Api-server Info | link | |
| Discovery | K8s Service-account Info | link | |
| Discovery | Cloud Provider Metadata API | link |
Exploit Module
List all available exploits:
cdk run --list Run targeted exploit:
cdk run <script-name> [options] | Tactic | Technique | CDK Exploit Name | Supported | Doc |
|---|---|---|---|---|
| Escaping | docker-runc CVE-2019-5736 | runc-pwn | ||
| Escaping | docker-cp CVE-2019-14271 | |||
| Escaping | containerd-shim CVE-2020-15257 | shim-pwn | link | |
| Escaping | dirtycow CVE-2016-5159 | |||
| Escaping | docker.sock PoC (DIND attack) | docker-sock-check | link | |
| Escaping | docker.sock Backdoor Image Deploy | docker-sock-deploy | link | |
| Escaping | Device Mount Escaping | mount-disk | link | |
| Escaping | Cgroups Escaping | mount-cgroup | link | |
| Escaping | Procfs Escaping | mount-procfs | link | |
| Escaping | Ptrace Escaping PoC | check-ptrace | link | |
| Discovery | K8s Component Probe | service-probe | link | |
| Discovery | Dump Istio Sidecar Meta | istio-check | link | |
| Lateral Movement | K8s Service Account Control | |||
| Lateral Movement | Attack K8s api-server | |||
| Lateral Movement | Attack K8s Kubelet | |||
| Lateral Movement | Attack K8s Dashboard | |||
| Lateral Movement | Attack K8s Helm | |||
| Lateral Movement | Attack K8s Etcd | |||
| Lateral Movement | Attack Private Docker Registry | |||
| Remote Control | Reverse Shell | reverse-shell | link | |
| Credential Access | Access Key Scanning | ak-leakage | link | |
| Credential Access | Dump K8s Secrets | k8s-secret-dump | link | |
| Credential Access | Dump K8s Config | k8s-configmap-dump | link | |
| Persistence | Deploy WebShell | |||
| Persistence | Deploy Backdoor Pod | k8s-backdoor-daemonset | link | |
| Persistence | Deploy Shadow K8s api-server | k8s-shadow-apiserver | link | |
| Persistence | K8s MITM Attack (CVE-2020-8554) | k8s-mitm-clusterip | link | |
| Persistence | Deploy K8s CronJob | |||
| Defense Evasion | Disable K8s Audit |
Tool Module
Running commands like in Linux, little different in input-args, see the usage link.
cdk nc [options]cdk ps | Command | Description | Supported | Usage/Example |
|---|---|---|---|
| nc | TCP Tunnel | link | |
| ps | Process Information | link | |
| ifconfig | Network Information | link | |
| vi | Edit Files | link | |
| kcurl | Request to K8s api-server | link | |
| dcurl | Request to Docker HTTP API | ||
| ucurl | Request to Docker Unix Socket | link | |
| rcurl | Request to Docker Registry API | ||
| probe | IP/Port Scanning | link |
Developer Docs
TODO
- Echo loader for delivering CDK into target container via Web RCE.
- EDR defense evasion.
- Compile optimization.
- Dev docs
GitHub:
cdk-team/CDK 3
CDK is an open-sourced container penetration toolkit, offering stable exploitation in different slimmed containers without any OS dependency. It comes with penetration tools and many powerful PoCs/…
