CVSS3: 9.8 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Attack Vector NETWORK, Attack Complexity LOW, Privileges Required NONE, User Interaction NONE, Scope UNCHANGED, Confidentiality/Integrity/Availability Impact HIGH)
AI Score: 8.2 High (Confidence High)
CVSS2: 9.3 High
AV:N/AC:M/Au:N/C:C/I:C/A:C (Access Vector NETWORK, Access Complexity MEDIUM, Authentication NONE, Confidentiality/Integrity/Availability Impact COMPLETE)
EPSS: 0.021 Low (Percentile 89.0%)
CDK is an open-source container penetration toolkit designed to offer stable exploitation in different slimmed containers without any OS dependency. It comes with useful net-tools and many PoCs/EXPs that help you escape the container and take over the K8s cluster.
CDK is still under development; submit an issue or mail [email protected] if you need any help.
Installation
Download the latest release from: <https://github.com/cdk-team/CDK/releases/>
Drop the executable into the target container and start testing.
Usage
```
Usage:
  cdk evaluate [--full]
  cdk run (--list | <exploit> [<args>...])
  cdk auto-escape <cmd>
  cdk <tool> [<args>...]

Evaluate:
  cdk evaluate                      Gather information to find weakness inside container.
  cdk evaluate --full               Enable file scan during information gathering.

Exploit:
  cdk run --list                    List all available exploits.
  cdk run <exploit> [<args>...]     Run single exploit, docs in https://github.com/cdk-team/CDK/wiki

Auto Escape:
  cdk auto-escape <cmd>             Escape container in different ways then let target execute <cmd>.

Tool:
  vi <file>                                   Edit files in container like "vi" command.
  ps                                          Show process information like "ps -ef" command.
  nc [options]                                Create TCP tunnel.
  ifconfig                                    Show network information.
  kcurl <path> (get|post) <uri> <data>        Make request to K8s api-server.
  ucurl (get|post) <socket> <uri> <data>      Make request to docker unix socket.
  probe <ip> <port> <parallel> <timeout-ms>   TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000

Options:
  -h --help     Show this help msg.
  -v --version  Show version.
```
Features
CDK has three modules:
Evaluate Module
Usage
cdk evaluate [--full]
This command runs the scripts below. Local file scanning is skipped by default; pass --full to enable it as well.
Tactics | Script | Supported | Usage/Example
---|---|---|---
Information Gathering | OS Basic Info | ✔ | github.com/cdk-team/CDK/wiki/Evaluate:-System-Info
Information Gathering | Available Capabilities | ✔ | github.com/cdk-team/CDK/wiki/Evaluate:-Commands-and-Capabilities
Information Gathering | Available Linux Commands | ✔ | github.com/cdk-team/CDK/wiki/Evaluate:-Commands-and-Capabilities
Information Gathering | Mounts | ✔ | github.com/cdk-team/CDK/wiki/Evaluate:-Mounts
Information Gathering | Net Namespace | ✔ | github.com/cdk-team/CDK/wiki/Evaluate:-Net-Namespace
Information Gathering | Sensitive ENV | ✔ | (see wiki)
Information Gathering | Sensitive Process | ✔ | (see wiki)
Information Gathering | Sensitive Local Files | ✔ | github.com/cdk-team/CDK/wiki/Evaluate:-Sensitive-Files
Discovery | K8s Api-server Info | ✔ | github.com/cdk-team/CDK/wiki/Evaluate:-K8s-API-Server
Discovery | K8s Service-account Info | ✔ | github.com/cdk-team/CDK/wiki/Evaluate:-K8s-Service-Account
Discovery | Cloud Provider Metadata API | ✔ | github.com/cdk-team/CDK/wiki/Evaluate:-Cloud-Provider-Metadata-API
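What the evaluate module's "Available Capabilities" script boils down to, written here as an added example in POSIX sh (this is not CDK's own code): decode the CapEff mask from /proc/self/status into capability names and flag the ones that matter for an escape, then check the two other cheap signals the module reports. The set of capabilities under RISKY_CAPS is this example's selection, not CDK's list; the docker.sock and service-account paths are the Docker and Kubernetes defaults and are assumed.

```shell
#!/bin/sh
# Decode a Linux capability mask (the hex value on the CapEff line of
# /proc/self/status) and flag capabilities that turn a root shell inside a
# container into an escape candidate. Numbers follow linux/capability.h
# (CAP_CHECKPOINT_RESTORE, 40, is the highest defined as of Linux 5.9).

cap_name() {
    case "$1" in
        0) echo CAP_CHOWN ;;             1) echo CAP_DAC_OVERRIDE ;;
        2) echo CAP_DAC_READ_SEARCH ;;   3) echo CAP_FOWNER ;;
        4) echo CAP_FSETID ;;            5) echo CAP_KILL ;;
        6) echo CAP_SETGID ;;            7) echo CAP_SETUID ;;
        8) echo CAP_SETPCAP ;;           9) echo CAP_LINUX_IMMUTABLE ;;
        10) echo CAP_NET_BIND_SERVICE ;; 11) echo CAP_NET_BROADCAST ;;
        12) echo CAP_NET_ADMIN ;;        13) echo CAP_NET_RAW ;;
        14) echo CAP_IPC_LOCK ;;         15) echo CAP_IPC_OWNER ;;
        16) echo CAP_SYS_MODULE ;;       17) echo CAP_SYS_RAWIO ;;
        18) echo CAP_SYS_CHROOT ;;       19) echo CAP_SYS_PTRACE ;;
        20) echo CAP_SYS_PACCT ;;        21) echo CAP_SYS_ADMIN ;;
        22) echo CAP_SYS_BOOT ;;         23) echo CAP_SYS_NICE ;;
        24) echo CAP_SYS_RESOURCE ;;     25) echo CAP_SYS_TIME ;;
        26) echo CAP_SYS_TTY_CONFIG ;;   27) echo CAP_MKNOD ;;
        28) echo CAP_LEASE ;;            29) echo CAP_AUDIT_WRITE ;;
        30) echo CAP_AUDIT_CONTROL ;;    31) echo CAP_SETFCAP ;;
        32) echo CAP_MAC_OVERRIDE ;;     33) echo CAP_MAC_ADMIN ;;
        34) echo CAP_SYSLOG ;;           35) echo CAP_WAKE_ALARM ;;
        36) echo CAP_BLOCK_SUSPEND ;;    37) echo CAP_AUDIT_READ ;;
        38) echo CAP_PERFMON ;;          39) echo CAP_BPF ;;
        40) echo CAP_CHECKPOINT_RESTORE ;;
        *) echo "CAP_$1" ;;
    esac
}

# Print the name of every capability set in the hex mask, one per line.
decode_caps() {
    capmask=$(( 0x$1 ))
    capbit=0
    while [ "$capbit" -le 40 ]; do
        [ $(( (capmask >> capbit) & 1 )) -eq 1 ] && cap_name "$capbit"
        capbit=$(( capbit + 1 ))
    done
    return 0
}

# This example's list (not CDK's) of capabilities that each give a root
# process a known escape or host-tampering path: SYS_ADMIN (mount, cgroup
# release_agent), SYS_PTRACE (inject into host processes when the pid
# namespace is shared), SYS_MODULE (load a kernel module), DAC_READ_SEARCH
# (open_by_handle_at), SYS_RAWIO (raw block devices), NET_ADMIN, SYS_BOOT, BPF.
RISKY_CAPS="CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYS_MODULE CAP_DAC_READ_SEARCH CAP_SYS_RAWIO CAP_NET_ADMIN CAP_SYS_BOOT CAP_BPF"

# Print only the risky capabilities present in the mask, one per line.
risky_caps() {
    for capname in $(decode_caps "$1"); do
        case " $RISKY_CAPS " in
            *" $capname "*) echo "$capname" ;;
        esac
    done
    return 0
}

# Effective capability mask of the current process.
current_cap_mask() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# The cheap part of `cdk evaluate`: capabilities, runtime socket,
# service-account token and in-cluster api-server location (default paths assumed).
evaluate_container() {
    if [ -r /proc/self/status ]; then
        capmask=$(current_cap_mask)
        echo "CapEff: $capmask"
        echo "risky capabilities: $(risky_caps "$capmask" | tr '\n' ' ')"
    fi
    [ -S /var/run/docker.sock ] && echo "docker.sock is mounted (docker-sock-check / DIND escape candidate)"
    [ -r /var/run/secrets/kubernetes.io/serviceaccount/token ] && echo "K8s service-account token is mounted"
    [ -n "$KUBERNETES_SERVICE_HOST" ] && echo "in-cluster api-server: https://$KUBERNETES_SERVICE_HOST:${KUBERNETES_SERVICE_PORT:-443}"
    return 0
}

evaluate_container
```

A default Docker container carries the mask 00000000a80425fb (14 capabilities, none of them in the risky set); a --privileged container on a recent kernel reports all bits set, and CAP_SYS_ADMIN alone is 0000000000200000. Run the script inside the container under test, or feed a CapEff value copied from another host to `risky_caps` directly.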
Exploit Module
List all available exploits:
cdk run --list
Run targeted exploit:
cdk run <script-name> [options]
Tactic | Technique | CDK Exploit Name | Supported | Doc
---|---|---|---|---
Escaping | docker-runc CVE-2019-5736 | runc-pwn | ✔ |
Escaping | docker-cp CVE-2019-14271 | | |
Escaping | containerd-shim CVE-2020-15257 | shim-pwn | ✔ | github.com/cdk-team/CDK/wiki/Exploit:-shim-pwn
Escaping | dirtycow CVE-2016-5195 | | |
Escaping | docker.sock PoC (DIND attack) | docker-sock-check | ✔ | github.com/cdk-team/CDK/wiki/Exploit:-docker-sock-check
Escaping | docker.sock Backdoor Image Deploy | docker-sock-deploy | ✔ | github.com/cdk-team/CDK/wiki/Exploit:-docker-sock-deploy
Escaping | Device Mount Escaping | mount-disk | ✔ | github.com/cdk-team/CDK/wiki/Exploit:-mount-disk
Escaping | Cgroups Escaping | mount-cgroup | ✔ | github.com/cdk-team/CDK/wiki/Exploit:-mount-cgroup
Escaping | Procfs Escaping | mount-procfs | ✔ | github.com/cdk-team/CDK/wiki/Exploit:-mount-procfs
Escaping | Ptrace Escaping PoC | check-ptrace | ✔ | github.com/cdk-team/CDK/wiki/Exploit:-check-ptrace
Discovery | K8s Component Probe | service-probe | ✔ | github.com/cdk-team/CDK/wiki/Exploit:-service-probe
Discovery | Dump Istio Sidecar Meta | istio-check | ✔ | github.com/cdk-team/CDK/wiki/Exploit:-check-istio
Lateral Movement | K8s Service Account Control | | |
Lateral Movement | Attack K8s api-server | | |
Lateral Movement | Attack K8s Kubelet | | |
Lateral Movement | Attack K8s Dashboard | | |
Lateral Movement | Attack K8s Helm | | |
Lateral Movement | Attack K8s Etcd | | |
Lateral Movement | Attack Private Docker Registry | | |
Remote Control | Reverse Shell | reverse-shell | ✔ | github.com/cdk-team/CDK/wiki/Exploit:-reverse-shell
Credential Access | Access Key Scanning | ak-leakage | ✔ | github.com/cdk-team/CDK/wiki/Exploit:-ak-leakage
Credential Access | Dump K8s Secrets | k8s-secret-dump | ✔ | github.com/cdk-team/CDK/wiki/Exploit:-k8s-secret-dump
Credential Access | Dump K8s Config | k8s-configmap-dump | ✔ | github.com/cdk-team/CDK/wiki/Exploit:-k8s-configmap-dump
Persistence | Deploy WebShell | | |
Persistence | Deploy Backdoor Pod | k8s-backdoor-daemonset | ✔ | github.com/cdk-team/CDK/wiki/Exploit:-k8s-backdoor-daemonset
Persistence | Deploy Shadow K8s api-server | k8s-shadow-apiserver | ✔ | github.com/cdk-team/CDK/wiki/Exploit:-k8s-shadow-apiserver
Persistence | K8s MITM Attack (CVE-2020-8554) | k8s-mitm-clusterip | ✔ | github.com/cdk-team/CDK/wiki/Evaluate:-k8s-mitm-clusterip
Persistence | Deploy K8s CronJob | | |
Defense Evasion | Disable K8s Audit | | |
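The mount-disk, mount-procfs, mount-cgroup and docker.sock exploits above each depend on a particular mount being visible from inside the container, which is also what the evaluate module's "Mounts" script looks for. As an added example (not CDK's code), the following POSIX sh function reads /proc/mounts-format lines and names the precondition each one satisfies. The sample mount table is constructed for the example; the device-name patterns and the three files Docker always bind-mounts (/etc/hosts, /etc/hostname, /etc/resolv.conf) are assumptions about a typical Docker host.

```shell
#!/bin/sh
# Scan /proc/mounts lines (on stdin) for mounts that make a container escape
# possible. Output: one finding per line, "<kind> <details>".

check_mounts() {
    awk '
    {
        src = $1; tgt = $2; fs = $3; split($4, opts, ","); rw = (opts[1] == "rw")

        # Container-runtime socket bind-mounted in: whoever can write to it
        # drives the host daemon (what docker-sock-check / docker-sock-deploy use).
        if (tgt ~ /\/(docker|containerd|crio)\.sock$/) { print "container-runtime-socket", tgt; next }

        # A second procfs is almost always the host procfs; writing the host
        # core_pattern through it is the mount-procfs technique.
        if (fs == "proc" && tgt != "/proc") { print "host-procfs", tgt; next }

        # Writable cgroup v1 hierarchy: the release_agent trick (mount-cgroup)
        # needs this together with CAP_SYS_ADMIN.
        if (fs == "cgroup" && rw) { print "writable-cgroup", tgt; next }

        # Host block device mounted in, other than the three files Docker
        # always bind-mounts: the host filesystem is directly reachable
        # (mount-disk needs the device itself, which this also reveals).
        if (src ~ /^\/dev\/(sd|vd|xvd|nvme|dm-|mapper\/)/ &&
            tgt !~ /^\/etc\/(hosts|hostname|resolv\.conf)$/) {
            print "host-device-mount", src, tgt; next
        }
    }'
}

# Constructed sample: a Docker container with the three normal bind-mounts
# plus a writable cgroup, the host procfs, docker.sock and a host partition.
sample_mounts() {
cat <<'EOF'
overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/AAA:/var/lib/docker/overlay2/l/BBB 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,size=65536k,mode=755 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,relatime,mode=755 0 0
cgroup /sys/fs/cgroup/cpu cgroup ro,nosuid,nodev,noexec,relatime,cpu 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
/dev/sda1 /etc/resolv.conf ext4 rw,relatime 0 0
/dev/sda1 /etc/hostname ext4 rw,relatime 0 0
/dev/sda1 /etc/hosts ext4 rw,relatime 0 0
/dev/sda1 /run/docker.sock ext4 rw,relatime 0 0
proc /hostproc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /host-root ext4 rw,relatime 0 0
tmpfs /run/secrets/kubernetes.io/serviceaccount tmpfs ro,relatime 0 0
EOF
}

# Live check of the current container (no output means nothing was flagged).
if [ -r /proc/mounts ]; then
    check_mounts < /proc/mounts
fi
```

`sample_mounts | check_mounts` reports four findings (the memory cgroup, /run/docker.sock, /hostproc and /host-root) and stays silent on the /etc bind-mounts and the read-only cgroup. A finding is a precondition, not an escape: mount-cgroup still needs CAP_SYS_ADMIN, and a read-only host-procfs only helps discovery.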
Tool Module
The tool module runs commands like their Linux counterparts, with slightly different input arguments; see the usage link for each command.
cdk nc [options]
cdk ps
Command | Description | Supported | Usage/Example
---|---|---|---
nc | TCP Tunnel | ✔ | github.com/cdk-team/CDK/wiki/Tool:-nc
ps | Process Information | ✔ | github.com/cdk-team/CDK/wiki/Tool:-ps
ifconfig | Network Information | ✔ | github.com/cdk-team/CDK/wiki/Tool:-ifconfig
vi | Edit Files | ✔ | github.com/cdk-team/CDK/wiki/Tool:-vi
kcurl | Request to K8s api-server | ✔ | github.com/cdk-team/CDK/wiki/Tool:-kcurl
dcurl | Request to Docker HTTP API | |
ucurl | Request to Docker Unix Socket | ✔ | github.com/cdk-team/CDK/wiki/Tool:-ucurl
rcurl | Request to Docker Registry API | |
probe | IP/Port Scanning | ✔ | github.com/cdk-team/CDK/wiki/Tool:-probe
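kcurl and ucurl exist because slimmed images rarely ship curl; where curl is available, the same two requests can be made directly. The following is an added example in POSIX sh of how those requests are built, not CDK's implementation: the in-cluster api-server address comes from the KUBERNETES_SERVICE_HOST/PORT environment that kubelet injects, the bearer token and CA bundle from the default service-account mount (kcurl's <path> argument selects the token; here the default path is assumed), and the Docker engine is reached with curl's --unix-socket. It also adds a SelfSubjectAccessReview helper, which asks the api-server whether the token may perform a given verb, the question k8s-backdoor-daemonset or k8s-secret-dump must answer before they can work. Nothing here is called against a live cluster by default.

```shell
#!/bin/sh
# curl-based equivalents of cdk kcurl / cdk ucurl, plus an RBAC self-check.
# Assumed defaults: Kubernetes in-cluster environment variables and the
# standard service-account mount; Docker engine socket at /var/run/docker.sock.

SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount

# In-cluster api-server endpoint; fails (returns 1) outside a pod.
k8s_api_base() {
    [ -n "$KUBERNETES_SERVICE_HOST" ] || return 1
    echo "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT:-443}"
}

# Bearer token of the mounted service account; fails if none is mounted.
sa_token() {
    [ -r "$SA_DIR/token" ] || return 1
    cat "$SA_DIR/token"
}

# k8s_api get|post <uri> [json-body]: authenticated request to the api-server,
# TLS verified against the CA bundle that ships with the service account.
k8s_api() {
    base=$(k8s_api_base) || { echo "not in a cluster (no KUBERNETES_SERVICE_HOST)" >&2; return 1; }
    token=$(sa_token)    || { echo "no service-account token at $SA_DIR/token" >&2; return 1; }
    case "$1" in
        post|POST)
            curl -sS --cacert "$SA_DIR/ca.crt" -H "Authorization: Bearer $token" \
                 -H "Content-Type: application/json" -X POST --data "$3" "$base$2" ;;
        *)
            curl -sS --cacert "$SA_DIR/ca.crt" -H "Authorization: Bearer $token" "$base$2" ;;
    esac
}

# ssar_body <verb> <resource> <namespace> [api-group]: JSON for a
# SelfSubjectAccessReview. The api-server answers for the caller's own token,
# so no permission to read RBAC objects is needed; the core group is "".
ssar_body() {
    printf '{"apiVersion":"authorization.k8s.io/v1","kind":"SelfSubjectAccessReview","spec":{"resourceAttributes":{"namespace":"%s","verb":"%s","group":"%s","resource":"%s"}}}' \
        "$3" "$1" "${4:-}" "$2"
}

# can_i <verb> <resource> <namespace> [api-group]: prints yes or no.
# Example: can_i create daemonsets kube-system apps  (what k8s-backdoor-daemonset needs)
#          can_i list secrets default                 (what k8s-secret-dump needs)
can_i() {
    if k8s_api post /apis/authorization.k8s.io/v1/selfsubjectaccessreviews \
            "$(ssar_body "$1" "$2" "$3" "${4:-}")" | grep -q '"allowed":true'; then
        echo yes
    else
        echo no
    fi
}

# docker_sock get|post <uri> [json-body] [socket-path]: Docker engine API over
# its unix socket, e.g. docker_sock get /version or docker_sock get /containers/json
docker_sock() {
    sock=${4:-/var/run/docker.sock}
    [ -S "$sock" ] || { echo "no runtime socket at $sock" >&2; return 1; }
    case "$1" in
        post|POST)
            curl -sS --unix-socket "$sock" -H "Content-Type: application/json" \
                 -X POST --data "$3" "http://localhost$2" ;;
        *)
            curl -sS --unix-socket "$sock" "http://localhost$2" ;;
    esac
}
```

Source the file and call `docker_sock get /version` to confirm a mounted socket is usable, or `can_i create daemonsets kube-system apps` to learn whether the pod's service account is enough for the persistence exploits without first trying them; a "no" there usually means the next step is the runtime socket or a node-level escape rather than the api-server.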
Developer Docs
TODO
github.com/cdk-team/CDK
github.com/cdk-team/CDK/issues
github.com/cdk-team/CDK/releases/
github.com/cdk-team/CDK/wiki/Evaluate:-Cloud-Provider-Metadata-API
github.com/cdk-team/CDK/wiki/Evaluate:-Commands-and-Capabilities
github.com/cdk-team/CDK/wiki/Evaluate:-K8s-API-Server
github.com/cdk-team/CDK/wiki/Evaluate:-k8s-mitm-clusterip
github.com/cdk-team/CDK/wiki/Evaluate:-K8s-Service-Account
github.com/cdk-team/CDK/wiki/Evaluate:-Mounts
github.com/cdk-team/CDK/wiki/Evaluate:-Net-Namespace
github.com/cdk-team/CDK/wiki/Evaluate:-Sensitive-Files
github.com/cdk-team/CDK/wiki/Evaluate:-Services
github.com/cdk-team/CDK/wiki/Evaluate:-System-Info
github.com/cdk-team/CDK/wiki/Exploit:-ak-leakage
github.com/cdk-team/CDK/wiki/Exploit:-check-istio
github.com/cdk-team/CDK/wiki/Exploit:-check-ptrace
github.com/cdk-team/CDK/wiki/Exploit:-docker-sock-check
github.com/cdk-team/CDK/wiki/Exploit:-docker-sock-deploy
github.com/cdk-team/CDK/wiki/Exploit:-k8s-backdoor-daemonset
github.com/cdk-team/CDK/wiki/Exploit:-k8s-configmap-dump
github.com/cdk-team/CDK/wiki/Exploit:-k8s-secret-dump
github.com/cdk-team/CDK/wiki/Exploit:-k8s-shadow-apiserver
github.com/cdk-team/CDK/wiki/Exploit:-mount-cgroup
github.com/cdk-team/CDK/wiki/Exploit:-mount-disk
github.com/cdk-team/CDK/wiki/Exploit:-mount-procfs
github.com/cdk-team/CDK/wiki/Exploit:-reverse-shell
github.com/cdk-team/CDK/wiki/Exploit:-service-probe
github.com/cdk-team/CDK/wiki/Exploit:-shim-pwn
github.com/cdk-team/CDK/wiki/Run-Test
github.com/cdk-team/CDK/wiki/Tool:-ifconfig
github.com/cdk-team/CDK/wiki/Tool:-kcurl
github.com/cdk-team/CDK/wiki/Tool:-nc
github.com/cdk-team/CDK/wiki/Tool:-probe
github.com/cdk-team/CDK/wiki/Tool:-ps
github.com/cdk-team/CDK/wiki/Tool:-ucurl
github.com/cdk-team/CDK/wiki/Tool:-vi