CDK - Zero Dependency Container Penetration Toolkit

2021-01-21T11:30:06
ID KITPLOIT:1751489026679880812
Type kitploit
Reporter KitPloit
Modified 2021-01-21T11:30:06

Description

CDK is an open-sourced container penetration toolkit, designed to offer stable exploitation in different slimmed containers without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs that help you escape the container and take over the K8s cluster easily.

Currently still under development; submit issues or mail [email protected] if you need any help.

Installation

Download the latest release from: https://github.com/cdk-team/CDK/releases/

Drop the executable files into the target container and start testing.

Usage

Usage:  
  cdk evaluate [--full]  
  cdk run (--list | <exploit> [<args>...])  
  cdk auto-escape <cmd>  
  cdk <tool> [<args>...]

Evaluate:  
  cdk evaluate                              Gather information to find weakness inside container.  
  cdk evaluate --full                       Enable file scan during information gathering.

Exploit:  
  cdk run --list                            List all available exploits.  
  cdk run <exploit> [<args>...]             Run single exploit, docs in https://github.com/cdk-team/CDK/wiki

Auto Escape:  
  cdk auto-escape <cmd>                     Escape container in different ways then let target execute <cmd>.

Tool:  
  vi <file>                                 Edit files in container like "vi" command.  
  ps                                        Show process information like "ps -ef" command.  
  nc [options]                              Create TCP tunnel.  
  ifconfig                                  Show network information.  
  kcurl <path> (get|post) <uri> <data>      Make request to K8s api-server.  
  ucurl (get|post) <socket> <uri> <data>    Make request to docker unix socket.  
  probe <ip> <port> <parallel> <timeout-ms> TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000

Options:  
  -h --help     Show this help msg.  
  -v --version  Show version.

Features

CDK has three modules:

  1. Evaluate: gather information inside container to find potential weakness.
  2. Exploit: for container escaping, persistence and lateral movement.
  3. Tool: network-tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management.

Evaluate Module

Usage

cdk evaluate [--full]

This command runs the scripts below without local file scanning; use --full to enable all of them.

Tactics | Script | Supported | Usage/Example
---|---|---|---
Information Gathering | OS Basic Info | | link
Information Gathering | Available Capabilities | | link
Information Gathering | Available Linux Commands | | link
Information Gathering | Mounts | | link
Information Gathering | Net Namespace | | link
Information Gathering | Sensitive ENV | | link
Information Gathering | Sensitive Process | | link
Information Gathering | Sensitive Local Files | | link
Discovery | K8s Api-server Info | | link
Discovery | K8s Service-account Info | | link
Discovery | Cloud Provider Metadata API | | link
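The "Available Capabilities" and "Mounts" scripts read the same two kernel files a defender can audit directly. The following is an added example, not CDK's code: it decodes the CapEff bitmask from /proc/<pid>/status and flags /proc/mounts entries (docker.sock, writable cgroups, a host procfs) that correspond to the escape techniques listed in the exploit table. The capability-to-bit table is the standard Linux one; the sample status and mounts text is constructed.

```python
import re

# Linux capability names by bit number (bit 0 = CAP_CHOWN, bit 40 = CAP_CHECKPOINT_RESTORE).
CAP_NAMES = ("chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap "
             "linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock "
             "ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin "
             "sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write "
             "audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend "
             "audit_read perfmon bpf checkpoint_restore").split()
# Capabilities that commonly enable the escapes in the exploit table (device mounts, cgroups, ptrace, modules).
RISKY_CAPS = {"sys_admin", "sys_ptrace", "sys_module", "sys_rawio", "dac_read_search"}

def parse_cap_eff(status_text):
    # Effective capability bitmask as printed in /proc/<pid>/status.
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        raise ValueError("CapEff line not found")
    return int(m.group(1), 16)

def cap_names(mask):
    # Decode the bitmask into the names of the capabilities that are set.
    return [name for i, name in enumerate(CAP_NAMES) if (mask >> i) & 1]

def risky_mounts(mounts_text):
    # Flag /proc/mounts entries that expose the host the way the evaluate scripts probe.
    findings = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _src, target, fstype, opts = parts[:4]
        if target.endswith("docker.sock"):
            findings.append(f"docker socket exposed at {target}")
        elif fstype == "cgroup" and "rw" in opts.split(","):
            findings.append(f"cgroup {target} mounted read-write")
        elif fstype == "proc" and target != "/proc":
            findings.append(f"host procfs mounted at {target}")
    return findings

def audit(status_text, mounts_text):
    caps = cap_names(parse_cap_eff(status_text))
    return {"caps": caps, "risky_caps": sorted(c for c in caps if c in RISKY_CAPS),
            "risky_mounts": risky_mounts(mounts_text)}

# Constructed sample input: Docker's default capability set plus a bind-mounted docker.sock.
SAMPLE_STATUS = "Name:\tsh\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
SAMPLE_MOUNTS = ("proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
                 "/dev/sda1 /run/docker.sock ext4 rw,relatime 0 0\n"
                 "cgroup /sys/fs/cgroup/memory cgroup ro,nosuid,nodev,noexec,relatime,memory 0 0\n")
```

On a live container, pass the contents of /proc/self/status and /proc/mounts to audit(); an empty risky_caps and risky_mounts list is the posture to aim for with a non-privileged pod spec.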

Exploit Module

List all available exploits:

cdk run --list

Run targeted exploit:

cdk run <script-name> [options]

Tactic | Technique | CDK Exploit Name | Supported | Doc
---|---|---|---|---
Escaping | docker-runc CVE-2019-5736 | runc-pwn | |
Escaping | docker-cp CVE-2019-14271 | | |
Escaping | containerd-shim CVE-2020-15257 | shim-pwn | | link
Escaping | dirtycow CVE-2016-5159 | | |
Escaping | docker.sock PoC (DIND attack) | docker-sock-check | | link
Escaping | docker.sock Backdoor Image Deploy | docker-sock-deploy | | link
Escaping | Device Mount Escaping | mount-disk | | link
Escaping | Cgroups Escaping | mount-cgroup | | link
Escaping | Procfs Escaping | mount-procfs | | link
Escaping | Ptrace Escaping PoC | check-ptrace | | link
Discovery | K8s Component Probe | service-probe | | link
Discovery | Dump Istio Sidecar Meta | istio-check | | link
Lateral Movement | K8s Service Account Control | | |
Lateral Movement | Attack K8s api-server | | |
Lateral Movement | Attack K8s Kubelet | | |
Lateral Movement | Attack K8s Dashboard | | |
Lateral Movement | Attack K8s Helm | | |
Lateral Movement | Attack K8s Etcd | | |
Lateral Movement | Attack Private Docker Registry | | |
Remote Control | Reverse Shell | reverse-shell | | link
Credential Access | Access Key Scanning | ak-leakage | | link
Credential Access | Dump K8s Secrets | k8s-secret-dump | | link
Credential Access | Dump K8s Config | k8s-configmap-dump | | link
Persistence | Deploy WebShell | | |
Persistence | Deploy Backdoor Pod | k8s-backdoor-daemonset | | link
Persistence | Deploy Shadow K8s api-server | k8s-shadow-apiserver | | link
Persistence | K8s MITM Attack (CVE-2020-8554) | k8s-mitm-clusterip | | link
Persistence | Deploy K8s CronJob | | |
Defense Evasion | Disable K8s Audit | | |

Tool Module

Run commands as you would on Linux; the input arguments differ slightly, see the usage link.

cdk nc [options]  
cdk ps

Command | Description | Supported | Usage/Example
---|---|---|---
nc | TCP Tunnel | | link
ps | Process Information | | link
ifconfig | Network Information | | link
vi | Edit Files | | link
kcurl | Request to K8s api-server | | link
dcurl | Request to Docker HTTP API | |
ucurl | Request to Docker Unix Socket | | link
rcurl | Request to Docker Registry API | |
probe | IP/Port Scanning | | link

Developer Docs

TODO

  1. Echo loader for delivering CDK into target container via Web RCE.
  2. EDR defense evasion.
  3. Compile optimization.
  4. Dev docs.
