CDK - Zero Dependency Container Penetration Toolkit

CDK is an open-sourced container penetration toolkit, designed for offering stable exploitation in different slimmed containers without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs helps you to escape container and takeover K8s cluster easily.

Currently still under development, submit issues or mail [email protected] if you need any help.

Installation

Download latest release in: <https://github.com/cdk-team/CDK/releases/&gt;

Drop executable files into target container and start testing.

Usage

Usage:  
  cdk evaluate [--full]  
  cdk run (--list | <exploit> [<args>...])  
  cdk auto-escape <cmd>  
  cdk <tool> [<args>...]  
  
Evaluate:  
  cdk evaluate                              Gather information to find weakness inside container.  
  cdk evaluate --full                       Enable file scan during information gathering.  
  
Exploit:  
  cdk run --list                            List all available exploits.  
  cdk run <exploit> [<args>...]             Run single exploit, docs in https://github.com/cdk-team/CDK/wiki  
  
Auto Escape:  
  cdk auto-escape <cmd>                     Escape container in different ways then let target execute <cmd>.  
  
Tool:  
  vi <file>                                 Edit files in container like "vi" command.  
  ps                                        Show process information like "ps -ef" command.  
  nc [options]                                 Create TCP tunnel.  
  ifconfig                                  Show network information.  
  kcurl <path> (get|post) <uri> <data>      Make request to K8s api-server.  
  ucurl (get|post) <socket> <uri> <data>    Make request to docker unix socket.  
  probe <ip> <port> <parallel> <timeout-ms> TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000  
  
Options:  
  -h --help     Show this help msg.  
  -v --version  Show version.  

Features

CDK have three modules:

1. Evaluate: gather information inside container to find potential weakness.
2. Exploit: for container escaping, persistance and lateral movement
3. Tool: network-tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management.

Evaluate Module

Usage

cdk evaluate [--full]  

This command will run the scripts below without local file scanning, using --full to enable all.

Tactics	Script	Supported	Usage/Example
Information Gathering	OS Basic Info

✔

| link
Information Gathering | Available Capabilities |

✔

| link
Information Gathering | Available Linux Commands |

✔

| link
Information Gathering | Mounts |

✔

| link
Information Gathering | Net Namespace |

✔

| link
Information Gathering | Sensitive ENV |

✔

| link
Information Gathering | Sensitive Process |

✔

| link
Information Gathering | Sensitive Local Files |

✔

| link
Discovery | K8s Api-server Info |

✔

| link
Discovery | K8s Service-account Info |

✔

| link
Discovery | Cloud Provider Metadata API |

✔

| link

Exploit Module

List all available exploits:

cdk run --list  

Run targeted exploit:

cdk run <script-name> [options]  

Tactic	Technique	CDK Exploit Name	Supported	Doc
Escaping	docker-runc CVE-2019-5736	runc-pwn

✔

|
Escaping | docker-cp CVE-2019-14271 | | |
Escaping | containerd-shim CVE-2020-15257 | shim-pwn |

✔

| link
Escaping | dirtycow CVE-2016-5159 | | |
Escaping | docker.sock PoC (DIND attack) | docker-sock-check |

✔

| link
Escaping | docker.sock Backdoor Image Deploy | docker-sock-deploy |

✔

| link
Escaping | Device Mount Escaping | mount-disk |

✔

| link
Escaping | Cgroups Escaping | mount-cgroup |

✔

| link
Escaping | Procfs Escaping | mount-procfs |

✔

| link
Escaping | Ptrace Escaping PoC | check-ptrace |

✔

| link
Discovery | K8s Component Probe | service-probe |

✔

| link
Discovery | Dump Istio Sidecar Meta | istio-check |

✔

| link
Lateral Movement | K8s Service Account Control | | |
Lateral Movement | Attack K8s api-server | | |
Lateral Movement | Attack K8s Kubelet | | |
Lateral Movement | Attack K8s Dashboard | | |
Lateral Movement | Attack K8s Helm | | |
Lateral Movement | Attack K8s Etcd | | |
Lateral Movement | Attack Private Docker Registry | | |
Remote Control | Reverse Shell | reverse-shell |

✔

| link
Credential Access | Access Key Scanning | ak-leakage |

✔

| link
Credential Access | Dump K8s Secrets | k8s-secret-dump |

✔

| link
Credential Access | Dump K8s Config | k8s-configmap-dump |

✔

| link
Persistence | Deploy WebShell | | |
Persistence | Deploy Backdoor Pod | k8s-backdoor-daemonset |

✔

| link
Persistence | Deploy Shadow K8s api-server | k8s-shadow-apiserver |

✔

| link
Persistence | K8s MITM Attack (CVE-2020-8554) | k8s-mitm-clusterip |

✔

| link
Persistence | Deploy K8s CronJob | | |
Defense Evasion | Disable K8s Audit | | |

Tool Module

Running commands like in Linux, little different in input-args, see the usage link.

cdk nc [options]  
cdk ps  

Command	Description	Supported	Usage/Example
nc	TCP Tunnel

✔

| link
ps | Process Information |

✔

| link
ifconfig | Network Information |

✔

| link
vi | Edit Files |

✔

| link
kcurl | Request to K8s api-server |

✔

| link
dcurl | Request to Docker HTTP API | |
ucurl | Request to Docker Unix Socket |

✔

| link
rcurl | Request to Docker Registry API | |
probe | IP/Port Scanning |

✔

| link

Developer Docs

• run test in container.

TODO

1. Echo loader for delivering CDK into target container via Web RCE.
2. EDR defense evasion.
3. Compile optimization.
4. Dev docs

Download CDK