CDK – Zero Dependency Container Penetration Toolkit

CDK is an open-source container penetration toolkit, designed to offer stable exploitation in different slimmed containers without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs that help you escape the container and take over the K8s cluster easily.

Currently still under development; submit issues or mail i@cdxy.me if you need any help.

Installation

Download the latest release at: https://github.com/cdk-team/CDK/releases/

Drop the executable into the target container and start testing.

Usage

Usage:
cdk evaluate [--full]
cdk run (--list | <exploit> [<args>...])
cdk auto-escape <cmd>
cdk <tool> [<args>...]

Evaluate:
cdk evaluate Gather information to find weakness inside container.
cdk evaluate --full Enable file scan during information gathering.

Exploit:
cdk run --list List all available exploits.
cdk run <exploit> [<args>...] Run single exploit, docs in https://github.com/cdk-team/CDK/wiki

Auto Escape:
cdk auto-escape <cmd> Escape container in different ways then let target execute <cmd>.

Tool:
vi <file> Edit files in container like "vi" command.
ps Show process information like "ps -ef" command.
nc [options] Create TCP tunnel.
ifconfig Show network information.
kcurl <path> (get|post) <uri> <data> Make request to K8s api-server.
ucurl (get|post) <socket> <uri> <data> Make request to docker unix socket.
probe <ip> <port> <parallel> <timeout-ms> TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000

Options:
-h --help Show this help msg.
-v --version Show version.

Features

CDK has three modules:

  1. Evaluate: gather information inside the container to find potential weaknesses.
  2. Exploit: container escaping, persistence and lateral movement.
  3. Tool: network tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management.

Evaluate Module

Usage

cdk evaluate [--full]

This command runs the scripts below without local file scanning; use --full to enable all of them.

Tactics               | Script                      | Supported | Usage/Example
----------------------+-----------------------------+-----------+--------------
Information Gathering | OS Basic Info               | ✔         | link
Information Gathering | Available Capabilities      | ✔         | link
Information Gathering | Available Linux Commands    | ✔         | link
Information Gathering | Mounts                      | ✔         | link
Information Gathering | Net Namespace               | ✔         | link
Information Gathering | Sensitive ENV               | ✔         | link
Information Gathering | Sensitive Process           | ✔         | link
Information Gathering | Sensitive Local Files       | ✔         | link
Discovery             | K8s Api-server Info         | ✔         | link
Discovery             | K8s Service-account Info    | ✔         | link
Discovery             | Cloud Provider Metadata API | ✔         | link
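A defender-side check of three of the signals in this table (Available Capabilities, Mounts, K8s Service-account Info), added here as an example and not CDK's own code: feed it the text of /proc/self/status and /proc/self/mounts read from inside a workload to see what an evaluate run would flag, and fix the capability grant or the mount before an attacker finds it. The list of risky capabilities is this example's own choice, not one the page gives.

```go
package main

import (
	"strconv"
	"strings"
)

// Capability bits (linux/capability.h) that most often turn a container foothold into host access; a reviewer's subset.
var riskyCaps = map[uint]string{
	2: "CAP_DAC_READ_SEARCH", 12: "CAP_NET_ADMIN", 16: "CAP_SYS_MODULE",
	17: "CAP_SYS_RAWIO", 19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN",
}

// RiskyCapabilities parses the hex "CapEff:" bitmask in /proc/self/status text and
// names the risky capabilities set in it, in bit order. ok is false when the line is missing or malformed.
func RiskyCapabilities(status string) (names []string, ok bool) {
	for _, line := range strings.Split(status, "\n") {
		if !strings.HasPrefix(line, "CapEff:") {
			continue
		}
		mask, err := strconv.ParseUint(strings.TrimSpace(line[7:]), 16, 64)
		if err != nil {
			return nil, false
		}
		for bit := uint(0); bit < 64; bit++ {
			if name, set := riskyCaps[bit]; set && mask&(1<<bit) != 0 {
				names = append(names, name)
			}
		}
		return names, true
	}
	return nil, false
}

// SensitiveMounts scans /proc/self/mounts text ("dev mountpoint fstype opts ...") for the
// Docker socket and a Kubernetes service-account token: one hands a process the host, the other the cluster.
func SensitiveMounts(mounts string) []string {
	var hits []string
	for _, line := range strings.Split(mounts, "\n") {
		f := strings.Fields(line)
		switch {
		case len(f) < 4:
		case strings.HasSuffix(f[1], "docker.sock"):
			hits = append(hits, "docker socket: "+f[1])
		case strings.Contains(f[1], "kubernetes.io/serviceaccount"):
			hits = append(hits, "service-account token: "+f[1])
		}
	}
	return hits
}
```

An empty result from both functions on a given workload means that workload would not feed these three evaluate checks; a non-empty one is a hardening item (drop the capability, remove the mount, or set automountServiceAccountToken to false).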

Exploit Module

List all available exploits:

cdk run --list

Run targeted exploit:

cdk run <script-name> [options]

Tactic            | Technique                         | CDK Exploit Name       | Supported | Doc
------------------+-----------------------------------+------------------------+-----------+-----
Escaping          | docker-runc CVE-2019-5736         | runc-pwn               | ✔         |
Escaping          | docker-cp CVE-2019-14271          |                        |           |
Escaping          | containerd-shim CVE-2020-15257    | shim-pwn               | ✔         | link
Escaping          | dirtycow CVE-2016-5159            |                        |           |
Escaping          | docker.sock PoC (DIND attack)     | docker-sock-check      | ✔         | link
Escaping          | docker.sock Backdoor Image Deploy | docker-sock-deploy     | ✔         | link
Escaping          | Device Mount Escaping             | mount-disk             | ✔         | link
Escaping          | Cgroups Escaping                  | mount-cgroup           | ✔         | link
Escaping          | Procfs Escaping                   | mount-procfs           | ✔         | link
Escaping          | Ptrace Escaping PoC               | check-ptrace           | ✔         | link
Discovery         | K8s Component Probe               | service-probe          | ✔         | link
Discovery         | Dump Istio Sidecar Meta           | istio-check            | ✔         | link
Lateral Movement  | K8s Service Account Control       |                        |           |
Lateral Movement  | Attack K8s api-server             |                        |           |
Lateral Movement  | Attack K8s Kubelet                |                        |           |
Lateral Movement  | Attack K8s Dashboard              |                        |           |
Lateral Movement  | Attack K8s Helm                   |                        |           |
Lateral Movement  | Attack K8s Etcd                   |                        |           |
Lateral Movement  | Attack Private Docker Registry    |                        |           |
Remote Control    | Reverse Shell                     | reverse-shell          | ✔         | link
Credential Access | Access Key Scanning               | ak-leakage             | ✔         | link
Credential Access | Dump K8s Secrets                  | k8s-secret-dump        | ✔         | link
Credential Access | Dump K8s Config                   | k8s-configmap-dump     | ✔         | link
Persistence       | Deploy WebShell                   |                        |           |
Persistence       | Deploy Backdoor Pod               | k8s-backdoor-daemonset | ✔         | link
Persistence       | Deploy Shadow K8s api-server      | k8s-shadow-apiserver   | ✔         | link
Persistence       | K8s MITM Attack (CVE-2020-8554)   | k8s-mitm-clusterip     | ✔         | link
Persistence       | Deploy K8s CronJob                |                        |           |
Defense Evasion   | Disable K8s Audit                 |                        |           |

Tool Module

These run like the corresponding Linux commands, with small differences in the input arguments; see the usage link for each.

cdk nc [options]
cdk ps

Command  | Description                    | Supported | Usage/Example
---------+--------------------------------+-----------+--------------
nc       | TCP Tunnel                     | ✔         | link
ps       | Process Information            | ✔         | link
ifconfig | Network Information            | ✔         | link
vi       | Edit Files                     | ✔         | link
kcurl    | Request to K8s api-server      | ✔         | link
dcurl    | Request to Docker HTTP API     |           |
ucurl    | Request to Docker Unix Socket  | ✔         | link
rcurl    | Request to Docker Registry API |           |
probe    | IP/Port Scanning               | ✔         | link

Developer Docs

TODO

  1. Echo loader for delivering CDK into the target container via Web RCE.
  2. EDR defense evasion.
  3. Compile optimization.
  4. Dev docs.
