Blackhat.az

Loading...

Blackhat.az

Register

Cyber Security - Exploitation - Hacking - Pentest - Hacking tools - 03 September 2021

CDK – Zero Dependency Container Penetration Toolkit

CDK - Zero Dependency Container Penetration Toolkit

 

CDK is an open-sourced container penetration toolkit, designed for offering stable exploitation in different slimmed containers without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs helps you to escape container and takeover K8s cluster easily.

Currently still under development, submit issues or mail i@cdxy.me if you need any help.

Installation

Download latest release in: https://github.com/cdk-team/CDK/releases/

Drop executable files into target container and start testing.

Usage

Usage:
  cdk evaluate [--full]
  cdk run (--list | <exploit> [<args>...])
  cdk auto-escape <cmd>
  cdk <tool> [<args>...]
Evaluate:
cdk evaluate Gather information to find weakness inside container.
cdk evaluate --full Enable file scan during information gathering.

Exploit:
cdk run --list List all available exploits.
cdk run <exploit> [<args>...] Run single exploit, docs in https://github.com/cdk-team/CDK/wiki
Auto Escape:
cdk auto-escape <cmd> Escape container in different ways then let target execute <cmd>.
Tool:
vi <file> Edit files in container like "vi" command.
ps Show process information like "ps -ef" command.
nc [options] Create TCP tunnel.
ifconfig Show network information.
kcurl <path> (get|post) <uri> <data> Make request to K8s api-server.
ucurl (get|post) <socket> <uri> <data> Make request to docker unix socket.
probe <ip> <port> <parallel> <timeout-ms> TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000
Options:
-h --help Show this help msg.
-v --version Show version.

Features

CDK have three modules:

  1. Evaluate: gather information inside container to find potential weakness.
  2. Exploit: for container escaping, persistance and lateral movement
  3. Tool: network-tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management.

Evaluate Module

Usage

cdk evaluate [--full]

This command will run the scripts below without local file scanning, using --full to enable all.

TacticsScriptSupportedUsage/Example
Information GatheringOS Basic Info
link
Information GatheringAvailable Capabilities
link
Information GatheringAvailable Linux Commands
link
Information GatheringMounts
link
Information GatheringNet Namespace
link
Information GatheringSensitive ENV
link
Information GatheringSensitive Process
link
Information GatheringSensitive Local Files
link
DiscoveryK8s Api-server Info
link
DiscoveryK8s Service-account Info
link
DiscoveryCloud Provider Metadata API
link

Exploit Module

List all available exploits:

cdk run --list

Run targeted exploit:

cdk run <script-name> [options]
TacticTechniqueCDK Exploit NameSupportedDoc
Escapingdocker-runc CVE-2019-5736runc-pwn
Escapingdocker-cp CVE-2019-14271
Escapingcontainerd-shim CVE-2020-15257shim-pwn
link
Escapingdirtycow CVE-2016-5159
Escapingdocker.sock PoC (DIND attack)docker-sock-check
link
Escapingdocker.sock Backdoor Image Deploydocker-sock-deploy
link
EscapingDevice Mount Escapingmount-disk
link
EscapingCgroups Escapingmount-cgroup
link
EscapingProcfs Escapingmount-procfs
link
EscapingPtrace Escaping PoCcheck-ptrace
link
DiscoveryK8s Component Probeservice-probe
link
DiscoveryDump Istio Sidecar Metaistio-check
link
Lateral MovementK8s Service Account Control
Lateral MovementAttack K8s api-server
Lateral MovementAttack K8s Kubelet
Lateral MovementAttack K8s Dashboard
Lateral MovementAttack K8s Helm
Lateral MovementAttack K8s Etcd
Lateral MovementAttack Private Docker Registry
Remote ControlReverse Shellreverse-shell
link
Credential AccessAccess Key Scanningak-leakage
link
Credential AccessDump K8s Secretsk8s-secret-dump
link
Credential AccessDump K8s Configk8s-configmap-dump
link
PersistenceDeploy WebShell
PersistenceDeploy Backdoor Podk8s-backdoor-daemonset
link
PersistenceDeploy Shadow K8s api-serverk8s-shadow-apiserver
link
PersistenceK8s MITM Attack (CVE-2020-8554)k8s-mitm-clusterip
link
PersistenceDeploy K8s CronJob
Defense EvasionDisable K8s Audit

Tool Module

Running commands like in Linux, little different in input-args, see the usage link.

cdk nc [options]
cdk ps
CommandDescriptionSupportedUsage/Example
ncTCP Tunnel
link
psProcess Information
link
ifconfigNetwork Information
link
viEdit Files
link
kcurlRequest to K8s api-server
link
dcurlRequest to Docker HTTP API
ucurlRequest to Docker Unix Socket
link
rcurlRequest to Docker Registry API
probeIP/Port Scanning
link

Developer Docs

TODO

  1. Echo loader for delivering CDK into target container via Web RCE.
  2. EDR defense evasion.
  3. Compile optimization.
  4. Dev docs