Merge pull request #103 from cdk-team/main-dev

[Exploit] Many commit from CDK Plus, for a better list of exploit
cdk-team · Aug 26, 2024 · 5a9cda1 · 5a9cda1
2 parents 306f3ce + 519f1d4
commit 5a9cda1
Show file tree

Hide file tree

Showing 51 changed files with 613 additions and 297 deletions.
diff --git a/.gitignore b/.gitignore
@@ -32,3 +32,5 @@ cmd/cdk/cdk
 .vscode/
 .chglog/
 __debug_bin
+
+/pkg/tool/kubectl/assets/
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/cdk-team/CDK
 
-go 1.15
+go 1.16
 
 require (
 	github.com/axgle/mahonia v0.0.0-20180208002826-3358181d7394

diff --git a/pkg/exploit/base/base.go b/pkg/exploit/base/base.go
@@ -0,0 +1,9 @@
+package base
+
+type BaseExploit struct {
+	ExploitType string
+}
+
+func (b BaseExploit) GetExploitType() string {
+	return b.ExploitType
+}
diff --git a/pkg/exploit/etcd_get_k8s_token.go → ...t/credential_access/etcd_get_k8s_token.go b/pkg/exploit/etcd_get_k8s_token.go → ...t/credential_access/etcd_get_k8s_token.go
@@ -17,7 +17,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package exploit
+package credential_access
 
 import (
 	"crypto/tls"
@@ -29,6 +29,8 @@ import (
 	"regexp"
 	"strings"
 
+	"github.com/cdk-team/CDK/pkg/exploit/base"
+
 	"github.com/cdk-team/CDK/pkg/cli"
 	"github.com/cdk-team/CDK/pkg/plugin"
 	"github.com/cdk-team/CDK/pkg/tool/etcdctl"
@@ -46,7 +48,7 @@ const (
 var k8sTokenPath = "/registry/secrets/kube-system/"
 
 // plugin interface
-type EtcdGetToken struct{}
+type EtcdGetToken struct{ base.BaseExploit }
 
 func (p EtcdGetToken) Desc() string {
 	var buffer strings.Builder
@@ -180,5 +182,6 @@ func getPods(token, endpoint string) (string, error) {
 
 func init() {
 	exploit := EtcdGetToken{}
+	exploit.ExploitType = "credential-access"
 	plugin.RegisterExploit("etcd-get-k8s-token", exploit)
 }
diff --git a/pkg/exploit/file_scan.go → pkg/exploit/credential_access/file_scan.go b/pkg/exploit/file_scan.go → pkg/exploit/credential_access/file_scan.go
@@ -1,6 +1,6 @@
+//go:build !no_file_scan
 // +build !no_file_scan
 
-
 /*
 Copyright 2022 The Authors of https://github.com/CDK-TEAM/CDK .
 
@@ -17,19 +17,22 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package exploit
+package credential_access
 
 import (
 	"fmt"
-	"github.com/cdk-team/CDK/conf"
-	"github.com/cdk-team/CDK/pkg/cli"
-	"github.com/cdk-team/CDK/pkg/plugin"
 	"io/ioutil"
 	"log"
 	"os"
 	"path/filepath"
 	"regexp"
 	"strings"
+
+	"github.com/cdk-team/CDK/pkg/exploit/base"
+
+	"github.com/cdk-team/CDK/conf"
+	"github.com/cdk-team/CDK/pkg/cli"
+	"github.com/cdk-team/CDK/pkg/plugin"
 )
 
 func SearchLocalFileText(StartDir string) {
@@ -82,7 +85,7 @@ func SearchLocalFileText(StartDir string) {
 }
 
 // plugin interface
-type FileScanS struct{}
+type FileScanS struct{ base.BaseExploit }
 
 func (p FileScanS) Desc() string {
 	return "search AK/Secrets from input dir, usage: cdk run ak-leakage <dir>"
@@ -101,5 +104,6 @@ func (p FileScanS) Run() bool {
 
 func init() {
 	exploit := FileScanS{}
+	exploit.ExploitType = "credential-access"
 	plugin.RegisterExploit("ak-leakage", exploit)
 }
diff --git a/pkg/exploit/file_scan_test.go → ...ploit/credential_access/file_scan_test.go b/pkg/exploit/file_scan_test.go → ...ploit/credential_access/file_scan_test.go
@@ -1,4 +1,3 @@
-
 /*
 Copyright 2022 The Authors of https://github.com/CDK-TEAM/CDK .
 
@@ -15,14 +14,15 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package exploit
+package credential_access
 
 import (
-	"github.com/stretchr/testify/assert"
 	"io/ioutil"
 	"os"
 	"regexp"
 	"testing"
+
+	"github.com/stretchr/testify/assert"
 )
 
 func captureStdout(f func()) string {

diff --git a/pkg/exploit/image_registry_brute.go → ...credential_access/image_registry_brute.go b/pkg/exploit/image_registry_brute.go → ...credential_access/image_registry_brute.go
@@ -1,6 +1,6 @@
+//go:build !no_image_registry_brute
 // +build !no_image_registry_brute
 
-
 /*
 Copyright 2022 The Authors of https://github.com/CDK-TEAM/CDK .
 
@@ -17,14 +17,16 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package exploit
+package credential_access
 
 import (
 	"fmt"
 	"log"
 	"net/http"
 	"strings"
 
+	"github.com/cdk-team/CDK/pkg/exploit/base"
+
 	b64 "encoding/base64"
 
 	"github.com/cdk-team/CDK/pkg/cli"
@@ -33,7 +35,7 @@ import (
 )
 
 // plugin interface
-type RegistryBruteS struct{}
+type RegistryBruteS struct{ base.BaseExploit }
 
 func (p RegistryBruteS) Desc() string {
 	return "To container image registry, brute force the accounts and passwords cracking. Usage: ./cdk registry-brute <registry-url> <username|file> <password|file>. Example: ./cdk registry-brute https://index.docker.io/ root,admin /tmp/passwordfile."
@@ -121,5 +123,6 @@ func (p RegistryBruteS) Run() bool {
 
 func init() {
 	exploit := RegistryBruteS{}
+	exploit.ExploitType = "credential-access"
 	plugin.RegisterExploit("registry-brute", exploit)
 }
diff --git a/pkg/exploit/image_registry_brute_test.go → ...ntial_access/image_registry_brute_test.go b/pkg/exploit/image_registry_brute_test.go → ...ntial_access/image_registry_brute_test.go
@@ -1,6 +1,6 @@
+//go:build !no_image_registry_brute
 // +build !no_image_registry_brute
 
-
 /*
 Copyright 2022 The Authors of https://github.com/CDK-TEAM/CDK .
 
@@ -17,7 +17,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package exploit
+package credential_access
 
 import (
 	"fmt"

diff --git a/pkg/exploit/k8s_configmap_dump.go → ...t/credential_access/k8s_configmap_dump.go b/pkg/exploit/k8s_configmap_dump.go → ...t/credential_access/k8s_configmap_dump.go
@@ -1,6 +1,6 @@
+//go:build !no_k8s_configmap_dump
 // +build !no_k8s_configmap_dump
 
-
 /*
 Copyright 2022 The Authors of https://github.com/CDK-TEAM/CDK .
 
@@ -17,17 +17,20 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package exploit
+package credential_access
 
 import (
 	"fmt"
+	"io/ioutil"
+	"log"
+	"strings"
+
+	"github.com/cdk-team/CDK/pkg/exploit/base"
+
 	"github.com/cdk-team/CDK/conf"
 	"github.com/cdk-team/CDK/pkg/cli"
 	"github.com/cdk-team/CDK/pkg/plugin"
 	"github.com/cdk-team/CDK/pkg/tool/kubectl"
-	"io/ioutil"
-	"log"
-	"strings"
 )
 
 var configmapApi = "/api/v1/configmaps"
@@ -72,7 +75,7 @@ func dumpK8sConfigmapAnonymous(serverAddr string) string {
 }
 
 // plugin interface
-type dumpK8sConfigmapS struct{}
+type dumpK8sConfigmapS struct{ base.BaseExploit }
 
 func (p dumpK8sConfigmapS) Desc() string {
 	return "try to dump K8s configmap in multiple ways, usage: cdk run k8s-configmap-dump (auto|<service-account-token-path>)"
@@ -135,5 +138,6 @@ func (p dumpK8sConfigmapS) Run() bool {
 
 func init() {
 	exploit := dumpK8sConfigmapS{}
+	exploit.ExploitType = "credential-access"
 	plugin.RegisterExploit("k8s-configmap-dump", exploit)
 }
diff --git a/pkg/exploit/k8s_secret_dump.go → ...loit/credential_access/k8s_secret_dump.go b/pkg/exploit/k8s_secret_dump.go → ...loit/credential_access/k8s_secret_dump.go
@@ -1,6 +1,6 @@
+//go:build !no_k8s_secret_dump
 // +build !no_k8s_secret_dump
 
-
 /*
 Copyright 2022 The Authors of https://github.com/CDK-TEAM/CDK .
 
@@ -17,17 +17,20 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package exploit
+package credential_access
 
 import (
 	"fmt"
+	"io/ioutil"
+	"log"
+	"strings"
+
+	"github.com/cdk-team/CDK/pkg/exploit/base"
+
 	"github.com/cdk-team/CDK/conf"
 	"github.com/cdk-team/CDK/pkg/cli"
 	"github.com/cdk-team/CDK/pkg/plugin"
 	"github.com/cdk-team/CDK/pkg/tool/kubectl"
-	"io/ioutil"
-	"log"
-	"strings"
 )
 
 var secretApi = "/api/v1/secrets"
@@ -67,7 +70,7 @@ func dumpK8sSecretsAnonymous(serverAddr string) string {
 }
 
 // plugin interface
-type K8sSecretsDumpS struct{}
+type K8sSecretsDumpS struct{ base.BaseExploit }
 
 func (p K8sSecretsDumpS) Desc() string {
 	return "try to dump K8s secret in multiple ways, usage: cdk run k8s-secret-dump (auto|<service-account-token-path>)"
@@ -129,5 +132,6 @@ func (p K8sSecretsDumpS) Run() bool {
 
 func init() {
 	exploit := K8sSecretsDumpS{}
+	exploit.ExploitType = "credential-access"
 	plugin.RegisterExploit("k8s-secret-dump", exploit)
 }
diff --git a/pkg/exploit/istio_check.go → pkg/exploit/discovery/istio_check.go b/pkg/exploit/istio_check.go → pkg/exploit/discovery/istio_check.go
@@ -1,6 +1,6 @@
+//go:build !no_istio_check
 // +build !no_istio_check
 
-
 /*
 Copyright 2022 The Authors of https://github.com/CDK-TEAM/CDK .
 
@@ -17,7 +17,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package exploit
+package discovery
 
 import (
 	"encoding/json"
@@ -26,11 +26,13 @@ import (
 	"net/http"
 	"strings"
 
+	"github.com/cdk-team/CDK/pkg/exploit/base"
+
 	"github.com/cdk-team/CDK/pkg/plugin"
 )
 
 // plugin interface
-type istioCheckS struct{}
+type istioCheckS struct{ base.BaseExploit }
 
 func (p istioCheckS) Desc() string {
 	return "Check was the shell in a istio(service mesh) network, please note that this feature will request http://httpbin.org/get. Usage: cdk run istio-check."
@@ -82,5 +84,6 @@ func (p istioCheckS) Run() bool {
 
 func init() {
 	exploit := istioCheckS{}
+	exploit.ExploitType = "discovery"
 	plugin.RegisterExploit("istio-check", exploit)
 }
diff --git a/pkg/exploit/k8s_cluster_info.go → pkg/exploit/discovery/k8s_cluster_info.go b/pkg/exploit/k8s_cluster_info.go → pkg/exploit/discovery/k8s_cluster_info.go
@@ -1,4 +1,3 @@
-
 /*
 Copyright 2022 The Authors of https://github.com/CDK-TEAM/CDK .
 
@@ -15,14 +14,16 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package exploit
+package discovery
 
 import (
 	"fmt"
-	"github.com/cdk-team/CDK/pkg/tool/kubectl"
 	"log"
+
+	"github.com/cdk-team/CDK/pkg/tool/kubectl"
 )
 
+var configmapApi = "/api/v1/configmaps"
 
 func GetNamespaces(serverAddr string) string {
 	log.Println("requesting ", configmapApi)
@@ -58,4 +59,4 @@ func GetNodes(serverAddr string) string {
 	}
 
 	return resp
-}
+}
diff --git a/pkg/exploit/k8s_psp_dump.go → pkg/exploit/discovery/k8s_psp_dump.go b/pkg/exploit/k8s_psp_dump.go → pkg/exploit/discovery/k8s_psp_dump.go
@@ -1,4 +1,3 @@
-
 /*
 Copyright 2022 The Authors of https://github.com/CDK-TEAM/CDK .
 
@@ -15,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package exploit
+package discovery
 
 import (
 	"fmt"
@@ -24,6 +23,8 @@ import (
 	"regexp"
 	"strings"
 
+	"github.com/cdk-team/CDK/pkg/exploit/base"
+
 	"github.com/cdk-team/CDK/conf"
 	"github.com/cdk-team/CDK/pkg/cli"
 	"github.com/cdk-team/CDK/pkg/plugin"
@@ -281,7 +282,7 @@ var podData = `{
 }`
 
 // plugin interface
-type K8SPodSecurityPolicy struct{}
+type K8SPodSecurityPolicy struct{ base.BaseExploit }
 
 func (p K8SPodSecurityPolicy) Desc() string {
 	return "Dump K8S Pod Security Policies and try, usage: cdk run k8s-psp-dump (auto|<service-account-token-path>)"
@@ -399,5 +400,6 @@ func (p K8SPodSecurityPolicy) Run() bool {
 
 func init() {
 	exploit := K8SPodSecurityPolicy{}
+	exploit.ExploitType = "discovery"
 	plugin.RegisterExploit("k8s-psp-dump", exploit)
 }