refactor(eva): registry and expose profile selection

Author: neargle

README.md

@@ -63,21 +63,19 @@ chmod a+x cdk
 ## Usage
 ```
 Usage:
-  cdk evaluate [--full]
+  cdk evaluate [--full] [--profile=<name>]
   cdk run (--list | <exploit> [<args>...])
   cdk <tool> [<args>...]
 
 Evaluate:
   cdk evaluate                              Gather information to find weakness inside container.
   cdk evaluate --full                       Enable file scan during information gathering.
+  cdk evaluate --profile=<name>             Run a specific evaluation profile (basic, extended, additional).
 
 Exploit:
   cdk run --list                            List all available exploits.
   cdk run <exploit> [<args>...]             Run single exploit, docs in https://github.com/cdk-team/CDK/wiki
 
-Auto Escape:
-  cdk auto-escape <cmd>                     Escape container in different ways then let target execute <cmd>.
-
 Tool:
   vi <file>                                 Edit files in container like "vi" command.
   ps                                        Show process information like "ps -ef" command.
@@ -91,6 +89,7 @@ Tool:
 Options:
   -h --help     Show this help msg.
   -v --version  Show version.
+  --profile=<name> Select evaluation profile.
 ```
 
 ## Features
@@ -105,9 +104,9 @@ CDK has three modules:
 
 Usage
 ```
-cdk evaluate [--full]
+cdk evaluate [--full] [--profile=<name>]
 ```
-This command will run the scripts below without local file scanning, using `--full` to enable all.
+This command runs the baseline profile by default. Use `--full` (alias for `--profile=extended`) to include file-system checks, or pick a specific profile with `--profile=basic`, `--profile=additional`, or `--profile=extended`.
 
 |Tactics|Script|Supported|Usage/Example|
 |---|---|---|---|
@@ -264,4 +263,3 @@ Project CDK is now included in 404Team [Starlink Project 2.0](https://github.com
 ### Kubernetes community Days 2021 
 
 - [https://community.cncf.io/events/details/cncf-kcd-china-presents-kubernetes-community-days-china/](https://community.cncf.io/events/details/cncf-kcd-china-presents-kubernetes-community-days-china/)
-

pkg/cli/banner.go

@@ -39,10 +39,10 @@ Find tutorial, configuration and use-case in https://github.com/cdk-team/CDK/
 
 var BannerContainerTpl = BannerHeader + `
 %s
-  cdk evaluate [--full]
-  cdk eva [--full]
+  cdk eva
+  cdk eva --full
+  cdk evaluate [--full] [--profile=<name>]
   cdk run (--list | <exploit> [<args>...])
-  cdk auto-escape <cmd>
   cdk <tool> [<args>...]
 
 %s
@@ -54,7 +54,6 @@ var BannerContainerTpl = BannerHeader + `
 %s
   cdk run --list                            List all available exploits.
   cdk run <exploit> [<args>...]             Run single exploit, docs in https://github.com/cdk-team/CDK/wiki
-  cdk auto-escape <cmd>                     Escape container in different ways then let target execute <cmd>.
 
 %s
   vi <file>                                 Edit files in container like "vi" command.
@@ -70,6 +69,7 @@ var BannerContainerTpl = BannerHeader + `
 %s
   -h --help     Show this help msg.
   -v --version  Show version.
+  --profile=<name> Select evaluation profile (basic, extended, additional).
 `
 
 // BannerContainer is the banner of CDK command line with colorful.

pkg/cli/parse.go

@@ -59,10 +59,12 @@ func ParseCDKMain() bool {
 	// docopt argparse start
 	parseDocopt()
 
-	if Args["auto-escape"].(bool) {
-		plugin.RunSingleTask("auto-escape")
-		return true
-	}
+	// delete auto-escape
+
+	// if Args["auto-escape"].(bool) {
+	// 	plugin.RunSingleTask("auto-escape")
+	// 	return true
+	// }
 
 	// support for cdk eva(Evangelion) and cdk evaluate
 	fok := Args["evaluate"]
@@ -73,10 +75,17 @@ func ParseCDKMain() bool {
 	if ok.(bool) || fok.(bool) {
 
 		fmt.Printf(BannerHeader)
-		evaluate.CallBasics()
-
-		if Args["--full"].(bool) {
-			evaluate.CallAddedFunc()
+		profileID := evaluate.ProfileBasic
+		if rawProfile, ok := Args["--profile"]; ok {
+			if v, ok := rawProfile.(string); ok && v != "" {
+				profileID = v
+			}
+		}
+		if profileID == evaluate.ProfileBasic && Args["--full"].(bool) {
+			profileID = evaluate.ProfileExtended
+		}
+		if err := evaluate.NewEvaluator().RunProfile(profileID, nil); err != nil {
+			log.Printf("evaluate profile %q failed: %v", profileID, err)
 		}
 		return true
 	}

pkg/cli/parse_test.go

@@ -64,6 +64,11 @@ func TestParseCDKMain(t *testing.T) {
 			args:       []string{"./cdk_cli_path", "eva"},
 			successStr: "current user",
 		},
+		{
+			name:       "./cdk eva --profile=additional",
+			args:       []string{"./cdk_cli_path", "eva", "--profile=additional"},
+			successStr: "randomize_va_space",
+		},
 		{
 			name:       "./cdk run test-poc",
 			args:       []string{"./cdk_cli_path", "run", "test-poc"},

pkg/evaluate/available_linux_capabilities.go

@@ -100,3 +100,14 @@ func getAddCaps(currentCaps []string) []string {
 	}
 	return addCaps
 }
+
+func init() {
+	RegisterSimpleCheck(
+		CategoryCommands,
+		"commands.capabilities",
+		"Inspect process capabilities",
+		func() {
+			GetProcCapabilities()
+		},
+	)
+}

pkg/evaluate/available_linux_commands.go

@@ -33,3 +33,7 @@ func SearchAvailableCommands() {
 	}
 	log.Printf("available commands:\n\t%s\n", strings.Join(ans, ","))
 }
+
+func init() {
+	RegisterSimpleCheck(CategoryCommands, "commands.available", "Enumerate available commands", SearchAvailableCommands)
+}

pkg/evaluate/categories.go

@@ -0,0 +1,88 @@
+package evaluate
+
+var (
+	CategorySystemInfo = CategorySpec{
+		ID:              "information.system",
+		Title:           "Information Gathering - System Info",
+		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
+		Order:           100,
+	}
+	CategoryServices = CategorySpec{
+		ID:              "information.services",
+		Title:           "Information Gathering - Services",
+		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
+		Order:           200,
+	}
+	CategoryCommands = CategorySpec{
+		ID:              "information.commands",
+		Title:           "Information Gathering - Commands and Capabilities",
+		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
+		Order:           300,
+	}
+	CategoryMounts = CategorySpec{
+		ID:              "information.mounts",
+		Title:           "Information Gathering - Mounts",
+		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
+		Order:           400,
+	}
+	CategoryNetNamespace = CategorySpec{
+		ID:              "information.netns",
+		Title:           "Information Gathering - Net Namespace",
+		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
+		Order:           500,
+	}
+	CategorySysctl = CategorySpec{
+		ID:              "information.sysctl",
+		Title:           "Information Gathering - Sysctl Variables",
+		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
+		Order:           600,
+	}
+	CategoryDNS = CategorySpec{
+		ID:              "information.dns",
+		Title:           "Information Gathering - DNS-Based Service Discovery",
+		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
+		Order:           700,
+	}
+	CategoryK8sAPIServer = CategorySpec{
+		ID:              "discovery.k8s_api",
+		Title:           "Discovery - K8s API Server",
+		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
+		Order:           800,
+	}
+	CategoryK8sServiceAccount = CategorySpec{
+		ID:              "discovery.k8s_sa",
+		Title:           "Discovery - K8s Service Account",
+		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
+		Order:           900,
+	}
+	CategoryCloudMetadata = CategorySpec{
+		ID:              "discovery.cloud_metadata",
+		Title:           "Discovery - Cloud Provider Metadata API",
+		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
+		Order:           1000,
+	}
+	CategoryKernel = CategorySpec{
+		ID:              "exploit.kernel",
+		Title:           "Exploit Pre - Kernel Exploits",
+		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
+		Order:           1100,
+	}
+	CategorySensitiveFiles = CategorySpec{
+		ID:              "information.sensitive_files",
+		Title:           "Information Gathering - Sensitive Files",
+		DefaultProfiles: []string{ProfileExtended, ProfileAdditional},
+		Order:           1200,
+	}
+	CategoryASLR = CategorySpec{
+		ID:              "information.aslr",
+		Title:           "Information Gathering - ASLR",
+		DefaultProfiles: []string{ProfileExtended, ProfileAdditional},
+		Order:           1300,
+	}
+	CategoryCgroups = CategorySpec{
+		ID:              "information.cgroups",
+		Title:           "Information Gathering - Cgroups",
+		DefaultProfiles: []string{ProfileExtended, ProfileAdditional},
+		Order:           1400,
+	}
+)

pkg/evaluate/cgroups.go

@@ -53,3 +53,7 @@ func DumpCgroup() {
 	}
 
 }
+
+func init() {
+	RegisterSimpleCheck(CategoryCgroups, "cgroups.dump", "Dump cgroup configuration", DumpCgroup)
+}

pkg/evaluate/check_mount_escape.go

@@ -67,3 +67,7 @@ func MountEscape() {
 
 	}
 }
+
+func init() {
+	RegisterSimpleCheck(CategoryMounts, "mounts.escape", "Inspect mount escape opportunities", MountEscape)
+}

pkg/evaluate/cloud_metadata_api.go

@@ -43,3 +43,7 @@ func CheckCloudMetadataAPI() {
 		}
 	}
 }
+
+func init() {
+	RegisterSimpleCheck(CategoryCloudMetadata, "cloud.metadata_api", "Probe cloud metadata API endpoints", CheckCloudMetadataAPI)
+}