refactor(eva): registry and expose profile selection

.gitignore

@@ -36,3 +36,4 @@ __debug_bin
 /pkg/tool/kubectl/assets/
 
 /cdk
+.cache/

README.md

@@ -75,9 +75,6 @@ Exploit:
   cdk run --list                            List all available exploits.
   cdk run <exploit> [<args>...]             Run single exploit, docs in https://github.com/cdk-team/CDK/wiki
 
-Auto Escape:
-  cdk auto-escape <cmd>                     Escape container in different ways then let target execute <cmd>.
-
 Tool:
   vi <file>                                 Edit files in container like "vi" command.
   ps                                        Show process information like "ps -ef" command.
@@ -91,6 +88,7 @@ Tool:
 Options:
   -h --help     Show this help msg.
   -v --version  Show version.
+  --profile=<name> Select evaluation profile.
 ```
 
 ## Features
@@ -107,7 +105,6 @@ Usage
 ```
 cdk evaluate [--full]
 ```
-This command will run the scripts below without local file scanning, using `--full` to enable all.
 
 |Tactics|Script|Supported|Usage/Example|
 |---|---|---|---|
@@ -264,4 +261,3 @@ Project CDK is now included in 404Team [Starlink Project 2.0](https://github.com
 ### Kubernetes community Days 2021 
 
 - [https://community.cncf.io/events/details/cncf-kcd-china-presents-kubernetes-community-days-china/](https://community.cncf.io/events/details/cncf-kcd-china-presents-kubernetes-community-days-china/)
-

conf/evaluate_conf.go

@@ -115,6 +115,12 @@ type cloudAPIS struct {
 }
 
 var CloudAPI = []cloudAPIS{
+	{
+		CloudProvider: "Volcano Engine (Volcengine)",
+		API:           "http://100.96.0.96/latest",
+		ResponseMatch: "instance",
+		DocURL:        "https://www.volcengine.com/docs/6396/113780",
+	},
 	{
 		CloudProvider: "Alibaba Cloud",
 		API:           "http://100.100.100.200/latest/meta-data/",

pkg/cli/banner.go

@@ -39,10 +39,10 @@ Find tutorial, configuration and use-case in https://github.com/cdk-team/CDK/
 
 var BannerContainerTpl = BannerHeader + `
 %s
+  cdk eva
+  cdk eva --full
   cdk evaluate [--full]
-  cdk eva [--full]
   cdk run (--list | <exploit> [<args>...])
-  cdk auto-escape <cmd>
   cdk <tool> [<args>...]
 
 %s
@@ -54,7 +54,6 @@ var BannerContainerTpl = BannerHeader + `
 %s
   cdk run --list                            List all available exploits.
   cdk run <exploit> [<args>...]             Run single exploit, docs in https://github.com/cdk-team/CDK/wiki
-  cdk auto-escape <cmd>                     Escape container in different ways then let target execute <cmd>.
 
 %s
   vi <file>                                 Edit files in container like "vi" command.
@@ -70,6 +69,7 @@ var BannerContainerTpl = BannerHeader + `
 %s
   -h --help     Show this help msg.
   -v --version  Show version.
+  --profile=<name> Select evaluation profile (basic, extended, additional).
 `
 
 // BannerContainer is the banner of CDK command line with colorful.

pkg/cli/parse.go

@@ -59,10 +59,12 @@ func ParseCDKMain() bool {
 	// docopt argparse start
 	parseDocopt()
 
-	if Args["auto-escape"].(bool) {
-		plugin.RunSingleTask("auto-escape")
-		return true
-	}
+	// delete auto-escape
+
+	// if Args["auto-escape"].(bool) {
+	// 	plugin.RunSingleTask("auto-escape")
+	// 	return true
+	// }
 
 	// support for cdk eva(Evangelion) and cdk evaluate
 	fok := Args["evaluate"]
@@ -73,10 +75,17 @@ func ParseCDKMain() bool {
 	if ok.(bool) || fok.(bool) {
 
 		fmt.Printf(BannerHeader)
-		evaluate.CallBasics()
-
-		if Args["--full"].(bool) {
-			evaluate.CallAddedFunc()
+		profileID := evaluate.ProfileBasic
+		if rawProfile, ok := Args["--profile"]; ok {
+			if v, ok := rawProfile.(string); ok && v != "" {
+				profileID = v
+			}
+		}
+		if profileID == evaluate.ProfileBasic && Args["--full"].(bool) {
+			profileID = evaluate.ProfileExtended
+		}
+		if err := evaluate.NewEvaluator().RunProfile(profileID, nil); err != nil {
+			log.Printf("evaluate profile %q failed: %v", profileID, err)
 		}
 		return true
 	}

pkg/cli/parse_test.go

@@ -34,6 +34,8 @@ type testArgsCase struct {
 	successStr string
 }
 
+const parseTimeout = 5 * time.Second
+
 func doParseCDKMainWithTimeout() {
 
 	result := make(chan bool, 1)
@@ -43,8 +45,8 @@ func doParseCDKMainWithTimeout() {
 	}()
 
 	select {
-	case <-time.After(time.Second * 2):
-		log.Println("check run ok, timeout in 2s, and return.")
+	case <-time.After(parseTimeout):
+		log.Printf("check run ok, timeout reached in %s, and return.", parseTimeout)
 		return
 	case <-result:
 		return
@@ -64,6 +66,11 @@ func TestParseCDKMain(t *testing.T) {
 			args:       []string{"./cdk_cli_path", "eva"},
 			successStr: "current user",
 		},
+		// {
+		// 	name:       "./cdk eva --profile=additional",
+		// 	args:       []string{"./cdk_cli_path", "eva", "--profile=additional"},
+		// 	successStr: "randomize_va_space",
+		// },
 		{
 			name:       "./cdk run test-poc",
 			args:       []string{"./cdk_cli_path", "run", "test-poc"},

pkg/evaluate/available_linux_capabilities.go

@@ -100,3 +100,14 @@ func getAddCaps(currentCaps []string) []string {
 	}
 	return addCaps
 }
+
+func init() {
+	RegisterSimpleCheck(
+		CategoryCommands,
+		"commands.capabilities",
+		"Inspect process capabilities",
+		func() {
+			GetProcCapabilities()
+		},
+	)
+}

pkg/evaluate/available_linux_commands.go

@@ -33,3 +33,7 @@ func SearchAvailableCommands() {
 	}
 	log.Printf("available commands:\n\t%s\n", strings.Join(ans, ","))
 }
+
+func init() {
+	RegisterSimpleCheck(CategoryCommands, "commands.available", "Enumerate available commands", SearchAvailableCommands)
+}

pkg/evaluate/categories.go

@@ -0,0 +1,88 @@
+package evaluate
+
+var (
+	CategorySystemInfo = CategorySpec{
+		ID:              "information.system",
+		Title:           "Information Gathering - System Info",
+		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
+		Order:           100,
+	}
+	CategoryServices = CategorySpec{
+		ID:              "information.services",
+		Title:           "Information Gathering - Services",
+		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
+		Order:           200,
+	}
+	CategoryCommands = CategorySpec{
+		ID:              "information.commands",
+		Title:           "Information Gathering - Commands and Capabilities",
+		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
+		Order:           300,
+	}
+	CategoryMounts = CategorySpec{
+		ID:              "information.mounts",
+		Title:           "Information Gathering - Mounts",
+		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
+		Order:           400,
+	}
+	CategoryNetNamespace = CategorySpec{
+		ID:              "information.netns",
+		Title:           "Information Gathering - Net Namespace",
+		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
+		Order:           500,
+	}
+	CategorySysctl = CategorySpec{
+		ID:              "information.sysctl",
+		Title:           "Information Gathering - Sysctl Variables",
+		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
+		Order:           600,
+	}
+	CategoryDNS = CategorySpec{
+		ID:              "information.dns",
+		Title:           "Information Gathering - DNS-Based Service Discovery",
+		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
+		Order:           700,
+	}
+	CategoryK8sAPIServer = CategorySpec{
+		ID:              "discovery.k8s_api",
+		Title:           "Discovery - K8s API Server",
+		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
+		Order:           800,
+	}
+	CategoryK8sServiceAccount = CategorySpec{
+		ID:              "discovery.k8s_sa",
+		Title:           "Discovery - K8s Service Account",
+		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
+		Order:           900,
+	}
+	CategoryCloudMetadata = CategorySpec{
+		ID:              "discovery.cloud_metadata",
+		Title:           "Discovery - Cloud Provider Metadata API",
+		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
+		Order:           1000,
+	}
+	CategoryKernel = CategorySpec{
+		ID:              "exploit.kernel",
+		Title:           "Exploit Pre - Kernel Exploits",
+		DefaultProfiles: []string{ProfileBasic, ProfileExtended},
+		Order:           1100,
+	}
+	CategorySensitiveFiles = CategorySpec{
+		ID:              "information.sensitive_files",
+		Title:           "Information Gathering - Sensitive Files",
+		DefaultProfiles: []string{ProfileExtended, ProfileAdditional},
+		Order:           1200,
+	}
+	CategoryASLR = CategorySpec{
+		ID:              "information.aslr",
+		Title:           "Information Gathering - ASLR",
+		DefaultProfiles: []string{ProfileExtended, ProfileAdditional},
+		Order:           1300,
+	}
+	CategoryCgroups = CategorySpec{
+		ID:              "information.cgroups",
+		Title:           "Information Gathering - Cgroups",
+		DefaultProfiles: []string{ProfileExtended, ProfileAdditional},
+		Order:           1400,
+	}
+)

pkg/evaluate/cgroups.go

@@ -53,3 +53,7 @@ func DumpCgroup() {
 	}
 
 }
+
+func init() {
+	RegisterSimpleCheck(CategoryCgroups, "cgroups.dump", "Dump cgroup configuration", DumpCgroup)
+}

pkg/evaluate/check_mount_escape.go

@@ -67,3 +67,7 @@ func MountEscape() {
 
 	}
 }
+
+func init() {
+	RegisterSimpleCheck(CategoryMounts, "mounts.escape", "Inspect mount escape opportunities", MountEscape)
+}

pkg/evaluate/cloud_metadata_api.go

@@ -43,3 +43,7 @@ func CheckCloudMetadataAPI() {
 		}
 	}
 }
+
+func init() {
+	RegisterSimpleCheck(CategoryCloudMetadata, "cloud.metadata_api", "Probe cloud metadata API endpoints", CheckCloudMetadataAPI)
+}