Better eva - feat(evaluate): support check setuid files in path (#67)

* perf(capabilities): red color for add caps

* perf(eva): a nice head 2 of title

* feat(evaluate): support check setuid files in path

* perf(eva): move call function from cli/parse to evaluate/evaluate

Co-authored-by: neargle <[email protected]>

Author: neargle

conf/evaluate_conf.go

@@ -61,6 +61,18 @@ var LinuxCommandChecklist = []string{
 	"ruby",
 }
 
+var DefaultPathEnv = []string{
+	"/usr/local/sbin",
+	"/usr/local/bin",
+	"/usr/sbin",
+	"/usr/bin",
+	"/sbin",
+	"/bin",
+	"/usr/games",
+	"/usr/local/games",
+	"/snap/bin",
+}
+
 // match ENV to find useful service
 var SensitiveEnvRegex = "(?i)\\bssh_|k8s|kubernetes|docker|gopath"
 

pkg/cli/banner.go

@@ -34,7 +34,7 @@ var BannerVersion = fmt.Sprintf("%s %s", "CDK Version(GitCommit):", GitCommit)
 var BannerHeader = fmt.Sprintf(`%s
 %s
 Zero-dependency cloudnative k8s/docker/serverless penetration toolkit by cdxy & neargle
-Find tutorial, configuration and use-case in https://github.com/cdk-team/CDK/wiki
+Find tutorial, configuration and use-case in https://github.com/cdk-team/CDK/
 `, util.GreenBold.Sprint(BannerTitle), BannerVersion)
 
 var BannerContainerTpl = BannerHeader + `

pkg/cli/parse.go

@@ -19,7 +19,6 @@ package cli
 import (
 	"fmt"
 
-	"github.com/cdk-team/CDK/conf"
 	"github.com/cdk-team/CDK/pkg/evaluate"
 	"github.com/cdk-team/CDK/pkg/plugin"
 	"github.com/cdk-team/CDK/pkg/tool/dockerd_api"
@@ -72,49 +71,11 @@ func ParseCDKMain() bool {
 	// fix #37 https://github.com/cdk-team/CDK/issues/37
 	if ok.(bool) || fok.(bool) {
 
-		fmt.Printf("\n[Information Gathering - System Info]\n")
-		evaluate.BasicSysInfo()
-
-		fmt.Printf("\n[Information Gathering - Services]\n")
-		evaluate.SearchSensitiveEnv()
-		evaluate.SearchSensitiveService()
-
-		fmt.Printf("\n[Information Gathering - Commands and Capabilities]\n")
-		evaluate.SearchAvailableCommands()
-		evaluate.GetProcCapabilities()
-
-		fmt.Printf("\n[Information Gathering - Mounts]\n")
-		evaluate.MountEscape()
-
-		fmt.Printf("\n[Information Gathering - Net Namespace]\n")
-		evaluate.CheckNetNamespace()
-
-		fmt.Printf("\n[Information Gathering - Sysctl Variables]\n")
-		evaluate.CheckRouteLocalNetworkValue()
-
-		fmt.Printf("\n[Discovery - K8s API Server]\n")
-		evaluate.CheckK8sAnonymousLogin()
-
-		fmt.Printf("\n[Discovery - K8s Service Account]\n")
-		evaluate.CheckPrivilegedK8sServiceAccount(conf.K8sSATokenDefaultPath)
-
-		fmt.Printf("\n[Discovery - Cloud Provider Metadata API]\n")
-		evaluate.CheckCloudMetadataAPI()
-
-		fmt.Printf("\n[Information Gathering - DNS-Based Service Discovery]\n")
-		evaluate.DNSBasedServiceDiscovery()
+		fmt.Printf(BannerHeader)
+		evaluate.CallBasics()
 
 		if Args["--full"].(bool) {
-
-			fmt.Printf("\n[Information Gathering - Sensitive Files]\n")
-			evaluate.SearchLocalFilePath()
-
-			fmt.Printf("\n[Information Gathering - ASLR]\n")
-			evaluate.ASLR()
-
-			fmt.Printf("\n[Information Gathering - Cgroups]\n")
-			evaluate.DumpCgroup()
-
+			evaluate.CallAddedFunc()
 		}
 		return true
 	}

pkg/evaluate/available_linux_capabilities.go

@@ -59,7 +59,11 @@ func GetProcCapabilities() bool {
 			caps, err := capability.CapHexParser(capStr)
 
 			fmt.Printf("\tCap decode: 0x%s = %s\n", capStr, capability.CapListToString(caps))
-			fmt.Printf("\tAdd capability list: %s\n", capability.CapListToString(getAddCaps(caps)))
+
+			addCaps := getAddCaps(caps)
+			if len(addCaps) > 0 {
+				util.RedBold.Printf("\tAdded capability list: %s\n", capability.CapListToString(addCaps))
+			}
 
 			if err != nil {
 				log.Printf("[-] capability.CapHexParser: %v\n", err)

pkg/evaluate/evaluate.go

@@ -0,0 +1,69 @@
+/*
+Copyright 2022 The Authors of https://github.com/CDK-TEAM/CDK .
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package evaluate
+
+import (
+	"github.com/cdk-team/CDK/pkg/util"
+	"github.com/cdk-team/CDK/conf"
+)
+
+// CallBasics is a function to call basic functions
+func CallBasics() {
+	util.PrintH2("Information Gathering - System Info")
+	BasicSysInfo()
+	FindSidFiles()
+
+	util.PrintH2("Information Gathering - Services")
+	SearchSensitiveEnv()
+	SearchSensitiveService()
+
+	util.PrintH2("Information Gathering - Commands and Capabilities")
+	SearchAvailableCommands()
+	GetProcCapabilities()
+
+	util.PrintH2("Information Gathering - Mounts")
+	MountEscape()
+
+	util.PrintH2("Information Gathering - Net Namespace")
+	CheckNetNamespace()
+
+	util.PrintH2("Information Gathering - Sysctl Variables")
+	CheckRouteLocalNetworkValue()
+
+	util.PrintH2("Discovery - K8s API Server")
+	CheckK8sAnonymousLogin()
+
+	util.PrintH2("Discovery - K8s Service Account")
+	CheckPrivilegedK8sServiceAccount(conf.K8sSATokenDefaultPath)
+
+	util.PrintH2("Discovery - Cloud Provider Metadata API")
+	CheckCloudMetadataAPI()
+
+	util.PrintH2("Information Gathering - DNS-Based Service Discovery")
+	DNSBasedServiceDiscovery()
+}
+
+func CallAddedFunc() {
+	util.PrintH2("Information Gathering - Sensitive Files")
+	SearchLocalFilePath()
+
+	util.PrintH2("Information Gathering - ASLR")
+	ASLR()
+
+	util.PrintH2("Information Gathering - Cgroups")
+	DumpCgroup()
+}

pkg/evaluate/evaluate_test.go

@@ -26,3 +26,8 @@ func TestDumpCgroup(t *testing.T) {
 	fmt.Printf("\n[Information Gathering - Cgroups]\n")
 	DumpCgroup()
 }
+
+func TestFindSidFiles(t *testing.T) {
+	fmt.Printf("\n[Information Gathering - SIDs]\n")
+	FindSidFiles()
+}

pkg/evaluate/system_info.go

@@ -1,4 +1,3 @@
-
 /*
 Copyright 2022 The Authors of https://github.com/CDK-TEAM/CDK .
 
@@ -18,11 +17,14 @@ limitations under the License.
 package evaluate
 
 import (
-	"github.com/shirou/gopsutil/v3/host"
+	"io/ioutil"
 	"log"
 	"os"
 	"os/user"
-	"io/ioutil"
+
+	"github.com/cdk-team/CDK/conf"
+	"github.com/cdk-team/CDK/pkg/util"
+	"github.com/shirou/gopsutil/v3/host"
 )
 
 func BasicSysInfo() {
@@ -57,6 +59,40 @@ func BasicSysInfo() {
 
 }
 
+// FindSidFiles such as run `find /bin/. -perm -4000 -type f `
+func FindSidFiles() {
+
+	var setuidfiles []string
+
+	for _, dir := range conf.DefaultPathEnv {
+		files, err := ioutil.ReadDir(dir)
+		if err != nil {
+			continue
+		}
+	
+		for _, file := range files {
+			// check setuid bit
+			if file.Mode() & os.ModeSetuid != 0 {
+				setuidfiles = append(setuidfiles, dir + "/" + file.Name())
+			}
+
+			// check capabilites, like getcap -r /bin
+			// TODO: check capabilites
+		}
+	}
+
+	if len(setuidfiles) > 0 {
+		util.PrintItemKey("Setuid files found:", false)
+		for _, file := range setuidfiles {
+			util.PrintItemValue(file, true)
+		}
+	}
+}
+
+// CommandAllow check command allow to run
+func CommandAllow() {
+}
+
 func ASLR() {
 	// ASLR off: /proc/sys/kernel/randomize_va_space = 0 
 	var ASLRSetting = "/proc/sys/kernel/randomize_va_space"
@@ -75,3 +111,4 @@ func ASLR() {
 	}
 
 }
+

pkg/util/output.go

@@ -0,0 +1,48 @@
+/*
+Copyright 2022 The Authors of https://github.com/CDK-TEAM/CDK .
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"fmt"
+	"log"
+)
+
+const Colorful = true
+
+// fmt.Printf(util.GreenBold.Sprint("\n[Information Gathering - System Info]\n"))
+func PrintH2(title string) {
+	fmt.Printf(BlueBold.Sprint("\n[  ") + GreenBold.Sprint(title) + BlueBold.Sprint("  ]\n"))
+}
+
+func PrintItemKey(key string, color bool) {
+	key = key + "\n"
+	if color {
+		log.Printf(YellowBold.Sprint(key))
+	} else {
+		log.Printf(key)
+	}
+}
+
+func PrintItemValue(value string, color bool) {
+	value = "\t" + value + "\n"
+	if color {
+		fmt.Printf(RedBold.Sprint(value))
+	} else {
+		fmt.Printf(value)
+	}
+}
+