New modules and new modifications, check the description info. #8

Merged
merged 18 commits into from
Jan 25, 2022
66 changes: 66 additions & 0 deletions CODE_OF_CONDUCT.md
@@ -0,0 +1,66 @@
# CyberArk Community Code of Conduct

CyberArk is a leader in Privileged Access Management, thanks to its customers and community. We listen to our community and wish to provide additional relevant tools. We believe that our mission is best served in an environment that is friendly, safe, and accepting; free from intimidation or harassment.
Towards this end, CyberArk’s developers have created this Community Code of Conduct for the CyberArk open source community. Our Code of Conduct sets the standard for how developers, and community members can work together in a respectful and collaborative manner. Those who do not abide by this Code of Conduct will not be permitted to remain part of our community.


## Summary of Key Principles

- Be respectful to others in the community at all times.
- Report harassing or abusive behavior that you experience or witness at ReportAbuse@cyberark.com
- The CyberArk community will not tolerate abusive or disrespectful behavior towards its members; anyone engaging in such behavior will be suspended from the CyberArk community.


## Scope

This Code of Conduct applies to all members of the CyberArk community, including paid and unpaid agents, administrators, users, and customers of CyberArk. It applies in all CyberArk community venues, online and in person, including CyberArk Open Source project communities (such as public GitHub repositories, chat channels, social media, mailing lists, and public events) and in one-on-one communications pertaining to CyberArk affairs.
This policy covers the usage of CyberArk hosted services, as well as the CyberArk website, CyberArk related events, and any other services offered by or on behalf of CyberArk (collectively, the "Service").
This Code of Conduct is in addition to, and does not in any way nullify or invalidate, any other terms or conditions related to use of the Service.


## Maintaining a Friendly, Harassment-Free Space

We are committed to providing a friendly, safe and welcoming environment for all, regardless of gender identity, sexual orientation, ability, ethnicity, religion, age, physical appearance, body size, race, or similar personal characteristics.
We ask that you please respect that people have differences of opinion regarding technical choices, and that every design or implementation choice carries a trade-off and numerous costs. There is seldom a single right answer. A difference of technology preferences is not a license to be rude.
Harassing other users of the Service for any reason is never tolerated, whether via public or private media. Any spamming, trolling, flaming, baiting, or other attention-stealing behavior is not welcome, and will not be tolerated.
Even if your intent is not to harass or offend others, be mindful of how your comments might be perceived by others in the community.


## Unacceptable Behavior

The following behaviors are considered harassment under this Code of Conduct and are unacceptable within our community:
- Violence, threats of violence, or violent language directed against another person or group of people.
- Sexist, racist, homophobic, transphobic, ableist, or otherwise discriminatory jokes and language.
- Posting or displaying sexually explicit or violent material.
- Posting or threatening to post other people’s personally identifying information ("doxing").
- Personal insults, particularly those related to related to gender identity, sexual orientation, ability, ethnicity, religion, age, physical appearance, body size, race, or similar personal characteristics.
- Using offensive or harassing nicknames or other identifiers.
- Inappropriate photography or recording.
- Inappropriate physical contact. You should have someone’s consent before touching them.
- Unwelcome sexual attention. This includes: sexualized comments or jokes; inappropriate touching, groping, and unwelcome sexual advances.
- Deliberate intimidation, stalking, or following (online or in person).
- Sustained disruption of community events, including talks and presentations.
- Advocating for, or encouraging, any of the above behavior.

## Reporting Violations

If you witness or experience unacceptable behavior in the CyberArk community, please promptly report it to our team at ReportAbuse@cyberark.com. If this is the initial report of a problem, please include as much detail as possible. It is easiest for us to address issues when we have more context.
The CyberArk Community Team will look into any reported issues in a confidential manner and take any necessary actions to address and resolve the problem.
We will not tolerate any form of retaliation towards users who report these issues to us.
If you feel that you have been falsely or unfairly accused of violating this Code of Conduct by others in the community, you should notify the ReportAbuse@cyberark.com team so that we can address and resolve the accusation.
As always, if you have an urgent security issue, contact product_security@cyberark.com and if you have concerns about a potential copyright violation, contact legal@cyberark.com.

## Consequences

All content published to the Service, including user account credentials, is hosted at the sole discretion of the CyberArk administrators. If a community member engages in unacceptable behavior, the CyberArk administrators may take any action they deem appropriate, up to and including a temporary ban or permanent expulsion from the community without warning. In general, we will choose the course of action that we judge as being most in the interest of fostering a safe and friendly community.

## Contact Info
Please contact ReportAbuse@cyberark.com if you need to report a problem or address a grievance related to an abuse report.
You are also encouraged to contact us if you have questions about what constitutes appropriate and inappropriate content. We are happy to provide guidance to help you be a successful part of our community. Our technical community is available [here](https://cyberark-customers.force.com/s/).

## Credit and License

This Code of Conduct borrows from the [npm Code of Conduct](https://www.npmjs.com/policies/conduct), Stumptown Syndicate [Citizen's Code of Conduct](http://citizencodeofconduct.org/), and the [Rust Project Code of Conduct](https://www.rust-lang.org/conduct.html).
This document may be reused under a [Creative Commons Attribution-ShareAlike License](https://creativecommons.org/licenses/by-sa/4.0/).
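Review bot: the "Personal insults" bullet repeats "related to related to"; drop one so it reads "particularly those related to gender identity, ...". The rest of the document is a policy text with no technical content, so nothing else to raise here.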


45 changes: 42 additions & 3 deletions MITIGATION.md
Expand Up @@ -48,6 +48,45 @@
2. Preventing authorization to anyone: `authorization: mode:` NOT set with AlwaysAllow. <br>
</td>
</tr>

</tbody>
</table>
<tr>
<td>
Pod Escape Using Log Mounts
</td>
<td align="left">
A pod running as root and with a mount point to the node’s /var/log directory can expose the entire contents of its host filesystem to any user who has access to its logs. <br>
</td>
<td align="left" ><br>
1. Don't run as root inside the container. Use a different user or user namespaces. The root in the container is the same as on host unless remapped with user namespaces. <br>
2. Don’t deploy pods with a writeable hostPath to /var/log. <br>
Another option related to 2: Don’t allow volume mounts from the /var/log path
</td>
</tr>
<tr>
<td>
cGroup breakout
</td>
<td align="left">
Abusing the Linux cgroup v1 release agent feature to escape container to the host. <br>
</td>
<td align="left" ><br>
1. Don't run as root inside the container. Use a different user or user namespaces. By default of docker containers, root in the container is the same as on host unless remapped with user namespaces. <br>
2. Adjust seccomp, AppArmor (or SELinux) profiles to restrict the actions and syscalls available for the container to the minimum required. <br>
3. Don't mount cGroup v1 virtual file system as read-write. privileged containers mount cGroup v1 as read-write. <br>
4. Drop all capabilities (--cap-drop=all) and enable only those that are required (--cap-add=...). In our case dont add cap_sys_admin capabilty.
</td>
</tr>
<tr>
<td>
Kernel module breakout
</td>
<td align="left">
Break out of the container by abusing the SYS_MODULE capability, which allow to Load and unload kernel modules. <br>
</td>
<td align="left" ><br>
1. Drop all capabilities (--cap-drop=all) and enable only those that are required (--cap-add=...). In our case dont add cap_sys_module capabilty.
</td>
</tr>

</tbody>
</table>
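Review bot: item 3 of the "cGroup breakout" row observes that privileged containers mount cgroup v1 read-write but never states the mitigation that follows from it; add "Don't run the container with --privileged" next to it, since that single flag is what hands out both the writable cgroup mount and CAP_SYS_ADMIN that item 4 tells readers to withhold. Within the same new rows, fix "capabilty" to "capability" (twice), "dont" to "don't", "which allow to Load and unload" to "which allows loading and unloading", and settle on one spelling of cgroup (the table mixes "cGroup" and "cgroup"). "In our case" is odd in a general mitigation table; "for this breakout" says what is meant.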

4 changes: 3 additions & 1 deletion NOTICES.txt
Expand Up @@ -22,7 +22,9 @@ Section 1: GPL-3.0

Section 2: Apache 2.0
---------------------

>>> https://github.com/stealthcopter/deepce
Copyright 2020 Matthew Rollings (@stealthcopter)

>>> github.com/go-jose/go-jose (forked from: github.com/square/go-jose)
Copyright (C) 2018 Square

20 changes: 19 additions & 1 deletion README.MD
Expand Up @@ -36,17 +36,35 @@ It is an ongoing project, and we are planning to add more modules related to Doc

The currently available modules are:
- Container breakout using mounting

- Container breakout using docker.sock

- Container breakout using CVE-2019-5736 exploit

- Scan for Kubernetes cluster known CVEs

- Port scanning with focus on Kubernetes services

- Kubernetes service scan from within the container

- Light [kubeletctl](https://github.com/cyberark/kubeletctl) containing the following options:
- Scan for containers with RCE
- Scan for Pods and containers
- Scan for tokens from all available containers
- Run command with multiple options


- cGroup breakout

- Kernel module breakout

- Var log escape

- Deepce: Docker enumeration (Open-Source project integrated as a module)

- Vulnerability test: check which of kubesploit exploits your container is vulnerable to

**For detailed information about the modules, check the WiKi page**


## Quick Start
We created a dedicated [Kubernetes environment in Katacoda](https://www.katacoda.com/cyberarkcommons/scenarios/kubesploit) for you to experiment with Kubesploit.
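Review bot: the new list entries are separated by blank lines while the original entries were not, so the list renders inconsistently; remove the blank lines. "Var log escape" does not match the module name var-log-escape used in the JSON and the MITIGATION.md row title "Pod Escape Using Log Mounts", so use one name throughout. "check which of kubesploit exploits your container is vulnerable to" reads better as "check which Kubesploit breakouts your container is vulnerable to", and "WiKi" should be "Wiki".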
2 changes: 1 addition & 1 deletion data/modules/go/kubelet/main.go
Expand Up @@ -567,7 +567,7 @@ func PrintDecodedToken(tokenString string) {
if !strings.HasSuffix(newDec, "}"){
newDec += "}"
}

var jwtToken JWTToken
err := json.Unmarshal([]byte(newDec), &jwtToken)
if err != nil {
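Review bot: appending a closing brace when the decoded token payload does not end in "}" papers over a decoding problem rather than fixing it. JWT segments are base64url without padding, so decoding the segment with `base64.RawURLEncoding` recovers the complete JSON and the brace check becomes unnecessary; if a payload still lacks its closing brace after a correct decode, treat the token as malformed and return the error instead of silently repairing it. The `json.Unmarshal` error is checked, which is good; keep that.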
2 changes: 1 addition & 1 deletion data/modules/linux/go/clusterCVEScan.json
Expand Up @@ -19,7 +19,7 @@
],
"description": "Scans Kubernetes cluster for known CVEs",
"commands": [
"data/modules/go/scan/clusterCVEs/main.go",
"data/modules/sourcecode/go/scan/clusterCVEs/main.go",
"mainfunc(\"{{url}}\")"
]
}
2 changes: 1 addition & 1 deletion data/modules/linux/go/cve2019_5736.json
Expand Up @@ -19,7 +19,7 @@
],
"description": "Exploit for the runc vulnerability (CVE-2019-5736) that allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: \n\t(1) a new container with an attacker-controlled image \n\t(2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. \nThis occurs because of file-descriptor mishandling, related to /proc/self/exe",
"commands": [
"data/modules/go/CVE-2019-5736/main.go",
"data/modules/sourcecode/go/CVE-2019-5736/main.go",
"mainfunc(\"{{Payload}}\")"
]
}
2 changes: 1 addition & 1 deletion data/modules/linux/go/dockerBreakout.json
Expand Up @@ -20,7 +20,7 @@
],
"description": "Services scanning (/data/modules/go/services/mainfunc.go)",
"commands": [
"data/modules/go/dockerSockBreakout/main.go",
"data/modules/sourcecode/go/dockerSockBreakout/main.go",
"mainfunc(\"{{IP}}\", \"{{Port}}\")"
]
}
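Review bot: the "description" of dockerBreakout.json still reads "Services scanning (/data/modules/go/services/mainfunc.go)", which is copied from servicesScan.json and does not describe a docker.sock breakout module; it also references the old data/modules/go/ location that this very hunk moves to data/modules/sourcecode/go/. Replace it with a one-line description of what the module does and drop the stale path.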
2 changes: 1 addition & 1 deletion data/modules/linux/go/kubeletAttack.json
Expand Up @@ -20,7 +20,7 @@
],
"description": "\nUrl - The address of the node with the open kubelet API\nCommand - there are number of options:\n\t1. run - run command on container\n\t examples:\n\t 1.a. run \\\"whoami\\\" -n default -c alpine -p alpine\n\t 1.b. run -a\n\t 1.c. run -as\n\t2. rce - search for containers with RCE\n\t3. pods \n\t 3.a. pods -r\n\t4. token\n\n\tExamples:\n\t run \\\"whoami\\\" -n default -c alpine -p alpine\n\t run -a\n\t run -as\n\t token\n\t pods\n\t rce\n\n\tswitches:\n\t \"-n\" - namespace\n\t \"-p\" - pods name\n\t \"-c\" - container name\n\t \"-a\" - run command on all pods synchronically\n\t \"-as\" - run command on all pods asynchronic\n\t \"-r\" - print in raw (use with pods commands)",
"commands": [
"data/modules/go/kubelet/main.go",
"data/modules/sourcecode/go/kubelet/main.go",
"mainfunc(\"{{Url}}\", \"{{Command}}\")"
]
}
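Review bot: only the source path changes here, but the description above it is user-facing help text and has a few grammar slips worth fixing in the same pass: "there are number of options" should be "there are a number of options", "run command on all pods synchronically" should be "synchronously", and "asynchronic" should be "asynchronously". "pods name" should be "pod name".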
2 changes: 1 addition & 1 deletion data/modules/linux/go/mountContainerBreakout.json
Expand Up @@ -21,7 +21,7 @@
],
"description": "Break out from the container to the host using mounting. It will create a mounted host folder named /mnt<number>",
"commands": [
"data/modules/go/mountBreakout/main.go",
"data/modules/sourcecode/go/mountBreakout/main.go",
"mainfunc(\"{{Device}}\", \"{{UseBruteforce}}\", \"{{DeviceType}}\")"
]
}
2 changes: 1 addition & 1 deletion data/modules/linux/go/portScan.json
Expand Up @@ -19,7 +19,7 @@
],
"description": "Port scanning",
"commands": [
"data/modules/go/scan/portScan/main.go",
"data/modules/sourcecode/go/scan/portScan/main.go",
"mainfunc(\"{{Urls}}\")"
]
}
2 changes: 1 addition & 1 deletion data/modules/linux/go/servicesScan.json
Expand Up @@ -21,7 +21,7 @@
],
"description": "Services scanning (/data/modules/go/services/mainfunc.go)",
"commands": [
"data/modules/go/scan/services/main.go",
"data/modules/sourcecode/go/scan/services/main.go",
"mainfunc(\"{{CIDR}}\", \"{{Threads}}\", \"{{Interval}}\")"
]
}
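Review bot: the "description" still points at /data/modules/go/services/mainfunc.go while the "commands" entry in this hunk now loads data/modules/sourcecode/go/scan/services/main.go; the two paths disagree in both directory and file name. Either update the description to the new path or, better, drop the path from the description entirely so it cannot go stale again.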
2 changes: 1 addition & 1 deletion data/modules/linux/go/var-log-escape.json
Expand Up @@ -20,7 +20,7 @@
],
"description": "\n 1. [lsh|cath] <parameter> \n lsh - as ls command on the host \n cath - as cat command on the host file system \n parameter - the path you wish to query\n 2. scan [key|token] - scan for keys/token in the host\n The result of the scan is stored in a file at /exploit/host-data/\n. The file includes path for each corresponded match \n You can access the file through the bash module of the agent ",
"commands": [
"data/modules/go/var-log-escape/main.go",
"data/modules/sourcecode/go/var-log-escape/main.go",
"mainfunc(\"{{Command}}\", \"{{Parameter}}\")"
]
}
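Review bot: the description text has a stray ". " at the start of the line after "/exploit/host-data/\n" ("\n. The file includes path for each corresponded match"); move the period to the end of the preceding sentence and change "corresponded match" to "corresponding match". The options described (lsh, cath, scan) match what the README calls "Var log escape", so consider using the same name in both places.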
26 changes: 26 additions & 0 deletions data/modules/linux/go/vulnerabilityTest.json
@@ -0,0 +1,26 @@
{
"base": {
"name": "vulnerabilityTest",
"type": "standard",
"author": ["Yaniv Yakobovich(@yanivyakobovich)"],
"credits": [],
"path": ["linux", "go", "vulnerabilityTest.json"],
"platform": "linux",
"arch": "x64",
"lang": "Go",
"privilege": false,
"GoInterpreter": true,
"GoInterpreterProgress": false,
"notes": "Commands are run with /bin/bash -c . Use quotes if you want to run multiple commands or shell features such as redirection or pipeline",
"remote": "",
"local": [],
"options": [
{"name": "NodeIp", "value": "127.0.0.1", "required": true, "flag": "", "description": ""}
],
"description": "",
"commands": [
"data/modules/sourcecode/go/vulnerabilityTest/main.go",
"mainfunc(\"{{NodeIp}}\")"
]
}
}
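Review bot: "description" is empty and the NodeIp option has an empty "description" too, so the module shows no help text; the README's one-liner ("check which of the Kubesploit breakouts your container is vulnerable to") can go in the first, and "IP of the node to test against" or similar in the second. The "notes" value ("Commands are run with /bin/bash -c") is copied from the shell modules, but this is a GoInterpreter module that runs main.go, so the note is misleading here.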
30 changes: 30 additions & 0 deletions data/modules/linux/x64/sh/cGroupBreakout.json
@@ -0,0 +1,30 @@
{
"base": {
"name": "cGroupBreakout",
"type": "standard",
"author": ["Yaniv Yakobovich"],
"credits": ["Felix Wilhelm - https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/"],
"path": ["linux", "shell", "cGroupBreakout.json"],
"platform": "linux",
"arch": "x64",
"lang": "Shell",
"privilege": false,
"GoInterpreter": false,
"GoInterpreterProgress": false,
"LoadScriptFromPath": true,
"notes": "Commands are run with /bin/bash -c . Use quotes if you want to run multiple commands or shell features such as redirection or pipeline",
"remote": "",
"local": [],
"options": [
{"name": "cmd", "value": "cat /etc/shadow", "required": true, "flag": "", "description": "cmd which will be execute on the host"}
],
"description": "Abusing the Linux cgroup v1 notification on release to run code on the host",
"commands": [
"data/modules/sourcecode/sh/cGroupBreakout/cGroupBreakout.sh",
"sh",
"-c",
"\"{{cmd}}\""
]
}
}
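Review bot: "path" is ["linux", "shell", "cGroupBreakout.json"] but the file is added at data/modules/linux/x64/sh/cGroupBreakout.json; if the loader resolves "path" against data/modules, this module will not be found, so make the array match the real directory (linux, x64, sh) or move the file. The default for "cmd" is "cat /etc/shadow"; a harmless default such as "id" still proves host execution for the vulnerability test without dumping credential hashes on every run. In the option description, "will be execute" should be "will be executed".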

30 changes: 30 additions & 0 deletions data/modules/linux/x64/sh/deepce.json
@@ -0,0 +1,30 @@
{
"base": {
"name": "deepce",
"type": "standard",
"author": ["Matthew Rollings,Integration to kubesploit Yaniv Yakobovich(@yanivyakobovich)"],
"credits": ["Matthew Rollings @stealthcopter"],
"path": ["linux", "shell", "deepce.json"],
"platform": "linux",
"arch": "x64",
"lang": "Shell",
"privilege": false,
"GoInterpreter": false,
"GoInterpreterProgress": false,
"LoadScriptFromPath": true,
"notes": "Commands are run with /bin/bash -c . Use quotes if you want to run multiple commands or shell features such as redirection or pipeline",
"remote": "",
"local": [],
"options": [
{"name": "Parameter", "value": "", "required": false, "flag": "", "description": "Parameters to add for the script \n With no Parameter when Parameter is set to \"\" the script scan will take place \n set Parameter to --help and see all the possibilities"}
],
"description": "Docker Enumeration (DEEPCE) visit https://github.com/stealthcopter/deepce for full details",
"commands": [
"data/modules/sourcecode/sh/deepce/deepce.sh",
"sh",
"-c",
"\"{{Parameter}}\""
]
}
}
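Review bot: same "path" mismatch as in cGroupBreakout.json: the array says ["linux", "shell", "deepce.json"] while the file lives under data/modules/linux/x64/sh/. The "author" entry mixes the upstream author and the integrator in one string; since "credits" already names Matthew Rollings, "author" can list just the integrator, which keeps the two fields meaningful. The Parameter description would read more clearly as "Leave empty to run the default scan; set to --help to list all options".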

31 changes: 31 additions & 0 deletions data/modules/linux/x64/sh/kernelModuleBreakout.json
@@ -0,0 +1,31 @@
{
"base": {
"name": "kernelModuleBreakout",
"type": "standard",
"author": ["Will Roberts @willrushi"],
"credits": ["Will Roberts @willrushi , Nishant Sharma - https://blog.pentesteracademy.com/abusing-sys-module-capability-to-perform-docker-container-breakout-cf5c29956edd "],
"path": ["linux", "shell", "kernelModuleBreakout.json"],
"platform": "linux",
"arch": "x64",
"lang": "Shell",
"privilege": false,
"GoInterpreter": false,
"GoInterpreterProgress": false,
"LoadScriptFromPath": true,
"notes": "Commands are run with /bin/bash -c . Use quotes if you want to run multiple commands or shell features such as redirection or pipeline",
"remote": "",
"local": [],
"options": [
{"name": "ip", "value": "127.0.0.1", "required": true, "flag": "", "description": "ip for the reverse shell"},
{"name": "port", "value": "8000", "required": true, "flag": "", "description": "port for the reverse shell"}
],
"description": "Abusing SYS_MODULE Capability to create reverse shell with the host",
"commands": [
"data/modules/sourcecode/sh/kernelModuleBreakout/kernelModuleBreakout.sh",
"sh",
"-c",
"\"{{ip}} {{port}}\""
]
}
}
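Review bot: "path" is ["linux", "shell", "kernelModuleBreakout.json"] but the file is at data/modules/linux/x64/sh/, the same mismatch as the other two shell modules in this PR; fix all three together. The "credits" string has a trailing space and a space before the comma. In "description", "create reverse shell with the host" should be "open a reverse shell from the host"; and since the ip and port options are passed straight into the script as "{{ip}} {{port}}", the option descriptions should say they are the listener the host will connect back to.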
