
HashiCorp Vault

Default Port: 8200

HashiCorp Vault stores and brokers access to secrets, credentials, certificates, and encryption keys. In pentests, exposed Vault APIs, leaked tokens, weak policies, and unsafe auth methods can lead to large-scale credential exposure.

Connect

HTTP API

Unauthenticated endpoints reveal health, seal, and initialization state.

curl http://target.com:8200/v1/sys/health
curl http://target.com:8200/v1/sys/seal-status
curl -k https://target.com:8200/v1/sys/health

Vault CLI

The CLI follows normal operator workflows and shows whether a token is accepted and what scope it carries.

export VAULT_ADDR=http://target.com:8200
vault status
export VAULT_TOKEN=TOKEN
vault token lookup

Token Header

Use X-Vault-Token to test leaked or provided tokens.

curl -H "X-Vault-Token: TOKEN" http://target.com:8200/v1/auth/token/lookup-self
curl -H "X-Vault-Token: TOKEN" http://target.com:8200/v1/sys/mounts

Recon

Service Detection with Nmap

Scan the Vault API port and TLS settings.

nmap -p 8200 -sV target.com
nmap -p 8200 --script http-title,http-headers target.com
nmap -p 8200 --script ssl-cert,ssl-enum-ciphers target.com

UI Discovery

The UI reveals login methods and operational state.

curl -i http://target.com:8200/ui/
httpx -u http://target.com:8200 -title -tech-detect -status-code
curl -I http://target.com:8200

Health Review

Health status shows whether Vault is active, standby, sealed, or uninitialized.

curl -s http://target.com:8200/v1/sys/health | jq
curl -s http://target.com:8200/v1/sys/seal-status | jq

Auth Method Discovery

Auth methods show how users, apps, and machines authenticate.

curl -H "X-Vault-Token: TOKEN" http://target.com:8200/v1/sys/auth | jq
vault auth list

Enumeration

Token Lookup

Token lookup reveals identity, policies, TTL, and orphan status.

vault token lookup
curl -H "X-Vault-Token: TOKEN" http://target.com:8200/v1/auth/token/lookup-self | jq

Secret Engine Enumeration

Mounted engines reveal where secrets, PKI, SSH, cloud, and database creds may exist.

vault secrets list
curl -H "X-Vault-Token: TOKEN" http://target.com:8200/v1/sys/mounts | jq

Policy Enumeration

Policies define what a token can read, write, or administer.

vault policy list
vault policy read policy-name
curl -H "X-Vault-Token: TOKEN" http://target.com:8200/v1/sys/policies/acl | jq

KV Enumeration

KV engines often store static secrets and application configs.

vault kv list secret/
vault kv get secret/app/config
curl -H "X-Vault-Token: TOKEN" http://target.com:8200/v1/secret/metadata/?list=true

Audit Enumeration

Audit devices show whether secret access is logged.

vault audit list
curl -H "X-Vault-Token: TOKEN" http://target.com:8200/v1/sys/audit | jq

Attack Vectors

Leaked Vault Token

Vault tokens are commonly found in env files, CI configs, and app configs.

rg -n 'VAULT_TOKEN|X-Vault-Token|vault token|vault_addr|VAULT_ADDR' .
vault token lookup

Overbroad Policy

Policies with broad read, list, sudo, or wildcard paths expose secrets.

vault token capabilities secret/
vault token capabilities secret/app/config
vault policy read policy-name
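Policy enumeration shows what a token may do; the following added example (not Hackviser's or HashiCorp's code) parses the HCL `path "..." { capabilities = [...] }` form that `vault policy read` prints and flags the broad, sudo and wildcard rules described above. The sample policy text is constructed for the example.

```python
# Flag overbroad rules in Vault ACL policies (added example; parses the
# path "..." { capabilities = [...] } form that `vault policy read` prints).
import re

# Policy text constructed for this example.
SAMPLE_POLICY = '''
path "secret/data/app/*" {
  capabilities = ["read", "list"]
}
path "sys/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "*" {
  capabilities = ["read"]
}
path "auth/token/create" {
  capabilities = ["update"]
}
'''

RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{[^}]*?capabilities\s*=\s*\[([^\]]*)\]', re.S)
WRITE_CAPS = {"create", "update", "delete", "patch", "sudo"}
# Mounts where any write capability is effectively Vault administration.
ADMIN_PREFIXES = ("sys/", "auth/", "identity/")

def parse_policy(text):
    """Return [(path, {capabilities})] for every path block in the policy."""
    rules = []
    for path, caps in RULE_RE.findall(text):
        rules.append((path, {c.strip().strip('"') for c in caps.split(",") if c.strip()}))
    return rules

def lint_policy(text):
    """Return (path, reason) tuples for rules that warrant review."""
    findings = []
    for path, caps in parse_policy(text):
        prefix = path.rstrip("*").strip("/")          # segments before the glob
        depth = len(prefix.split("/")) if prefix else 0
        if path.endswith("*") and depth == 0:
            findings.append((path, "matches every path in Vault"))
        elif path.endswith("*") and depth <= 2:
            findings.append((path, "mount-wide wildcard"))
        if "sudo" in caps:
            findings.append((path, "sudo on root-protected endpoints"))
        if path.startswith(ADMIN_PREFIXES) and caps & WRITE_CAPS:
            findings.append((path, "write access to Vault's own config or auth"))
    return findings

if __name__ == "__main__":
    for path, reason in lint_policy(SAMPLE_POLICY):
        print(f"{path}: {reason}")
```

Feed it the output of `vault policy read policy-name` for each policy attached to the token under review; a narrowly scoped application policy such as the first rule produces no findings.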

KV Secret Exposure

KV paths may contain API keys, database passwords, and cloud credentials.

vault kv list secret/
vault kv get secret/app/config
vault kv get -format=json secret/app/config | jq

AppRole Abuse

A leaked RoleID and SecretID pair lets anyone authenticate as the machine or CI job that owns the role.

vault write auth/approle/login role_id=ROLE_ID secret_id=SECRET_ID
curl -X POST -d '{"role_id":"ROLE_ID","secret_id":"SECRET_ID"}' http://target.com:8200/v1/auth/approle/login

Cloud Secret Abuse

Cloud secret engines may generate valid cloud credentials.

vault read aws/creds/role-name
vault read database/creds/role-name

PKI Abuse

PKI engines may issue certificates for sensitive names.

vault write pki/issue/role-name common_name=admin.internal ttl=1h

Post-Exploitation

Secret Inventory

Document accessible mounts, policies, and paths.

vault secrets list > vault-mounts.txt
vault policy list > vault-policies.txt
vault token lookup > vault-token.txt

Credential Review

Review only the secrets within scope, and request rotation of any credentials that were exposed.

vault kv get -format=json secret/app/config > vault-secret-sample.json
grep -Ei 'password|secret|token|apikey|aws|jdbc|private' vault-secret-sample.json

Audit Check

Generate controlled reads and confirm they are logged.

vault kv get secret/pentest-log-check
vault audit list
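To make the controlled-read check repeatable, this added example (not from Hackviser or HashiCorp) parses entries in the shape of Vault's file audit device, confirms the test read is present, and flags a single token hitting several of the recon endpoints listed earlier. The log lines are constructed and shortened, HMAC'd token fields are abbreviated, and the KV v2 `secret/data/` path mapping is assumed.

```python
# Confirm a controlled read is present in Vault audit logs and flag
# enumeration bursts (added example; log lines are constructed and shortened,
# with HMAC'd token fields abbreviated).
import json
from collections import defaultdict

SAMPLE_AUDIT_LOG = """
{"time":"2024-05-01T10:00:01Z","type":"response","auth":{"accessor":"hmac-sha256:aaa","display_name":"token","policies":["default","app-read"]},"request":{"operation":"read","path":"auth/token/lookup-self","remote_address":"10.0.0.5"}}
{"time":"2024-05-01T10:00:02Z","type":"response","auth":{"accessor":"hmac-sha256:aaa","display_name":"token","policies":["default","app-read"]},"request":{"operation":"read","path":"sys/mounts","remote_address":"10.0.0.5"}}
{"time":"2024-05-01T10:00:03Z","type":"response","auth":{"accessor":"hmac-sha256:aaa","display_name":"token","policies":["default","app-read"]},"request":{"operation":"list","path":"sys/policies/acl","remote_address":"10.0.0.5"}}
{"time":"2024-05-01T10:00:04Z","type":"response","auth":{"accessor":"hmac-sha256:aaa","display_name":"token","policies":["default","app-read"]},"request":{"operation":"read","path":"secret/data/pentest-log-check","remote_address":"10.0.0.5"}}
{"time":"2024-05-01T10:00:05Z","type":"response","auth":{"accessor":"hmac-sha256:bbb","display_name":"approle-ci","policies":["default","ci"]},"request":{"operation":"read","path":"secret/data/app/config","remote_address":"10.0.1.9"}}
"""

# Endpoints that, hit together by one token, resemble the recon phase above.
RECON_PATHS = {"auth/token/lookup-self", "sys/mounts", "sys/policies/acl",
               "sys/auth", "sys/audit", "secret/metadata"}

def parse_audit(text):
    """Return the 'response' entries (one per completed request)."""
    entries = [json.loads(line) for line in text.strip().splitlines()]
    return [e for e in entries if e.get("type") == "response"]

def find_read(entries, secret_path):
    """Return entries that read secret_path as a KV v1 or KV v2 API path."""
    wanted = {secret_path, secret_path.replace("/", "/data/", 1)}
    return [e for e in entries
            if e["request"]["operation"] == "read"
            and e["request"]["path"] in wanted]

def recon_bursts(entries, threshold=3):
    """Map token accessor -> sorted recon paths, for accessors at/over threshold."""
    hits = defaultdict(set)
    for e in entries:
        path = e["request"]["path"]
        if any(path == p or path.startswith(p + "/") for p in RECON_PATHS):
            hits[e["auth"]["accessor"]].add(path)
    return {acc: sorted(p) for acc, p in hits.items() if len(p) >= threshold}

if __name__ == "__main__":
    entries = parse_audit(SAMPLE_AUDIT_LOG)
    print("controlled read logged:", bool(find_read(entries, "secret/pentest-log-check")))
    print("recon bursts:", recon_bursts(entries))
```

If the controlled read is absent, the audit device is not capturing that mount, which is the blind spot the misconfiguration table below refers to.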

Useful Tools

Tool     Purpose
vault    Native CLI
curl     API testing
jq       JSON parsing
nmap     Port and TLS checks
httpx    UI fingerprinting
rg       Token searching

Security Misconfigurations

Misconfiguration          Risk
Vault exposed broadly     Secret management attack surface
Leaked token              Direct secret access
Overbroad policies        Excessive secret read/write
Weak auth methods         Token issuance abuse
KV secrets unmanaged      Static credential exposure
PKI roles too broad       Unauthorized certificate issuance
Audit disabled            Secret access blind spots
Plain HTTP                Token capture risk