Comment on page

Low-Hanging Fruit

Easy ways to get a shell

Services
Adobe ColdFusion BlazeDS
Ports: 8080
Exploit:
Adobe ColdFusion BlazeDS Java Object Deserialization RCE
Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution
Exploit Database
Apache Flink
Ports: 5000
Exploit:
Apache Flink JAR Upload Java Code Execution
Rapid7
Apache Flink JobManager Traversal
Rapid7
Apache Flink 1.9.x - File Upload RCE (Unauthenticated)
Exploit Database
Apache Hadoop
Ports: 8088
Exploit:
Hadoop YARN ResourceManager Unauthenticated Command Execution
Rapid7
vulhub/exploit.py at master · vulhub/vulhub
GitHub
Apache Solr
Ports: 8983
Exploit:
GitHub - jas502n/solr_rce: Apache Solr RCE via Velocity template
GitHub
GitHub - Imanfeng/Apache-Solr-RCE: Apache Solr Exploits  🌟
GitHub
Apache Spark
Ports: 6066
Exploit:
GitHub - ivanitlearning/CVE-2018-11770: Python RCE exploit for Apache Spark rewritten from Metasploit module
GitHub
Apache Spark Unauthenticated Command Execution
Rapid7
Atlassian Crowd
Ports: 4990
Exploit:
curl -k -H "Content-Type: multipart/mixed" \ --form "[email protected]" http://[HOST]:4990/crowd/admin/uploadplugin.action
Atlassian Crowd pdkinstall Remote Code Execution ≈ Packet Storm
Cisco Smart Install
Ports: 4786
Exploit:
Identify Cisco Smart Install endpoints
Rapid7
GitHub - frostbits-security/SIET: Smart Install Exploitation Tool
GitHub
Cisco Unified Communications Manager
Ports: 6970
Exploit:
curl http://[CUCM IP Address]:6970/ConfigFileCacheList.txt
GitHub - trustedsec/SeeYouCM-Thief
GitHub
Dameware
Ports: 6129
Exploit:
SolarWinds Dameware Mini Remote Control Unauthenticated RCE
Tenable®
poc/dwrcs_dwDrvInst_rce.py at master · tenable/poc
GitHub
Dell iDrac 
Ports: 443
Exploit:
Dell iDRAC Default Login
Rapid7
Docker API
Ports: 2375
Exploit:
docker -H [host]:2375 run --rm -it --privileged --net=host -v /:/mnt alpine
File Access: cat /mnt/etc/shadow
Remote Code Execution: chroot /mnt
GlassFish
Ports: 4848
Exploit:
Path Traversal in Oracle GlassFish Server Open Source Edition
Rapid7
Hashicorp Consul
Ports: 8500
Exploit:
Hashicorp Consul Remote Command Execution via Services API
Rapid7
HP Data Protector
Ports: 5555, 5556
Exploit:
HP Data Protector EXEC_INTEGUTIL Remote Code Execution
Rapid7
HP Data Protector 8.10 Remote Command Execution
Rapid7
HP iLO
Ports: 80, 443
Exploit:
CVE-2017-12542/exploit_1.py at master · skelsec/CVE-2017-12542
GitHub
IBM Websphere
Ports: 8880
Exploit:
IBM WebSphere RCE Java Deserialization Vulnerability
Rapid7
IPMI
Ports: 623
Exploit:
IPMI Information Discovery
Rapid7
IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval
Rapid7
IPMI 2.0 Cipher Zero Authentication Bypass Scanner
Rapid7
Java RMI
Ports: 1090, 1098, 1099, 4444, 11099, 47001, 47002, 10999
Exploit:
Java RMI Server Insecure Default Configuration Java Code Execution
Rapid7
Java RMI for pentesters: structure, recon and communication (non-JMX Registries).
Medium
Java RMI for pentesters part two — reconnaissance & attack against non-JMX registries
Medium
JBoss
Ports: 4444, 4445, 11111
Exploit:
JBoss Vulnerability Scanner
Rapid7
GitHub - joaomatosf/jexboss: JexBoss: Jboss (and Java Deserialization Vulnerabilities) verify and EXploitation Tool
GitHub
JDWP
Ports: 5005 - 5009, 45000, 45001
Exploit:
Java Debug Wire Protocol Remote Code Execution
Rapid7
GitHub - IOActive/jdwp-shellifier
GitHub
JMX
Ports: 8686, 9012, 50500
Exploit:
Java JMX Server Insecure Configuration Java Code Execution
Rapid7
MS17-010: Eternal Blue
Ports 139, 445
Exploit:
nmap -Pn -sV --script smb-vuln-ms17-010 -p139,445 $ip 
MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
Rapid7
Portainer
Ports: 9000
Exploit:
GitHub - MauroEldritch/PAZUZU: PAZUZU (Portainer Authentication Zap Using Zero Utilities) is a ruby exploit for vulnerable Portainer instances (--no-auth). Featured @ DevFest Siberia 2018.
GitHub
GitHub - MauroEldritch/lempo: LEMPO (Ldap Exposure on POrtainer) is an exploit for CVE-2018-19466 (LDAP Credentials Disclosure on Portainer). Featured @ DevFest Siberia 2018
GitHub
PrintNightmare
crackmapexec smb $host_file -u $username -p $password -M spooler
GitHub - cube0x0/CVE-2021-1675: C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527
GitHub
Redis
Ports: 6379
Exploit:
Redis Replication Code Execution
Rapid7
Redis Unauthenticated Code Execution
Rapid7
SAP
Ports: 3300
Exploit:
GitHub - chipik/SAP_GW_RCE_exploit: SAP Gateway RCE exploits
GitHub
WebLogic
Ports: 7000-7004, 7070, 7071, 8000-8003, 9000-9003, 9503
Exploit:
Offensive Security’s Exploit Database Archive
Zoho Manageengine Desktop
Ports: 8383
Exploit:
https://srcincite.io/pocs/src-2020-0011.py.txt
References
GitHub - trustedsec/spoonmap
GitHub

Timestomping

Networks

Last modified 9mo ago