
This is a Metasploitable 3 tutorial for exploiting one of the software packages installed on the Metasploitable 3 vulnerable host, ManageEngine Desktop Central 9.

Haven’t set up Metasploitable 3 yet? This is by far the easiest way to get started: How to Install Metasploitable 3.

Setup New Kali Workspace

Start the PostgreSQL service for underlying database connectivity.

systemctl start postgresql

Create the database so we can store results if we need to.

msfdb init

Launch msfconsole.

msfconsole

Finally, create a new workspace so we can stay organized.

msf > workspace -a m3

Then switch to the new workspace.

msf > workspace m3

External Recon – First Enumeration

I start with an Nmap scan of the metasploitable3 target host.

nmap -sV -p- -oA nmap/m3-manageeng 192.168.56.101

Now that we have a list of all the open ports and some basic information about the services running on them, I run a more intensive scan.

Check the AutoRecon results. If you don’t have it already, git clone GitHub.com/Tib3rius/AutoRecon, as it is very useful for this type of enumeration.

[*] ftp found on tcp/21.
[*] ssh found on tcp/22.
[*] http found on tcp/80.
[*] ssl/appserv-http found on tcp/4848.
[*] http found on tcp/8022.
[*] http found on tcp/8080.
[*] ssl/http found on tcp/8383.
[*] wap-wsp found on tcp/9200.
[*] msrpc found on tcp/49153.
[*] msrpc found on tcp/49154.
[*] java-rmi found on tcp/1617.
[*] http found on tcp/5985.
[*] http found on tcp/8020.
[*] unknown found on tcp/8027.
[*] http found on tcp/8282.
[*] http found on tcp/8484.
[*] http found on tcp/8585.
[*] java-rmi found on tcp/49180.
[*] tcpwrapped found on tcp/49181.
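A pasted console run like the one above tends to carry repeated result lines and stray blank lines, and a long flat list hides which ports belong to the same service. The following Python example is added here and is not part of the original post or of AutoRecon itself: it parses the "[*] <service> found on <proto>/<port>." lines, drops duplicates, groups ports by service and flags the two ManageEngine Desktop Central agent ports (tcp/8020 and tcp/8383) that the next section discusses. The sample lines and the short port annotations are constructed from the listing above.

```python
import re
from collections import OrderedDict

# Constructed sample of AutoRecon's "[*] <service> found on <proto>/<port>." lines,
# with a duplicated run and stray blank lines like a console copy/paste leaves behind.
SAMPLE_OUTPUT = """\
[*] ftp found on tcp/21.

[*] ssh found on tcp/22.
[*] http found on tcp/80.
[*] ssl/appserv-http found on tcp/4848.
[*] http found on tcp/8020.
[*] ssl/http found on tcp/8383.
[*] java-rmi found on tcp/1617.
[*] tcpwrapped found on tcp/49181.
[*] ftp found on tcp/21.
[*] ssh found on tcp/22.
"""

LINE_RE = re.compile(
    r"^\[\*\]\s+(?P<service>\S+)\s+found on\s+(?P<proto>tcp|udp)/(?P<port>\d+)\.?\s*$"
)

# Ports the post identifies as ManageEngine Desktop Central 9 agent endpoints
# (annotations constructed for this example).
DESKTOP_CENTRAL_PORTS = {
    8020: "agent channel, plaintext HTTP",
    8383: "agent channel, HTTPS",
}


def parse_services(text):
    """Return an ordered {(proto, port): service} map; repeated lines are dropped."""
    services = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines, prompts, anything that is not a result line
        key = (m.group("proto"), int(m.group("port")))
        services.setdefault(key, m.group("service"))
    return services


def group_by_service(services):
    """Invert the map to {service: [ports...]} so the exposed surface reads per service."""
    grouped = {}
    for (_proto, port), svc in services.items():
        grouped.setdefault(svc, []).append(port)
    return grouped


def flag_desktop_central(services):
    """Report which of the Desktop Central agent ports the scan actually found open."""
    return {
        port: (services[("tcp", port)], note)
        for port, note in DESKTOP_CENTRAL_PORTS.items()
        if ("tcp", port) in services
    }


def summarize(text):
    services = parse_services(text)
    return {
        "open_ports": len(services),
        "by_service": group_by_service(services),
        "desktop_central": flag_desktop_central(services),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_OUTPUT)
    print(f"{report['open_ports']} unique open ports")
    for svc, ports in report["by_service"].items():
        print(f"  {svc:20s} {', '.join(map(str, ports))}")
    for port, (svc, note) in report["desktop_central"].items():
        print(f"  Desktop Central: tcp/{port} ({svc}) - {note}")
```

Feed it the real AutoRecon output instead of SAMPLE_OUTPUT and the "by_service" view gives a quick inventory of every HTTP listener worth a closer look, while "desktop_central" confirms whether both agent channels are reachable before moving on.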

We can also use netcat for banner grabbing, since a running service may give away version information when it receives a TCP connection. No luck!

Exploiting a Vulnerability

TCP 8383 is the secured (HTTPS) port that ManageEngine Desktop Central 9 agents use to connect to the DC 9 server; TCP 8020 is the plaintext HTTP port the agents also use.

Some googling returns results from exploit-db for ME DC 9, in particular exploit 38982. As this exploit is EDB verified, it looks like the best option at this point.

The vulnerability allows an unauthenticated user to upload and execute a .jsp file with no restrictions. This is indeed a very bad vulnerability.
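From the defender's side, the behaviour just described (an unauthenticated upload of a .jsp file followed by a request that executes it) is exactly the sequence that access logs for the tcp/8020 and tcp/8383 listeners can surface. The Python example below is added here and is not from the original post, from exploit 38982 or from ManageEngine; the log layout, the /upload path and the file name cmd.jsp are constructed placeholders, and the servlet path the real exploit uses is deliberately not taken from anywhere. It raises a weak alert for any POST that references a .jsp file name and a strong one when that same name is later requested with GET, whichever client makes the second request.

```python
import re
from dataclasses import dataclass

# Constructed access-log layout (an assumption for this example, not Desktop
# Central's own log format): <timestamp> <client-ip> <method> <request-uri> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+(?P<status>\d{3})$"
)
# Any .jsp file name appearing in a path or query string.
JSP_NAME_RE = re.compile(r"([\w.-]+\.jsp)\b", re.IGNORECASE)

# Constructed sample: one client uploads a .jsp and then requests it; another
# client only touches pages the application ships with.
SAMPLE_LOG = """\
2020-01-10T10:00:01Z 192.168.56.1 GET /configurations.do 200
2020-01-10T10:00:05Z 192.168.56.1 POST /upload?filename=cmd.jsp 200
2020-01-10T10:00:06Z 192.168.56.1 GET /cmd.jsp 200
2020-01-10T10:00:09Z 192.168.56.22 GET /index.jsp 200
2020-01-10T10:00:12Z 192.168.56.22 POST /login.do 302
"""


@dataclass
class Alert:
    ts: str
    ip: str
    kind: str       # "jsp_upload_attempt" or "uploaded_jsp_executed"
    jsp_name: str


def detect_jsp_upload_exec(log_text):
    """Flag POSTs that carry a .jsp file name, then any later GET of that same name.

    The second alert is the strong one: an upload followed by a request for the
    file it created is the upload-then-execute pattern the post describes.
    """
    alerts = []
    uploaded = {}  # lower-cased jsp name -> ip that uploaded it
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed layout
        ts, ip, method, uri = m.group("ts", "ip", "method", "uri")
        names = {n.lower() for n in JSP_NAME_RE.findall(uri)}
        if method == "POST":
            for name in sorted(names):
                uploaded[name] = ip
                alerts.append(Alert(ts, ip, "jsp_upload_attempt", name))
        elif method == "GET":
            for name in sorted(names):
                if name in uploaded:  # the executing client may differ from the uploader
                    alerts.append(Alert(ts, ip, "uploaded_jsp_executed", name))
    return alerts


if __name__ == "__main__":
    for a in detect_jsp_upload_exec(SAMPLE_LOG):
        print(f"{a.ts} {a.ip:15s} {a.kind:22s} {a.jsp_name}")
```

The GET for /index.jsp produces nothing because no earlier POST referenced that name, which keeps ordinary use of the application's own .jsp pages quiet; in practice the upload-attempt alert is the one to tune, since a legitimate administrator feature may post .jsp names too, while the execute alert is rarely benign.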

Exploit & Privilege Escalation

With msfconsole open, running search ManageEngine 9 returns the available Metasploit modules for ManageEngine Desktop Central 9.

The exploit completes, and the privilege of my meterpreter session is now NT AUTHORITY, which means I have root-level access.
