Metallus

Writeup for Metallus from offsec Proving Grounds

Information Gathering

sudo ./nmapAutomator.sh 192.168.70.96 all

Service Enumeration

HTTP (Port 40443)

We see that this is running ManageEngine Applications Manager (Build No: 14700).

We try the default credentials admin:admin and we are authenticated.

Exploit

ManageEngine Applications Manager 14700 - Remote Code Execution (Authenticated)Exploit Database

And we're in.