Fish
Last updated
Starting out, we begin by using searchsploit to discover known vulnerabilities against the services.
Looks like the version of GlassFish running is vulnerable to Directory Traversal. The following exploit examples can be used to read known system files.
ExploitDB: https://www.exploit-db.com/exploits/39441
Using one of the examples in the link with the correct IP and port, we are able to build a curl GET request to confirm the directory traversal.
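From the defender's side, the same traversal shows up in the web server's access log. The following is an added example, not part of the original writeup: it normalises request paths (percent-decoding, plus the overlong UTF-8 dot and slash encodings that some traversal exploits use) and flags requests that escape the web root. The log format and the sample lines are constructed for the example.

```python
import re
import urllib.parse

# Constructed sample access log (assumed common log format), not taken from the target.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /theme/META-INF/prototype.js HTTP/1.1" 200 1234
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini HTTP/1.1" 200 403
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /resource/..%2f..%2fdomain1/config/admin-keyfile HTTP/1.1" 200 88
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 500
"""

# Client IP, method, request path and response status from one common-log-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Overlong UTF-8 encodings of '.', '/' and '\' that urllib would otherwise turn into U+FFFD.
OVERLONG = {"%c0%ae": ".", "%c0%af": "/", "%c1%9c": "\\"}

# A '..' segment bounded by separators (or the start/end of the path) after normalisation.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def normalise_path(raw_path):
    """Lower-case, map overlong sequences, percent-decode up to 3 layers, unify slashes."""
    path = raw_path.lower()
    for encoded, char in OVERLONG.items():
        path = path.replace(encoded, char)
    for _ in range(3):  # bounded loop so double/triple encoding cannot stall us
        decoded = urllib.parse.unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def find_traversal(log_text):
    """Return (ip, status, normalised_path) for every request containing a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        norm = normalise_path(match.group("path"))
        if TRAVERSAL_RE.search(norm):
            hits.append((match.group("ip"), match.group("status"), norm))
    return hits


if __name__ == "__main__":
    for ip, status, path in find_traversal(SAMPLE_LOG):
        print(f"{ip} {status} {path}")
```

A 200 status on a flagged request is the line worth escalating, since it indicates the file was actually served rather than rejected.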
After this I looked up configuration files for GlassFish to see if we can read any sensitive credential files. This StackOverflow link proved to be informative and I was able to read the admin hash for GlassFish with a little bit of guesswork.
Unfortunately however, I was unable to crack the hash and proceed with anything meaningful for now.
Looking through the rest of the open ports manually, we come across the page "SynaMan", which we observe is running version 4.0.
Again, with searchsploit we are able to see if the version running is vulnerable.
The SMTP disclosure is interesting to us:
ExploitDB: https://www.exploit-db.com/exploits/45387
We see from the description that, as we already have a directory traversal exploit on the system, we can likely read the desired AppConfig.xml.
From the output we are able to tie together the following credentials:
As RDP is open, a quick check with Hydra confirms the credentials are valid.
We can then connect via RDP to the target system.
We see on the desktop a shortcut for the AV application TotalAV. Checking appwiz.cpl, we see that the installed version is 4.14.31.
searchsploit again shows a vulnerability with the installed version.
This version of TotalAV appears to be vulnerable to Privilege Escalation.
ExploitDB: https://www.exploit-db.com/exploits/47897