Fish
Nmap
Starting out we begin using searchsploit
to discover know vulnerabilities against the services.
Looks like the of GlassFish running is vulnerable to Directory Traversal. The following exploit examples can be used to read known system files.
ExploitDB: https://www.exploit-db.com/exploits/39441
Using one of the examples in the link with the correct IP and port we are able to build a curl
GET request to confirm the directory traversal.
After this I looked up configuration files for GlassFish to see if we can read any sensitive credential files. This StackOverflow link proved to be informative and I was able to read the admin hash for GlassFish with a little bit of guesswork.
Unfortunately however, I was unable to crack the hash and proceed with anything meaningful for now.
Looking through the rest of the open ports manually we come across the page "SynaMan" which we observe is running version 4.0.
Again, with searchsploit
we are able to see if the version running is vulnerable.
The SMTP
disclosure is interesting to us:
ExploitDB: https://www.exploit-db.com/exploits/45387
We see from the description that as we already have a directory traversal exploit on the system we can likely read the desired AppConfig.xml
From the output we are able to tie together the following credentials:
Being as RDP
is open a quick check with Hydra
confirms the credentials are valid.
We can then connect via RDP
to the target system.
We see on the desktop a shortcut for the AV application TotalAV
. Checking appwiz.cpl
we see that the installed version is 4.14.31.
searchsploit
again shows a vulnerability with the installed version.
This version of TotalAV
appears to be vulnerable to Privilege Escalation.
ExploitDB: https://www.exploit-db.com/exploits/47897
Last updated