Web
Nmap discovered a Web server on the target port 6060
The running service is unknown at this time
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fish]
└─$ curl -I -X OPTIONS http://$IP:6060/
HTTP/1.1 403
Cache-Control: private
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=FE53612D640B92FAC5CC1473F596603A; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 5028
Date: Sat, 30 Oct 2021 04:06:13 GMT
Server: Synametrics Web Server v7
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fish]
└─$ curl -I http://$IP:6060/
HTTP/1.1 200
Accept-Ranges: bytes
ETag: W/"425-1267803922000"
Last-Modified: Fri, 05 Mar 2010 15:45:22 GMT
Content-Type: text/html
Content-Length: 425
Date: Sat, 30 Oct 2021 04:06:16 GMT
Server: Synametrics Web Server v7Synametrics Web Server v7
/Practice/Fish/2-Enumeration/attachments/{C9858FB5-2285-4711-8DD0-C5B8E8979B07}.png)
Webroot
Redirected to a SynaMan login page at /app
/Practice/Fish/2-Enumeration/attachments/Pasted-image-20250419155216.png)
SynaMan (Synametrics File Manager) is a web-based file management and transfer tool that allows users to access, share, and manage files on a remote system securely via a browser. It supports large file transfers, secure access controls, and remote file management without needing a VPN. Ideal for businesses, it simplifies file sharing across different locations while maintaining data privacy.
Version Information
/Practice/Fish/2-Enumeration/attachments/{412E1A7F-B0DB-481E-801B-F0FF1BBB5F70}.png)
The version information is disclosed at the /app?operation=about endpoint; 5.1 build 1595
Vulnerabilities
/Practice/Fish/2-Enumeration/attachments/{25D1C322-0D72-4AAF-B46F-5419462C29A7}.png)
/Practice/Fish/2-Enumeration/attachments/{1349EAAD-1164-4B55-8FDD-6319A72CC844}.png)
Looking it up online for known vulnerabilities reveals 2 vulnerabilities;
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fish]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP:6060/FUZZ -ic -e .html,.txt -fc 403
________________________________________________
:: Method : GET
:: URL : http://192.168.219.168:6060/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Extensions : .html .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________
app [Status: 200, Size: 6487, Words: 365, Lines: 226, Duration: 33ms]
contents [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 37ms]
images [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 34ms]
:: Progress: [61434/61434] :: Job [1/1] :: 1030 req/sec :: Duration: [0:00:58] :: Errors: 0 ::contents
/contents/ Endpoint
/Practice/Fish/2-Enumeration/attachments/{6A89855A-99D1-4115-A3C8-05B208BDEACA}.png)
Interestingly it shows synaman 4.0
The instance might not be 5.1
SynaMan 4.0
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fish]
└─$ searchsploit SynaMan 4.0
------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------ ---------------------------------
SynaMan 4.0 build 1488 - (Authenticated) Cross-Site Scripting | windows/webapps/45386.txt
SynaMan 4.0 build 1488 - SMTP Credential Disclosure | windows/webapps/45387.txt
------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No ResultsSynaMan 4.0 appears to suffer from multiple vulnerabilities, including SMTP credential disclosure; CVE-2018-10814