SynaMan
Checking the target SynaMan instance after performing a manual system enumeration
PS C:\SynaMan> ls
Directory: C:\SynaMan
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/29/2021 12:15 AM accessDb
d----- 10/29/2021 12:15 AM accessLogs
d----- 10/28/2021 4:16 AM branding
d----- 4/11/2022 12:29 AM config
d----- 10/28/2021 4:16 AM htdocs
d----- 10/28/2021 4:16 AM jre
d----- 10/29/2021 12:15 AM lib
d----- 10/31/2021 10:12 AM logs
d----- 10/29/2021 8:38 PM patches
d----- 10/29/2021 12:15 AM RecyclingBin
d----- 10/28/2021 4:16 AM tomcat.55222
-a---- 2/10/2014 3:08 PM 276 AdminConsole.htm
-a---- 12/10/2012 5:26 PM 2238 AdminConsole.ico
-a---- 7/30/2003 4:17 PM 28 cpappend.bat
-a---- 12/10/2012 5:26 PM 115712 InstallService.exe
-a---- 2/10/2014 2:59 PM 3262 InstallService.lax
-a---- 12/10/2012 5:26 PM 53795 lax.jar
-a---- 7/30/2003 4:17 PM 4773 log4j.dtd
-a---- 10/15/2009 5:01 PM 2018 logconfig.xml
-a---- 10/28/2021 4:16 AM 923 RET.log
-a---- 8/27/2010 11:05 AM 427 run.bat
-a---- 10/29/2021 8:39 PM 186 sequence.dat
-a---- 2/23/2012 8:01 AM 77312 SynaMan.exe
-a---- 12/20/2012 10:00 AM 61798 SynaMan.ico
-a---- 12/6/2011 1:05 PM 954880 SynaManSM.exe
-a---- 12/10/2012 5:26 PM 2238 SynaManSM.ico
-a---- 10/28/2021 4:16 AM 50644 unins000.dat
-a---- 10/28/2021 4:16 AM 716789 unins000.exehtdocs is the directory for the web application
PS C:\SynaMan> ls .\htdocs\
Directory: C:\SynaMan\htdocs
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/29/2021 12:15 AM conf
d----- 10/28/2021 4:16 AM webapps
PS C:\SynaMan> ls .\htdocs\webapps\
Directory: C:\SynaMan\htdocs\webapps
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/29/2021 10:17 AM ROOT
PS C:\SynaMan> ls .\htdocs\webapps\ROOT\
Directory: C:\SynaMan\htdocs\webapps\ROOT
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/29/2021 12:15 AM ajaxfileexplorer
d----- 10/29/2021 12:15 AM ajaxfileupload
d----- 10/29/2021 12:15 AM ajaxopenfiledlg
d----- 10/29/2021 12:15 AM contents
d----- 10/29/2021 12:15 AM images
d----- 10/28/2021 4:16 AM images_blue
d----- 10/28/2021 4:16 AM WEB-INF
-a---- 1/12/2012 6:30 AM 225 AbortAll.jsp
-a---- 10/29/2021 10:16 AM 149025 About.jsp
-a---- 5/2/2020 3:27 PM 5978 About.jsp.bak
-a---- 7/9/2020 9:24 AM 1801 AccessLogDetails.jsp
-a---- 7/8/2020 12:56 PM 4593 AccessLogs.jsp
-a---- 11/2/2017 5:08 AM 963 Activity.jsp
-a---- 12/12/2019 10:27 AM 6187 ADConfig.jsp
-a---- 8/13/2019 10:41 AM 8472 AdditionalParams.jsp
-a---- 4/16/2021 9:04 AM 1547 AdvancedConfig.jsp
-a---- 2/1/2022 6:42 AM 7422 AntiVirus.jsp
-a---- 12/21/2011 6:56 AM 728 AppletTest.jsp
-a---- 4/2/2021 11:44 AM 1202 AskToEncryptHomeFolder.jsp
-a---- 6/10/2020 7:11 AM 4316 AssociateFolderToUser.jsp
-a---- 1/3/2022 2:57 AM 4366 BasicConfig.jsp
-a---- 11/11/2021 11:33 AM 3043 BlacklistedIPAddresses.jsp
-a---- 11/16/2017 9:31 AM 120 CFooter.jsp
-a---- 1/10/2019 1:23 PM 444 ChangePassword.jsp
-a---- 8/28/2021 11:27 PM 2208 ChangePasswordHolder.jsp
-a---- 1/10/2019 11:51 AM 2819 CHeader.jsp
-a---- 8/29/2021 2:05 AM 1345 CheckVersionResults.jsp
-a---- 8/29/2021 1:08 AM 3118 ConfigMain.jsp
-a---- 4/16/2021 9:01 AM 3577 Configuration.jsp
-a---- 11/14/2017 1:01 AM 1049 DiscoverySignup.jsp
-a---- 4/13/2015 11:28 AM 897 DiscoverySummary.jsp
-a---- 4/16/2021 9:06 AM 339 DiscoveryWizardBottom.jsp
-a---- 11/14/2017 12:57 AM 930 DiscoveryWizardPage1.jsp
-a---- 11/14/2017 12:58 AM 1498 DiscoveryWizardPage2.jsp
-a---- 11/21/2017 7:15 AM 487 DiscoveryWizardTop.jsp
-a---- 11/12/2009 7:49 PM 269 DisplayExpiredPublicLink.jsp
-a---- 10/2/2015 6:07 AM 2089 DownloadStatus.jsp
-a---- 10/15/2009 7:13 AM 164 DownloadUpdates.jsp
-a---- 8/18/2006 7:01 AM 623 DumpSessionInfo.jsp
-a---- 4/25/2019 6:46 AM 6743 emailTemp.jsp
-a---- 4/16/2021 9:06 AM 2318 ExistingPublicLinks.jsp
-a---- 11/27/2019 12:45 PM 407 Explore.jsp
-a---- 6/2/2021 8:21 AM 1148 ExploreHolder.jsp
-a---- 11/1/2017 5:24 AM 653 FAQLinks.jsp
-a---- 11/29/2017 6:16 AM 482 FeatureNA.jsp
-a---- 5/26/2021 1:31 PM 1527 Footer.jsp
-a---- 11/29/2017 10:54 AM 1362 Footer4Users.jsp
-a---- 4/13/2015 12:47 PM 533 Forbidden.jsp
-a---- 4/13/2015 12:47 PM 533 ForbiddenAccess.jsp
-a---- 7/19/2006 1:13 PM 165 GenericError.jsp
-a---- 11/1/2017 5:38 AM 1089 GlobalNotifications.jsp
-a---- 11/1/2017 5:41 AM 56 GreyTableBottom.jsp
-a---- 7/19/2006 1:13 PM 116 GreyTableMiddle.jsp
-a---- 11/1/2017 5:40 AM 290 GreyTableTemplate.jsp
-a---- 7/19/2006 1:13 PM 163 GreyTableTop.jsp
-a---- 12/31/2019 4:51 AM 1986 HarmfulExtensions.jsp
-a---- 1/25/2022 6:16 AM 7929 Header.jsp
-a---- 11/14/2017 2:16 AM 2577 HttpProxyConfig.jsp
-a---- 4/16/2021 9:03 AM 1977 ImportCert.jsp
-a---- 4/16/2021 9:03 AM 830 ImportCertSuccess.jsp
-a---- 11/29/2017 8:04 AM 8593 InboundSmtpConfig.jsp
-a---- 3/5/2010 7:45 AM 425 index.htm
-a---- 1/26/2022 10:33 AM 647 InternalServerError.jsp
-a---- 11/21/2017 7:17 AM 881 InvitationConfirmation.jsp
-a---- 11/21/2017 7:18 AM 3675 InvitationRequest.jsp
-a---- 11/21/2017 7:18 AM 1518 InvitePrompt4Pwd.jsp
-a---- 6/23/2012 8:04 AM 412 ipConfMessage.jsp
-a---- 11/14/2017 3:32 AM 1806 ipFileOptions.jsp
-a---- 10/22/2012 10:00 AM 835 ipFilesFolder.jsp
-a---- 11/14/2017 3:33 AM 1165 ipLogin.jsp
-a---- 8/21/2017 1:45 AM 1135 ipLogin2FA.jsp
-a---- 4/13/2015 10:06 AM 1727 ipPromptForPublicLink.jsp
-a---- 5/10/2021 7:00 AM 679 ipUploadForm.jsp
-a---- 6/21/2012 5:25 AM 94840 jquery-min.js
-a---- 5/1/2012 1:54 AM 90946 jquery.mobile-min.js
-a---- 5/1/2012 1:54 AM 60702 jquery.mobile.min.css
-a---- 5/3/2019 12:37 PM 1518 LetsEncryptDNS.jsp
-a---- 1/3/2022 2:54 AM 8293 LetsEncryptIntro.jsp
-a---- 4/16/2019 11:59 AM 1834 LetsEncryptStatus.jsp
-a---- 5/3/2019 12:37 PM 1673 LetsEncryptTerms.jsp
-a---- 4/25/2019 10:35 AM 3107 LetsEncryptThanks.jsp
-a---- 3/4/2016 9:34 AM 1275 LoadEb.jsp
-a---- 12/16/2019 2:21 PM 221 LoggedOut.jsp
-a---- 11/27/2019 12:25 PM 394 Login.jsp
-a---- 1/10/2019 1:23 PM 449 Login2FA.jsp
-a---- 8/24/2020 5:14 AM 2338 LoginHolder.jsp
-a---- 2/7/2022 6:45 AM 2470 LoginHolder2FA.jsp
-a---- 7/4/2014 4:33 AM 1590 LoginUrl.jsp
-a---- 11/17/2017 10:16 AM 1838 LogViewer.jsp
-a---- 11/21/2017 7:18 AM 4082 ManageFolderNotifications.jsp
-a---- 7/29/2021 10:53 AM 9894 ManageFolders.jsp
-a---- 1/24/2022 7:04 AM 4156 ManageQuotas.jsp
-a---- 1/24/2022 7:04 AM 5669 ManageUsers.jsp
-a---- 4/6/2021 8:01 AM 1612 ManEncDec.jsp
-a---- 6/25/2012 7:35 AM 1086 MDFooter.jsp
-a---- 1/14/2019 6:12 AM 2595 MDHeader.jsp
-a---- 7/29/2021 11:37 AM 1372 ModifyFolder.jsp
-a---- 4/7/2021 8:49 AM 6356 MountWindows.jsp
-a---- 5/25/2011 9:53 AM 600 NetWizAnalyzing.jsp
-a---- 4/13/2015 10:06 AM 1678 NetWizAppList.jsp
-a---- 5/25/2011 8:24 AM 412 NetWizBottom.jsp
-a---- 5/25/2011 3:00 PM 286 NetWizComplete.jsp
-a---- 4/13/2015 11:43 AM 803 NetWizIntro.jsp
-a---- 11/21/2017 7:20 AM 412 NetWizTop.jsp
-a---- 11/16/2017 6:59 AM 1000 NewsViewer.jsp
-a---- 4/13/2015 10:06 AM 3472 NewTrigger.jsp
-a---- 1/28/2022 9:50 AM 3895 NewUser.jsp
-a---- 1/26/2022 10:30 AM 547 PageNotFound.jsp
-a---- 11/22/2017 8:39 AM 2492 PanelDiskStatus.jsp
-a---- 11/17/2017 8:53 AM 2407 PanelMemoryStatus.jsp
-a---- 4/13/2015 10:06 AM 820 PasswordRestore.jsp
-a---- 3/28/2019 5:59 AM 863 PInsp.jsp
-a---- 11/21/2017 7:20 AM 2007 Plex.jsp
-a---- 11/14/2017 4:55 AM 686 PortBlocked.jsp
-a---- 8/29/2021 9:08 AM 1877 PromptForManualUpdate.jsp
-a---- 8/13/2019 10:53 AM 931 PublicLinkBottom.jsp
-a---- 1/10/2019 1:23 PM 666 PublicLinkDownload.jsp
-a---- 9/15/2020 8:08 AM 1685 PublicLinkDownloadHolder.jsp
-a---- 1/10/2019 1:23 PM 587 PublicLinkPassword.jsp
-a---- 8/27/2020 11:47 AM 584 PublicLinkPasswordHolder.jsp
-a---- 12/2/2017 12:43 AM 426 PublicLinkTop.jsp
-a---- 1/10/2019 1:23 PM 583 PublicLinkUpload.jsp
-a---- 1/10/2019 1:23 PM 591 PublicLinkUploadDone.jsp
-a---- 5/12/2011 8:39 AM 196 PublicLinkUploadDoneHolder.jsp
-a---- 5/20/2021 6:51 AM 622 PublicLinkUploadHolder.jsp
-a---- 8/13/2019 6:32 AM 585 PublicLinkUserInfo.jsp
-a---- 8/27/2020 11:47 AM 1556 PublicLinkUserInfoHolder.jsp
-a---- 11/14/2017 4:57 AM 611 Purchase.jsp
-a---- 3/30/2020 10:28 AM 4207 PurchaseAutoRenew.jsp
-a---- 9/1/2021 12:28 PM 30199 PurchaseContCC.jsp
-a---- 11/29/2017 5:09 AM 1765 PurchaseEE.jsp
-a---- 2/15/2019 3:20 PM 1063 PurchasePE.jsp
-a---- 4/6/2020 8:52 AM 3757 PurchasePfq.jsp
-a---- 3/27/2020 7:19 AM 5658 PurchaseRenewal.jsp
-a---- 3/27/2020 8:00 AM 3652 PurchaseReview.jsp
-a---- 3/30/2020 8:44 AM 3108 PurchaseSel.jsp
-a---- 5/6/2020 5:38 AM 1680 PurchaseSummaryTable.jsp
-a---- 11/29/2017 5:09 AM 1757 PurchaseU2E.jsp
-a---- 1/28/2022 12:36 PM 2012 QuickLinks.jsp
-a---- 7/29/2021 6:23 AM 6041 RecycleBinConfig.jsp
-a---- 7/29/2021 10:29 AM 3508 RecycledFileHolders.jsp
-a---- 7/27/2021 1:28 PM 289 RecycledFiles.jsp
-a---- 11/22/2017 1:48 PM 2793 Register.jsp
-a---- 11/21/2017 7:20 AM 1849 RegistrationManual.jsp
-a---- 2/13/2020 10:34 AM 3057 RegSerialManual.jsp
-a---- 2/14/2020 6:05 AM 1673 RegSerialRevoke.jsp
-a---- 11/14/2017 9:31 PM 1289 RenewSupport.jsp
-a---- 5/25/2021 9:48 AM 3746 RestartSynaMan.jsp
-a---- 1/10/2019 1:23 PM 399 RExplore.jsp
-a---- 8/28/2017 2:49 AM 1825 RExploreHolder.jsp
-a---- 11/29/2017 10:47 AM 6600 SBrandingHolder.jsp
-a---- 11/14/2017 9:33 PM 290 SBrandIntro.jsp
-a---- 1/31/2022 8:22 AM 12417 SecurityConfig.jsp
-a---- 3/26/2020 10:00 AM 1935 SerialNumber.jsp
-a---- 12/1/2017 11:51 AM 79 SetupBottom.jsp
-a---- 11/22/2017 10:27 AM 733 SetupFirstPage.jsp
-a---- 12/1/2017 11:58 AM 4002 SetupFourthPage.jsp
-a---- 9/1/2021 11:54 AM 4194 SetupFW.jsp
-a---- 12/1/2017 11:36 AM 1324 SetupHomeFolder.jsp
-a---- 11/22/2017 11:20 AM 1253 SetupLastPage.jsp
-a---- 11/22/2017 10:27 AM 2006 SetupSecondPage.jsp
-a---- 12/1/2017 11:54 AM 2646 SetupThirdPage.jsp
-a---- 12/1/2017 11:51 AM 404 SetupTop.jsp
-a---- 11/14/2017 9:56 PM 2074 ShowEnv.jsp
-a---- 8/27/2018 12:00 PM 5785 SmtpConfig.jsp
-a---- 11/14/2017 10:18 PM 3283 SuppExpReminder.jsp
-a---- 4/15/2021 2:51 PM 3426 Support.jsp
-a---- 4/16/2021 9:02 AM 250 SupportButton.jsp
-a---- 11/14/2017 10:18 PM 1558 SuppPNow.jsp
-a---- 2/8/2022 7:51 AM 3924992 SynaManApplet.jar
-a---- 1/25/2022 6:16 AM 7929 TableX.jsp
-a---- 5/26/2021 1:31 PM 1527 TableY.jsp
-a---- 5/2/2020 3:27 PM 5978 TableZ.jsp
-a---- 7/28/2021 9:10 AM 445 Template.jsp
-a---- 11/14/2017 10:20 PM 458 Test.jsp
-a---- 1/10/2019 1:23 PM 407 TFAHome.jsp
-a---- 11/14/2017 10:34 PM 1102 TFAHome4Admin.jsp
-a---- 1/27/2022 10:58 AM 4330 TFAHomeHolder.jsp
-a---- 1/10/2019 1:23 PM 407 TFATotp.jsp
-a---- 1/25/2022 7:04 AM 1990 TFATotpHolder.jsp
-a---- 11/14/2017 10:38 PM 595 Time2Str.jsp
-a---- 10/8/2009 7:53 AM 18 TipFooter.jsp
-a---- 6/10/2020 7:04 AM 1829 TipHeader.jsp
-a---- 10/8/2009 7:54 AM 203 TipPage.jsp
-a---- 11/14/2017 10:49 PM 2390 TriggerHelp.jsp
-a---- 2/25/2019 1:17 PM 3062 Triggers.jsp
-a---- 10/20/2009 8:06 AM 660 TroubleShootBottom.jsp
-a---- 11/14/2017 11:04 PM 456 TroubleShootFail.jsp
-a---- 11/14/2017 11:06 PM 627 TroubleShootHome.jsp
-a---- 11/14/2017 11:05 PM 659 TroubleShootPass.jsp
-a---- 9/1/2021 11:58 AM 10567 TroubleshootResults.jsp
-a---- 11/21/2017 7:21 AM 402 TroubleShootTop.jsp
-a---- 11/14/2017 11:03 PM 549 UploadTest.jsp
-a---- 11/14/2017 11:13 PM 2799 Waiting.jsp
-a---- 6/23/2010 10:22 AM 148 XMLMessage.jsp
-a---- 2/22/2021 12:02 PM 283 XMLMessageFormatted.jspC:\SynaMan\htdocs\webapps\ROOT is the web application root directory
Vulnerabilities
PS C:\SynaMan\htdocs\webapps\ROOT> icacls C:\SynaMan\htdocs\webapps\ROOT
C:\SynaMan\htdocs\webapps\ROOT BUILTIN\Administrators:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
Successfully processed 1 files; Failed processing 0 filesThe C:\SynaMan\htdocs\webapps\ROOT directory is writable by anyone.
This is CVE-2022-26250. Given the process is running with privileges of SYSTEM, privilege escalation is archivable by writing a malicious JSP file to the web root directory.