Fish
00 min
2025-3-20
Source
https://portal.offsec.com/labs/practice
Date
Mar 20, 2025 → Mar 20, 2025
Tag
Nmap
Web Exploitation
Privilege Escalation Techniques

192.168.247.168

Nmap

└─# nmap -sT -p- --min-rate 5000 $ip Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-20 06:39 EDT Warning: 192.168.247.168 giving up on port because retransmission cap hit (10). Nmap scan report for 192.168.247.168 Host is up (0.057s latency). Not shown: 65130 closed tcp ports (conn-refused), 386 filtered tcp ports (no-response) PORT STATE SERVICE 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 3389/tcp open ms-wbt-server 3700/tcp open lrs-paging 4848/tcp open appserv-http 5040/tcp open unknown 6060/tcp open x11 7676/tcp open imqbrokerd 7680/tcp open pando-pub 8080/tcp open http-proxy 8181/tcp open intermapper 8686/tcp open sun-as-jmxrmi 49664/tcp open unknown 49665/tcp open unknown 49666/tcp open unknown 49667/tcp open unknown 49668/tcp open unknown 49669/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 26.85 seconds
└─# nmap -sT -p- --min-rate 5000 $ip Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-20 06:40 EDT Warning: 192.168.247.168 giving up on port because retransmission cap hit (10). Nmap scan report for 192.168.247.168 Host is up (0.064s latency). Not shown: 65123 closed tcp ports (conn-refused), 393 filtered tcp ports (no-response) PORT STATE SERVICE 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 3389/tcp open ms-wbt-server 3700/tcp open lrs-paging 4848/tcp open appserv-http 5040/tcp open unknown 6060/tcp open x11 7676/tcp open imqbrokerd 7680/tcp open pando-pub 8080/tcp open http-proxy 8181/tcp open intermapper 8686/tcp open sun-as-jmxrmi 49664/tcp open unknown 49665/tcp open unknown 49666/tcp open unknown 49667/tcp open unknown 49668/tcp open unknown 49669/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 26.68 seconds

139,445

notion image
nothing found

3700

notion image

4848

notion image
we try use weak password to login but failed.

8080

notion image

192.168.190.168

4848

Oracle GlassFish Server 4.1 - Directory Traversal - Multiple webapps Exploit
we can use this vulne to find account information about glass fish account
Exploiting GlassFish
notion image
└─# echo aLatQQ3qEJHinsX4N/+V/45mJwFSkXN5w7vz3P6kHy4jrX+U7hXCkQ== | base64 -d | xxd -p -c 40 | sed 's/.\{64\}/&:/' 68b6ad410dea1091e29ec5f837ff95ff8e66270152917379c3bbf3dcfea41f2e:23ad7f94ee15c291
notion image
尝试去破解密码
failed
http://192.168.190.168:4848//theme/META-INF��..��..��..��..��..��..��..��..��..��..��..��..��Synaman��config��appconfig.xml
We can use Local File inclusion to find the Synaman credentials
notion image
notion image
cant but we can try other services, such as rdp
notion image
login successfully
notion image
wow, use it
TotalAV 2020 4.14.31 Privilege Escalation (CVE-2019-18194)
this is how to use it
the anti V expired but we can got the shell via this way
 
上一篇
HB
下一篇
AZ-900