Fish Proving Grounds Write-Up
SUMMARY
This write-up covers the Fish machine from OffSec’s Proving Grounds, a Windows machine with multiple exposed Java-based services where a directory traversal vulnerability enabled credential discovery.
The nmap scan reported multiple ports associated with GlassFish 4.1, which is vulnerable to Directory Traversal via double URL-encoded path separators. Enumerating GlassFish itself did not yield useful files, but another web service — SynaMan 5.1 — was running alongside it. By traversing to the SynaMan configuration path (AppConfig.xml) through the GlassFish traversal, credentials for user arthur were extracted in cleartext. RDP access was established on port 3389 using those credentials.
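As an added example (not part of the original write-up), a log check for the traversal class described above: it percent-decodes each request path until the string stops changing, so a traversal hidden behind double encoding, which a single-decode filter misses, is exposed, and it reports how many decoding rounds were needed. The access-log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the target or the write-up). Line 2 hides a
# traversal behind one round of encoding, line 3 behind two rounds (with encoded backslashes,
# since the target is Windows), line 4 decodes twice but never forms a '..' segment.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /app/style.css HTTP/1.1" 200 1234
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /app/..%2f..%2fweb.xml HTTP/1.1" 403 0
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /app/%252e%252e%255c%252e%252e%255cAppConfig.xml HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /docs/..%252e/readme.txt HTTP/1.1" 200 10
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<path>\S+) HTTP/')


def decode_rounds(path, max_rounds=5):
    """Percent-decode until the string stops changing; report the number of rounds.
    A single-pass check sees '%252e' as harmless, the second pass turns it into '.'."""
    rounds = 0
    while rounds < max_rounds:  # bounded so a pathological input cannot spin forever
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def has_traversal(decoded_path):
    """True if any segment of the fully decoded path is '..' (backslash counts as a separator)."""
    return '..' in decoded_path.replace('\\', '/').split('/')


def scan_log(log_text):
    """Return one record per request whose decoded path contains a '..' segment,
    with the number of decoding rounds needed to expose it (2 = double-encoded)."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        raw_path = match.group('path')
        decoded, rounds = decode_rounds(raw_path.split('?', 1)[0])  # ignore the query string
        if has_traversal(decoded):
            hits.append({'ip': line.split(' ', 1)[0], 'path': raw_path, 'rounds': rounds})
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} rounds={hit['rounds']} {hit['path']}")
```

A hit with `rounds` of 2 is the double-encoded case the write-up describes; a server that decodes once, checks, then decodes again is exactly what such a request exploits.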
Privilege escalation was achieved through a combination of three conditions: arthur held SeShutdownPrivilege, a GlassFish-related service (domain1) was found running as SYSTEM with automatic startup, and the service binary was writable by Authenticated Users. A malicious binary was crafted with msfvenom, the original binary renamed, the payload placed in its path, and the machine rebooted — returning a shell as NT AUTHORITY\SYSTEM.
PATH TO FOLLOW
- Reconnaissance & GlassFish 4.1 Discovery
- Directory Traversal via Double URL-Encoded Path
- SynaMan AppConfig.xml Credential Extraction
- RDP Access as arthur
- SeShutdownPrivilege & Writable System Service Binary Identification
- Service Binary Replacement with msfvenom Payload
- Machine Reboot & Shell as NT AUTHORITY\SYSTEM
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.