17.Vulnerable-services

Enumeration Commands

wmic product get name
netstat -ano | findstr 6064
get-process -Id 3324
get-service | ? {$_.DisplayName -like 'Druva*'}

Exploitation (Setup) Commands

python3 -m http.server 8080
nc -lvnp 9443
Set-ExecutionPolicy Bypass -Scope Process

Verification Commands

whoami
hostname

Key Concepts:

• Third-Party Vulnerabilities:

  • User-installed software can introduce security flaws.

  • Services running as SYSTEM are high-value targets.

• Druva inSync Vulnerability:

  • Specific versions (e.g., 6.6.3) are vulnerable to command injection via RPC.

  • Allows arbitrary command execution as NT AUTHORITY\SYSTEM.

Approach, Commands, Tools, and Techniques:

1. Enumeration:

   • wmic product get name (Identify installed applications).

   • netstat -ano | findstr 6064 (Verify listening port).

   • get-process -Id 3324 (Map PID to process name).

   • get-service | ? {$_.DisplayName -like 'Druva*'} (Confirm service status).

2. Exploitation:

   • Modify the provided PowerShell PoC script:

     • Change the $cmd variable to execute a reverse shell.

     • Download Invoke-PowerShellTcp.ps1 (or similar).

     • Host Invoke-PowerShellTcp.ps1 using python3 -m http.server.

     • Modify the PoC to download and execute Invoke-PowerShellTcp.ps1.

   • Start a Netcat listener on the attacker machine: nc -lvnp 9443.

   • Bypass PowerShell execution policy: Set-ExecutionPolicy Bypass -Scope Process.

   • Execute the modified PowerShell PoC script.

3. Verification:

   • whoami (Verify SYSTEM privileges).

   • hostname (Verify target host).

Commands:

• wmic product get name

• netstat -ano | findstr 6064

• get-process -Id <PID>

• get-service | ? {$_.DisplayName -like 'Druva*'}

• python3 -m http.server <port>

• nc -lvnp <port>

• Set-ExecutionPolicy Bypass -Scope Process

• whoami

• hostname