17. Vulnerable Services

Enumeration Commands

wmic product get name
netstat -ano | findstr 6064
get-process -Id 3324
get-service | ? {$_.DisplayName -like 'Druva*'}

Exploitation (Setup) Commands

python3 -m http.server 8080
nc -lvnp 9443
Set-ExecutionPolicy Bypass -Scope Process

Verification Commands

whoami
hostname

Key Concepts:

  • Third-Party Vulnerabilities:

    • User-installed software can introduce security flaws.

    • Services running as SYSTEM are high-value targets.

  • Druva inSync Vulnerability:

    • Specific versions (e.g., 6.6.3) are vulnerable to command injection via RPC.

    • Allows arbitrary command execution as NT AUTHORITY\SYSTEM.

Approach, Commands, Tools, and Techniques:

  1. Enumeration:

    • wmic product get name (Identify installed applications).

    • netstat -ano | findstr 6064 (Verify listening port).

    • get-process -Id 3324 (Map PID to process name).

    • get-service | ? {$_.DisplayName -like 'Druva*'} (Confirm service status).

  2. Exploitation:

    • Modify the provided PowerShell PoC script:

      • Change the $cmd variable to execute a reverse shell.

      • Download Invoke-PowerShellTcp.ps1 (or similar).

      • Host Invoke-PowerShellTcp.ps1 using python3 -m http.server.

      • Modify the PoC to download and execute Invoke-PowerShellTcp.ps1.

    • Start a Netcat listener on the attacker machine: nc -lvnp 9443.

    • Bypass PowerShell execution policy: Set-ExecutionPolicy Bypass -Scope Process.

    • Execute the modified PowerShell PoC script.

  3. Verification:

    • whoami (Verify SYSTEM privileges).

    • hostname (Verify target host).
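The Enumeration step above chains four manual commands (wmic, netstat, get-process, get-service) to answer one question: which third-party service runs as SYSTEM and owns the listening port. The PowerShell below is an added, defender-side audit example; it is not part of the original notes or the course material. It reads installed products and versions from the Uninstall registry keys rather than wmic product (which is slow and triggers an MSI consistency check on every package), then joins LocalSystem services to their listening TCP ports via Get-NetTCPConnection. The function names are hypothetical; the 'Druva*' filter and port 6064 defaults in the usage lines are the values from the notes.

```powershell
# Added example: audit third-party services that run as SYSTEM and listen on the network.
# Function names are hypothetical; 'Druva*' and 6064 are the values used in the notes above.

function Get-InstalledProduct {
    # Installed products with versions, read from the Uninstall registry keys (64- and 32-bit views).
    # Covers the same ground as 'wmic product get name' but also returns the version string.
    param([string]$NameFilter = '*')
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayName -like $NameFilter } |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName -Unique
}

function Get-SystemServiceListener {
    # Services running as LocalSystem, joined to the TCP ports their process is listening on.
    # Equivalent to the manual netstat -ano / get-process -Id / get-service chain in one pass.
    param(
        [string]$NameFilter = '*',   # e.g. 'Druva*' to narrow to one vendor
        [int[]]$Port = @()           # optional: only report these ports, e.g. 6064
    )
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue
    if ($Port.Count -gt 0) {
        $listeners = $listeners | Where-Object { $Port -contains $_.LocalPort }
    }
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.ProcessId -gt 0 -and $_.DisplayName -like $NameFilter } |
        ForEach-Object {
            $svc = $_
            $ports = $listeners | Where-Object { $_.OwningProcess -eq $svc.ProcessId } |
                Select-Object -ExpandProperty LocalPort -Unique
            if ($ports) {
                [pscustomobject]@{
                    Service     = $svc.Name
                    DisplayName = $svc.DisplayName
                    Account     = $svc.StartName
                    PID         = $svc.ProcessId
                    State       = $svc.State
                    BinaryPath  = $svc.PathName
                    ListenPorts = (($ports | Sort-Object) -join ',')
                }
            }
        }
}

# Usage: the general audit - every LocalSystem service that exposes a listening TCP port
Get-SystemServiceListener | Format-Table -AutoSize

# Usage: the specific case from the notes - the installed inSync version, and whether
# its SYSTEM service is the process bound to port 6064
Get-InstalledProduct -NameFilter 'Druva*'
Get-SystemServiceListener -NameFilter 'Druva*' -Port 6064
```

The general form of the query (no filter) is what a defender wants to run across a fleet: it produces an inventory of every non-Microsoft service that runs as SYSTEM and accepts network connections, which is exactly the population the Key Concepts section flags as high-value. A product version matching a known-vulnerable release (the notes cite 6.6.3) alongside a LocalSystem service bound to its RPC port is the combination to patch or firewall first.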

Commands:

  • wmic product get name

  • netstat -ano | findstr 6064

  • get-process -Id <PID>

  • get-service | ? {$_.DisplayName -like 'Druva*'}

  • python3 -m http.server <port>

  • nc -lvnp <port>

  • Set-ExecutionPolicy Bypass -Scope Process

  • whoami

  • hostname
