vulnerable-services

Enumeration Commands

wmic product get name
netstat -ano | findstr 6064
get-process -Id 3324
get-service | ? {$_.DisplayName -like 'Druva*'}

Exploitation (Setup) Commands

python3 -m http.server 8080
nc -lvnp 9443
Set-ExecutionPolicy Bypass -Scope Process

Verification Commands

whoami
hostname

Key Concepts:

• Third-Party Vulnerabilities: - User-installed software can introduce security flaws. - Services running as SYSTEM are high-value targets.

• Druva inSync Vulnerability: - Specific versions (e.g., 6.6.3) are vulnerable to command injection via RPC. - Allows arbitrary command execution as NT AUTHORITY\SYSTEM. Approach, Commands, Tools, and Techniques:

1. Enumeration: - wmic product get name (Identify installed applications). - netstat -ano | findstr 6064 (Verify listening port). - get-process -Id 3324 (Map PID to process name). - get-service | ? {$_.DisplayName -like 'Druva*'} (Confirm service status).

2. Exploitation: - Modify the provided PowerShell PoC script: - Change the $cmd variable to execute a reverse shell. - Download Invoke-PowerShellTcp.ps1 (or similar). - Host Invoke-PowerShellTcp.ps1 using python3 -m http.server. - Modify the PoC to download and execute Invoke-PowerShellTcp.ps1. - Start a Netcat listener on the attacker machine: nc -lvnp 9443. - Bypass PowerShell execution policy: Set-ExecutionPolicy Bypass -Scope Process. - Execute the modified PowerShell PoC script.

3. Verification: - whoami (Verify SYSTEM privileges). - hostname (Verify target host). Commands:

• wmic product get name

• netstat -ano | findstr 6064

• get-process -Id <PID>

• get-service | ? {$_.DisplayName -like 'Druva*'}

• python3 -m http.server <port>

• nc -lvnp <port>

• Set-ExecutionPolicy Bypass -Scope Process

• whoami

• hostname