Vulnerable Services
We may be able to escalate privileges on well-patched and well-configured systems if users are permitted to install software or vulnerable third-party applications/services are used throughout the organization.
Below is an example of exploiting a vulnerable third-party service.
1 - Enumerate installed programs
:\hacker> wmic product get name
Name
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.28.29910
Update for Windows 10 for x64-based Systems (KB4023057)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.24.28127
VMware Tools
Druva inSync 6.6.3
Microsoft Update Health Tools
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.28.29910
Update for Windows 10 for x64-based Systems (KB4480730)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.24.28127
Druva inSync 6.6.3 is vulnerable to a command injection attack via an exposed RPC service. We will use this exploit PoC to escalate privileges.
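As an added example (not part of these notes and not Druva's or any exploit author's code), the script below parses the `wmic product get name` listing shown above and flags any product whose version is at or below a watch-listed bound. This is the inventory check a defender runs fleet-wide to find vulnerable third-party software before it can be used for privilege escalation. The watch list and its "at or below 6.6.3" bound are assumptions; the page states only that 6.6.3 is vulnerable and does not name the fixed version.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the "wmic product get name" listing reproduced from the
# walkthrough above (the "Name" header line is part of wmic's own output).
SAMPLE_WMIC_OUTPUT = """\
Name
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.28.29910
Update for Windows 10 for x64-based Systems (KB4023057)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.24.28127
VMware Tools
Druva inSync 6.6.3
Microsoft Update Health Tools
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.28.29910
Update for Windows 10 for x64-based Systems (KB4480730)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.24.28127
"""

# Assumed watch list: product name -> highest version still treated as
# vulnerable. The only entry the page supports is Druva inSync 6.6.3; the
# "at or below" bound is an assumed policy value, since the page does not
# state which release fixed the issue.
WATCHLIST: Dict[str, str] = {
    "Druva inSync": "6.6.3",
}

# A trailing dotted number (optionally preceded by " -") is taken as the version.
_NAME_VERSION = re.compile(r"^(?P<name>.*?)(?:\s+-)?\s+(?P<ver>\d+(?:\.\d+)+)$")


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '14.28.29910' into (14, 28, 29910) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def parse_wmic_names(text: str) -> List[Tuple[str, Optional[str]]]:
    """Parse 'wmic product get name' output into (product, version) pairs.

    wmic prints only the display name; many installers embed the version in
    it, so a trailing dotted number is split off when present.
    """
    entries: List[Tuple[str, Optional[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Name":  # blank lines and wmic's column header
            continue
        m = _NAME_VERSION.match(line)
        if m:
            entries.append((m.group("name"), m.group("ver")))
        else:
            entries.append((line, None))  # no recognisable version string
    return entries


def flag_vulnerable(entries: List[Tuple[str, Optional[str]]],
                    watchlist: Dict[str, str] = WATCHLIST) -> List[Dict[str, str]]:
    """Report installed products whose version is at or below the watch-list bound."""
    findings: List[Dict[str, str]] = []
    for name, version in entries:
        bound = watchlist.get(name)
        if bound is None:
            continue
        if version is None:
            # Version not recoverable from the display name: report it for
            # manual review rather than silently passing it.
            findings.append({"name": name, "version": "unknown", "bound": bound})
        elif version_key(version) <= version_key(bound):
            findings.append({"name": name, "version": version, "bound": bound})
    return findings


if __name__ == "__main__":
    for f in flag_vulnerable(parse_wmic_names(SAMPLE_WMIC_OUTPUT)):
        print(f"REVIEW: {f['name']} {f['version']} (vulnerable at or below {f['bound']})")
```

Run against the sample it reports only `Druva inSync 6.6.3`; feeding it the output of `wmic product get name` (or an equivalent inventory export) from each host gives a quick fleet-wide view of where a watch-listed product still sits at a vulnerable version.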
2 - Confirm Druva is installed and running
Check local port
Check process ID
Check service
3 - Adjust the PoC
We change $cmd in the PoC to the command of our choice:
4 - Exploit
Bypass the scope:
Then run the exploit
Log out and log back in to get your new token.