poniedziałek, 17 czerwca 2019

Unquoted path for CA Deploy Agents

Sometimes during pentest(s) we can find some not-so-usual ports open. Few of them you can find described here or here in latest posts. But today we will check "that 6600/tcp" port open. Here we go...

We will start here:



Quick summary:
    If there is port 6600/tcp open - it could be a good indicator that there is CA Agent installed.

So:
In case you would like to check it 'as your local user', try this from the command line (cmd.exe):

cmd.exe> wmic service get name,pathname | findstr /i "c:\pro"

You should find that interesting line:


Next thing you can do is:

cmd.exe> sc qc nolioagent

 
Cool enough to:
- use calc.exe (copied from c:\windows\system32)
- and replace nolio_w.exe with our calc.exe
- to finally restart service.

Checking:



...and...



Maybe you'll find it useful. :)

Cheers


Brak komentarzy:

Prześlij komentarz