Ports 29817, 29819, 29820


Nmap discovered that ports 29817, 29819, and 29820 were open on the target system, but was unable to identify which services are running on them.

I tried connecting to them through Netcat.

Port 29817


Port 29817 was just completely unresponsive. There was only the 3-way TCP handshake.

Port 29819


Port 29819 only sent out a string, “PING”, after establishing a TCP connection.

Port 29820


It’s the same with port 29820, but with arbitrary bytes this time.

Online Research


I was unable to proceed on my own, so I decided to look it up online.

Upon searching for it on Google, the first result appears to be the most promising, as it is a PDF file showcasing a vulnerability and an exploit.

Based on the information provided by the PDF document, it would appear that those 3 ports are related to Sirep services from an HLK client.

The HLK (Hardware Lab Kit) client runs the Sirep (Smart Integration and Remote Procedure Call) service over ports 29817, 29819, and 29820. These ports are used for communication between the HLK client and the HLK server during the testing process.

The Sirep service provides a mechanism for remotely controlling and managing Windows devices, including those running Windows IoT. The HLK client can communicate with the Sirep service to perform various tasks, such as installing software, configuring settings, and collecting data from the device.

The Sirep (System Image and Recovery Engine Protocol):

  • is used in Windows systems to facilitate the creation, installation, and management of system images.
  • provides a communication protocol for Windows hardware certification kits (HCKs) to communicate with the Windows hardware lab kit (HLK) client.
  • enables HCKs to remotely manage and automate testing of system images.
  • provides a way for HCKs to execute remote commands, transfer files, and manage the deployment and recovery of system images in the lab environment.

Given that the service running over those ports is the Sirep service of an HLK client, it is likely that the target system is Windows IoT Core.
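The three Netcat observations above can be turned into a repeatable exposure check for devices in your own inventory. This is an added example, not code from the PDF or from this write-up; the function names, verdict labels and the sample bytes for port 29820 are assumptions.

```python
import socket

# Ports and behaviours as observed in the write-up above.
SIREP_PORTS = (29817, 29819, 29820)

def grab_banner(host, port, timeout=3.0, max_bytes=256):
    """Connect and read what the service sends unprompted.

    Returns bytes (b"" if the peer stays silent) or None if the port is closed.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            try:
                return sock.recv(max_bytes)
            except socket.timeout:
                return b""          # handshake completed, nothing sent
    except OSError:
        return None                 # refused, filtered or unreachable

def classify(banners):
    """Compare per-port banners against the three observations on this page."""
    hits = []
    if banners.get(29817) == b"":
        hits.append("29817: open but silent")
    if (banners.get(29819) or b"").startswith(b"PING"):
        hits.append("29819: sends PING")
    if banners.get(29820):
        hits.append("29820: sends unprompted bytes")
    verdict = {3: "likely-sirep", 0: "no-match"}.get(len(hits), "partial")
    return verdict, hits

def check_host(host):
    """Probe one host you administer and return (verdict, matched observations)."""
    return classify({p: grab_banner(host, p) for p in SIREP_PORTS})

if __name__ == "__main__":
    # Constructed sample: what the write-up saw, with placeholder bytes for 29820.
    sample = {29817: b"", 29819: b"PING", 29820: b"\x00\x01\x02\x03"}
    print(classify(sample))
```

A "likely-sirep" verdict on a device that is not meant to be under HLK testing indicates the test service is reachable on the network and should be firewalled or disabled.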

The PDF document also provided an exploit. I will try that.