PaperStream IP (TWAIN)
During manual enumeration, an unfamiliar process was found running an unknown binary, FJTWSVIC.exe, which appears to be launched by a service of the same name, FJTWSVIC:
PS C:\Users\tony> cmd /c sc qc FJTWSVIC
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: FJTWSVIC
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Windows\twain_32\Fjicube\FJTWSVIC.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : FJTWSVIC
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
The service runs with SYSTEM privileges (SERVICE_START_NAME is LocalSystem), and its binary lives in the C:\Windows\twain_32\Fjicube\ directory:
PS C:\Windows\twain_32\Fjicube> ls
Directory: C:\Windows\twain_32\Fjicube
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/27/2020 9:01 PM DeviceCtl
d----- 4/27/2020 9:01 PM ExtraMode
d----- 4/27/2020 9:01 PM I3ipCore
d----- 4/27/2020 9:01 PM imageformats
d----- 4/27/2020 9:01 PM OLU
d----- 4/27/2020 9:01 PM trans
d----- 4/27/2020 9:01 PM x64
-a---- 7/11/2016 2:57 PM 429056 AssistScanMode.exe
-a---- 7/13/2016 2:25 PM 56 Disk1.id
-a---- 3/24/2016 10:01 AM 109916 fi6800.xml
-a---- 3/24/2016 10:01 AM 110022 fi6800_0409.xml
-a---- 5/27/2016 10:18 AM 110519 fi7180.xml
-a---- 5/27/2016 10:18 AM 110621 fi7180_0409.xml
-a---- 12/4/2013 1:18 PM 161792 Fied0401.dll
-a---- 12/4/2013 1:18 PM 157184 Fied0404.dll
-a---- 12/4/2013 1:18 PM 164352 Fied0407.dll
-a---- 12/4/2013 1:18 PM 161792 Fied0409.dll
-a---- 12/4/2013 1:18 PM 163840 Fied040C.dll
-a---- 12/4/2013 1:18 PM 163328 Fied0410.dll
-a---- 12/4/2013 1:18 PM 159232 Fied0411.dll
-a---- 12/4/2013 1:18 PM 159232 Fied0412.dll
-a---- 12/4/2013 1:18 PM 161792 Fied0416.dll
-a---- 12/4/2013 1:18 PM 161792 Fied0419.dll
-a---- 12/4/2013 1:18 PM 161792 Fied041F.dll
-a---- 12/4/2013 1:18 PM 157184 Fied0804.dll
-a---- 12/4/2013 1:18 PM 163328 Fied0C0A.dll
-a---- 12/4/2013 1:18 PM 727552 FIEDOLut.dll
-a---- 7/11/2016 2:57 PM 512000 fjicGuiCommon.dll
-a---- 5/23/2014 9:10 PM 645120 fjicImageRotation.dll
-a---- 7/11/2016 2:57 PM 54784 fjicqtwrap.dll
-a---- 3/24/2016 10:01 AM 109916 FJICSTI.xml
-a---- 3/24/2016 10:01 AM 110022 FJICSTI_0409.xml
-a---- 6/3/2016 10:24 AM 30208 fjictwcl.dll
-a---- 7/11/2016 2:57 PM 1603072 fjictwin.dll
-a---- 6/10/2016 4:46 PM 2322 fjictwinGui.ini
-a---- 7/11/2016 2:57 PM 2235904 fjictwinGuiDLL.dll
-a---- 6/3/2016 10:24 AM 25600 fjictwsv.exe
-a---- 11/17/2014 1:51 PM 15872 Fjicwrap.wrp
-a---- 11/1/2012 10:17 PM 49152 FJSTMKIC.dll
-a---- 10/7/2015 3:33 PM 1605632 FJTWMKIC.exe
-a---- 11/1/2012 10:17 PM 20 FJTWMKIC.ini
-a---- 7/6/2015 5:22 PM 49152 FJTWSVIC.exe
-a---- 12/9/2013 12:01 PM 204800 FsipDCB2.dll
-a---- 4/26/2016 1:06 PM 16384 i3DCmn.dll
-a---- 4/26/2016 1:06 PM 173568 i3DCmnRsc.dll
-a---- 4/26/2016 1:06 PM 15360 i3DLog.dll
-a---- 3/4/2014 4:49 PM 148 i3pfimex.ini
-a---- 5/30/2016 11:05 AM 781 icScanner.id
-a---- 10/1/2012 6:44 PM 543 icSupport.ini
-a---- 2/26/2014 1:07 PM 86016 IcWiaChecker.exe
-a---- 3/3/2014 3:03 PM 350 icWrapLog.ini
-a---- 5/31/2016 1:05 PM 983 icwReadThreadParam.ini
-a---- 3/24/2016 10:01 AM 111068 Import.xml
-a---- 3/24/2016 10:01 AM 111058 Import_0409.xml
-a---- 12/3/2015 7:23 PM 2356 ISInstallScannerEx.id
-a---- 12/3/2015 7:22 PM 784 ISInstallScanner_V01L01.ini
-a---- 2/26/2014 1:07 PM 49152 KillStisvc32ic.exe
-a---- 2/26/2014 1:07 PM 48128 KillStisvc64ic.exe
-a---- 2/26/2014 1:07 PM 47104 KillWia64ic.exe
-a---- 9/15/2015 2:34 PM 175104 pfexport.exe
-a---- 9/15/2015 2:34 PM 187904 pfimport.exe
-a---- 7/13/2016 2:24 PM 31 ProductInfo.ini
-a---- 1/29/2015 8:02 PM 2599424 QtCoreFjic4.dll
-a---- 1/29/2015 8:02 PM 8581120 QtGuiFjic4.dll
-a---- 7/31/2015 8:17 AM 182784 ScanTest.exe
-a---- 2/26/2014 1:07 PM 23 SCASupport_pstwain.ini
The directory contains a file that might reveal the version information, ProductInfo.ini:
PS C:\Windows\twain_32\Fjicube> cat ProductInfo.ini
[Version]
Version1=1.42.0.5685
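As an added example (not part of the original write-up), the manual steps above can be turned into a read-only inventory that an administrator runs to list every auto-start LocalSystem service backed by a non-Microsoft binary, with its file version and any ProductInfo.ini version beside it. The function names are hypothetical, and treating the file's CompanyName field as the vendor is an assumption: it is file metadata, not a signature check.

```powershell
# Added example, not from the original write-up. Read-only: it only queries
# service configuration and file metadata.

function Get-ServiceExePath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments.
    if ($PathName -match '^\s*"([^"]+)"')        { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $PathName.Trim()
}

function Get-ProductInfoVersion {
    param([string]$Directory)
    # Reads Version1 from the [Version] section of ProductInfo.ini (the layout
    # shown above); returns $null when the file or the key is absent.
    $ini = Join-Path $Directory 'ProductInfo.ini'
    if (-not (Test-Path -LiteralPath $ini -PathType Leaf)) { return $null }
    $section = ''
    foreach ($line in Get-Content -LiteralPath $ini) {
        if ($line -match '^\s*\[([^\]]+)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -eq 'Version' -and $line -match '^\s*Version1\s*=\s*(\S+)') {
            return $Matches[1]
        }
    }
    return $null
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.StartName -eq 'LocalSystem' } |
    ForEach-Object {
        $exe = Get-ServiceExePath $_.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe -PathType Leaf)) { return }
        $info = (Get-Item -LiteralPath $exe).VersionInfo
        # Assumption: CompanyName is used as a coarse vendor filter only.
        if ($info.CompanyName -like 'Microsoft*') { return }
        [pscustomobject]@{
            Service     = $_.Name
            Binary      = $exe
            Company     = $info.CompanyName
            FileVersion = $info.FileVersion
            ProductInfo = Get-ProductInfoVersion (Split-Path -Parent $exe)
        }
    } | Sort-Object Service | Format-Table -AutoSize -Wrap
```

Each row is a third-party component running as SYSTEM whose version should be checked against vendor advisories and patched or removed if it is out of date.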
Vulnerabilities
Looking it up online reveals a local privilege escalation exploit for PaperStream IP (TWAIN) 1.42.0.5685.
Moving on to the Privilege Escalation phase.