Sweep
A medium Vulnlab machine
Enumeration
This is the nmap scan below:
┌──(krrish㉿krrish)-[~/hackthebox/sweep]
└─$ nmapAutomator -H 10.129.234.177 -t All
Running all scans on 10.129.234.177
Host is likely running Windows
---------------------Starting Port Scan-----------------------
PORT STATE SERVICE
53/tcp open domain
81/tcp open hosts2-ns
82/tcp open xfer
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5985/tcp open wsman
---------------------Starting Script Scan-----------------------
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
81/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-title: Lansweeper - Login
|_Requested resource was /login.aspx
82/tcp open ssl/xfer?
| ssl-cert: Subject: commonName=Lansweeper Secure Website
| Subject Alternative Name: DNS:localhost, DNS:localhost, DNS:localhost
| Not valid before: 2021-11-21T09:22:27
|_Not valid after: 2121-12-21T09:22:27
| tls-alpn:
| h2
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-01-05 03:04:31Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sweep.vl, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sweep.vl, Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=inventory.sweep.vl
| Not valid before: 2026-01-04T03:02:47
|_Not valid after: 2026-07-06T03:02:47
| rdp-ntlm-info:
| Target_Name: SWEEP
| NetBIOS_Domain_Name: SWEEP
| NetBIOS_Computer_Name: INVENTORY
| DNS_Domain_Name: sweep.vl
| DNS_Computer_Name: inventory.sweep.vl
| DNS_Tree_Name: sweep.vl
| Product_Version: 10.0.20348
|_ System_Time: 2026-01-05T03:05:03+00:00
|_ssl-date: 2026-01-05T03:05:43+00:00; +1s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: INVENTORY; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2026-01-05T03:05:04
|_ start_date: N/A
---------------------Starting Full Scan------------------------
PORT STATE SERVICE
53/tcp open domain
81/tcp open hosts2-ns
82/tcp open xfer
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5985/tcp open wsman
9389/tcp open adws
9524/tcp open unknown
49664/tcp open unknown
49668/tcp open unknown
55984/tcp open unknown
55998/tcp open unknown
63191/tcp open unknown
63192/tcp open unknown
64639/tcp open unknown
In the nmap scan we can see that port 81 is running the Lansweeper service and has a login page.
Lansweeper is a service that helps IT companies manage and monitor their technology assets; it works across IT environments such as cloud, IoT, OT, etc.
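As an added example (not part of the original writeup), this Python snippet parses nmap output like the scan above and turns it into defender-side findings; the SCAN text is a constructed excerpt of the scan shown on this page, not a live scan.

```python
"""Added example (not from the original writeup): parse nmap service-scan
output like the one above and flag the management surfaces a defender should review."""
import re

# Constructed excerpt of the scan output shown above, not a live scan.
SCAN = """\
53/tcp open domain Simple DNS Plus
81/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-title: Lansweeper - Login
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sweep.vl, Site: Default-First-Site-Name)
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| DNS_Computer_Name: inventory.sweep.vl
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| smb2-security-mode:
|_ Message signing enabled and required
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$")   # "81/tcp open http ..."
KV_RE = re.compile(r"^\|_?\s*([\w-]+):\s+(.+)$")               # "| key: value" script lines

def parse_scan(text):
    """Return (ports, info): ports maps port -> (service, version);
    info holds 'key: value' script lines such as DNS_Computer_Name."""
    ports, info = {}, {}
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            ports[int(m.group(1))] = (m.group(2), m.group(3).strip())
        elif m := KV_RE.match(line):
            info[m.group(1)] = m.group(2).strip()
    return ports, info

def review(text):
    """Defender triage: which exposed services widen the attack surface."""
    ports, info = parse_scan(text)
    findings = []
    if 81 in ports and "Lansweeper" in info.get("http-title", ""):
        findings.append("Lansweeper console exposed on 81/tcp; restrict to the admin network")
    for port, name in ((3389, "RDP"), (5985, "WinRM")):
        if port in ports:
            findings.append(f"{name} listening on {port}/tcp; limit to management hosts")
    if "DNS_Computer_Name" in info:
        findings.append(f"RDP NTLM info discloses {info['DNS_Computer_Name']} pre-auth")
    if "Message signing enabled and required" in text:
        findings.append("SMB signing required; NTLM relay to 445/tcp is blocked")
    else:
        findings.append("SMB signing not required; enforce it on the DC")
    return findings
```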
First let's focus on SMB enumeration: check the guest login and gather more data about the domain.


Here we can see that guest login is enabled, so we used --rid-brute to get info about the domain.
Let's make a users.txt with these users and check whether any user has a password the same as its username.

Here we have a hit: the user intern has the same password as its username.
Enumerating more about this user shows that it can read more shares than guest, but unfortunately we didn't get anything.

For user
When I further tried this password on the Lansweeper website, it was valid and we could log in and explore the website.

In Lansweeper we can abuse the scanning service: we ask a service account to scan a target by logging in with its credentials, and see whether the login works. We will set up a fake ssh server and the service account will log in to it.
Now let's configure the scanning and set up a fake ssh server to get the creds.
First click on scanning --> scanning targets --> then click on add scanning targets.


Change the ssh port to 6969, as this will be the port of our fake ssh server; also add your IP in the start IP, then save it. Then go to scanning --> scanning credentials --> credential mapping, add one with the below configuration and save it.

Go to the terminal, make one file called ssh.conf and start the fake server.
Now go to scanning targets and click on scan now.

After some time we get the credentials of user svc_inventory_lnx.

The credentials of user svc_inventory_lnx were correct and it has the same share access as the intern user, so it was not worth exploring the shares, but it was quite worth exploring BloodHound.

In BloodHound we can see that the user svc_inventory_lnx has GenericAll on the group LANSWEEPER ADMINS, and further the members of the group LANSWEEPER ADMINS are members of REMOTE MANAGEMENT USERS, so we can get a shell (winrm).


Let's add svc_inventory_lnx to the Lansweeper Admins group.

Let's grab user.txt from the winrm shell.

For root
The way I did it was to use an automated tool that decrypts the passwords stored in Lansweeper's local database, the ones used for scanning credentials:
https://github.com/Yeeb1/SharpLansweeperDecrypt

In BloodHound we can see that svc_inventory_win is in the Administrators group, so we can dump the hashes :)


Let's grab root.txt using the admin hash.

Pwn3d the machine !!