Sweep - Hack The Box
Enumeration
Nmap
The initial nmap scan revealed that SMB, LDAP and Kerberos were open, along with some non-default ports such as 81 and 82.
SMB Null Session
An SMB null session was allowed, and through it I got access to the IPC$ share. That made a RID brute-forcing attack possible to enumerate domain users.
Brute Forcing
With the retrieved users, I first generated a user list.
Then I generated a brute-force list with blank passwords, reversed usernames and passwords identical to the usernames.
The brute force revealed that the user “intern” had the password “intern”.
Exploitation
Lansweeper
Lansweeper is an IT discovery and inventory platform that delivers insights into the status of users, devices and software within IT environments. It inventories connected IT devices, enabling organizations to manage their IT infrastructure centrally.
Port 81 served the Lansweeper web interface, which can be logged into with domain credentials. I used “intern:intern” to log in to the Lansweeper dashboard.
With Lansweeper, we can run credentialed scans to discover assets. First I checked which credentials were saved.
There were two service account credentials saved. One of them was a Linux service account. Because a credentialed scan presents the stored credentials to whatever host it targets, I could create an SSH honeypot with sshesame and run a credentialed scan against my machine to capture the service account's password.
With the obtained credentials, I ran BloodHound to analyze further. The service account had GenericAll over the “Lansweeper Admins” group, which could WinRM to the DC.
So I simply added the service account to the “Lansweeper Admins” group and, using evil-winrm, got a shell and the user flag.
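As an added defensive example, not part of the original writeup: the two noisy steps above, the password spray against the enumerated users and the addition of a service account to “Lansweeper Admins”, both leave traces in the Windows Security log. The snippet below runs simple detections over constructed sample events (4625 failed logons and 4728 group additions); the event fields, account names, IPs and thresholds are assumptions, not values from the box.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security events with simplified fields (not real logs).
# 4625 = failed logon, 4728 = member added to a security-enabled global group.
SAMPLE_EVENTS = [
    {"id": 4625, "time": "2024-01-01T10:00:01", "src_ip": "10.10.14.5", "user": "intern"},
    {"id": 4625, "time": "2024-01-01T10:00:02", "src_ip": "10.10.14.5", "user": "jdoe"},
    {"id": 4625, "time": "2024-01-01T10:00:03", "src_ip": "10.10.14.5", "user": "asmith"},
    {"id": 4625, "time": "2024-01-01T10:00:04", "src_ip": "10.10.14.5", "user": "svc_web"},
    {"id": 4625, "time": "2024-01-01T10:00:05", "src_ip": "10.10.14.5", "user": "backup"},
    # One user mistyping their password twice is not a spray.
    {"id": 4625, "time": "2024-01-01T10:30:00", "src_ip": "10.10.20.9", "user": "jdoe"},
    {"id": 4625, "time": "2024-01-01T10:30:30", "src_ip": "10.10.20.9", "user": "jdoe"},
    # A service account (constructed name) adding itself to an admin group.
    {"id": 4728, "time": "2024-01-01T11:05:00", "actor": "svc_inventory",
     "member": "svc_inventory", "group": "Lansweeper Admins"},
    {"id": 4728, "time": "2024-01-01T11:06:00", "actor": "admin",
     "member": "jdoe", "group": "Marketing"},
]

WATCHED_GROUPS = {"Lansweeper Admins", "Administrators", "Domain Admins"}


def detect_password_spray(events, min_users=5, window=timedelta(minutes=5)):
    """Return source IPs that failed logons for at least min_users distinct
    accounts inside any window-sized span. Many accounts from one source with
    few tries each is the spray signature; repeated failures for one account is not."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    flagged = set()
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_users:
                flagged.add(src)
                break
    return flagged


def detect_privileged_group_change(events, watched=WATCHED_GROUPS):
    """Return (actor, member, group) for every addition to a watched group;
    an account adding itself to an admin group is the GenericAll abuse above."""
    return [(e["actor"], e["member"], e["group"]) for e in events
            if e["id"] == 4728 and e["group"] in watched]
```

The same two checks apply to 4771/4776 for Kerberos and NTLM failures and to 4732 for domain local groups; the structure does not change.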
Privilege Escalation
I first checked BloodHound, which did not reveal any path to Administrator. Then I ran winPEAS, which also did not reveal anything useful.
I then logged in to Lansweeper again, this time with the service account credentials. Because the service account had been added to the Lansweeper Admins group, I could now see additional functionality such as deployment.
The deployment functionality allows us to run commands on a specified machine. These commands can run as any user whose credentials are stored, or as the system account. The system account did not work.
From the BloodHound output I knew that the other service account was in the Administrators group.
Thus, I simply mapped the other service account's credentials to the Domain Controller.
Then I tested whether I could run commands as that user. I tried ‘powershell.exe echo “test” > test.txt’ and it worked.
I then updated the command, downloaded Invoke-PowerShellTcp.ps1 and started a Python web server to host it.
Starting a netcat listener and deploying the command got me the Administrator shell.
Pwned
The machine was fully pwned.