Responder walkthrough HTB
Hey everyone!
I will cover solution steps of the “Responder” machine, which is part of the ‘Starting Point’ labs and has a difficulty rating of ‘Very Easy’.
Now, navigate to the Responder machine challenge, download the VPN (.ovpn) configuration file, and open a terminal window to run the command below:
sudo openvpn [filename].ovpn
Note: [filename] should be replaced with the name of your downloaded .ovpn file for the Starting Point lab.
Now let’s spawn the machine. This is what the interface looks like after the machine is spawned.
Task 1
When visiting the web service using the IP address, what is the domain that we are being redirected to?
Ans: unika.htb
To view the webpage, you will need to add the target IP to the /etc/hosts file: open a text editor in the terminal and enter the IP address and hostname of the page.
After following these steps, the page will load instantly.
Task 2
Which scripting language is being used on the server to generate webpages?
Ans: php
Task 3
What is the name of the URL parameter which is used to load different language versions of the webpage?
Ans: page
Once the language is changed, the URL in the address bar reflects the different language versions of the webpage.
Task 4
Which of the following values for the `page` parameter would be an example of exploiting a Local File Include (LFI) vulnerability: “french.html”, “//10.10.14.6/somefile”, “../../../../../../../../windows/system32/drivers/etc/hosts”, “minikatz.exe”
Ans: ../../../../../../../../windows/system32/drivers/etc/hosts
Task 5
Which of the following values for the `page` parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: “french.html”, “//10.10.14.6/somefile”, “../../../../../../../../windows/system32/drivers/etc/hosts”, “minikatz.exe”
Ans: //10.10.14.6/somefile
To exploit the Remote File Include, it needs to have an IP address of the target machine, in this case, //10.10.14.6/somefile.
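Added example (not part of the original walkthrough or of the lab's code): a defender-side check that classifies values of the `page` parameter from Tasks 4 and 5 and flags them in web access logs. The function names, the combined log format and the 192.0.2.x client addresses are assumptions made for illustration; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

PARAM = "page"  # parameter name from Task 3
# Constructed sample lines (combined log format, documentation client IPs).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=french.html HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=../../../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 824',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?page=//10.10.14.6/somefile HTTP/1.1" 200 300',
    '192.0.2.13 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252fwindows/system32/drivers/etc/hosts HTTP/1.1" 200 824',
]

def _fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %252e%252e) up to max_rounds times."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_page_value(raw):
    """Return 'remote-include', 'path-traversal', 'absolute-path' or 'ok'."""
    value = _fully_decode(raw).replace("\\", "/").lower()
    if value.startswith("//") or re.match(r"^[a-z][a-z0-9+.-]*://", value):
        return "remote-include"   # UNC-style share or scheme:// URL (RFI)
    if ".." in value.split("/"):
        return "path-traversal"   # climbs out of the web root (LFI)
    if value.startswith("/") or re.match(r"^[a-z]:/", value):
        return "absolute-path"    # names a file outside the page set (LFI)
    return "ok"

def scan_access_log(lines):
    """Yield (client_ip, verdict, value) for each suspicious `page` value."""
    request_re = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
    for line in lines:
        m = request_re.match(line)
        if not m:
            continue
        client, target = m.groups()
        query = urlsplit(target).query
        for value in parse_qs(query, keep_blank_values=True).get(PARAM, []):
            verdict = classify_page_value(value)
            if verdict != "ok":
                yield client, verdict, value

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The same classifier can sit in front of the include as an input check, although a fixed allowlist of page names is the stronger control.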
Task 6
What does NTLM stand for?
Ans: New Technology LAN Manager
Task 7
Which flag do we use in the Responder utility to specify the network interface?
Ans: -I
First, identify the IP using the command “ip a | grep” followed by the network interface name.
To confirm that Responder is working correctly, we can check whether it captures an event. To do this, attempt to open a shared file using the IP and a shared folder name in your web browser. However, this action will likely be denied due to the folder needing to be available and needing permission.
In the terminal where Responder was running, the captured NTLM information includes the client’s IP, username, and password hash.
Task 8
There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as `john`, but the full name is what?
Ans: john the ripper
Task 9
What is the password for the administrator user?
Ans: badminton
Task 10
We’ll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What port TCP does it listen on?
Ans: 5985
Submit root flag
Let’s proceed with the flag hunt by utilizing evil-winrm, a package that includes Windows Remote Management for accessing the target computer. Finally, we have all the necessary information, including the IP address, username, and password.
To move between directories and folders, use the “cd” command; to list the contents of a folder, use “dir”. The flag was hidden under the user Mike.
flag:ea81b7afddd03efaa0945333ed147fac
And we can see that our machine has been pwned!