Responder is a boot2root challenge on HackTheBox. It is rated “Very Easy” and is part of the Starting Point track.
Enumeration started with an Nmap scan. The following command scans the top 1000 TCP ports of the target with the default script set (-sC) and version detection (-sV), writes the results to a file called “initial” (-oN) and raises the verbosity with -vv:
sudo nmap 10.129.185.223 -sC -sV -oN initial -vv
After the scan, we can see that the target is running an Apache web server on port 80.
After that I started a second scan, which covers all 65535 TCP ports of the target:
sudo nmap 10.129.185.223 -p- -oN all_ports -vv
The second scan showed three open ports.
I scanned the target again with Rustscan, and this time port 7680 appeared closed, so that entry was a false positive. Port 7680 is used by the Windows Delivery Optimization service, which tends to come and go between scans, so a second look before spending time on it is worthwhile.
Analyzing the web server
After opening the IP in a web browser, we get redirected to “unika.htb”.
So I added that domain to my hosts file, pointing it at the target IP.
After that I was able to open the web page.
With Wappalyzer I was able to identify the technologies in use. The interesting findings are that the target runs Windows and the site is written in PHP.
The web page has a function to change the language. When the language is changed, the URL carries a parameter named “page” whose value is an HTML file name.
Next I tested that parameter for a local file inclusion (LFI) vulnerability by trying to load the hosts file of the server. Because the server is a Windows host, I used the following path:
After that I tried to load a remote file. On a Windows host, pointing the include at a UNC path (\\<attacker IP>\share) makes the web server process connect to that share over SMB and authenticate, and Responder, acting as a fake SMB server, records the NTLMv2 authentication attempt. First I started Responder on the tun0 interface, because that is the interface through which I am connected to the HTB network:
sudo responder -I tun0
Next I sent the following GET request:
That request worked: Responder captured the NTLMv2-SSP response of the Administrator user of the target machine. This is a challenge-response value, not the stored NT hash, so it cannot be replayed with pass-the-hash, but it can be cracked offline:
I saved the captured line into a file called “hash.txt” and cracked it with John the Ripper, which recognises the netntlmv2 format on its own, using the “rockyou.txt” password list.
Getting the flag
From the scans we know that WinRM (port 5985) is running on the server, so with the cracked password I connected as Administrator using evil-winrm:
evil-winrm -i 10.129.185.223 -u Administrator -p badminton
The flag was inside the Desktop of user