HTB — Tier 1 Starting Point: Responder

Dan Schwarzentraub
Jul 20, 2023

Task 1

When visiting the web service using the IP address, what is the domain that we are being redirected to?

Answer: unika.htb

We need to add the site to our hosts file

Task 2

Which scripting language is being used on the server to generate webpages?

Let’s view the source code

I initially thought it was CSS, which it’s not. So I ran an nmap scan

Answer: PHP

Task 3

What is the name of the URL parameter which is used to load different language versions of the webpage?

Answer: page

Task 4

Which of the following values for the `page` parameter would be an example of exploiting a Local File Include (LFI) vulnerability: “french.html”, “//10.10.14.6/somefile”, “../../../../../../../../windows/system32/drivers/etc/hosts”, “minikatz.exe”

Answer: ../../../../../../../../windows/system32/drivers/etc/hosts

Task 5

Which of the following values for the `page` parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: “french.html”, “//10.10.14.6/somefile”, “../../../../../../../../windows/system32/drivers/etc/hosts”, “minikatz.exe”

Answer: //10.10.14.6/somefile
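
The four `page` values from Tasks 4 and 5 can be told apart mechanically, which is what a defender reviewing web access logs would do. The following is an added example, not part of the original write-up or the HTB material; the log lines are constructed and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines using the four values from Tasks 4 and 5.
SAMPLE_LOG = [
    '10.10.14.6 - - [20/Jul/2023:10:00:01 +0000] "GET /index.php?page=french.html HTTP/1.1" 200 512',
    '10.10.14.6 - - [20/Jul/2023:10:00:05 +0000] "GET /index.php?page=../../../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 824',
    '10.10.14.6 - - [20/Jul/2023:10:00:09 +0000] "GET /index.php?page=//10.10.14.6/somefile HTTP/1.1" 200 0',
    '10.10.14.6 - - [20/Jul/2023:10:00:12 +0000] "GET /index.php?page=minikatz.exe HTTP/1.1" 200 0',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

def classify_page_value(value):
    """Return 'remote', 'traversal', 'absolute' or 'ok' for a page= value."""
    # Normalise percent-encoding (bounded) before matching on the path shape.
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.replace("\\", "/")      # Windows accepts both separators
    if value.startswith("//") or SCHEME_RE.match(value):
        return "remote"                    # UNC path or URL wrapper (RFI)
    if ".." in value.split("/"):
        return "traversal"                 # leaves the include directory (LFI)
    if value.startswith("/") or re.match(r"^[a-z]:/", value, re.I):
        return "absolute"                  # absolute local path
    return "ok"                            # plain file name, e.g. french.html

def scan(lines, param="page"):
    """Yield (verdict, value) for each log line that carries the parameter."""
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            yield classify_page_value(value), value

if __name__ == "__main__":
    for verdict, value in scan(SAMPLE_LOG):
        print(f"{verdict:10} {value}")
```

A `remote` verdict on a Windows host matters beyond the include itself: a `//host/share` path makes the server open an SMB connection to that host, which is the behaviour Task 9 relies on.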

Task 6

What does NTLM stand for?

Answer: New Technology LAN Manager

Task 7

Which flag do we use in the Responder utility to specify the network interface?

Answer: -I

Task 8

There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as `john`, but the full name is what?

Answer: John the Ripper

Task 9

What is the password for the administrator user?

We will need to start Responder on our tun0 interface (I had a lot of TCP server errors, so I had to run `ps aux | grep responder` and kill each individual Responder process that was running).

Now with it monitoring for events, we need to navigate to the following URL (replacing the IP with our tun0 IP)

When we head back to Responder, we will have captured a hash

Let’s copy the hash into a file

Now we will use John and the rockyou wordlist to crack it

Answer: badminton

Task 10

We’ll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What TCP port does it listen on?

Answer: 5985

Submit root flag

Answer: ea81b7afddd03efaa0945333ed147fac
