Tier 1: Responder - HackTheBox Starting Point - Full Walkthrough

Captions
In this video we're going to take a look at the newly released Responder machine from tier 1 of the Hack The Box Starting Point track. I'm already connected to the VPN and I've booted up the machine, but I haven't done anything else yet, so let's take a look at the first question: how many TCP ports are open on the machine? So there's a hint of what we need to do first of all, which is run a port scan. Normally I would use masscan to check all of the open TCP and UDP ports because it's quite fast at doing that, and you'll see me doing that on some of these videos if you stick with the series. In this case I'm not going to do that. Let's have a look. We can have a look at nmap -h to get the help menu and get a lot of different information about options here. We can also have a look at the man page and get a lot more detailed information, or we can use tldr to get some example commands, and this will give you some commands you can quite easily just copy and paste. Somebody also recommended a tool called navi to me recently, which you can open up with the Ctrl+G shortcut on the keyboard, and we can actually specify in here what we want to do. So in this case nmap; I'm going to do the TCP SYN scan because the standard scan didn't bring all the ports up for me, so I'm just going to hit enter on this one. It asks what IP or range we want to scan, so let's grab the IP address, let's paste that in there, and then it basically gives us everything we need for the command. So I'm going to take some of this out; I'm actually going to go and add the service enumeration and default scripts. It didn't need this either. Oh, we also need sudo privileges, so let's add that, and let's leave that to run.

While that's running let's go and see if we've got any web service. We can just go and open this up in a browser. We try to connect to the service and it's redirected to this hostname. You'll know from some of these videos that what I often do is go and add the IP address to the hosts file and just take the name of the machine, so in this case it would be responder.htb. If I'd done that in this case we would run into some problems, because it's actually redirecting to unika.htb. So let's go and add that to the hosts file, /etc/hosts. Let's paste in that domain, let's grab the IP address that we've been assigned, and this is going to route any request to this domain to this IP address, and vice versa. We'll close that down, we'll now try to reload that page and see what we get, and it seems to be loading up. We could have a browse around here and try and get an idea what kind of services we've got. We could also use this Wappalyzer to see what we've got: so we've got an Apache web server, it's running PHP, and we can also see it's Windows as well. So we might want to go and have a look for PHP files. We can do that with gobuster, so gobuster -h; we can see that we want to use directory mode. I've got an alias for this which you've probably seen me use before, but let me just grab it out in case you haven't. So from our bash aliases we want to grab, let me just grab gobuster, and you can see this is just running the directory mode with the standard wordlist and taking in the URL. So we'll do gobuster, let me grab the domain name, and let's provide that with php. We might want to do html or txt or something as well, but that's fine, I'll just leave that as it is. We could also run Nikto, pass in the host, and again we can see the version of PHP that we've got running, see what headers we've got; this might identify some vulnerabilities as well. Let's see if our nmap scan is still running. So while we're waiting, what I was going to do is check out some more of these links, maybe have a look at the source code on the site as well, see if there are any interesting comments. We could have a look at whatever files have been returned here, so if there are any interesting directories or files you might want to check out. You can see a lot of these are coming back with 403 errors, so we wouldn't actually be able to load them; index.php is the only one we're getting the 200 OK on.

Let's have a look at nmap; that's still running. Okay, so the first thing we need is to identify how many TCP ports are open on the machine, so let's wait for nmap to complete and then I'll come back. So that took another minute or two to complete. I should have actually run it with the verbose flag and then we would have seen the open ports as it was running, because it will first check for the open ports and then it will do the service enumeration and the default scripts afterwards, so we could have saved a little bit of time. But we've got our three open TCP ports: port 80, our HTTP service, 5985 and 7680. Let me take a copy of this. This port comes up quite a lot on Windows machines. Let's go and answer this question, so there's three TCP ports open. Let's also go and Google this port 5985, and if we Google that... I was expecting HackTricks to come up pretty quickly but it didn't. All right, we'll Google that with HackTricks and we'll see here "pentesting WinRM". So we can see here that WinRM, or Windows Remote Management, is a Microsoft protocol that allows remote management of Windows machines over HTTP or HTTPS. If it's enabled, it's trivial to remotely administer the machine from PowerShell; in fact you can just drop into a remote PowerShell session on the machine, as if you were using SSH. The easiest way is to see if these ports are open, so we do have one of those ports open. There's also a tool that we can use called evil-winrm. I'm not sure if that's mentioned in here, let me search for "evil"; yeah, so you can install evil-winrm with gem install evil-winrm, and we can use that to connect to this port once you've got a username and a password. You can also pass the hash as well, so you can provide a hash instead of a password if you're not able to crack the hash, for example. Okay, that's fine, let's go back.

Anyway, let's see what else we've got to do here. "When visiting the web service using the IP address, what was the domain that we were redirected to?" So that was what we had to set up here, this unika.htb; let's paste that in. "What scripting language is being used?" We know that as well because we had a look with Wappalyzer, so we saw that under programming languages we've got this PHP, so we'll submit that here as well. We also used gobuster to search for PHP files, directory busting, and this showed PHP here as well, for the server type in Nikto. Let's close these down for now, and next we're asked what is the name of the URL parameter which is used to load different language versions on the web page. So we'll go to the web page, we can see our languages over here, we can swap between English, French and German, so let's change it to German and we can see that the parameter is page. So this is the GET parameter and we can supply the language as the value. Let me close that down, let's submit that. "Which of the following values for the page parameter would be an example of exploiting a local file inclusion vulnerability?" So this is funny, it's actually given us some different examples, asking us a question, but it's quite clear from the answer field what the right answer is. But let's look through it anyway. So local file inclusion would be including a local file on the system that we shouldn't be able to access. This french.html we can access, that's supposed to be accessed, so we can just click that; we are including a local file but we're not exploiting any vulnerability. This is using an external IP address, so this could be a remote file inclusion, and it's also using a syntax like you would see with SMB or something. And then we have some directory traversal going to the hosts file, so including a file which shouldn't be accessible. And then we've got one, just mimikatz.exe, so just a binary. So it's going to be this one. Actually, what we would probably do as well is go and have a look for an LFI list, so let's search "lfi windows" and we can probably get a list of some file names to brute force; let me search "wordlist". So here's one, for example. It says intruder there, so we could use Burp Intruder, we could use some other kind of fuzzing tool, ffuf or something like that, basically just passing this list and trying to see what comes back, so what files are on the system and accessible. We could also get an idea what's there based on the server, so we saw that it was an Apache server, so maybe we'd have a look in here and see what is the format for the Apache... so you can see here Apache logs, so you might want to take that. You can also add some of the directory traversal stuff into this as well; that won't always be needed.

Let's actually try this out. So at the moment it's taking this french.html; let's take a copy of this. We want to use this one because this is a file... you want to try and find a file that's going to be there on the system. Oh, I hate it when that happens. Okay, let's do that again, just make sure it has the http at the beginning so that doesn't happen, and you can see that works. We could also try and take out this directory traversal and see can we just provide C:; that also works. So in some cases, let me try and access something that is maybe not available. Let me try the Apache... I can't remember what it was now, apache log or apache.log or something. So in this case we get an error, so this could also give us an idea. In some cases you might not be able to provide the actual file path like this; you might need to traverse the directory back to the root. So in our case, for example, we can see what it's trying to call here, so we might need to go back one directory, two directories to get back to the C: directory. In that case we know we need to do something like ../../. We could also potentially use this to read PHP files. So typically with a PHP file we shouldn't be able to read the code because it's on the server side, so we can't just right-click and view source and access that, but let's try and see if we can use a filter. So if we just load that, it's going to be nothing of interest. Let's... I shouldn't have closed down HackTricks; let's get the file inclusion cheat sheet here, and what I'm looking for is one of these filters. So you can see here php filter; there's a few different options, we can use rot13 and we can use base64 or something to basically encode the code that's in that file. So let me provide that; there we have the base64 encoded code, so let's go and do echo, paste that in, and then send that to base64 -d, and here we can actually see the PHP code. So we might want to try and do that if there's any other interesting files here; maybe there's a database file or some kind of PHP file with credentials in it. We might also want to test for remote file inclusion as well. Let's actually go back and see what it's asking us to do; I don't want to skip too far ahead. "Which of the following values for the page parameter would be an example of exploiting a remote file inclusion vulnerability?" So that would be this one. So this is using the 10.10.14 IP address, which is the same IP address as we should have for our VPN; I've got .14.18. So this is trying to access a file from our system. Let me submit that. Let's go back and try this, let's put in the same thing; mine was .18. Let me go and set up a web server on port 80. That "s" is just sudo; I've just got a shortcut set up so I don't have to type in the full sudo all the time. This is going to complain because I don't have http there, notice that, so let's go back, let me do that again with http. I know you can set it so it doesn't do that, but sometimes I want to just search from the search bar, so I don't bother. But we don't get any requests back here anyway.

We're asked next then, what does NTLM stand for? So we can just Google this; it's the New Technology LAN Manager. NTLM acronym, or you can just Google the name, it should come up here somewhere in the search engine. Yeah, NTLM: Windows New Technology LAN (local area network) Manager. Okay, so New Technology LAN Manager. And now we're getting on to the goal of the box, or well, the topic of the box, which is the Responder utility. "Which flag do we use in the Responder utility to specify the network interface?" So we can go and do responder -h. You can use tldr if there is an index for this one as well, which just gives you the examples from the man page, but I don't think there is actually one for this. But we can see that it takes -I as the adapter. In our case the adapter will be not eth0 but tun0, because that's where our VPN is connected, so let's provide -I. And let's also go and have a look and see what Responder is all about. So I'll leave a link to this article in the description along with some others about Responder and LFI and whatever we go through in this video, but as we can see here, Responder is a standard go-to tool in a penetration tester's toolbox. It's likely one of the first tools run when simulating attackers trying to steal password hashes and gain a foothold into the network. After capturing a hash, most testers assume that the only path forward is cracking the captured password hashes; however, if the hashes prove uncrackable, Responder can be used with its less well-known sidekick MultiRelay to automatically relay the authentication requests. We're not going to be doing that, but that's worth bearing in mind; you can follow this article and use MultiRelay to relay hashes. So how does Responder work? Well, I'll simplify and summarize this a little bit, but essentially it's telling us that when Windows machines are unable to resolve hostnames through their DNS or local hosts file, like we set up at the beginning of this video where we linked the IP address to the hostname... well, if it can't resolve it, it'll essentially broadcast out to the network and ask if there are any other systems that can resolve that address, so that hostname, and that's where Responder is going to come in. Responder is going to respond and say "we're the system that you're looking for", and essentially the system's going to try to authenticate with us and send over the NTLM password hash.

Okay, so the next question is asking us to crack the hashes, asking what tool we can use. The tool is often referred to as John; what's the full name? And it's John the Ripper, so let's submit that. And let's go and get the hash. So we need to run Responder, remember this is tun0, we need to do that with root privileges so sudo that as well, and you can actually see that this will set up a lot of different servers. It's going to try a range of different servers; only some of them might be accessible due to permissions and stuff on the victim. And that's it. We've got our IP address, I'm going to take a copy of this; in fact I think we've already got it in there still. Let's go back over here, yeah, all right, so we've got that. It's trying to request some file. Let's try and run it, let's go back, and there's our hash coming through. So we can take a copy of this, we can create a file called hash and paste that in there, and let's use John the Ripper and provide a wordlist. I'm going to put a space here because I want to be able to use autocomplete and use the rockyou password list. We're taking a hash, and I'm going to go back and take the space out. It's a little bit quicker, and very, very quickly we cracked the hash, which was badminton. So there we go, we've now got a password to log in with. Let's go and answer a question, and we've been asked then what is the Windows service we looked at earlier; it was 5985, and that's the service we're going to be able to connect to using evil-winrm. It's asking us for the root flag, so that's the last thing we need to do. Let's connect to it. Let's do evil-winrm -h and we can see it wants an IP address from us, it wants a user, and we want to provide the password as well. So let's go and grab that IP, although we could just provide the hostname, but I can't remember what that is either off the top of my head. Let's provide evil-winrm, the IP address, the user was administrator, where is it, there it is, administrator, and the password was badminton. We'll run that and that should connect us, and we can use ls and stuff here as well as using the Windows alternatives; basically we're connected to a PowerShell. So let's go back, see what we've got here, we can have a look around for this flag. Do we get autocomplete here? We don't. Okay, and let's check this mike directory; we've got a flag.txt, we print that out and we've got our flag. So let's submit that, and that's the Responder machine completed. So I hope you've enjoyed this video; if you have any questions or comments, leave them down below. Thanks!
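As an added example (not code from the video, from CryptoCat or from Hack The Box), here is the defender's view of the page-parameter abuse walked through above: a small Python script that parses Apache access-log lines and flags page values showing directory traversal, absolute Windows paths, php:// wrappers or remote URLs instead of the expected language files. The log lines, the allowlist and the rule set are constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Values the language switcher is expected to send (constructed allowlist).
ALLOWED_PAGES = {"english.html", "french.html", "german.html"}

# Each rule is (name, regex) applied to the URL-decoded `page` value.
RULES = [
    ("directory_traversal", re.compile(r"(\.\./|\.\.\\)")),
    ("absolute_windows_path", re.compile(r"^[a-zA-Z]:[\\/]")),
    ("php_wrapper", re.compile(r"^(php|data|expect|phar)://", re.I)),
    ("remote_include", re.compile(r"^(https?|ftp|smb)://|^\\\\", re.I)),
]

# Apache common/combined log prefix: client ident user [time] "method path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

def classify_page_value(value):
    """Return the rule names matched by one `page` value ([] if it is benign)."""
    decoded = unquote(unquote(value))  # tolerate double URL-encoding
    if decoded in ALLOWED_PAGES:
        return []
    hits = [name for name, rx in RULES if rx.search(decoded)]
    return hits or ["not_in_allowlist"]

def scan_access_log(lines):
    """Return (client_ip, raw page value, matched rules) for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("path")).query)
        for value in query.get("page", []):
            hits = classify_page_value(value)
            if hits:
                findings.append((m.group("ip"), value, hits))
    return findings

# Constructed sample log lines mirroring the kinds of requests made in the walkthrough.
SAMPLE_LOG = [
    '10.10.14.18 - - [10/Apr/2022:12:00:01 +0000] "GET /index.php?page=french.html HTTP/1.1" 200 1234',
    '10.10.14.18 - - [10/Apr/2022:12:00:05 +0000] "GET /index.php?page=../../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 850',
    '10.10.14.18 - - [10/Apr/2022:12:00:09 +0000] "GET /index.php?page=C:/windows/system32/drivers/etc/hosts HTTP/1.1" 200 850',
    '10.10.14.18 - - [10/Apr/2022:12:00:13 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 4000',
    '10.10.14.18 - - [10/Apr/2022:12:00:17 +0000] "GET /index.php?page=http://10.10.14.18/somefile HTTP/1.1" 500 120',
    '10.10.14.18 - - [10/Apr/2022:12:00:21 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fwindows%2fwin.ini HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, value, hits in scan_access_log(SAMPLE_LOG):
        print(f"{ip} page={value!r} -> {', '.join(hits)}")
```

The same allowlist check is what the server-side include should enforce in the first place; the log scan is for finding attempts after the fact.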
Info
Channel: CryptoCat
Views: 70,038
Keywords: Responder, Hack The Box, HackTheBox, HTB, Starting Point, starting-point, tier 1, Windows, SAMBA, Enumeration, Apache, WinRM, LFI, local file inclusion, remote file inclusion, password cracking, evil-winrm, NTLM, netbios, multirelay, pen-testing, pentest, OSCP, penetration test, redteam, offsec, infosec, cybersecurity, training, ethical hacking, enumeration, port scanning, fuzzing, nmap, nikto, gobuster, tldr, wappalyzer, web proxy, privesc, learn, walkthrough, guide, hacking, hack, cyber, CTF, capture the flag, security
Id: R8GOLiKIA1k
Length: 19min 26sec (1166 seconds)
Published: Sun Apr 10 2022