Hey this was really great. As someone who is a true beginner I'm not really sure if the point of these boxes is to just stump me or what lol. It says "Very Easy" but someone who is new to the world of pentesting sure wouldn't know what Responder is.
Thanks and you're totally correct, HTB is hard.. even when it is "easy". That's especially true when you're new to cybersecurity (maybe IT in general). You'll learn through the struggle though 🙂
ermmm tbh I haven't really used many of them 😂 I just installed whatever security related ones I could find linked to the navi github. My friend put together these cheat sheets though, which I'd definitely recommend for pentesting: github.com/esp0xdeadbeef/cheat.sheets
@@biba7859 I also tried to output to a file to see if anything changed, and I tried to look in the .pot file john creates for the passwords. Both failed: both files came out empty, as if john is not producing any output. Something I found interesting: where it shows the number of guesses, my sessions end with 0gs.
Hmmm I had a look through GitHub issues but couldn't see much, unless this helps: github.com/openwall/john/issues/4852 github.com/openwall/john/issues/5074
I keep getting this error when i try to launch the responder using "sudo python Responder -I ..." /Responder.py", line 42 print color("[!] Responder must be run as root.") which git repository did you clone from
I had the same issue, here's what worked for me: "sudo python2 Responder.py -I tun0". Use "python2" instead of "python". This allowed me to intercept the NTLM hash without the error anymore. Hope this helps.
At last I found a mentor... Thank you so much! Here I have a few small open points. 1) When we injected the attacker IP address via the page parameter, why did the victim try to authenticate? How does the victim know that it should send the username and hashed password to authenticate? Furthermore, is it possible to capture that request via netcat with something like -lnvp? I learnt that when a server gets an authentication request, it should transmit a challenge to the requester, but still I thought that I could use netcat to prove RFI is possible. Why can't I catch them via netcat? Why should we add a wrapper such as "php://filter/convert.base64-encode/resource=index.php" to see the contents of index.php? Why did it not work the first time? What precaution forces us to add this while we can get the contents of the file "hosts.txt" easily? Thanks
Hi mate, thanks for the support! For your first question (on how the authentication request works), I would recommend reviewing the article that I skimmed over in the video: www.sikich.com/insight/using-multirelay-with-responder-for-penetration-testing Your second question; if you set up a netcat listener on the SMB port you should see some request from the RFI (I incorrectly used the HTTP port in the video, which presumably does not have outbound access). Although that should give some response, you would need Responder to say "I am the machine you are looking for" in response to each of the requests. Final question; we need the PHP filter trick to read PHP files because the vulnerable code is using the "include" function. If we try to access PHP files without the filter, they will be included (executed) and we won't see the source code. Any other extension, e.g. txt, should be fine to read without a filter. Hope that helped, all the best 😊
For the subl part? In the Sublime text editor, do I need to type the screen at 2:23? Or is there a file I need to download to be able to view the website? When I downloaded subl, it comes up as blank
Nice video! There's something I don't get though. I understand virtual hosting and why we need to add the IP address to the /etc/hosts file. I understand the server wouldn't know which hostname to redirect the browser to if we type in the IP address without that. However, I don't understand why, if we type the hostname in the browser (without updating /etc/hosts), the page won't load. Can you explain that? Thanks.
Thanks, and sure! When we type the hostname into the address bar, e.g. responder.htb, the browser will attempt to resolve the DNS. It will ask the OS, "what is the IP address for responder.htb?". First, the OS will look in the /etc/hosts file and see if there's an entry for responder.htb. If so, it will return that IP and redirect the browser accordingly. If there is no entry for responder.htb it will reach out to DNS servers, e.g. Google, and ask if they know which IP address is associated with the domain. Since responder.htb isn't a real website (.htb isn't even a valid TLD), no DNS server will be able to find an IP, so our only option is to add an entry to /etc/hosts. Hopefully I understood your question properly and the answer made sense 😁
keep getting this error when trying to run responder "Error starting TCP server on port 3389, check permissions or other servers running.", anyone else have this or know how to fix?
@@_CryptoCat I am also getting the same error as @GeratTheGreat. And yes, on port 3389 I have an RDP session because I am doing this on Practice-Labs. Is there a way to change the port of Responder instead?
Navi actually looks like a really interesting tool, I'll note that one down. May I ask which repo you got the cheatsheet for nmap etc. from, or is that one self-made?
I installed this one: github.com/esp0xdeadbeef/cheat.sheets and some of the security related ones from the Navi repo. I really need to put my own commands into the cheatsheet but I cba 😂
@@_CryptoCat Thanks a lot, definitely a nice tool though, that I could see becoming all the more useful under time pressure at a ctf or something, nothing worse than sitting there in the last hour getting stuck when forgetting about how a tool exactly worked again.
@@_CryptoCat Hey, I can't manage to install the shell widget on Kali. I get this error message: "navi widget fish | source" gives "source: not enough arguments", then "Command 'navi' not found, did you mean: command 'savi' from deb savi, command 'nvi' from deb nvi, command 'navit' from deb navit, command 'nabi' from deb nabi. Try: sudo apt install", so Ctrl+G doesn't work for me.
Hey thanks for this video! I was wondering how I could find the LFI vulnerability (AKA the Windows hosts file) on the target without the help of the HTB questions. And I'm struggling because the vulnerable page displays an error which is considered by gobuster as a 400 status. So every path tried is considered a success. I could also try to add ../ until I find what I want, but that's not a very efficient way? How would you do it? Thanks again for the video, it is very helpful!
You can use the --exclude-length option if all responses return to the same response code, e.g. "don't show any responses that are 100 bytes long". You could also switch to a tool like ffuf, that allows you to filter by response code, length *or* regex, so you could just filter out the responses with an error message 🙂
I just wanted to know how you answered the Windows service listening port question, which was the second-last question, and the answer was 5985, but how did you deduce that answer?
Hmmm I probably just knew this already, as the WinRM service (5985) is exploited a lot in pentesting. If you didn't know, you could check the NMap scan and google each of the ports/services. You could probably find it in the evil-WinRM documentation as well.
Don't know if there's any chance for someone to answer, but here I am: I succeeded in getting the Admin hash with Responder, but when it comes to john, when my hash.txt is "Administrator :: Responder : xxxxxxx" john says to me "No password hashes loaded", and when I put only "xxxx" with no "Administrator:: Responder:" john tells me that it loaded 2 passwords with no different salts aaaand... that's all so far. No password, no more info. What am I doing wrong, please?
Hey, good question. There are some security-focused cheatsheets on the navi repo as well as some external, e.g. github.com/esp0xdeadbeef/cheat.sheets or, you can create your own. In all honesty, I don't use it very often but I guess if you get in the habit of using in your day-to-day, it's good.
It's mostly just so that you don't need to remember the IP address, i.e. it's easier to memorize responder.htb than 10.123.18.90. Often the websites will use links like responder.htb/login as well, so if you don't have it set in the hosts file, it simply won't know where to resolve. Also, if you want to enumerate subdomains, you'll first need to have the domain linked via /etc/hosts.
Can I get help with this error message when using evil-winrm: "Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error Error: Exiting with code 1". I tried on my laptop using Ubuntu 22.04.1 LTS and on Pwnbox; the result is the same error.
It's a problem with the OpenSSL version: forum.hackthebox.com/t/evil-winrm-error-on-connection-to-host/257342 You can update your OpenSSL library OR use this quick fix: forum.hackthebox.com/t/lab-access-openvpn-certificate-verify-failed/257102/2
@@_CryptoCat I appreciate the fast reply, tried again today with a new IP and it worked fine, so not really sure what was going on yesterday. Thank you anyway
evil-winrm just tells me that there's no route to host, even though I did everything correctly the first time (I hope), then re-did it when I found this video to make sure
You have to enter the IP address given on the HTB account (it is different for everyone) and not the IP given in the document. You can check on Google how to add an entry to /etc/hosts, which is very easy. You are putting in the wrong IP, which is the problem. I faced the same issue but have now solved this problem and I am able to view the website in the browser.
@@yogeshcs2003 I entered the correct IP address from the hackthebox website, I was able to connect to the box but couldn't install a reverse shell on it
for the terminal? imgur.com/a/EXSO6l0 the only problem is.. with some tools colour coding is very helpful e.g. LinPEAS. You can have multiple colour profiles though and easy swap between them 😉
It's just the standard parrot config IIRC, here's a terminal colour scheme: imgur.com/a/EXSO6l0 - the only thing is if you use scripts like linPEAS, the colours are not very useful 😂
hahaha 😂 I did use responder?? I'm guessing you mean why didn't I jump straight to the obvious solution (based on the name) - Since it's starting point and there will be lots of beginners, I basically want to get people into the habit of enumerating properly and try to demonstrate the process of elimination as I think this is more important than learning any one tool/technique 😆
I'm on the evil-winrm part and when I run it, it gives me the error as follows: " /var/lib/gems/3.0.0/gems/evil-winrm-3.3/lib/evil-winrm.rb:123:in `completion_check': undefined method `quoting_detection_proc' for Reline:Module (NoMethodError) " please help!
Hmmm it's weird that evil-winrm github doesn't even seem to have an "Issues" tab 🤔 Only thing I could find was: tryhackme.com/forum/thread/6171e3b46b0cfe00412b0a1d Did you install using 'sudo gem install evil-winrm'? Not sure what to suggest really, maybe reinstalling evil-winrm or Ruby itself will help 😕
Ermmm if you are using Parrot/Kali it should be pre-installed, make sure it's typed exactly as in the video.. If not, you can check the install instructions: github.com/Hackplayers/evil-winrm?tab=readme-ov-file#installation--quick-start-4-methods
Glad you liked it 🙂 HackTricks is one of the best resources for sure, I rarely solve CTF challenge or vulnerable machine without referring to it at some stage!
Fkn lifesaver dude! Been stuck on that LFI question for days, because of the way they had formatted it. The answer they wanted made no sense to me - had they presented them in bullet points, it would've been much more clear - I genuinely just got confused as they had 3 strings back to back.
Also, didn't think to add the IP to my /etc/hosts file & was wondering why it wouldn't connect to the website; thx!
Keep up the great work, man!
I was thinking a multiple choice option would be better there as well! It would be good to see that implemented in future so they can use a mix of text entry and multiple choice questions. Thanks mate 🙏🥰
I've been struggling for a few days trying to connect with certain machines, looking at hundreds of forum posts, and all I needed to do was add the address to the hosts file, which I did learn ages ago btw lol. Really happy I stumbled on this video, thanks for the upload.
Haha it happens! Even if the final answer was something you knew, you're developing research skills in the process 😉
@@_CryptoCat Indeed, I'm about to be the best researcher this side of England lol, thanks again.
awesome, thank you so much for this guide, I'm still very new so a little extra help here was needed. You talked through the process and explained things very well. Helpful videos like this mean it's less likely that people will quit when they hit a bit of a wall as I did here. I will run through the process a few times again solo, just to grasp it all. Again many thanks.
thank you mate! appreciate the positive feedback 🙏🥰
Dude, you're my hero! I couldn't figure out why responder was picking up my local router instead of the htb IP. I was using wlan0 instead of tun0. Thanks so much!
Was praying for a walkthrough. I don't like that flags aren't randomly generated per-person on htb, but on instances where I physically can't reach the flag because of a bug and not being able to use a tool just being able to progress the starting point is really helpful.
Loved the approach as well CryptoCat, thanks!
thanks! happy to help 🥰
Also worth noting, HTB Starting Point challenges have 'Open Walkthrough' in the top-right of their respective tab, which is a PDF write-up of the CTF.
@@safesploit Yep, same as for retired boxes! The walkthroughs are excellent, I always recommend reviewing them after solving a machine as they contain a lot of background info that you wouldn't get from solving the box alone, but will improve overall understanding 🙂
Amazing walkthrough!
It really helps that you show us how you are moving forward and how you are googling to learn all the different things needed. I did this box before I saw your video, but I didn't manage to get through it without having a peek at the walkthrough provided on HTB, as I didn't really know about Responder and it didn't show up in any of my Google searches either. But searching for the exact TCP port like you did would probably have gotten me on the right track :)
Thank you! 🙏🥰
Your walkthroughs are incredible. Thank you.
Thank you!! Much appreciated 🥰
THANK YOU SO MUCH! I love how you show different methods and hacks! Keep it up!
Thank you!! 💜
Subbed, host appending and responder were new concepts for me, just those bits helped me a lot. Thank you.
I didn't realise we could cat out the flag, ended up downloading it :')
Well done bruv, your hacking skills are insane!
keep it up, your videos are great!!
Thanks mate! 👊
Nice video ! I feel like this challenge is much more difficult than the other one of the same tier, I was able to do the other challenges by myself but without the write-up I wouldn't have been able to complete this one.
I agree, this one was a bit trickier than others!
Exactly. I am a beginner and this challenge is quite confusing
Thank you for this. This machine was too tough for me and I still need to understand a lot of what you did but very insightful video
🙏🥰
thank you for this video, I had a DNS problem! And thanks to you I was able to solve this problem and then look for information on the internet
Excellent! 🔥
You are a lifesaver!!! And you've earned a new subscriber 🤝🏽
For the responder, I kept getting the set.daemon() deprecated error so I was unable to see the hash code. Do you perhaps know how to go about solving that?
Hmmm it might be similar to this: code.djangoproject.com/ticket/32638
Try and run with an earlier version of Python (not 3.10) and/or double-check you're using the latest Responder: github.com/lgandx/Responder
@cryptocat Thank you for the Video.. I was stuck and needed help. This was what I needed. Thanks!
thanks mate 🥰
Make more! I subbed. I've been stuck on this one for almost 2 months
Thanks for this video buddy :) good one.
You are the best out here
🥰🥰🥰
THANKS FOR THE TIP ON 12:18 sometimes HEADACHE IS NOT SUFFICIENT TO FIND THE ANSWER
awesome, thanks for the video! I tried adding the entry to /etc/hosts in WSL, but I still can't open unika.htb. I use Windows. Doesn't the WSL configuration come in line with Windows?
Hey, thanks! You can edit the hosts file in Windows as well, it's in System32/drivers/etc/ - www.hostinger.co.uk/tutorials/how-to-edit-hosts-file
@CryptoCat thank you very much for this walkthrough. It was very informative! I just have one question (and this is one of the things that has been baffling me in my journey to becoming a Red Teamer thus far: choosing the right tools for the job. Why did you choose Evil Winrm? Could SSH have done the same job?
thanks mate 🥰 the SSH port was closed on this one, otherwise that would have been a great option! winrm would have done the job fine (connecting to that 5985 port) but evil-winrm has some powerful functionality: github.com/Hackplayers/evil-winrm
where do you get these wordlist files for john? I'm guessing that a lot of these tools are pre-installed in Kali and you would have to figure out how to get them installed for a different distro, or maybe if it is pre-installed in Kali just load up that distro and grab the wordlist I need?
Yep, kali and parrot will come with a lot of tools and should have some wordlists in /usr/share/wordlists by default. You can also install a repo of wordlists with "sudo apt-get install seclists" but if on a non-kali/parrot machine you might need to manually clone the git repo: github.com/danielmiessler/SecLists
Thank you very much!
Hi and thank you for this great tutorial! Small question: at 56 seconds you open a new menu with the "G" key? Is this part of TLDR? I can't access this menu... Thank you in advance for your answer :)
Good question! I should have mentioned that is "navi", a tool that was recently recommended to me. It allows you to add (or create) cheatsheets and easily execute them: github.com/denisidoro/navi
@@_CryptoCat Thank you so much for sharing and for your work. Good continuation :)
@@_CryptoCat Hi, I searched through the web and couldn't find any way to install the tool. could you help out? I am struggling with this for 2 days now
@@tomerbalkai There's a few ways to install it, if you check here (scroll down): github.com/tldr-pages/tldr
You'll see an option to install with npm or python. I probably used the python method, e.g. "pip install tldr".
edit: sorry, I realised you are talking about navi, not tldr. I can't remember if I used the "cargo" install method or the install script: github.com/denisidoro/navi/blob/master/docs/installation.md - you can also download the pre-compiled binary and add it to your path so quite a few options to try 😉
Subscribed and followed on Twitter 💕
ty 🥰
Respect! thx
💜
Hey I really liked your video. I have one problem which makes nmap scans very painful for me. Doing the same scan as you takes me a whopping 30-40 minutes. If I use -T4 as an option it takes about 15 minutes... Any idea what might be causing such slow scanning times? Of course scanning only the first 1000 ports doesn't take that long, but that made me miss the WinRM port the first time I was scanning :/ Any advice you can give me to troubleshoot this issue?
Thanks 🥰 They can take a while but 30-40 minutes seems way too long! It might be worth trying another site e.g. TryHackMe, to try and identify whether the problem is with your connection to HackTheBox, or your network/config more generally. For HTB you could try and regenerate your VPN pack or swap server / upgrade to VIP to see if that helps. Lastly, you can run NMap with the verbose flag, so you at least see the open ports as they are discovered 😉
@@_CryptoCat Thanks for the reply! I am already VIP. I switched VPN over UDP which improved my speeds. It's still not as fast as yours but it's ok: 10-13 minutes to scan all ports of one IP address. Thanks for hinting me in the right direction :)
Just 💕 wow!!
💜
Thanks !
I really don't get it and no video seems to explain it:
As I understood it, the problem with name-based virtual hosting is that if you write the IP address, it cannot be decided which domain name should be returned. But if you write the IP in the browser, it transforms it to unika.htb, so the DNS server is able to resolve the IP, doesn't it? What does adding the line to the hosts file change?
I think you've got it the wrong way round, i.e. when you write unika.htb to the browser, it translates to the IP address in /etc/hosts - it's just to save you memorising the IP address etc
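Here is an added example (my own, not from the video or HackTheBox) that shows the two halves of that answer in code: a tiny name-based virtual host server on 127.0.0.1 that picks a site purely from the Host header, and a client that first resolves the name the way the OS does (hosts file first, DNS otherwise) and only then connects. The name unika.htb, the page bodies and the hosts entries are assumptions made for the demonstration.

```python
"""Added example: why /etc/hosts matters with name-based virtual hosting.

Assumed: 'unika.htb' is the vhost name; the page bodies are made up.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

VHOST = "unika.htb"  # assumed vhost name

# Constructed per-vhost content. The server never looks at the IP you
# connected to; it chooses a site from the Host header alone.
SITES = {VHOST: "<h1>Unika site</h1>"}
DEFAULT_SITE = "<h1>Default site (IP used, or unknown Host)</h1>"


class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Drop an optional ":port" suffix, then dispatch on the name.
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = SITES.get(host, DEFAULT_SITE).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch(ip, port, host_header):
    """GET / from ip:port while sending an explicit Host header
    (what `curl -H 'Host: ...' http://IP/` does)."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    body = conn.getresponse().read().decode()
    conn.close()
    return body


def resolve(hostname, hosts_entries):
    """Client-side lookup order: the hosts file is consulted before DNS.
    hosts_entries maps name -> IP, i.e. the lines you add to /etc/hosts."""
    if hostname in hosts_entries:
        return hosts_entries[hostname]
    # .htb is not a real TLD, so public DNS has nothing for it.
    raise OSError(f"could not resolve {hostname}: no hosts entry and no DNS record")


def demo():
    """Start the vhost server on a free port, query it both ways, return the bodies."""
    server = HTTPServer(("127.0.0.1", 0), VHostHandler)
    ip, port = server.server_address
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        hosts = {VHOST: ip}  # the /etc/hosts line you add
        results = {
            # http://IP/  -> browser sends Host: IP, server serves the default site
            "by_ip": fetch(ip, port, f"{ip}:{port}"),
            # http://unika.htb/ after adding the hosts entry -> Host: unika.htb
            "by_name": fetch(resolve(VHOST, hosts), port, VHOST),
        }
        try:
            resolve(VHOST, {})  # same name, no hosts entry: the browser never connects
            results["unresolved_without_hosts_entry"] = False
        except OSError:
            results["unresolved_without_hosts_entry"] = True
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both requests hit the same socket, yet by_ip gets the default site and by_name gets the Unika page. That is also why `curl -H 'Host: unika.htb' http://IP/` (or `curl --resolve unika.htb:80:IP`) works as a quick check before editing /etc/hosts, and why subdomain fuzzing needs the base name mapped first.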
I get an OpenSSL::digest initialization error when trying to connect to the evil-winrm. I’m using the VPN and am stuck. Any idea why?
check this out: forum.hackthebox.com/t/evil-winrm-error-on-connection-to-host/257342/4
@@_CryptoCat thanks for the quick response. Ended up just running a base kali Linux iso on my VirtualBox and got it to work. I think wsl2 kali Linux has some issues with this. Better practice for me to use a VirtualBox anyways. Thanks again! Great videos and really helping me learn
when connecting with evil-winrm I always get: Error: An error of type HTTPClient::ReceiveTimeoutError happened, message is execution expired. Please, I need help 😥
Could be a lot of things, I'd recommend to check forum.hackthebox.com/search?q=evil-winrm%20error or ask in the discord - discord.gg/hackthebox
Hey !
Nice one !
I was struggling with this one.. I didn't add the /etc/hosts entry so I couldn't see the website or use Responder properly.
Btw my "john --wordlist=path hash" didn't show me the cracked password. I've tried some other commands, deleting ~/.john/john.pot, but still don't have it :/
Any ideas ?
hmmm you can try running it with the --show flag, although I think it might just use the potfile. Are you using the same rockyou wordlist? Should work!
@@_CryptoCat Well, I retried with the exact same file and command and it worked, huh
I probably made a mistake somewhere!
Thanks :D
I had the same issue and fixed it. It was because the rockyou.txt file was zipped. I simply unzipped it:
sudo gzip -d /usr/share/wordlists/rockyou.txt.gz
I'm assuming you're on Kali Linux as this is where the wordlist is located by default.
Hi, May I know which distribution are you using ?
I mean which Linux version?
I'm running the latest version of Parrot OS: www.parrotsec.org/
Hi, I have a question. Basically what we are doing is using LFI: we "create" a server that we then access from the target, forcing it to authenticate with NTLM (which we are hosting to get the challenge hashed with the password), to then crack the challenge to get the password and then access WinRM. My question is, what is the point if we have to guess the password anyway? Wouldn't unhashing the challenge be the same as guessing the password directly? Is it to not get noticed too much by avoiding brute-forcing a login?
You're right, IRL you'd rather avoid detection (and lockouts) by cracking the hash rather than the password. Apart from that, cracking the hash locally removes the network dependency and should be much faster with a good GPU. Even better, you might find the hash has already been cracked by someone else! Finally, you can use the hash directly for relay attacks (although unfortunately not pass-the-hash).
@@_CryptoCat got it thank you!
I'm not getting my hash in responder it is listening for events, the ip of listener is the same I give in url but nothing happens. Any idea why?
Hmmmm double-check each step in the vid, or check the official PDF walkthrough as it might use a slightly different approach. You might find additional troubleshooting steps on hackthebox forums/discord 🙂
Having an issue with adding the host file. I added it to subl but my page is still black
sometimes it takes a while.. think I saw ippsec show how to force refresh it before but I can't remember. maybe try to close the browser and clear the cache.
@@_CryptoCat I ran it through Burp and I'm getting a 200 but just a blank screen lol
And I didn't think of that 😕 duh
Damn I installed tldr but when I run 'tldr nmap' it says 'No tldr entry for nmap' :'(((((((
Nvm... I had to update it using 'tldr -u'
Eat that LSD everybody!!!
👾🐔
haha good advice 😂
Hey this was really great. As someone who is a true beginner I'm not really sure if the point of these boxes is to just stump me or what lol. It says "Very Easy" but someone who is new to the world of pentesting sure wouldn't know what Responder is.
Thanks and you're totally correct, HTB is hard.. even when it is "easy". That's especially true when you're new to cybersecurity (maybe IT in general). You'll learn through the struggle though 🙂
Hi, I keep getting the [!] Error: tun: Interface not found. What did I do wrong?
check 'ifconfig' and make sure you have a tun0 adapter, that should indicate you are connected to the VPN
Nice video!! Little thing with that Samba //10.10.14*: you need to listen on the Samba port, not port 80 😃
Oh yeh, that makes sense 😂 Thanks 🥰
Nice video
ty 🙏
Hi and thanks for this! In navi what do you use as cheat sheet? You have 817 of them. Are these custom ones?
ermmm tbh I haven't really used many of them 😂 I just installed whatever security related ones I could find linked to the navi github. My friend put together these cheat sheets though, which I'd definitely recommend for pentesting: github.com/esp0xdeadbeef/cheat.sheets
@@_CryptoCat Nice for nmap ! :) tks a lot!!!
Nice effort
thanks mate 🥰
I have an issue using john, where the session is completed but I get no password output and idk what to do really
you did it? same issue...
@@biba7859 I also tried to output to a file to see if anything changed, and I tried to look in the .pot file john is creating for the passwords. Both failed; both files came out empty, as if john is not producing any output. Something I found interesting: where it shows the number of guesses, my sessions end with 0gs
@@jokecrash7217 What OS are you using?
Hmmm I had a look through GitHub issues but couldn't see much, unless this helps:
github.com/openwall/john/issues/4852
github.com/openwall/john/issues/5074
@@vrikha I did it with nano. I'll also try this, but I'm not sure if it will help.
I keep getting this error when I try to launch responder using "sudo python Responder -I ..."
/Responder.py", line 42
print color("[!] Responder must be run as root.")
Which git repository did you clone from?
I don't think I used git repo, AFAIK it comes with parrot os (I know it does kali).. Try to run your Responder.py with sudo privs
I had the same issue, here's what worked for me:
"sudo python2 Responder.py -I tun0"
Use "python2" instead of "python".
This allowed me to intercept the NTLM hash without the error anymore. Hope this helps.
At last I found a mentor... Thank you so much! Here I got a few small open points.
1) When we injected the attacker IP address via the page parameter, why did the victim try to authenticate? How does the victim know that it should send the username and hashed password to authenticate? Furthermore, is it possible to capture that request via netcat with something like -lnvp? I learnt that when a server gets an authentication request, it should transmit a challenge to the requester, but still I thought that I could use netcat to prove RFI is possible. Why can't I catch them via netcat?
Why should we add a wrapper such as "php://filter/convert.base64-encode/resource=index.php" to see the contents of index.php? Why did it not work the first time? What precaution forces us to add this while we can get the contents of the file "hosts.txt" easily?
Thanks
Hi mate, thanks for the support!
For your first question (on how the authentication request works), I would recommend reviewing the article that I skimmed over in the video: www.sikich.com/insight/using-multirelay-with-responder-for-penetration-testing
Your second question; if you set up a netcat listener on the SMB port you should see some request from the RFI (I incorrectly used the HTTP port in the video, which presumably does not have outbound access). Although that should give some response, you would want responder to say "I am the machine you are looking for" in response to each of the requests.
Final question; We need the PHP filter trick to read PHP files because the vulnerable code is using the "include" function. If we try to access PHP files without the filter, they will be included (executed) and we won't see the source code. Any other extensions e.g. txt should be fine to read without a filter.
Hope that helped, all the best 😊
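To make the "include" point above concrete, here is an added example of the hardened shape of that page selector. It is mine, not code from the video or the HTB machine, and it is written in Python rather than the PHP the target runs: the ?page= value is only accepted when it is a bare allowlisted token, which rejects traversal, stream wrappers such as php://filter and remote paths in a single check. The page names, the allowlist and the sample values are constructed.

```python
import os
import re
import tempfile

# Constructed allowlist: the only pages the application is meant to include.
ALLOWED_PAGES = {"index", "about"}
# A bare token: no slashes, dots or colons, so "../", "php://", "http://" and
# "//host/share" can never match.
SAFE_NAME = re.compile(r"[a-z0-9_-]+")


def make_demo_site() -> str:
    """Create a throwaway site root holding the constructed pages."""
    root = tempfile.mkdtemp(prefix="demo_site_")
    for name in sorted(ALLOWED_PAGES):
        with open(os.path.join(root, name + ".php"), "w", encoding="utf-8") as fh:
            fh.write(f"<h1>{name}</h1>\n")
    return root


def select_page(page: str) -> str:
    """Map the user-supplied ?page= value to a file name, or raise ValueError.

    Two checks: the value must match the token pattern exactly, and it must
    be one of the known pages. The second alone would suffice, but the
    pattern keeps the rejection independent of how the allowlist evolves.
    """
    if SAFE_NAME.fullmatch(page) is None or page not in ALLOWED_PAGES:
        raise ValueError(f"rejected page parameter: {page!r}")
    return page + ".php"


def load_page(root: str, page: str) -> str:
    """Read the selected page from `root`, with a final containment check."""
    path = os.path.realpath(os.path.join(root, select_page(page)))
    real_root = os.path.realpath(root)
    # Belt and braces: even a valid-looking name must resolve inside the root.
    if os.path.commonpath([path, real_root]) != real_root:
        raise ValueError("resolved path escaped the site root")
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def classify(page: str) -> str:
    """Report whether a ?page= value would be served or rejected."""
    try:
        select_page(page)
        return "allowed"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    site = make_demo_site()
    print(load_page(site, "index"), end="")
    # Constructed inputs: the shapes discussed in the thread above.
    for value in ("about",
                  "../../../../windows/system32/drivers/etc/hosts",
                  "php://filter/convert.base64-encode/resource=index.php",
                  "//10.10.14.5/share"):
        print(f"{value!r}: {classify(value)}")
```

The allowlist is what does the work; the realpath check is a second line of defence for the day someone relaxes the pattern.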
did we get the hash in responder due to the RFI, or can it be done on any type of parameter?
It's been a long time since I looked at this machine but I believe due to the RFI
@@_CryptoCat informative videos, thanks for the answer🙏
For the subl part? In the Sublime text editor, do I need to type the screen at 2:23? Or is there a file I need to download to be able to view the website? When I downloaded subl, it comes up as blank
try and open up "/etc/hosts" in subl, you should have it on a Linux system with some default text in there
@@_CryptoCat thank you!!!!!
Nice video!
There's something I don't get though. I understand virtual hosting and why we need to add the IP address to the /etc/hosts file. I understand the server wouldn't know which hostname to redirect the browser to if we type in the IP address without that. However, I don't understand why, if we type the hostname in the browser (without updating /etc/hosts), the page won't load. Can you explain that?
thanks.
Thanks, and sure! When we type the hostname into the address bar, e.g. responder.htb, the browser will attempt to resolve the DNS. It will ask the OS, "what is the IP address for responder.htb?".
First, the OS will look in the /etc/hosts file and see if there's an entry for responder.htb. If so, it will return that IP and redirect the browser accordingly. If there is no entry for responder.htb it will reach out to DNS servers, e.g. Google, and ask if they know which IP address is associated with the domain. Since responder.htb isn't a real website (.htb isn't even a valid TLD), no DNS server will be able to find an IP, so our only option is to add an entry to /etc/hosts.
Hopefully I understood your question properly and the answer made sense 😁
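An added example that walks through the resolution order just described; it is my own illustration, not code from the video or from HTB. It parses a constructed hosts file (the 10.x address is a placeholder, not a lab IP) and then falls back to a stand-in for the DNS step which, like a real resolver, cannot answer for a .htb name.

```python
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple

# Constructed sample hosts file; the 10.x address is a placeholder.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
# HTB target added by hand, as in the video (placeholder address)
10.129.1.2      responder.htb   www.responder.htb  # trailing comment
"""

HostEntries = List[Tuple[str, List[str]]]


def parse_hosts(text: str) -> HostEntries:
    """Parse hosts-file text into (ip, [names]) pairs in file order.

    Whole-line and trailing '#' comments are stripped, blank lines are
    skipped, and a line whose first field is not a valid IPv4/IPv6 address
    is ignored rather than treated as an entry.
    """
    entries: HostEntries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        if len(fields) > 1:
            entries.append((ip, [name.lower() for name in fields[1:]]))
    return entries


def lookup_hosts(entries: HostEntries, name: str) -> Optional[str]:
    """Return the first IP whose alias list contains `name` (case-insensitive)."""
    wanted = name.lower()
    for ip, names in entries:
        if wanted in names:
            return ip
    return None


def stand_in_dns(name: str) -> str:
    """Stand-in for the recursive DNS step (assumption: no real network).

    .htb is not a delegated top-level domain, so public resolvers cannot
    answer for it; any other name gets a constructed TEST-NET address.
    """
    if name.lower().endswith(".htb"):
        raise socket.gaierror(f"NXDOMAIN: {name}")
    return "203.0.113.10"


def resolve(name: str, entries: HostEntries,
            dns: Callable[[str], str] = stand_in_dns) -> Tuple[str, str]:
    """Resolve `name` the way 'hosts: files dns' in nsswitch.conf does:
    /etc/hosts first, DNS only if there is no entry. Returns (ip, source)."""
    ip = lookup_hosts(entries, name)
    if ip is not None:
        return ip, "hosts"
    return dns(name), "dns"


def try_resolve(name: str, entries: HostEntries) -> Optional[Tuple[str, str]]:
    """Like resolve(), but returns None instead of raising on NXDOMAIN."""
    try:
        return resolve(name, entries)
    except socket.gaierror:
        return None


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for host in ("responder.htb", "WWW.responder.htb", "example.test", "unika.htb"):
        print(host, "->", try_resolve(host, hosts) or "unresolvable")
```

The practical check this gives you: if `try_resolve` comes back None for the box name, the hosts line is missing or mistyped (wrong path, a stray `#`, or a name that is not actually on the line).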
@@_CryptoCat Yes perfect that explains it. thanks a lot
In my case responder is not producing any hash. What can be the problem?
Hey, did you solve it? If not, double check the steps in the video and official PDF walkthrough.. If everything is the same, it should work 🙂
I keep getting this error when trying to run responder: "Error starting TCP server on port 3389, check permissions or other servers running." Anyone else have this or know how to fix it?
are you running with sudo? do you have something running already on port 3389 (RDP)?
@@_CryptoCat I am also getting the same error as @GeratTheGreat. And yes, on port 3389 I have an RDP session because I am doing it on Practice-Labs. Is there a way to change the port of Responder instead?
Navi actually looks like a really interesting tool, I'll note that one down. May I ask which repo you got the cheatsheet for nmap etc. from, or is that one self-made?
I installed this one: github.com/esp0xdeadbeef/cheat.sheets and some of the security related ones from the Navi repo. I really need to put my own commands into the cheatsheet but I cba 😂
@@_CryptoCat Thanks a lot, definitely a nice tool though, that I could see becoming all the more useful under time pressure at a ctf or something, nothing worse than sitting there in the last hour getting stuck when forgetting about how a tool exactly worked again.
@@_CryptoCat hey, I can't manage to install the shell widget on Kali. I get this error message: navi widget fish | source
source: not enough arguments
Command 'navi' not found, did you mean:
command 'savi' from deb savi
command 'nvi' from deb nvi
command 'navit' from deb navit
command 'nabi' from deb nabi
Try: sudo apt install
so ctrl + g doesn't work for me.
@@kaiahnung8326 Did you follow the instructions on the GitHub? github.com/denisidoro/navi
@@_CryptoCat yeah but something went wrong. However, I tried it with brew and it works pretty well now. thanks.
Hey thanks for this video! I was wondering how I could find the LFI vulnerability (AKA the Windows hosts file) on the target without the help of the HTB questions. And I'm struggling because the vulnerable page displays an error which is considered by gobuster as a 400 status. So every path tried is considered a success. I could also try to add ../ until I find what I want but it's not a very efficient way? How would you do it? Thanks again for the video, it is very helpful!
You can use the --exclude-length option if all responses return to the same response code, e.g. "don't show any responses that are 100 bytes long". You could also switch to a tool like ffuf, that allows you to filter by response code, length *or* regex, so you could just filter out the responses with an error message 🙂
I just wanted to know how you answered the Windows service listening port question, which was the second last question, and the answer was 5985, but how did you deduce that answer?
Hmmm I probably just knew this already, as the WinRM service (5985) is exploited a lot in pentesting. If you didn't know, you could check the NMap scan and google each of the ports/services. You could probably find it in the evil-WinRM documentation as well.
don't know if there's any chance for someone to answer but here I am:
I succeeded in getting the Admin hash with responder, but when it comes to john, when my hash.txt is "Administrator :: Responder : xxxxxxx" john says to me "No password hashes loaded", and when I put only "xxxx" with no "Administrator:: Responder:" john tells me that it loaded 2 passwords with no different salts aaaand... that's all so far. No mdp, no more info. What do I do wrong please?
Ermm try it with hashcat, e.g. "hashcat -m 5600 hash_file.txt /path/to/wordlist.txt"
@@_CryptoCat Ok it worked just fine thanks :) Why do you think it didn't with John, any idea?
@@b4kug0u8 hmmm not sure, maybe the format wasn't quite right or you need to specify the format manually
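An added example (mine, not from the video) of the check I'd run before blaming john: a NetNTLMv2 line has to be `user::domain:challenge:proof:blob` with no spaces around the colons, which is the layout hashcat -m 5600 and john's netntlmv2 format both read. The hash below is constructed, not a real capture; the only real-world detail it keeps is that a genuine NTLMv2 blob starts with the 0101000000000000 header.

```python
import re
from typing import Dict, List, Optional, Tuple

# Layout expected by hashcat -m 5600 and john's netntlmv2 format:
#   USER::DOMAIN:SERVER_CHALLENGE(16 hex):NT_PROOF(32 hex):BLOB(hex)
NETNTLMV2 = re.compile(
    r"^(?P<user>[^:]+)::(?P<domain>[^:]*):"
    r"(?P<challenge>[0-9a-fA-F]{16}):"
    r"(?P<proof>[0-9a-fA-F]{32}):"
    r"(?P<blob>[0-9a-fA-F]+)$"
)

# Constructed sample, not a real capture. The blob begins with the NTLMv2
# client-challenge header (0101000000000000) that a genuine response carries.
CLEAN_LINE = (
    "Administrator::RESPONDER:1122334455667788:"
    + "aa" * 16 + ":"
    + "0101000000000000" + "0123456789abcdef" * 3
)
# The same hash written the way the comment above had it: spaces around the colons.
SPACED_LINE = (
    "Administrator :: RESPONDER : 1122334455667788 : "
    + "aa" * 16 + " : "
    + "0101000000000000" + "0123456789abcdef" * 3
)


def normalize_line(line: str) -> str:
    """Strip surrounding whitespace and any spaces next to ':' separators.
    (Usernames containing spaces are rare enough that this is the right default.)"""
    return re.sub(r"\s*:\s*", ":", line.strip())


def parse_netntlmv2(line: str) -> Optional[Dict[str, object]]:
    """Return the parsed fields, or None if the line is not in the expected layout."""
    match = NETNTLMV2.match(line)
    if match is None:
        return None
    fields = match.groupdict()
    blob = fields["blob"]
    return {
        "user": fields["user"],
        "domain": fields["domain"],
        "challenge": fields["challenge"].lower(),
        "proof": fields["proof"].lower(),
        "blob_even_length": len(blob) % 2 == 0,
        "blob_version_ok": blob.lower().startswith("0101000000000000"),
    }


def check_hash_file(lines: List[str]) -> List[Tuple[int, str, str]]:
    """For each non-empty line return (line_no, verdict, normalized_line).

    Verdicts: 'ok' (parses as-is), 'fixed' (only the spacing was wrong and
    the normalized line parses), 'bad' (still unparseable after cleanup).
    """
    results: List[Tuple[int, str, str]] = []
    for number, raw in enumerate(lines, 1):
        stripped = raw.strip()
        if not stripped:
            continue
        if parse_netntlmv2(stripped) is not None:
            results.append((number, "ok", stripped))
            continue
        fixed = normalize_line(raw)
        verdict = "fixed" if parse_netntlmv2(fixed) is not None else "bad"
        results.append((number, verdict, fixed))
    return results


if __name__ == "__main__":
    for number, verdict, line in check_hash_file([CLEAN_LINE, SPACED_LINE, "not a hash"]):
        print(f"line {number}: {verdict}: {line[:40]}...")
```

A line that comes back 'fixed' is the "No password hashes loaded" case from the comment: write the normalized line back to the file and the cracker will load it.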
❤❤amazinggg
ty 💜💜
Which repo did you import for "navi" tool to have these records?
Hey, good question. There are some security-focused cheatsheets on the navi repo as well as some external, e.g. github.com/esp0xdeadbeef/cheat.sheets or, you can create your own. In all honesty, I don't use it very often but I guess if you get in the habit of using in your day-to-day, it's good.
thanks guy :D
thank you 🙏🥰
Why does listening for events never work for me? It just shows nothing
Which part of the video are you at? I don't think my netcat listener got a hit either (as I had the wrong port).
I don't understand, why add the IP and domain to etc/hosts?
It's mostly just so that you don't need to remember the IP address, i.e. it's easier to memorize responder.htb than 10.123.18.90. Often the websites will use links like responder.htb/login as well, so if you don't have it set in the hosts file, it simply won't know where to resolve. Also, if you want to enumerate subdomains, you'll first need to have the domain linked via /etc/hosts.
❤❤❤❤
💜
I expected the same app on my Android; if it is possible, share a Google Play link please
App for what??
Can I get help with this error message when using evil-winrm
"Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error
Error: Exiting with code 1
"
I tried on my laptop using Ubuntu 22.04.1 LTS or Pwnbox; the result is the same error.
It's a problem with the OpenSSL version: forum.hackthebox.com/t/evil-winrm-error-on-connection-to-host/257342
You can update your OpenSSL library OR use this quick fix: forum.hackthebox.com/t/lab-access-openvpn-certificate-verify-failed/257102/2
Hey man, for some reason my responder keeps on listening without giving me any hash. Do you know why that might be? I'm using my own kali machine
Not too sure, I would suggest to double-check the steps in the video and/or official PDF walkthrough
so, tldr nmap ok, but with ctrl+g nothing happens
This is for the navi cheatsheets right? I remember having to setup the hotkey manually but not sure how I did it.. tbh I never use it 😂
@@_CryptoCat aaaaah ok! thank you
When I change the /etc/hosts it does nothing
Hmmm you can't access the domain name? Make sure it's "/etc/hosts" rather than "etc/hosts/"
@@_CryptoCat I appreciate the fast reply, tried again today with a new IP and it worked fine so not really sure what was going on yesterday. Thank you anyway
@@owengamingtubesucks5865 Excellent 👍
I am not able to get the hash from responder, and I have done everything exactly the same to replicate this
Double check all the steps in the video and the official PDF walkthrough.. Probably something small somewhere
can I do tNice tutorials with the trial version?
With the trial version of what??
evil-winrm just tells me that there's no route to host even though I did everything correctly the first time (I hope), then re-did it when I found this video to make sure
hmmm were you able to ping the box? sounds like connectivity issues.
You have to enter the IP address given on the HTB account (it is different for everyone) and not the IP given in the document. You can check on Google how to add an entry to etc/hosts, which is very easy. You are putting the wrong IP, which is the problem. I faced the same issue but have now solved this problem and I am able to view the website in the browser.
@@yogeshcs2003 I entered the correct IP address from the hackthebox website, I was able to connect to the box but couldn't install a reverse shell on it
@@_CryptoCat yeah i was
@@exaq ok, in the reverse shell you have to enter your IP in the URL. Type ifconfig then see the tun0 line where you will get your IP address.
why doesn't it show me port 5985? I'm using this: nmap --open -p- --min-rate 5000 -n -Pn IPADDRESS but only port 80 appeared
you'll want to scan all open ports with the -p- flag (or you can specify -p 5985 to speed up)
Brehh wut theme is that my Gangster?
for the terminal? imgur.com/a/EXSO6l0
the only problem is.. with some tools colour coding is very helpful e.g. LinPEAS. You can have multiple colour profiles though and easy swap between them 😉
@@_CryptoCat hell yeah thanks man!
please share your terminal .bashrc file😁 that's really cool bro
It's just the standard parrot config IIRC, here's a terminal colour scheme: imgur.com/a/EXSO6l0 - the only thing is if you use scripts like linPEAS, the colours are not very useful 😂
@@_CryptoCat thanks😎🔥🔥
Easily my new favorite website but my lord am I behind. I have so much to learn. I'm fascinated and borderline retarded at the same time it seems
You'll get there! 🙂
seems handy as shit but tldr doesn't work
Did you install it? 😁
@@_CryptoCat I got it
WHY DIDN'T YOU USE RESPONDER ON THE RESPONDER MACHINE BROOOOOOOO THAT WAS NOT COOL
hahaha 😂 I did use responder?? I'm guessing you mean why didn't I jump straight to the obvious solution (based on the name) - Since it's starting point and there will be lots of beginners, I basically want to get people into the habit of enumerating properly and try to demonstrate the process of elimination as I think this is more important than learning any one tool/technique 😆
you are right sir, I wanted the obvious one but your way is better. nice work @@_CryptoCat
🥰🥰🥰
not working, the only thing I'm going to hack is my head against the wall
😂
I'm on the evil-winrm part and when I run it, it gives me the error as follows: " /var/lib/gems/3.0.0/gems/evil-winrm-3.3/lib/evil-winrm.rb:123:in `completion_check': undefined method `quoting_detection_proc' for Reline:Module (NoMethodError) " please help!
Hmmm it's weird that evil-winrm github doesn't even seem to have an "Issues" tab 🤔 Only thing I could find was:
tryhackme.com/forum/thread/6171e3b46b0cfe00412b0a1d
Did you install using 'sudo gem install evil-winrm'?
Not sure what to suggest really, maybe reinstalling evil-winrm or Ruby itself will help 😕
When I used "evil-winRM" I have got this message "bash: Evil-WinRM: command not found"
What should I do ?
Ermmm if you are using Parrot/Kali it should be pre-installed, make sure it's typed exactly as in the video.. If not, you can check the install instructions: github.com/Hackplayers/evil-winrm?tab=readme-ov-file#installation--quick-start-4-methods
This was such an awesome video, especially when you go to hacktricks.. I didn't know that existed.
Glad you liked it 🙂 HackTricks is one of the best resources for sure, I rarely solve a CTF challenge or vulnerable machine without referring to it at some stage!