HackTheBox: Responder

Machine: Windows | HackTheBox | Medium
June 25, 2026 | 17 min read
Tags: llmnr-poisoning, responder, winrm, htb
Tools: Responder, hashcat, crackmapexec, evil-winrm

Enumeration & Reconnaissance

I started with an Nmap scan to identify open ports and services on the Responder target. The results showed standard Windows services: SMB (port 445), WinRM (port 5985), and several others typical of a Windows domain-joined machine.

The target appeared to be a Windows workstation joined to an internal domain. With no credentials initially available, I turned to network-based attack vectors to capture authentication material from network traffic.

LLMNR/NBT-NS Poisoning

LLMNR and NBT-NS are fallback name-resolution protocols that Windows uses when a DNS lookup fails. When a user or service mistypes a hostname, Windows broadcasts a query to the local link asking whether any machine matches the requested name. Any host on the segment can claim the name, and the victim will then authenticate to it; that NTLM challenge-response exchange reveals the username, the domain, and a NetNTLMv2 response that can be cracked offline.

I ran Responder on the interface facing the target so it would listen for LLMNR and NBT-NS queries on the network and answer them:

sudo responder -I eth0 -w -rf

After a short wait, Responder captured a NetNTLMv2 hash: a failed name lookup on the target, triggered by a scheduled task or user action, caused it to authenticate to my host. The captured entry included the username and domain.
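As an added example (not from the original writeup), the script below is the defender-side counterpart of what Responder was doing here: it sends an LLMNR query for a name that no host owns and reports any machine that answers, which is a simple way to spot a poisoner on a segment. The multicast address and port are LLMNR's standard ones; the sample response and its 10.10.14.5 address are constructed for the offline check.

```python
import os
import socket
import struct

def build_llmnr_query(txn_id, name):
    """Encode a one-question LLMNR A query (DNS wire format, flags = 0)."""
    header = struct.pack(">HHHHHH", txn_id, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(pkt, off):  # step over a label sequence or a 2-byte compression pointer
    if pkt[off] & 0xC0 == 0xC0:
        return off + 2
    while pkt[off]:
        off += pkt[off] + 1
    return off + 1

def parse_llmnr_answer(pkt, txn_id):
    """Return IPv4 addresses from A records answering txn_id, or [] if none."""
    tid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if tid != txn_id or not flags & 0x8000 or an == 0:  # QR bit must be set
        return []
    off, ips = 12, []
    for _ in range(qd):  # skip the echoed question (name + QTYPE + QCLASS)
        off = _skip_name(pkt, off) + 4
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return ips

def probe_for_poisoner(timeout=2.0):
    """Query a name nobody owns; any answer means a host is poisoning LLMNR."""
    txn_id = int.from_bytes(os.urandom(2), "big")
    bogus = "canary-" + os.urandom(4).hex()  # constructed, never a real host
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(txn_id, bogus), ("224.0.0.252", 5355))
    try:
        data, (src, _) = sock.recvfrom(512)
    except socket.timeout:
        return None  # silence is the healthy result
    return src, parse_llmnr_answer(data, txn_id)

# Constructed sample: a poisoner (made-up 10.10.14.5) answering txn 0x1234 for "canary-deadbeef".
SAMPLE_RESPONSE = (b"\x12\x34\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00" + build_llmnr_query(0x1234, "canary-deadbeef")[12:]
                   + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04\x0a\x0a\x0e\x05")  # A, IN, TTL 30, 10.10.14.5
```

Run `probe_for_poisoner()` from a host on the segment under test; a result other than None names the machine that answered for a hostname that does not exist.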

Hash Capture & Cracking

The captured NetNTLMv2 hash was saved to Responder logs in the format:

[SMB] NTLMv2-SSP Hash captured from: 10.10.10.181
USER:Administrator DOMAIN:RESPONDER OS:Windows Server 2019
Hash: administrator::RESPONDER:1122334455667788:...:...

I used hashcat with the rockyou wordlist to crack the hash offline:

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt --force

Within seconds, hashcat recovered the plaintext password, confirming weak password hygiene on the target.

WinRM Access & Lateral Movement

With valid administrator credentials, I connected to the target using evil-winrm, which provides a PowerShell-based remote session on Windows machines with WinRM enabled:

evil-winrm -i 10.10.10.181 -u administrator -p [cracked_password]

The session opened with Administrator privileges on the target, providing full access to the file system, registry, and processes.

Privilege Escalation to SYSTEM

Since I connected as the built-in Administrator account, I already had the highest level of access on the Windows system. I retrieved the user flag from the Desktop and the root flag from the Administrator Desktop:

Flag Capture

type C:\Users\Administrator\Desktop\user.txt
type C:\Users\Administrator\Desktop\root.txt