carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://0xdf.gitlab.io/2025/09/04/htb-media.html
  • Blog Title: HTB: Media — WMP NTLM leak → NTFS junction to webroot RCE → FullPowers + GodPotato to SYSTEM
  • Suggested Section: Phishing Methodology/Phishing Files & Documents (add: WMP .ASX/.WAX NTLM leak) and cross-link from Windows Privilege Escalation (SeImpersonate/Potato family) and a Windows NTFS Reparse Points/Junctions page under Generic Hacking or Web File Upload Attacks

🎯 Content Summary

Target/context
Windows host (RDP rdp-ntlm-info Product_Version 10.0.20348) exposing TCP 22/80/3389. Service banners: OpenSSH for_Windows_9.5 on 22; Apache 2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17 on 80; self-signed RDP cert. The website (C:\xampp\htdocs) offers a video upload form advertised as Windows Media Player compatible.

How the upload workflow works
The upload handler is in /index.php and writes user files under C:\Windows\Tasks\Uploads\<md5>, appending a li...

🔧 Technical Details

NTLM coercion via Windows Media Player playlists: A .asx/.wax playlist referencing a UNC path (file://ATTACKER\share\x.mp3) causes WMP to access SMB and perform NTLM authentication, leaking Net‑NTLMv2. Capture with Responder and crack with hashcat (-m 5600). This works when targets preview or auto-open user uploads.

NTFS junction for arbitrary write redirection: When uploads are stored under a predictable subdirectory (e.g., md5 of user fields), delete that directory and create a junction to a sensitive target (e.g., webroot). Re-uploading writes attacker-controlled files into the target path, enabling code execution if the target executes server-side scripts (mklink /J <upload_md5> → C:\xampp\htdocs).

Restoring dropped token privileges (FullPowers): Some services run with restricted tokens lacking SeImpersonatePrivilege. FullPowers registers and runs a scheduled task that spawns a child with the account’s default full privileges, restoring SeI...

🤖 Agent Actions

I analyzed the blog and updated HackTricks with the technical techniques that were not yet fully covered:

What I added/updated

  1. Phishing Methodology – added Windows Media Player .ASX/.WAX NTLM leak technique
  • File modified: src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md
  • Changes:
    • New subsection “Windows Media Player playlists (.ASX/.WAX) to coerce NTLM” under Forcing NTLM Authentication, including:
      • Example .asx payload with UNC file:// path
      • Responder/hashcat use to capture and crack Net-NTLMv2
      • Note about ntlm_theft and environment considerations
    • Updated References with:
      • 0xdf’s HTB: Media post
      • Morphisec article
      • ntlm_theft and Responder
  2. NTLM “places to steal creds” – added a dedicated WMP playlist technique
  • File modified: src/windows-hardening/ntlm/places-to-steal-ntlm-creds.md
  • Changes:
    • Added “Windows Media Player playlists (.ASX/.WAX)” section with example, Responder/hashcat flow, and notes/mitigations
    • Added References (blog + tool links)
  3. Web File Uploads – added NTFS junction abuse to redirect uploads to webroot (Windows)
  • File modified: src/pentesting-web/file-upload/README.md
  • Changes:
    • New section “Escaping upload directory via NTFS junctions (Windows)” with:
      • mklink /J flow to replace per-user upload folder with a junction to webroot
      • Example commands and curl verification
      • Notes/defenses
    • Updated References with 0xdf blog and Microsoft mklink docs
  4. Windows LPE (SeImpersonate/Potato) – practical FullPowers usage note
  • File modified: src/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md
  • Changes:
    • In “Operational notes” added a bullet about using FullPowers when a restricted token lacks SeImpersonatePrivilege (e.g., Local Service), including a quick example command
    • Updated References to include FullPowers repo and the 0xdf blog

Why these changes

  • The WMP .ASX/.WAX NTLM coercion vector was not specifically documented. I added it in both the Phishing Files & Documents page (as a concrete phishable file trick) and in “places to steal NTLM creds” for findability from Windows/NTLM content.
  • The NTFS junction trick (mklink /J) to redirect uploads to an executable webroot path was missing from web file upload attacks and is a common Windows-specific escalation from arbitrary write → RCE. I documented this technique there.
  • FullPowers usage was already linked in Windows LPE README, but I added a practical note and reference on the Potato-focused page to help readers bridge from Local Service restricted token → SeImpersonate → GodPotato.

References added

  • HTB: Media — WMP NTLM leak → NTFS junction to webroot RCE → FullPowers + GodPotato to SYSTEM
  • Morphisec: 5 NTLM vulnerabilities article
  • Tools: ntlm_theft, Responder, FullPowers
  • Microsoft: mklink command reference

If you want further cross-linking (e.g., from the general NTLM README), I can add that, but the current placements already provide clear navigation paths from both phishing and NTLM pages and from web file uploads into Windows-specific reparse point abuse.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.
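The PR summary above describes two upload-side techniques: a playlist that points Windows Media Player at a UNC path, and a per-user upload folder replaced by a junction into the webroot. As an added defensive example (not code from this PR or from the blog post), the following upload-handler checks flag .asx/.wax uploads that reference remote locations and refuse to write into a folder that resolves through a link; the upload layout, sample playlist and function names are constructed assumptions.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Optional

# Defensive checks for a Windows upload handler (constructed example; names,
# the sample playlist and the demo directory layout are assumptions).
PLAYLIST_EXTS = {".asx", ".wax"}  # Windows Media metafiles named in the write-up
# href/url pointing at a UNC share, file: or smb: URL: WMP would open it over
# SMB and answer the NTLM challenge, which is the leak being described.
REMOTE_REF = re.compile(r"""(?:href|url)\s*=\s*["']?\s*(?:file:|\\\\|//|smb:)""", re.IGNORECASE)
# Constructed sample with the shape the summary describes.
SAMPLE_PLAYLIST = '<asx version="3.0"><entry><ref href="file://host\\share\\x.mp3"/></entry></asx>'


def playlist_references_remote_host(filename: str, content: str) -> bool:
    """True when an .asx/.wax upload points at a non-local location."""
    if Path(filename).suffix.lower() not in PLAYLIST_EXTS:
        return False
    return REMOTE_REF.search(content) is not None


def safe_destination(upload_root: Path, subdir: str, filename: str) -> Optional[Path]:
    """Final write path, or None when the per-user folder is no longer a plain
    directory inside upload_root (junction, symlink or traversal)."""
    root = upload_root.resolve()
    target_dir = root / subdir
    # os.path.realpath follows NTFS junctions on Windows (Python 3.8+) and
    # symlinks elsewhere; any difference means a link sits in the path.
    if Path(os.path.realpath(target_dir)) != target_dir:
        return None
    dest = target_dir / Path(filename).name  # drop client-supplied directories
    return dest if root in dest.parents else None


def demo() -> dict:
    """Constructed layout: one honest folder, one replaced by a link to htdocs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "uploads"
        (root / "ok").mkdir(parents=True)
        webroot = Path(tmp) / "htdocs"
        webroot.mkdir()
        # A symlink stands in for mklink /J; realpath treats both the same way.
        os.symlink(webroot, root / "redirected", target_is_directory=True)
        return {
            "honest": safe_destination(root, "ok", "clip.wmv") is not None,
            "redirected": safe_destination(root, "redirected", "page.php") is None,
            "traversal": safe_destination(root, "..", "page.php") is None,
            "playlist_flagged": playlist_references_remote_host("clip.asx", SAMPLE_PLAYLIST),
        }
```

On Windows the same realpath comparison detects a junction created with mklink /J, so the handler can log and reject the write instead of following it into C:\xampp\htdocs.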

Build master and others added 2 commits September 4, 2025 09:18
@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2025/09/04/htb-media.html

Content Categories: Based on the analysis, this content was categorized under "Phishing Methodology/Phishing Files & Documents (add: WMP .ASX/.WAX NTLM leak) and cross-link from Windows Privilege Escalation (SeImpersonate/Potato family) and a Windows NTFS Reparse Points/Junctions page under Generic Hacking or Web File Upload Attacks".

Repository Maintenance:

  • MD Files Formatting: 874 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@github-actions github-actions bot force-pushed the master branch 8 times, most recently from 710e03a to 4966f6d Compare September 7, 2025 20:07
Removed outdated references related to NTLM vulnerabilities and tools.
@carlospolop
Collaborator Author

merge

@github-actions github-actions bot force-pushed the master branch 7 times, most recently from 4b54ccf to 74cc86a Compare September 8, 2025 06:05