HTB Media — WMP NTLM leak → NTFS junction to webroot RCE → F...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://0xdf.gitlab.io/2025/09/04/htb-media.html
• Blog Title: HTB: Media — WMP NTLM leak → NTFS junction to webroot RCE → FullPowers + GodPotato to SYSTEM
• Suggested Section: Phishing Methodology/Phishing Files & Documents (add: WMP .ASX/.WAX NTLM leak) and cross-link from Windows Privilege Escalation (SeImpersonate/Potato family) and a Windows NTFS Reparse Points/Junctions page under Generic Hacking or Web File Upload Attacks

🎯 Content Summary

Target/context
Windows host (RDP rdp-ntlm-info Product_Version 10.0.20348) exposing TCP 22/80/3389. Service banners: OpenSSH for_Windows_9.5 on 22; Apache 2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17 on 80; self-signed RDP cert. The website (C:\xampp\htdocs) offers a video upload form advertised as Windows Media Player compatible.

How the upload workflow works
The upload handler is in /index.php and writes user files under C:\Windows\Tasks\Uploads<md5>, appending a li...

🔧 Technical Details

NTLM coercion via Windows Media Player playlists: A .asx/.wax playlist referencing a UNC path (file://ATTACKER\share\x.mp3) causes WMP to access SMB and perform NTLM authentication, leaking Net‑NTLMv2. Capture with Responder and crack with hashcat (-m 5600). This works when targets preview or auto-open user uploads.

NTFS junction for arbitrary write redirection: When uploads are stored under a predictable subdirectory (e.g., md5 of user fields), delete that directory and create a junction to a sensitive target (e.g., webroot). Re-uploading writes attacker-controlled files into the target path, enabling code execution if the target executes server-side scripts (mklink /J <upload_md5> → C:\xampp\htdocs).

Restoring dropped token privileges (FullPowers): Some services run with restricted tokens lacking SeImpersonatePrivilege. FullPowers registers and runs a scheduled task that spawns a child with the account’s default full privileges, restoring SeI...

🤖 Agent Actions

I analyzed the blog and updated HackTricks with the technical techniques that were not yet fully covered:

What I added/updated

1. Phishing Methodology – added Windows Media Player .ASX/.WAX NTLM leak technique

• File modified: src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md
• Changes:
  • New subsection “Windows Media Player playlists (.ASX/.WAX) to coerce NTLM” under Forcing NTLM Authentication, including:
    • Example .asx payload with UNC file:// path
    • Responder/hashcat use to capture and crack Net-NTLMv2
    • Note about ntlm_theft and environment considerations
  • Updated References with:
    • 0xdf’s HTB: Media post
    • Morphisec article
    • ntlm_theft and Responder

2. NTLM “places to steal creds” – added a dedicated WMP playlist technique

• File modified: src/windows-hardening/ntlm/places-to-steal-ntlm-creds.md
• Changes:
  • Added “Windows Media Player playlists (.ASX/.WAX)” section with example, Responder/hashcat flow, and notes/mitigations
  • Added References (blog + tool links)

3. Web File Uploads – added NTFS junction abuse to redirect uploads to webroot (Windows)

• File modified: src/pentesting-web/file-upload/README.md
• Changes:
  • New section “Escaping upload directory via NTFS junctions (Windows)” with:
    • mklink /J flow to replace per-user upload folder with a junction to webroot
    • Example commands and curl verification
    • Notes/defenses
  • Updated References with 0xdf blog and Microsoft mklink docs

4. Windows LPE (SeImpersonate/Potato) – practical FullPowers usage note

• File modified: src/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md
• Changes:
  • In “Operational notes” added a bullet about using FullPowers when a restricted token lacks SeImpersonatePrivilege (e.g., Local Service), including a quick example command
  • Updated References to include FullPowers repo and the 0xdf blog

Why these changes

• The WMP .ASX/.WAX NTLM coercion vector was not specifically documented. I added it in both the Phishing Files & Documents page (as a concrete phishable file trick) and in “places to steal NTLM creds” for findability from Windows/NTLM content.
• The NTFS junction trick (mklink /J) to redirect uploads to an executable webroot path was missing from web file upload attacks and is a common Windows-specific escalation from arbitrary write → RCE. I documented this technique there.
• FullPowers usage was already linked in Windows LPE README, but I added a practical note and reference on the Potato-focused page to help readers bridge from Local Service restricted token → SeImpersonate → GodPotato.

References added

• HTB: Media — WMP NTLM leak → NTFS junction to webroot RCE → FullPowers + GodPotato to SYSTEM
• Morphisec: 5 NTLM vulnerabilities article
• Tools: ntlm_theft, Responder, FullPowers
• Microsoft: mklink command reference

If you want further cross-linking (e.g., from the general NTLM README), I can add that, but the current placements already provide clear navigation paths from both phishing and NTLM pages and from web file uploads into Windows-specific reparse point abuse.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

• searchindex.js removed: This auto-generated file has been removed to prevent conflicts.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2025/09/04/htb-media.html

Content Categories: Based on the analysis, this content was categorized under "Phishing Methodology/Phishing Files & Documents (add: WMP .ASX/.WAX NTLM leak) and cross-link from Windows Privilege Escalation (SeImpersonate/Potato family) and a Windows NTFS Reparse Points/Junctions page under Generic Hacking or Web File Upload Attacks".

Repository Maintenance:

• MD Files Formatting: 874 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

[carlospolop]

merge

[carlospolop]

merge