In this post, I would like to share a walkthrough of the Analysis machine from Hack The Box.


This machine is rated Hard on Hack The Box.

What will you gain from the Analysis machine?


For the user flag, you must exploit a PHP website that utilizes LDAP to query user information from an Active Directory. Initially, I will employ LDAP injection techniques to enumerate user accounts. Subsequently, I will leverage this injection to access a shared account’s description field containing a password. This password will grant access to the admin panel. Within the admin panel, I will exploit an upload feature in two ways: uploading a webshell and executing an HTA file. Further, I will discover credentials for the next user in the autologon registry values and web server logs.


As for the root flag, you need to exploit the Snort dynamic preprocessor feature by crafting a malicious DLL and placing it in a location where Snort will load it.

Information Gathering on Analysis Machine


Once we have started the VPN connection (the connection pack is downloaded from Hack The Box), we can start with an Nmap scan.

┌─[darknite@parrot]─[~/Documents/htb]
└──╼ $nmap -sC -sV 10.10.11.250 -oA initial 
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-01 07:23 EDT
Nmap scan report for 10.10.11.250
Host is up (0.28s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-06-01 11:23:49Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3306/tcp open  mysql         MySQL (unauthorized)
Service Info: Host: DC-ANALYSIS; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-06-01T11:24:07
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.49 seconds
┌─[darknite@parrot]─[~/Documents/htb]
└──╼ $

Let’s access the website interface.


There is nothing that I can abuse on the website interface.


Sadly, directory enumeration turns up nothing worth looking into either.


Therefore, let’s enumerate subdomains on the machine.


The internal subdomain responds with the error “403: Forbidden, Access is denied”.



We have successfully located a PHP file.


There is an error saying “missing parameter”.


After analyzing the parameter, I managed to find a potential username, technician.


Another potential username that we can use for further progress.


The response we receive is shown above.


We find the login page when accessing login.php under the employees directory.
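The lookup script behind this page builds an LDAP filter from a request parameter, which is why the parameter can be used to enumerate accounts. As an added example, not code from the original post or from the target's own PHP, the block below shows the unsafe string-concatenation pattern next to the hardened form that applies RFC 4515 value escaping, together with a small leaf parser that makes the difference visible: a single-user lookup should always produce exactly two leaf assertions and never a wildcard value. The attribute names and the filter shape are assumptions for illustration.

```python
"""
Added example (not from the original post): building a single-user LDAP
lookup filter with and without RFC 4515 escaping, plus a structural check
a reviewer can use to show why the escaping matters.
"""

# RFC 4515 section 3: characters that must be escaped inside a filter value
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_escape_filter_value(value: str) -> str:
    """Escape a string so it is treated as a literal assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, escape: bool = True) -> str:
    """
    Build the filter used to look up one user by sAMAccountName (assumed
    attribute). escape=False reproduces the unsafe concatenation pattern;
    escape=True is the hardened form.
    """
    value = ldap_escape_filter_value(username) if escape else username
    return f"(&(objectClass=user)(sAMAccountName={value}))"


def leaf_assertions(filt: str) -> list[str]:
    """
    Return the leaf "attr=value" assertions of a filter, honouring \\xx
    escape sequences so escaped parentheses stay inside the value.
    """
    leaves, buf, i = [], "", 0
    while i < len(filt):
        ch = filt[i]
        if ch == "\\" and i + 2 < len(filt):
            buf += filt[i:i + 3]  # escaped hex pair belongs to the value
            i += 3
            continue
        if ch == "(":
            buf = ""
        elif ch == ")":
            if buf and buf not in ("&", "|", "!"):
                leaves.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    return leaves


def lookup_is_single_user(filt: str) -> bool:
    """
    A well-formed single-user lookup has exactly two leaves and no wildcard
    in the account value; anything else means the input altered the query.
    """
    leaves = leaf_assertions(filt)
    return len(leaves) == 2 and "*" not in leaves[1]


if __name__ == "__main__":
    for name in ("technician", "*", "a)(b"):
        for escape in (False, True):
            f = build_user_filter(name, escape)
            print(f"{'escaped  ' if escape else 'unescaped'} {f!r:52} "
                  f"leaves={leaf_assertions(f)} single_user={lookup_is_single_user(f)}")
```

In PHP the equivalent of `ldap_escape_filter_value` is the built-in `ldap_escape($value, "", LDAP_ESCAPE_FILTER)`; the structural check is only a teaching aid, since the real fix is to escape every user-supplied value before it reaches the filter.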

Spraying the username and password for the Analysis machine


The screenshot above shows the list of usernames that we can use for our next step.


It will take a few minutes depending on the connection to the machine.


At last, we managed to obtain valid login credentials.
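A spray like the one above leaves a recognisable trace: one source producing failed logins against many different accounts in a short span, which is the opposite of a legitimate user retrying one account. As an added example that is not part of the original post, the block below runs that detection over a constructed authentication log for the login page. The log format, the source addresses and all usernames other than technician and jdoe are constructed for the example.

```python
"""
Added example (not from the original post): flagging password spraying from
authentication log lines. The log format and every entry are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <method> <path> user=<name> status=<code>"
LOG_LINES = [
    "2024-06-01T11:30:01Z 10.10.14.5 POST /employees/login.php user=technician status=401",
    "2024-06-01T11:30:03Z 10.10.14.5 POST /employees/login.php user=jdoe status=401",
    "2024-06-01T11:30:05Z 10.10.14.5 POST /employees/login.php user=webadmin status=401",
    "2024-06-01T11:30:07Z 10.10.14.5 POST /employees/login.php user=lopez status=401",
    "2024-06-01T11:30:09Z 10.10.14.5 POST /employees/login.php user=badam status=401",
    "2024-06-01T11:30:11Z 10.10.14.5 POST /employees/login.php user=soc_analyst status=401",
    # one legitimate user mistyping a password twice, then succeeding
    "2024-06-01T11:31:00Z 192.168.1.20 POST /employees/login.php user=jdoe status=401",
    "2024-06-01T11:31:20Z 192.168.1.20 POST /employees/login.php user=jdoe status=401",
    "2024-06-01T11:31:40Z 192.168.1.20 POST /employees/login.php user=jdoe status=200",
    # a slow spray: five accounts over two hours stays under a 5-minute window
    "2024-06-01T12:00:00Z 10.10.14.9 POST /employees/login.php user=technician status=401",
    "2024-06-01T12:30:00Z 10.10.14.9 POST /employees/login.php user=jdoe status=401",
    "2024-06-01T13:00:00Z 10.10.14.9 POST /employees/login.php user=webadmin status=401",
    "2024-06-01T13:30:00Z 10.10.14.9 POST /employees/login.php user=lopez status=401",
    "2024-06-01T14:00:00Z 10.10.14.9 POST /employees/login.php user=badam status=401",
]


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, src, _method, _path, user_kv, status_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "user": user_kv.split("=", 1)[1],
        "status": int(status_kv.split("=", 1)[1]),
    }


def detect_spray(lines, window=timedelta(minutes=5), min_users=5) -> dict:
    """
    Return {source_ip: sorted usernames} for every source whose failed
    logins cover at least `min_users` distinct accounts inside some span
    of length `window`. Repeated failures for one account do not count.
    """
    failures = defaultdict(list)
    for ev in map(parse_line, lines):
        if ev["status"] == 401:
            failures[ev["src"]].append((ev["ts"], ev["user"]))

    flagged = {}
    for src, events in failures.items():
        events.sort()
        best = set()
        for i, (end_ts, _) in enumerate(events):
            # distinct accounts failed by this source in the window ending here
            users = {u for ts, u in events[: i + 1] if ts >= end_ts - window}
            if len(users) >= min_users and len(users) > len(best):
                best = users
        if best:
            flagged[src] = sorted(best)
    return flagged


if __name__ == "__main__":
    for src, users in detect_spray(LOG_LINES).items():
        print(f"possible password spray from {src}: {', '.join(users)}")
```

The window and threshold are the tuning knobs: the slow source in the sample is missed at five minutes and caught at three hours, so a detection that only looks at short bursts should be paired with a longer-horizon count of distinct accounts per source.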


We are presented with the dashboard as shown above.


We can use a simple PHP reverse shell command shown in the screenshot above.


Next, let’s upload the file through the website’s upload function, upload.php.


It looks like the upload was successful, judging by the error message.


Let’s test our command injection, which looks successful.


We should be able to get a reverse shell connection by entering the reverse shell command.
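Both paths through the admin panel rely on the upload handler accepting a server-executable file (a PHP webshell, or an HTA) and keeping the client-supplied name. As an added example that is not from the original post or the target's upload.php, the block below shows the server-side validation that closes that gap: an extension allowlist, a magic-byte check so the body must match the extension, rejection of stacked extensions and path components, and a random server-side file name. The allowed types and limits are assumptions for illustration.

```python
"""
Added example (not from the original post): server-side validation for a
file upload handler. Allowlist, magic numbers and limits are assumed values.
"""
import os
import secrets

# Allowed extension -> acceptable leading bytes of the file body
ALLOWED_TYPES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
}


def validate_upload(filename: str, content: bytes, max_bytes: int = 5_000_000):
    """
    Return (accepted, detail). On success `detail` is the random name the
    file should be stored under; on failure it is the rejection reason.
    """
    # Reject anything that is not a bare file name (../, drive letters, backslashes)
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or base in ("", ".", ".."):
        return False, "path components are not allowed in the file name"

    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} is not on the allowlist"

    # Stacked extensions (name.php.png) are refused outright rather than
    # trusting the web server to pick the right handler for them
    if os.path.splitext(root)[1]:
        return False, "multiple extensions are not allowed"

    if len(content) > max_bytes:
        return False, "file is larger than the configured limit"

    # The body must look like the type the extension claims
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "file body does not match its extension"

    # Never reuse the client-supplied name on disk
    stored_name = secrets.token_hex(16) + ext
    return True, stored_name


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed PNG header
    for name, body in (("report.png", png), ("shell.php", b"<?php ?>"),
                       ("run.hta", b"<html>"), ("image.png", b"<?php ?>")):
        ok, detail = validate_upload(name, body)
        print(f"{name:12} -> {'stored as ' + detail if ok else 'rejected: ' + detail}")
```

Storing accepted files outside the web root, or in a directory where script execution is disabled, is the complementary control: even if a check here is bypassed, the web server should never be asked to run what was uploaded.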


However, the machine’s language seems to be something other than English.


After a while, I located the PHP file we found earlier.


The source code of the list.php looks as shown in the screenshot above.


We also need to look into the employees directory.


We managed to find a credential that looks like it belongs to a MySQL database.


Next, let’s obtain another shell using the command above.


Finally, we obtained a new reverse shell connection back to us.


Let’s upload PrivescCheck.ps1, which can be found here.


Therefore, let’s execute the command above.


After a while, we managed to get jdoe’s credentials.


It looks like the credentials can be used with evil-winrm.




We can read the user flag by typing the “type user.txt” command.

Escalate to Root Privilege Access


I noticed a suspicious snort directory; it is unusual to find Snort installed on a target machine.


Two directories are stored within the snort directory.


At least we can upload a malicious file into the directory.


Let’s start our listener on the attacker’s machine.


Next, let’s create a malicious file saved in DLL format.


Then we upload the file to the victim’s machine.


It will take a while for the reverse shell connection to come back to our attacker machine.


Boom! At last, we managed to retrieve the root shell.


We can read the root flag by typing the “type root.txt” command.

Another way to access the root shell on the machine