LFI Escalation Official Lab Walkthrough

Introduction

The LFI Escalation lab presents a multi-stage web application compromise investigation that escalates from a simple directory brute-force scan into full system takeover with persistence. Analysts are provided with KAPE-collected forensic artifacts from a Windows web server running XAMPP, including Apache access logs, the NTFS Master File Table ($MFT), the USN Journal ($J), Windows Event Logs, Prefetch files, Amcache, and registry hives. These artifacts collectively tell the story of a methodical attacker who discovered and exploited a Local File Inclusion (LFI) vulnerability in a legacy web application, leveraged exposed database credentials to gain deeper access, deployed a webshell through SQL injection, and ultimately established a persistent reverse shell using advanced evasion techniques.

The target system hosts a VTuber music website built on XAMPP (Apache + MySQL + PHP) and belongs to a user named "hoshisora." The attacker's campaign spans two days: the first day focuses on reconnaissance, vulnerability discovery, credential theft, and database exfiltration, while the second day escalates to webshell deployment, reverse shell delivery, UAC bypass attempts, lateral tool deployment, and registry-based persistence. The investigation touches on several critical forensic disciplines (web log analysis, NTFS artifact examination, Windows event log correlation, Prefetch and Amcache analysis, and registry forensics), making it an excellent exercise in connecting evidence across disparate data sources to reconstruct a complete attack narrative.

The forensic artifacts are located under C:\Users\Administrator\Desktop\Start Here\Artifacts\, with the collected filesystem rooted at the C\ subdirectory. Key tools used throughout this investigation include Eric Zimmerman's suite (MFTECmd, EvtxECmd
