Obscure - HackTheBox Forensics Challenge

Challenge Information

Field	Value
Event	HackTheBox
Challenge	Obscure
Category	Forensics
Difficulty	Medium
Flag	HTB{pr0tect_y0_shellZ}

Description

An attacker has found a vulnerability in our web server that allows arbitrary PHP file upload in our Apache server. The hacker has uploaded what seems to be an obfuscated shell (support.php). We monitor our network 24/7 and generate logs from tcpdump (we provided the log file for the period of two minutes before we terminated the HTTP service for investigation). We need help analyzing and identifying commands the attacker wrote to understand what was compromised.

Files Provided

File	Description
19-05-21_22532255.pcap	Network capture file containing HTTP traffic
support.php	Obfuscated PHP webshell uploaded by attacker
to-do.txt	Task description

---

Solution

Step 1: Deobfuscate the PHP Webshell

The support.php file contained heavily obfuscated PHP code. The obfuscation used multiple layers of string replacement techniques to hide the actual functionality.

Obfuscation techniques observed:

• str_replace('u)','',...) - Removes obfuscation characters scattered throughout strings
• str_replace('FD','','FDcreFDateFD_fFDuncFDFDtion') - Reconstructs create_function

After careful deobfuscation, the code revealed a Weevely3-style webshell with the following encryption parameters:

Parameter	Value	Purpose
XOR Key	80e32263	Encryption/decryption key
Key Header (kh)	6f8af44abea0	Marks start of encrypted data
Key Footer (kf)	351039f4a7b5	Marks end of encrypted data
Prefix	0UlYyJHG87EJqEz6	Session identifier

Webshell Communication Flow:

...