Task: Analyze a PCAP and an obfuscated PHP webshell to reconstruct the attacker's commands and find the flag. Solution: Deobfuscate a Weevely3 webshell to extract the XOR key and markers, decrypt the captured HTTP traffic to reveal that the attacker exfiltrated a KeePass database, crack it with John the Ripper, and read the flag from the database entry.
Obscure - HackTheBox Forensics Challenge
Challenge Information
| Field | Value |
|---|---|
| Event | HackTheBox |
| Challenge | Obscure |
| Category | Forensics |
| Difficulty | Medium |
| Flag | HTB{pr0tect_y0_shellZ} |
Description
An attacker has found a vulnerability in our web server that allows arbitrary PHP file upload in our Apache server. The hacker has uploaded what seems to be an obfuscated shell (support.php). We monitor our network 24/7 and generate logs from tcpdump (we provided the log file for the period of two minutes before we terminated the HTTP service for investigation). We need help analyzing and identifying commands the attacker wrote to understand what was compromised.
Files Provided
| File | Description |
|---|---|
| 19-05-21_22532255.pcap | Network capture file containing HTTP traffic |
| support.php | Obfuscated PHP webshell uploaded by attacker |
| to-do.txt | Task description |
Solution
Step 1: Deobfuscate the PHP Webshell
The support.php file contained heavily obfuscated PHP code. The obfuscation used multiple layers of string replacement techniques to hide the actual functionality.
Obfuscation techniques observed:
- `str_replace('u)', '', ...)` removes the filler characters scattered throughout strings
- `str_replace('FD', '', 'FDcreFDateFD_fFDuncFDFDtion')` reconstructs `create_function`
After careful deobfuscation, the code revealed a Weevely3-style webshell with the following encryption parameters:
| Parameter | Value | Purpose |
|---|---|---|
| XOR Key | 80e32263 | Encryption/decryption key |
| Key Header (kh) | 6f8af44abea0 | Marks start of encrypted data |
| Key Footer (kf) | 351039f4a7b5 | Marks end of encrypted data |
| Prefix | 0UlYyJHG87EJqEz6 | Session identifier |
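As an added example (not part of the original writeup), the following Python uses the recovered parameters to decrypt the kh...kf segments found in captured request and response bodies. It assumes the standard Weevely3 agent layout, where the text between the markers is base64 of the repeating-key XOR of a zlib (PHP gzcompress) stream; the sample request and response bodies are constructed here, not taken from the challenge pcap.

```python
import base64
import re
import zlib

# Parameters recovered from support.php (see the table above).
XOR_KEY = b"80e32263"
KEY_HEADER = b"6f8af44abea0"
KEY_FOOTER = b"351039f4a7b5"
PREFIX = b"0UlYyJHG87EJqEz6"


def xor_cycle(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the agent's loop restarts the key after every len(key) bytes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_segment(segment: bytes, key: bytes = XOR_KEY) -> bytes:
    """Undo base64 -> XOR -> zlib (PHP gzcompress) on one kh...kf payload.
    Assumption: standard Weevely3 layout, base64(xor(gzcompress(data), key))."""
    return zlib.decompress(xor_cycle(base64.b64decode(segment), key))


def encode_segment(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Inverse of decode_segment; used here only to build the constructed samples."""
    return base64.b64encode(xor_cycle(zlib.compress(data), key))


def extract_payloads(http_body: bytes, kh: bytes = KEY_HEADER,
                     kf: bytes = KEY_FOOTER, key: bytes = XOR_KEY) -> list[bytes]:
    """Return every decrypted kh...kf segment in a request or response body.
    The response prefix ($p) and any HTML around the markers are ignored,
    because only the text between the markers is encrypted."""
    pattern = re.escape(kh) + rb"(.+?)" + re.escape(kf)
    return [decode_segment(m, key) for m in re.findall(pattern, http_body, flags=re.S)]


# Constructed sample traffic (not from the challenge pcap): one request carrying
# PHP code and the matching response carrying its output.
SAMPLE_REQUEST = KEY_HEADER + encode_segment(b"echo php_uname();") + KEY_FOOTER
SAMPLE_RESPONSE = PREFIX + KEY_HEADER + encode_segment(b"Linux webhost 5.4.0 x86_64\n") + KEY_FOOTER


if __name__ == "__main__":
    for label, body in (("request", SAMPLE_REQUEST), ("response", SAMPLE_RESPONSE)):
        for payload in extract_payloads(body):
            print(f"[{label}] {payload.decode(errors='replace')}")
```

Running the same `extract_payloads` over each HTTP body reassembled from the pcap yields the attacker's commands and their outputs in order.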
Webshell Communication Flow:
...