Introduction
We are provided with two files:
- A PCAP file
- A PHP file
PCAP Analysis
Start by analyzing the PCAP before fully deobfuscating support.php.
Filter for HTTP POST requests:

Only 4 POST requests are present.
Follow the HTTP streams to inspect the payloads. You will observe obfuscated strings such as:
0UlYyJHG87EJqEz66f8af44abea0QKxO/n6DAwXuGEoc5X9/H3HkMXv1Ih75Fx1NdSPRNDPUmHTy351039f4a7b5

These strings will be used as input for the PHP deobfuscation.
PHP Analysis
The provided PHP script performs multiple layers of obfuscation:
- Pattern extraction using $kh and $kf
- Base64 decoding
- XOR decryption using key 80e32263
- Gzip decompression
To analyze it:
- Execute the script locally or via an online PHP interpreter
- Replace $input_string with values extracted from the PCAP
You can:
- Manually replicate each decoding step
- Or automate the process using scripts / tools
Deobfuscation Process
Using the extracted POST data as input:
- Run it through the PHP function
- Recover the decoded payload

- The output is still encoded — decode it again (e.g., with CyberChef):

- This results in a downloadable file:

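To automate the chain described under PHP Analysis, here is an added Python script (not the challenge's support.php) that replays the same steps on a POST body: take the text between the $kh and $kf markers, Base64-decode it, XOR it with 80e32263, then decompress. The marker values are placeholders because the writeup does not show them, and since PHP's gzuncompress produces a zlib stream while the writeup says gzip, the script accepts either.

```python
"""Replay the support.php decode chain: marker extraction, Base64, XOR, decompress."""
import base64
import gzip
import re
import zlib

XOR_KEY = b"80e32263"     # key named in the writeup
KH = "KH_PLACEHOLDER"     # placeholder: the real $kh value comes from support.php
KF = "KF_PLACEHOLDER"     # placeholder: the real $kf value comes from support.php


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the repeating key (what the PHP XOR loop does)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def extract_between(blob: str, kh: str, kf: str) -> str:
    """Return the text sitting between the $kh and $kf markers."""
    m = re.search(re.escape(kh) + r"(.+?)" + re.escape(kf), blob, re.DOTALL)
    if not m:
        raise ValueError("markers not found in POST body")
    return m.group(1)


def decompress_any(data: bytes) -> bytes:
    """Writeup says gzip, PHP gzuncompress is zlib: accept either stream type."""
    for fn in (zlib.decompress, gzip.decompress):
        try:
            return fn(data)
        except (zlib.error, OSError, EOFError):
            continue
    raise ValueError("payload is neither a zlib nor a gzip stream")


def decode_post_body(blob: str, kh: str = KH, kf: str = KF, key: bytes = XOR_KEY) -> bytes:
    """Marker extraction -> Base64 decode -> XOR -> decompress, in that order."""
    inner = extract_between(blob, kh, kf)
    return decompress_any(xor_repeat(base64.b64decode(inner), key))


def encode_post_body(plaintext: bytes, kh: str = KH, kf: str = KF, key: bytes = XOR_KEY) -> str:
    """Inverse chain; only used here to build a constructed sample body."""
    return kh + base64.b64encode(xor_repeat(zlib.compress(plaintext), key)).decode() + kf


if __name__ == "__main__":
    # Constructed sample, not a real POST body from the PCAP.
    body = "junkprefix" + encode_post_body(b"constructed plaintext payload") + "junksuffix"
    print(decode_post_body(body))
```

Swap the placeholder markers for the $kh and $kf values read out of support.php and feed each POST body from the PCAP to decode_post_body.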
KeePassXC Analysis
The extracted file is a KeePass database.
To recover credentials:
- Use keepass4brute
- Use a common wordlist such as rockyou.txt

After 21444 attempts, the correct password is found.
You can now open the database:
