Pwned! - Find the Backdoor

Difficulty

  • easy

Average duration

1 hrs

Technologies


In this lab, you will analyze the files of a web server that has been compromised with a hidden reverse shell. Your mission as a threat hunter is to discover where the payload is hidden and validate your finding to reveal a secret flag.

In this lab you will learn:

  • Basic analysis of malicious PHP files
  • Exploring the file system of a web server
  • Identifying a covert reverse shell

⚠️ Note: All suspicious comments, hidden files, and the malicious payload were intentionally planted by a fictitious attacker as part of this educational scenario. They do not represent real system flaws, but a simulation to train your analysis skills.

🌱 How to start this lab

Follow these steps to get started:

  1. Download the lab files from this link:
     https://storage.googleapis.com/cybersecurity-machines/web-threats-lab.ova
  2. Import the virtual machine into VirtualBox or VMware.
  3. Start the VM, log in as the user student:4geeks-lab, and open the website in your browser at:
     http://<ip_machine>/pwned/

📄 Instructions

TerraSafe is a cybersecurity consultancy with international clients. But someone on the team (possibly a disgruntled former employee) has planted malicious code on the web server. Your job as a threat hunter is to investigate the site, identify the suspicious file, obtain its exact path, and validate it to uncover evidence of the attack.

Your mission: find the exact path of the malicious file

  1. Investigate the PHP files of the website.

  2. Look for possible reverse shells (hint: check /assets/).

  3. When you think you have found the file:

    • Copy its absolute path
    • Run the following command in the virtual machine:
      validate-malicious-path

Enter the discovered path when prompted. If correct, the challenge flag will be revealed.

      ✅ Correct path!
      🎁 Flag: 4GEEKS{EXAMPLE_FLAG}

💡 Tips

  • Use find, cat, less, or grep to help you search in the terminal.
  • Some files are not linked from the website, but are present on the system.
  • Pay attention to suspicious names like .logs.php, session.inc.php, debug.php, etc.
  • Look for comments in the code that may give you subtle hints.
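
One way to combine these tips into a single triage pass, as an added example that is not part of the original lab: it lists hidden PHP files and PHP files that call functions often seen in reverse shells. The function names `hunt_php` and `make_sample`, the indicator list, and the sample file names are assumptions constructed for illustration and do not reflect the lab's actual files.

```shell
#!/bin/sh
# Added example: triage PHP files under a web root for backdoor indicators.
# The indicator list is an assumption for illustration, not the lab's answer key.

# PHP functions often seen in reverse shells and web shells, followed by "(".
INDICATORS='(fsockopen|proc_open|shell_exec|passthru|popen|system|base64_decode|eval)[[:space:]]*\('

# hunt_php ROOT: print "reason<TAB>path" for each PHP file worth reading by hand.
hunt_php() {
    find "$1" -type f -name '*.php' 2>/dev/null | sort | while IFS= read -r f; do
        # Dotfiles are not served by directory listings and are rarely
        # legitimate inside a web root.
        case "${f##*/}" in
            .*) printf 'hidden\t%s\n' "$f" ;;
        esac
        # Report which indicator functions the file calls, de-duplicated.
        if grep -Eq "$INDICATORS" "$f"; then
            hits=$(grep -Eo "$INDICATORS" "$f" | tr -d '( \t' | sort -u | paste -sd, -)
            printf 'calls:%s\t%s\n' "$hits" "$f"
        fi
    done
}

# make_sample DIR: build a small constructed web root (not the lab's real files).
make_sample() {
    mkdir -p "$1/assets/img"
    # Clean page: should not be reported.
    printf '<?php echo "TerraSafe"; ?>\n' > "$1/index.php"
    # Hidden file that opens an outbound socket (192.0.2.0/24 is a documentation range).
    printf '<?php // constructed sample\n$s = fsockopen("192.0.2.10", 4444);\n' \
        > "$1/assets/img/.thumbs.php"
    # Unlinked helper that decodes an embedded string.
    printf '<?php $d = base64_decode("Y29uc3RydWN0ZWQ="); ?>\n' > "$1/assets/helper.php"
}

# Demo run on the constructed tree; on the lab VM, pass the real web root instead.
demo=$(mktemp -d)
make_sample "$demo"
hunt_php "$demo"
rm -rf "$demo"
```

A hit is only a lead: legitimate code also calls some of these functions, so open each reported file with less or cat and read it before validating a path.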

Good luck!
