Phantom Script Intrusion [Forensics]

The challenge provides us with an obfuscated PHP script.

<?php
goto Ls6vZ;
apeWK:
${"\x76\141\x72\61"} = str_rot13(
    "\x24\x7b\x22\134\x78\x34\x37\134\x78\x34\143\x5c\x78\64\x66\x5c\170\x34\x32\134\x78\64\61\x5c\170\x34\x63\134\x78\x35\x33\42\x7d"
);
goto G9fZX;
Ls6vZ:
${"\x47\x4c\x4f\x42\101\114\123"} =
    "\150\x58\x58\x70\x73\72\x2f\57\163\150\x30\162\164\x75\x72\x6c\56\x61\164\x2f\x73\x31\146\x57\62";
goto apeWK;
XT2kv:
if (strlen(${"\x76\141\x72\x32"}) > 0) {
    ${"\166\x61\x72\x33"} = ${"\x76\x61\x72\x32"};
} else {
    ${"\166\141\x72\63"} = "";
}
goto ZYamk;
V2P3O:
foreach (str_split(${"\166\141\x72\x33"}) as ${"\166\x61\x72\x35"}) {
    ${"\166\141\162\x34"} .= chr(ord(${"\166\141\162\65"}) - 1);
}
goto Ly_yq;
G9fZX:
${"\x76\141\162\x32"} = base64_decode(${${"\166\x61\162\x31"}});
goto XT2kv;
Ly_yq:
eval(${${"\x76\x61\x72\x34"}});
goto IFMxz;
ZYamk:
${"\166\141\162\64"} = "";
goto V2P3O;
IFMxz: ?>

Whenever you are faced with an obfuscated script, a good first step is to try an online deobfuscator.

Running the PHP script through an online deobfuscator gives us this.

<?php
goto Ls6vZ;
apeWK:
${"var1"} = str_rot13("${"GLOBALS"}");
goto G9fZX;
Ls6vZ:
${"GLOBALS"} = "hXXps://sh0rturl.at/s1fW2";
goto apeWK;
XT2kv:
if (strlen(${"var2"}) > 0) {
    ${"var3"} = ${"var2"};
} else {
    ${"var3"} = "";
}
goto ZYamk;
V2P3O:
foreach (str_split(${"var3"}) as ${"var5"}) {
    ${"var4"} .= chr(ord(${"var5"}) - 1);
}
goto Ly_yq;
G9fZX:
${"var2"} = base64_decode(${${"var1"}});
goto XT2kv;
Ly_yq:
eval(${${"var4"}});
goto IFMxz;
ZYamk:
${"var4"} = "";
goto V2P3O;
IFMxz:
?>

One string stands out: a defanged URL.

hXXps://sh0rturl.at/s1fW2

Making small changes to it (hXXps to https, sh0rturl to shorturl) gives a valid URL that we can visit.

https://shorturl.at/s1fW2
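As an added example (not part of the original writeup and not the online tool's code), the Python script below does statically what the deobfuscator did for us: it resolves the \xHH and octal \NNN escapes inside every double-quoted literal, follows the goto chain so the flattened blocks read in execution order, and then pulls out and refangs any hXXp URL from the cleaned text. The obfuscated script from the challenge is embedded as the sample input; the function names, the goto-walking approach and the single-quoted rendering of nested escapes are my own choices. Note that PHP decodes escapes only once, so the str_rot13 argument is the literal text `${"\x47..."}` rather than the word GLOBALS; the decoder keeps it that way instead of resolving it a second time. The sh0rturl to shorturl substitution is the author's manual judgment and is not automated here.

```python
import re

# Sample input (constructed copy): the obfuscated script from the writeup, embedded verbatim.
OBFUSCATED = r'''<?php
goto Ls6vZ;
apeWK:
${"\x76\141\x72\61"} = str_rot13(
    "\x24\x7b\x22\134\x78\x34\x37\134\x78\x34\143\x5c\x78\64\x66\x5c\170\x34\x32\134\x78\64\61\x5c\170\x34\x63\134\x78\x35\x33\42\x7d"
);
goto G9fZX;
Ls6vZ:
${"\x47\x4c\x4f\x42\101\114\123"} =
    "\150\x58\x58\x70\x73\72\x2f\57\163\150\x30\162\164\x75\x72\x6c\56\x61\164\x2f\x73\x31\146\x57\62";
goto apeWK;
XT2kv:
if (strlen(${"\x76\141\x72\x32"}) > 0) {
    ${"\166\x61\x72\x33"} = ${"\x76\x61\x72\x32"};
} else {
    ${"\166\141\x72\63"} = "";
}
goto ZYamk;
V2P3O:
foreach (str_split(${"\166\141\x72\x33"}) as ${"\166\x61\x72\x35"}) {
    ${"\166\141\162\x34"} .= chr(ord(${"\166\141\162\65"}) - 1);
}
goto Ly_yq;
G9fZX:
${"\x76\141\162\x32"} = base64_decode(${${"\166\x61\162\x31"}});
goto XT2kv;
Ly_yq:
eval(${${"\x76\x61\x72\x34"}});
goto IFMxz;
ZYamk:
${"\166\141\162\64"} = "";
goto V2P3O;
IFMxz: ?>'''

ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\([\\$"])')  # \xHH, \NNN, \\ \$ \"
LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')        # body of a PHP double-quoted literal
LABEL_RE = re.compile(r'^([A-Za-z_]\w*):(.*)$')        # goto target label at line start
GOTO_RE = re.compile(r'^goto\s+([A-Za-z_]\w*)\s*;')
DEFANGED_URL_RE = re.compile(r'h[xX]{2}ps?://[^\s"\'<>]+')

def decode_php_escapes(body: str) -> str:
    """Resolve the escapes of a PHP double-quoted string body once, as PHP itself would."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)) if m.group(1) is not None
                         else chr(int(m.group(2), 8)) if m.group(2) is not None
                         else m.group(3), body)

def decode_literals(php: str) -> str:
    """Rewrite every double-quoted literal with its escapes resolved. A result holding a quote,
    dollar or backslash is emitted single-quoted, which PHP does not interpolate."""
    def repl(m):
        text = decode_php_escapes(m.group(1))
        if any(ch in text for ch in '"$\\'):
            return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"
        return '"' + text + '"'
    return LITERAL_RE.sub(repl, php)

def linearize_gotos(php: str) -> list:
    """Undo goto flattening: split into labelled blocks, then walk the chain from the entry."""
    blocks = {"__entry__": []}
    current = "__entry__"
    for line in php.splitlines():
        m = LABEL_RE.match(line.strip())
        if m:
            current = m.group(1)
            blocks[current] = [m.group(2).strip()] if m.group(2).strip() else []
        elif line.strip():
            blocks[current].append(line)
    out = []
    label, seen = "__entry__", set()
    while label in blocks and label not in seen:     # stop at a missing target or a cycle
        seen.add(label)
        nxt = None
        for stmt in blocks[label]:
            g = GOTO_RE.match(stmt.strip())
            if g:                                    # an unconditional goto ends the block
                nxt = g.group(1)
                break
            out.append(stmt)
        label = nxt
    return out

def deobfuscate(php: str) -> str:
    return "\n".join(linearize_gotos(decode_literals(php)))

def find_defanged_urls(text: str) -> list:
    return DEFANGED_URL_RE.findall(text)

def refang(url: str) -> str:
    """Undo the usual defanging conventions: hxxp -> http, [.] and (.) -> '.'"""
    url = re.sub(r'^h[xX]{2}p', 'http', url)
    return url.replace('[.]', '.').replace('(.)', '.')

if __name__ == "__main__":
    cleaned = deobfuscate(OBFUSCATED)
    print(cleaned)
    print("indicators:", [(u, refang(u)) for u in find_defanged_urls(cleaned)])
```

Run as-is and the cleaned listing shows the real order of operations (string assignment, rot13, base64, the chr(ord - 1) shift, eval) with readable variable names, and the URL becomes searchable without ever executing the sample.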

Going to that URL gives us the flag!

flag: OSCTF{M4lW4re_0bfU5CAt3d}
