Forum Discussion
Bronze IPowerShell Deobfuscation: Ep 8 help
Bronze IInetcat Were you able to solve this? Can you elaborate your Hint 1 and 2 pls?
Silver IIIYes, I solved it.
Hint 1: You're not done with the deobfuscation - until you see the domain.
Hint 2: It was an error I received, and assumed others might get it as well.
- PRABAKARANRAMAMURTHY
Hi netcat, mind to explain on how we can further work on the deobfuscation for this?
mhmthello,
any update will be greatly appreciated.
- autom8on
Bronze III
Hola,
So - my notes for this date back to when it was an Xmas 2021 Challenge & Scenarios lab - "Xmas 2021: Day 8 - Maids a Milking". Though I think they've modified the script slightly, I'm hoping my approach still works...
So - having used CyberChef to un-base64 and decompress stuff, I eventually ended up with a horribly un-readable script which is just lots and lots of $ symbols (similar to yours)... My notes then read:
* Start powershell from the desktop, enable debugging - and then cut/paste the previous string in…
* Set-PSDebug -Trace 1
* ^^ do that in powershell before attempting to run your code. Before it reports an error, it spits this out:
... I then have the next bit of script to analyse, which should contain a lot of "[Char]101 + [Char]86 + [Char]56..." type code (how to decode that, I'll leave as an exercise for the reader ;-))
As a random aside, I also found the following script quite useful in this series of labs: Deobfuscate a powershell script with re-ordering obfuscation · GitHub
Hope that's of some help...
