Forum Discussion
PowerShell Deobfuscation Ep.7
- 9 months ago
Firstly, great detail. The last one seems like we've missed something.
The easier thing to do with this lab is to remove any way of detonating (removal of shell commands or IEX or Invoke-Expression and so on) and use PowerShell to return the data, then pipe it to an 'Add-Content -Path' command or '> NewLayer1.ps1' and continue that way.
Happy to jump on a Discord chat: Mr Hand Grenade#6321
Honestly, I learnt so much from this 12 days of Deobfs, but there is also another Powershell Deobs that actually shows you how to do it... I wish I had done that first, but I learnt so much this way.
Hello guys
Sorry for the late reply, I got a chance to come back to this lab. I agree there is randomization, but I noticed when I replayed the lab many times that there is consistency in the deobfuscation layers; the randomization is in the URL path, which forms part of the answer. So I appreciate any help, guys.
Here is the first layer, so I did this recipe (notice the multiple splits; I replaced them with an extra space).
Next I just copied all the hex values and converted them using from hex.
At the bottom we can see this:
So I took all the int values and converted them using from charcode and removed null bytes, but this is all I am left with.
Appreciate any hints, or can someone point me in the right direction? Can somebody just retry the lab and give hints on how they managed to solve it regardless of the randomization factor? That would be a big help. :) Thanks.
- ray96 3 months ago
Bronze II
I am stuck here too. Can anyone help with how to proceed from here?
- ray96 3 months ago
Bronze II
CyberSharpe and GusC, were you guys able to solve it?
- CyberSharpe 3 months ago
Silver I
ray96 Apologies for the late reply. I've been somewhat AFK recently.
Remove anything that can run the command, then trim it, and run it without the IEX.
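The workflow discussed in this thread (swap the split delimiters for spaces, from hex, from charcode, drop null bytes, and strip IEX rather than running it), as an added Python sketch that is not part of any post above. The sample layer, its `~%@` delimiters and all function names are constructed assumptions, not the lab's actual script.

```python
import re

# Calls that detonate a decoded layer; commented out below, never run.
DETONATORS = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)

def from_hex(layer, delimiters="~%@"):
    """Replace every split delimiter with a space, then decode the hex pairs."""
    cleaned = re.sub("[" + re.escape(delimiters) + "]", " ", layer)
    return bytes(int(tok, 16) for tok in cleaned.split()).decode("latin-1")

def from_charcode(layer):
    """Turn each decimal integer into a character and drop the null bytes."""
    codes = [int(n) for n in re.findall(r"\d+", layer)]
    return "".join(chr(c) for c in codes if c != 0)

def defang(script):
    """Wrap detonators in a PowerShell block comment so the text is inert."""
    return DETONATORS.sub(lambda m: "<# " + m.group(0) + " removed #>", script)

def build_sample():
    """Constructed stand-in for the lab script (delimiters are assumptions)."""
    inner = "Invoke-Expression \"Write-Output 'constructed final layer'\""
    codes = ",".join(str(b) for b in inner.encode("utf-16-le"))
    layer2 = "iex(-join[char[]](" + codes + "))"
    return "".join(format(ord(c), "02x") + "~%@"[i % 3]
                   for i, c in enumerate(layer2))

def peel(layer1):
    """Decode both layers as text only; returns (layer2, defanged final)."""
    layer2 = from_hex(layer1)
    return layer2, defang(from_charcode(layer2))

if __name__ == "__main__":
    layer2, final = peel(build_sample())
    print(defang(layer2)[:60] + "...")
    print(final)
```

Each layer is handled as a string and can be written to a file for review; nothing decoded is ever passed to an interpreter.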