Forum Discussion

m1zt3rIL's avatar
m1zt3rIL
Icon for Bronze II rankBronze II
8 months ago
Solved

Powershell Deobsfuscation Ep.7

Hello can anybody help me or give some hints how to solve this lab? I can notice some URL encoding. I did try in Cyberchef below recipe but still stuck url decode > from hex > from charcode Next th...
defensive cyber
  • CyberSharpe's avatar
    CyberSharpe
    7 months ago

    Firstly great detail. The last one seems like we've missed something.

    The easier thing to do with this lab is remove any way of detonating (removable of shell commands or IEX or Invoke expression and so on) and use powershell to return the data then pipe it to an 'Add-Content -Path command or > NewLayer1.ps1 and continue that way

    Happy to jump on a discord chat Mr Hand Grenade#6321 

    Honestly I learnt so much from this 12 days of Deobfs but there is also another Powershell Deobs that actually shows you how to do it... I wish I had of done that first but learnt so much this way


CyberSharpe's avatar
CyberSharpe
Icon for Bronze III rankBronze III
7 months ago

Firstly great detail. The last one seems like we've missed something.

The easier thing to do with this lab is remove any way of detonating (removable of shell commands or IEX or Invoke expression and so on) and use powershell to return the data then pipe it to an 'Add-Content -Path command or > NewLayer1.ps1 and continue that way

Happy to jump on a discord chat Mr Hand Grenade#6321 

Honestly I learnt so much from this 12 days of Deobfs but there is also another Powershell Deobs that actually shows you how to do it... I wish I had of done that first but learnt so much this way


  • luketap's avatar
    luketap
    Icon for Bronze I rankBronze I
    7 months ago

    Hey CyberSharpe , I greatly appreciate your help! I've been stuck on this lab for weeks now.

    I tried the method you outlined above and with GhatGPT's help with no luck. Would you mind attaching a screenshot of an example to guide me in the right direction? 

    • CyberSharpe's avatar
      CyberSharpe
      Icon for Bronze III rankBronze III
      7 months ago

      luketapeach lab has a different learning objective or at least it felt that way. Which one are you doing and what is the main issue. I can then jump on that lab and attempt to assist. Removing the executing factors and running it as a new .ps1 can really help. 
      But there are also some really good deobs labs that can prelude this. 

      • luketap's avatar
        luketap
        Icon for Bronze I rankBronze I
        7 months ago

         CyberSharpe  Thank you for your quick reply!

        Please disregard, I just solved it. I went back and cleaned up some syntax issues. Thank you for your help!