Forum Discussion
Powershell Deobsfuscation Ep.7
Hello, can anybody help me or give some hints on how to solve this lab? I can notice some URL encoding. I did try the recipe below in CyberChef but am still stuck:
url decode > from hex > from charcode
The next thing I was left with is a bunch of 2s with random spacing.
Appreciate any hints or help? :)
12 Replies
- m1zt3rIL
Bronze II
Hi CyberSharpe, that did the trick. Removing the iex, I was able to solve it now. Thank you so much for the help :)
- CyberSharpe
Silver I
Firstly, great detail. The last one seems like we've missed something.
The easier thing to do with this lab is remove any way of detonating (removal of shell commands or IEX or Invoke-Expression and so on) and use PowerShell to return the data, then pipe it to an 'Add-Content -Path' command or > NewLayer1.ps1 and continue that way.
Happy to jump on a Discord chat: Mr Hand Grenade#6321
Honestly, I learnt so much from this 12 days of Deobfs, but there is also another PowerShell Deobs that actually shows you how to do it... I wish I had done that first, but I learnt so much this way.
- luketap
Bronze I
Hey CyberSharpe, I greatly appreciate your help! I've been stuck on this lab for weeks now.
I tried the method you outlined above and with ChatGPT's help, with no luck. Would you mind attaching a screenshot of an example to guide me in the right direction?
- CyberSharpe
Silver I
luketap each lab has a different learning objective, or at least it felt that way. Which one are you doing and what is the main issue? I can then jump on that lab and attempt to assist. Removing the executing factors and running it as a new .ps1 can really help.
But there are also some really good deobs labs that can prelude this.
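The approach CyberSharpe describes in this thread (strip the call that executes the payload, let PowerShell return the decoded text, save it as the next layer), shown as an added example that is not part of any post and not taken from the lab. The sample layer, the `Remove-Detonator` helper and the `NewLayerN.ps1` naming are constructed for illustration, and only the plain `IEX` / `Invoke-Expression` spellings are handled.

```powershell
# Constructed sample layer (NOT from the lab): char codes joined into a
# string and piped to IEX. Decoded, it is just: Write-Output 'layer2'
$layer1 = @'
( '87,114,105,116,101,45,79,117,116,112,117,116,32,39,108,97,121,101,114,50,39' -split ',' | ForEach-Object { [char][int]$_ } ) -join '' | IEX
'@

# Hypothetical helper: rewrite the two common ways a layer detonates.
#   ... | IEX      -> drop the pipe stage so the decoded string is returned
#   IEX <expr>     -> Write-Output <expr>
function Remove-Detonator {
    param([Parameter(Mandatory)][string]$Script)

    $s = $Script -replace '\|\s*(iex|Invoke-Expression)\b', ''
    $s = $s -replace '(?m)(^\s*|[;({]\s*)(iex|Invoke-Expression)\b', '${1}Write-Output'

    # Be conservative: if the name survives anywhere (for example inside a
    # quoted string used to build the call), stop and edit the layer by hand.
    if ($s -match '\b(iex|Invoke-Expression)\b') {
        throw 'Executor still present after rewrite; edit this layer by hand.'
    }
    return $s
}

# Peel layers until the output no longer contains a plain executor call.
# The decoding code of each layer still runs, so do this inside the lab VM.
$current = $layer1
$n = 1
while ($current -match '\b(iex|Invoke-Expression)\b') {
    $safe = Remove-Detonator -Script $current
    $out  = ".\NewLayer$n.ps1"

    # Run the neutralised layer and capture what it would have executed.
    & ([scriptblock]::Create($safe)) > $out

    $current = Get-Content -Path $out -Raw
    Write-Host "Layer $n written to $out"
    $n++
}

# Read the last file before going further: executors built another way
# (call operator on a constructed string, aliases) are not caught above.
Write-Host $current
```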
- m1zt3rIL
Bronze II
Hello guys,
Sorry for the late reply, I got a chance to come back to this lab. I agree there is randomization, but having replayed the lab many times I noticed there is consistency in the deobfuscation layers; the randomization is in the URL path, which forms part of the answer. So I appreciate any help, guys.
Here is the first layer, so I did this recipe (notice the multiple splits; I replaced them with an extra space)
Next I just copied all the hex values and converted them using from hex
At the bottom we can see this
So I took all the int values and converted them using from charcode and removed null bytes, but this is all I am left with
Appreciate any hints, or can you point me in the right direction? If somebody could just retry the lab and give hints on how they managed to solve it regardless of the randomization factor, that would be a big help. :) Thanks.
- ray96
Bronze II
I am stuck here too. Can anyone help on how to proceed from here?
- ray96
Bronze II
CyberSharpe and GusC were you guys able to solve it?
- CyberSharpe
Silver I
The lab doesn’t let you copy either but maybe supporting this question with a screenshot could let us know how you came to your conclusion and help you tweak your attempts.
- CyberSharpe
Silver I
I found each time the lab is reset it’s a different deobfuscation. Which isn’t helpful after you go away and research and come back and it’s completely different. I managed 7 but now need to work on 8. That’s a problem for a future CyberSharpe.
- KieranRowley
Community Manager
I know CyberSharpe and GusC were recently discussing this one. Can either of you offer any advice?