Forum Discussion

m1zt3rIL
21 days ago

PowerShell Deobfuscation Ep.7

Hello, can anybody help me or give some hints on how to solve this lab? I can notice some URL encoding. I tried the recipe below in CyberChef but am still stuck.

url decode > from hex > from charcode

The next thing I was left with is a bunch of 2s with random spacing.

Appreciate any hints or help. :)

  • Firstly, great detail. The last one seems like we've missed something.

    The easier thing to do with this lab is to remove any way of detonating (removal of shell commands, IEX, Invoke-Expression and so on), use PowerShell to return the data, then pipe it to an 'Add-Content -Path' command or '> NewLayer1.ps1' and continue that way.

    Happy to jump on a Discord chat: Mr Hand Grenade#6321

    Honestly, I learnt so much from this 12 days of Deobfs, but there is also another PowerShell Deobs that actually shows you how to do it... I wish I had done that first, but I learnt so much this way.



    • luketap

      Hey CyberSharpe, I greatly appreciate your help! I've been stuck on this lab for weeks now.

      I tried the method you outlined above and with ChatGPT's help, with no luck. Would you mind attaching a screenshot of an example to guide me in the right direction?

      • CyberSharpe

        luketap each lab has a different learning objective, or at least it felt that way. Which one are you doing and what is the main issue? I can then jump on that lab and attempt to assist. Removing the executing factors and running it as a new .ps1 can really help.
        But there are also some really good deobs labs that can prelude this.

  • Hello guys

    Sorry for the late reply, I got a chance to come back to this lab. I agree there is randomization, but I noticed after replaying the lab many times that there is consistency in the deobfuscation layers; the randomization is in the URL path, which forms part of the answer. So I appreciate any help, guys.

    Here is the first layer, so I did this recipe (notice the multiple splits; I replaced them with an extra space).

    Next I just copied all the hex values and converted them using From Hex.

    At the bottom we can see this:

    So I took all the int values, converted them using From Charcode and removed null bytes, but this is all I am left with:

    I'd appreciate any hints or a pointer in the right direction. If somebody could just retry the lab and give hints on how they managed to solve it regardless of the randomization factor, that would be a big help. :) Thanks.

  • The lab doesn’t let you copy either, but maybe supporting this question with a screenshot could let us know how you came to your conclusion and help you tweak your attempts.

  • I found each time the lab is reset it’s a different deobfuscation. Which isn’t helpful after you go away and research and come back and it’s completely different. I managed 7 but now need to work on 8. That’s a problem for a future CyberSharpe.
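
The recipe from the opening post (url decode > from hex > from charcode), combined with the advice to save each layer to a file instead of running it, as a static Python sketch. This is an added example, not part of any post or of the lab: the sample blob is constructed, the delimiter characters and function names are assumptions, and null bytes are handled by decoding UTF-16LE rather than stripping them.

```python
import re
from urllib.parse import quote, unquote

# Cmdlets that would detonate a recovered layer if it were run as-is.
EXEC_TOKENS = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)

def from_hex(text: str) -> bytes:
    """Hex byte pairs separated by any mix of non-hex delimiters (assumed)."""
    return bytes(int(h, 16) for h in re.findall(r"[0-9A-Fa-f]{2}", text))

def bytes_to_text(raw: bytes) -> str:
    """A null after every byte means UTF-16LE: decode it, don't strip nulls."""
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")

def from_charcode(text: str) -> str:
    """Decimal character codes separated by any mix of non-digit delimiters."""
    return "".join(chr(int(n)) for n in re.findall(r"\d+", text))

def peel(blob: str) -> str:
    """url decode > from hex > from charcode; no layer is ever executed."""
    return from_charcode(bytes_to_text(from_hex(unquote(blob))))

def needs_neutralising(layer: str) -> bool:
    """True if the layer still calls IEX / Invoke-Expression."""
    return bool(EXEC_TOKENS.search(layer))

def build_sample(script: str) -> str:
    """Constructed input: encode a harmless script the way peel() reverses."""
    codes = "".join(str(ord(c)) + "~|,"[i % 3] for i, c in enumerate(script))
    raw = codes.encode("utf-16-le")
    hexed = "".join(format(b, "02x") + "@; "[i % 3] for i, b in enumerate(raw))
    return quote(hexed, safe="")

SAMPLE_SCRIPT = "IEX (Write-Output 'next layer')"  # constructed, harmless
SAMPLE_BLOB = build_sample(SAMPLE_SCRIPT)

if __name__ == "__main__":
    layer = peel(SAMPLE_BLOB)
    # Save the recovered text for reading; it is written, never run.
    with open("NewLayer1.ps1", "w", encoding="utf-8") as fh:
        fh.write(layer)
    print(layer)
    print("still contains an execution cmdlet:", needs_neutralising(layer))
```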