Advent of Cyber 2025 Day 18

🧩 Day 18 – Obfuscation & Deobfuscation Explained (TryHackMe)

Introduction

Since the wormhole appeared in WareVille, systems have been misbehaving, dashboards have spiked, and SOC alerts have fired continuously. Amid this chaos, McSkidy spotted a suspicious email claiming to be from northpole-hr.

The problem? There is no HR department at the North Pole — TBFC’s HR operates from the South Pole.

A small PowerShell script was attached to the email. The script contained random-looking, unreadable characters — a classic case of obfuscation.

This challenge explores what obfuscation is, why attackers use it, and how to safely reverse it using tools like CyberChef.


🎯 Learning Objectives

By completing this task, you will learn:

  • What obfuscation is and why attackers use it

  • The difference between encoding, encryption, and obfuscation

  • Common obfuscation techniques

  • How to safely recover plaintext using CyberChef

  • Real-world PowerShell malware analysis


๐Ÿ” What Is Obfuscation?

Obfuscation is the process of making code or data difficult to read or analyze without changing its functionality.

Why Attackers Use It

  • Evade detection by security tools

  • Delay incident response

  • Hide malicious intent

Simple Example – ROT Cipher

If a security tool blocks the word carrot, attackers might use ROT1:

carrot coins go brr

Becomes →

dbsspu dpjot hp css

ROT1 shifts each letter by one. ROT13 is another common variant, shifting letters by 13 positions.


๐ŸŒ Real-World Obfuscation Techniques

Modern malware uses more advanced methods:

XOR Obfuscation

  • Converts each character into bytes

  • Combines bytes with a key using XOR logic

  • Produces unreadable symbols

  • Difficult to reverse manually

CyberChef is particularly useful for safely reversing these transformations.


🧪 Obfuscating Text Using XOR in CyberChef

Steps:

  1. Open CyberChef

  2. Paste carrot supremacy into the Input box

  3. Search for XOR under Operations

  4. Drag XOR into the Recipe area

  5. Set Key = a and choose HEX

  6. Click BAKE!

Output:

ikxxe~*yzxogkis!

๐Ÿ” Detecting Obfuscation Patterns

Technique   How It Appears
ROT1        Letters “shifted” by one; spaces unchanged
ROT13       Common words replaced (the → gur, and → naq)
Base64      Long alphanumeric strings, often ending with =
XOR         Random symbols, same length as the original

Once identified, apply the reverse operation in CyberChef.


🪄 When You Don’t Know the Technique

Use CyberChef’s Magic operation:

  • Automatically tries common decoders

  • Displays multiple readable outputs

  • Intensive Mode improves accuracy

Magic may not solve everything but gives strong hints.


🧱 Layered Obfuscation

Attackers often stack techniques. Example:

  1. Gzip compression

  2. XOR with a key

  3. Base64 encoding

Reversal:

  • Decode from Base64

  • XOR with key

  • Gunzip

CyberChef allows chaining multiple operations easily.
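The three-layer stack and its reversal, as an added Python example that is not part of the room or this post: it builds a constructed sample (gzip, then XOR with the single byte 0x0A, which is what CyberChef uses for Key = a in HEX mode, then Base64), reverses it in the opposite order, and goes one step beyond the text by recovering an unknown single-byte XOR key from the fixed gzip header bytes 1f 8b. The rot() helper also covers the ROT1/ROT13 examples earlier on the page; all sample strings are constructed here, not taken from SantaStealer.ps1.

```python
import base64
import gzip
from typing import Optional

# Constructed sample (not from the room): stacked as the section describes,
# gzip -> XOR with one key byte -> Base64. CyberChef "Key = a" in HEX mode is 0x0A.
SAMPLE_PLAINTEXT = b"carrot coins go brr"
SAMPLE_KEY = 0x0A

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def layer(plaintext: bytes, key: int) -> str:
    """Apply the three layers in the order an attacker stacks them."""
    return base64.b64encode(xor_bytes(gzip.compress(plaintext), bytes([key]))).decode()

def recover_single_byte_key(xored: bytes) -> int:
    """Every gzip stream starts with 0x1f 0x8b, so if the inner layer is gzip and
    the key is a single byte, xored[0] ^ 0x1f is the key. The second byte is a
    sanity check: it must decode to 0x8b or the assumption is wrong."""
    key = xored[0] ^ 0x1F
    if xored[1] ^ key != 0x8B:
        raise ValueError("not a single-byte XOR of a gzip stream")
    return key

def unlayer(blob: str, key: Optional[int] = None) -> bytes:
    """Reverse the stack: Base64 decode, XOR, gunzip (key recovered if not given)."""
    xored = base64.b64decode(blob)
    if key is None:
        key = recover_single_byte_key(xored)
    return gzip.decompress(xor_bytes(xored, bytes([key])))

def rot(text: str, n: int) -> str:
    """Shift ASCII letters by n positions (ROT1, ROT13); spaces and symbols pass through."""
    out = []
    for ch in text:
        if ch.isalpha() and ch.isascii():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + n) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

if __name__ == "__main__":
    blob = layer(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    print(blob)                            # the Base64 blob a defender would see
    print(unlayer(blob))                   # b'carrot coins go brr', key recovered
    print(rot("carrot coins go brr", 1))   # dbsspu dpjot hp css
```

The same Base64 → XOR → Gunzip order maps directly onto a CyberChef recipe; the header-byte trick is the manual equivalent of what Magic does when it spots a gzip signature behind a single-byte XOR.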


๐Ÿฃ Hands-On: Analyzing SantaStealer.ps1

McSkidy extracted a suspicious PowerShell script and analyzed it in a safe VM:

Steps:

  1. Open the script in Visual Studio or a text editor

  2. Follow inline comments

  3. Save and run the script in PowerShell

cd .\Desktop\
.\SantaStealer.ps1

๐Ÿ Flags Captured

  1. C2 URL Deobfuscation

THM{C2_De0bfuscation_29838}
  1. API Key Obfuscation

THM{API_Obfusc4tion_ftw_0283}

Working through these techniques confirmed a proper understanding of obfuscation and deobfuscation.


✅ Final Thoughts

This room demonstrates:

  • How attackers hide malicious code

  • Why obfuscation is not encryption

  • How defenders safely analyze malware

  • The power of CyberChef in SOC investigations

For deeper learning, TryHackMe’s Obfuscation Principles room is highly recommended.
