Obfuscation — The Egg Shell File | Advent of Cyber 2025 Day 18 | Writeup

kidnapshadowKidnapshadow -December 18, 2025

Access the room: https://tryhackme.com/room/obfuscation-aoc2025-e5r8t2y6u9

WareVille has not felt right since the wormhole appeared. Everyone in TBFC is on high alert: Systems are going haywire, dashboards are spiking, and SOC alerts have been firing nonstop. Amid the chaos, McSkidy keeps her focus on a particular alert that caught her interest: an email posing as northpole-hr. It’s littered with carrot emojis, but the weird thing is this: there is no North Pole human resources department. TBFC’s HR is at theSouth Pole.

Digging further she found a tiny PowerShell file from that email was downloaded. Among the code are random strings of characters, all gibberish, nothing readable at a glance.

McSkidy knows malicious actors often hide code and data using a technique called obfuscation. But what is it, really? And how can we decipher it?

Learning Objectives

Learn about obfuscation, why and where it is used.
Learn the difference between encoding, encryption, and obfuscation.
Learn about obfuscation and the common techniques.
Use CyberChef to recover plaintext safely.

What is Obfuscation?

Obfuscation is the practice of making data hard to read and analyze. Attackers use it to evade detection and delay investigations. Unlike encryption, obfuscation is not designed for security but for compatibility and usability.

Types of Obfuscation Techniques

ROT1/ROT13: Simple cipher that shifts letters forward by 1 or 13 positions in the alphabet. Common words become “one letter off” or “gur” for “the” in ROT13.
XOR: Each character is represented as a byte, and each byte is combined with a key using the XOR mathematical operation. This can produce non-readable characters.
Base64: Converts binary data into ASCII using a 64-character set. Often used for transmitting binary data over text protocols.
Layered Obfuscation: Combining multiple techniques (e.g., compressing, XOR-ing, Base64-encoding) to make deobfuscation more challenging.

Practical Steps and Analysis

Identify Obfuscation Techniques

Visual Clues:

ROT1: Common words look “one letter off.”
ROT13: Look for three-letter words like “gur” for “the.”
Base64: Long strings with mostly alphanumeric characters, often ending in “=” or “==.”
XOR: Random symbols, same length as the original, possible repeats if a short key is reused.

Use CyberChef for Deobfuscation

Open CyberChef: Paste the obfuscated string into the Input box.
Apply Operations: Drag and drop operations like “From Base64,” “From Hex,” “From ROT13,” and “XOR” into the Recipe area.
Chain Operations: For layered obfuscation, apply operations in reverse order (e.g., Base64-decode, XOR with key, decompress gzip).
Magic Operation: Use the “Magic” operation to automatically guess and try common decoders. This can provide hints but may not catch everything, especially with custom keys or unusual layers.

Analyze the Deobfuscated Script

PowerShell Script: Open the script in Visual Studio and navigate to the “Start here” section.
Follow Instructions: Follow the code’s comments to deobfuscate the C2 URL and obfuscate the API key.
Run the Script: Execute the script from a PowerShell terminal to get the flags.

Step by Step walkthrough

Initial Setup

Start the target machine as instructed to access the lab environment.

Locate the SantaStealer.ps1 file in the desktop

Open the SantaStealer file to check out what’s inside

Our task is split into two parts: in part 1, we need to deobfuscate the string stored in the variable $C2B64, and in part 2, we have to obfuscate the API key using the XOR single-byte key 0x37 and then convert it to hexadecimal.