Obfuscation - The Egg Shell File | Advent of Cyber 2025 - Day 18

This guide contains the answer and steps necessary to get to them for the Obfuscation - The Egg Shell File room.

Table of contents

• Obfuscation & Deobfuscation

Obfuscation & Deobfuscation

1. What is the first flag you get after deobfuscating the C2 URL and running the script?

   In the first part of the script we see a variable we need to decode.

   

   Lets add this to Cyberchef and use the recipe "From Base64". This should give us a valid URL. We will paste this back into the script and run the script.

   

   Click for answer

   THM{C2_De0bfuscation_29838}

2. What is the second flag you get after obfuscating the API key and running the script again?

   In the second part of the script is an API key we need to obfuscate using XOR. Then add it back into the script.

   

   We copy the API key into Cyberchef and add the 'XOR' recipe. Set the key to '0x37' HEX. Next, add the 'To HEX' recipe.

   

   Paste back the result and re-run the script.

   

   Click for answer

   THM{API_Obfusc4tion_ftw_0283}

3. If you want to learn more about Obfuscation, check out our Obfuscation Principles room!