CyberChef Challenge #1


Welcome to the CyberChef Challenge.  In this hands-on session, you will use the CyberChef tool to decode a variety of example texts.  You should be able to complete this tutorial in under 30 minutes with no prior CyberChef experience.



CyberChef was originally created by the British intelligence agency GCHQ and released as open source.  CyberChef is a Swiss Army Knife type of tool with a variety of small useful components that can be used individually or chained together.  Instead of talking more about what it does and how it works, let's dive right in.  Access CyberChef in your browser by clicking the link below - this will even load with some data already in the Input pane.

Link - Base64 Data in CyberChef

Next drag the "From Base64" recipe from the Operations pane on the left into the "Recipe" pane.  On the bottom of your screen, make sure the Auto Bake box is checked or hit "Bake".

(If you don't see readable text in the Output pane, you may have accidentally chosen the "To Base64" recipe instead of "From Base64".  Click the trash can icon in the recipe pane to toss out your recipe and try again.)  In the "Output" pane on the bottom right you should see the decoded text (taken from https://www.gchq.gov.uk/news/cyberchef-cyber-swiss-army-knife )

Congratulations!  You've completed your first task in CyberChef.  This task demonstrated the basic pattern of using CyberChef - drag and drop to reformat or decode a block of text.  If you don't know how a text is encoded, you can cycle through various decoding operations quickly.  You can also see examples of various encodings by hovering over the operations:

If a text has a nested encoding, you can create a complex recipe with multiple operations.  For this tutorial we will often use Hex and then an additional transformation on top of that.  Let's try it:

Click this link where I've loaded some new input text:

Link - Base64 and Hex data in CyberChef

Build a recipe that starts with "From Base64" and then adds "From Hex".  You should get a YouTube URL in the Output pane.  Enjoy a short movie clip (about Hex encoding) as a reward for your work so far!

I've found uses in my daily work for a variety of CyberChef operations:

  • "URL Decode" to convert Splunk searches from the URL format that is used in Splunk's index=_internal back into SPL.
  • "From UNIX Timestamp" and "To UNIX Timestamp" to convert timestamps into the format that I need them in.
  • "Diff" to compare two pasted text selections and highlight any differences.

To increase your familiarity with the tool, and find operations that will be useful to you, try the following challenge problems.  These are blobs of encoded text that will decode into YouTube video links.  It's up to you to find the operation that will decode each.  (Each can be decoded by either a single operation or a single operation followed by a "From Hex" operation.  I haven't used any additional nested encodings or anything that would require you to guess a key.)  If you get stuck, try the "Magic" operation where CyberChef will try to guess the encodings for you.
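
The challenge rule above (one operation, or one operation followed by "From Hex") is small enough to search exhaustively in a script.  The Python below is an added example, not part of the original post and not CyberChef's code: the functions are rough stand-ins for eight CyberChef operations, and the link is a constructed placeholder.

```python
import base64
import codecs
import re
from urllib.parse import unquote

# Python stand-ins for CyberChef operations (approximations, not CyberChef code).
def from_hex(s):
    return bytes.fromhex(s).decode("ascii")  # fromhex skips whitespace

def from_numbers(s, base):
    return bytes(int(n, base) for n in s.split()).decode("ascii")

OPS = {
    "From Base64": lambda s: base64.b64decode(s, validate=True).decode("ascii"),
    "From Base32": lambda s: base64.b32decode(s).decode("ascii"),
    "From Hex": from_hex,
    "From Binary": lambda s: from_numbers(s, 2),
    "From Decimal": lambda s: from_numbers(s, 10),
    "URL Decode": unquote,
    "ROT13": lambda s: codecs.decode(s, "rot13"),
    "Reverse": lambda s: s[::-1],
}

# Success test taken from the challenge text: the output is a YouTube link.
YOUTUBE = re.compile(r"https?://(www\.)?(youtube\.com|youtu\.be)/\S+")

def attempt(op, text):
    """Run one operation; None means the operation rejected the input."""
    try:
        return op(text)
    except (ValueError, OverflowError):  # includes binascii.Error, UnicodeDecodeError
        return None

def solve(blob):
    """Return (recipe, url) for one op, or one op then From Hex; else None."""
    for name, op in OPS.items():
        first = attempt(op, blob.strip())
        if first is None:
            continue
        if YOUTUBE.fullmatch(first):
            return [name], first
        second = attempt(from_hex, first)
        if second and YOUTUBE.fullmatch(second):
            return [name, "From Hex"], second
    return None

# Constructed sample: a placeholder link, hex-encoded and then Base64-encoded.
URL = "https://www.youtube.com/watch?v=EXAMPLE0000"
SAMPLE = base64.b64encode(URL.encode().hex().encode()).decode()
```

Calling `solve(SAMPLE)` returns the recipe as a list of operation names in the order you would drag them into the Recipe pane, together with the decoded link.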


Challenge #1

Challenge #2

Challenge #3

Challenge #4

Challenge #5
