
Ringzer0 - Java Script - Then obfuscation is more secure



Objective:  Get that Flag

Solution:

Ok, so this is another JavaScript challenge, so the first thing I did was look in the source code for some JavaScript.

Found it!

var _0xc360=["\x76\x61\x6C","\x23\x63\x70\x61\x73\x73","\x61\x6C\x6B\x33","\x30\x32\x6C\x31","\x3F\x70\x3D","\x69\x6E\x64\x65\x78\x4F\x66","\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x27\x65\x72\x72\x6F\x72\x27\x3E\x57\x72\x6F\x6E\x67\x20\x70\x61\x73\x73\x77\x6F\x72\x64\x20\x73\x6F\x72\x72\x79\x2E\x3C\x2F\x64\x69\x76\x3E","\x68\x74\x6D\x6C","\x23\x63\x72\x65\x73\x70\x6F\x6E\x73\x65","\x63\x6C\x69\x63\x6B","\x2E\x63\x5F\x73\x75\x62\x6D\x69\x74"];$(_0xc360[12])[_0xc360[11]](function (){var _0xf382x1=$(_0xc360[1])[_0xc360[0]]();var _0xf382x2=_0xc360[2];if(_0xf382x1==_0xc360[3]+_0xf382x2){if(document[_0xc360[7]][_0xc360[6]][_0xc360[5]](_0xc360[4])==-1){document[_0xc360[7]]=document[_0xc360[7]][_0xc360[6]]+_0xc360[4]+_0xf382x1;} ;} else {$(_0xc360[10])[_0xc360[9]](_0xc360[8]);} ;} );  


Looks like a bunch of hex. Let's see if we can translate any of this to ASCII.

I used this site    http://ddecode.com/hexdecoder/

which gave me this code

var _0xc360=["val","#cpass","alk3","02l1","?p=","indexOf","href","location","<div class='error'>Wrong password sorry.</div>","html","#cresponse","click",".c_submit"];$(_0xc360[12])[_0xc360[11]](function (){var _0xf382x1=$(_0xc360[1])[_0xc360[0]]();var _0xf382x2=_0xc360[2];if(_0xf382x1==_0xc360[3]+_0xf382x2){if(document[_0xc360[7]][_0xc360[6]][_0xc360[5]](_0xc360[4])==-1){document[_0xc360[7]]=document[_0xc360[7]][_0xc360[6]]+_0xc360[4]+_0xf382x1;} ;} else {$(_0xc360[10])[_0xc360[9]](_0xc360[8]);} ;} );


So some of this was definitely just hex obfuscation.

It looks like we are declaring a list and then doing some if/then/else statements on the list.

Here it is, cleaned up a little to format it the way I would expect JS to look (I haven't done any JavaScript in about a decade, so I'm just using some common sense here to try to map out the code)

var _0xc360=["val","#cpass","alk3","02l1","?p=","indexOf","href","location","<div class='error'>Wrong password sorry.</div>","html","#cresponse","click",".c_submit"];
$(_0xc360[12])[_0xc360[11]](
function ()
{var _0xf382x1=$(_0xc360[1])[_0xc360[0]]();
var _0xf382x2=_0xc360[2];
if(_0xf382x1==_0xc360[3]+_0xf382x2){if(document[_0xc360[7]][_0xc360[6]][_0xc360[5]](_0xc360[4])==-1){document[_0xc360[7]]=document[_0xc360[7]][_0xc360[6]]+_0xc360[4]+_0xf382x1;} ;}
else {$(_0xc360[10])[_0xc360[9]](_0xc360[8]);} ;} );

Now I just used a little RE trick to replace variable names with something a bit more meaningful.

For example, _0xc360 is a list, so I'm going to rename all instances of it to VarList
so I can have an easier time figuring out what is going on.


now I got

var VarList=["val","#cpass","alk3","02l1","?p=","indexOf","href","location","<div class='error'>Wrong password sorry.</div>","html","#cresponse","click",".c_submit"];
$(VarList[12])[VarList[11]](
function ()
{var _0xf382x1=$(VarList[1])[VarList[0]]();
var _0xf382x2=VarList[2];
if(_0xf382x1==VarList[3]+_0xf382x2){if(document[VarList[7]][VarList[6]][VarList[5]](VarList[4])==-1){document[VarList[7]]=document[VarList[7]][VarList[6]]+VarList[4]+_0xf382x1;} ;}
else {$(VarList[10])[VarList[9]](VarList[8]);} ;} );

There are a couple more variable declarations I can rename to help clear it up a bit more.

I'll rename _0xf382x1 to VarVar1
and _0xf382x2 to VarVar2

Ok, now with all that ugly hex and crazy variables out of the way I can kind of start to see what's going on here.

var VarList=["val","#cpass","alk3","02l1","?p=","indexOf","href","location","<div class='error'>Wrong password sorry.</div>","html","#cresponse","click",".c_submit"];
$(VarList[12])[VarList[11]](
function ()
{var VarVar1=$(VarList[1])[VarList[0]]();
var VarVar2=VarList[2];
if(VarVar1==VarList[3]+VarVar2){if(document[VarList[7]][VarList[6]][VarList[5]](VarList[4])==-1){document[VarList[7]]=document[VarList[7]][VarList[6]]+VarList[4]+VarVar1;} ;}
else {$(VarList[10])[VarList[9]](VarList[8]);} ;} );


Next I'm going to replace the VarList[*] references with their corresponding values in the list to see if we can figure out exactly what's going on.


// VarList is no longer referenced once its values are substituted in
var VarList=["val","#cpass","alk3","02l1","?p=","indexOf","href","location","<div class='error'>Wrong password sorry.</div>","html","#cresponse","click",".c_submit"];
// obj["name"] is the same as obj.name, so this is $(".c_submit").click(...)
$(".c_submit")["click"](
function ()
{var VarVar1=$("#cpass")["val"]();
var VarVar2="alk3";
if(VarVar1=="02l1"+VarVar2)
{if(document["location"]["href"]["indexOf"]("?p=")==-1){document["location"]=document["location"]["href"]+"?p="+VarVar1;} ;}
else {$("#cresponse")["html"]("<div class='error'>Wrong password sorry.</div>");} ;} );

I'm going to focus on that first if statement because it looks like it's checking to see if we are supplying the correct password.

if VarVar1 == "02l1" + VarVar2

Let's parse that out a bit more.

if VarVar1 == "02l1" + "alk3"

if VarVar1 == "02l1alk3"



So it's comparing the password to 02l1alk3.

Let's see if that works.


that got us the flag

FLAG-5PJne3T8d73UGv4SCqN44DXj  
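
Added example (not part of the original write-up): the manual steps above, namely decoding the hex escapes, inlining the string-table lookups and collapsing the constant comparison, done mechanically. SAMPLE is a constructed, shortened script in the same style as the challenge code and granted() is a hypothetical placeholder; the regexes are tailored to this string-table style of obfuscation and are not a general JavaScript parser.

```javascript
// SAMPLE is constructed (shortened challenge-style script); granted() is a placeholder.
const SAMPLE = String.raw`var _0xc360=["\x76\x61\x6C","\x23\x63\x70\x61\x73\x73","\x61\x6C\x6B\x33","\x30\x32\x6C\x31","\x63\x6C\x69\x63\x6B","\x2E\x63\x5F\x73\x75\x62\x6D\x69\x74"];$(_0xc360[5])[_0xc360[4]](function (){var _0xf382x1=$(_0xc360[1])[_0xc360[0]]();var _0xf382x2=_0xc360[2];if(_0xf382x1==_0xc360[3]+_0xf382x2){granted();}});`;
const STR = /("(?:[^"\\]|\\.)*")/; // one double-quoted JS string literal
const TABLE = /var\s+(_0x[0-9a-f]+)\s*=\s*\[\s*((?:"(?:[^"\\]|\\.)*"\s*(?:,\s*)?)*)\]\s*;/i;

// Value of a string-literal body. \xNN becomes \u00NN so JSON.parse can decode it;
// escape pairs such as \\ are consumed whole, so "\\x41" is not mistaken for "A".
function decodeLiteral(body) {
  const json = body.replace(/\\(x([0-9a-fA-F]{2})|.)/g, (m, esc, hex) =>
    hex ? "\\u00" + hex : esc === "'" ? "'" : m);
  return JSON.parse('"' + json + '"');
}

// Locate the string table declaration and decode every entry.
function extractStringArray(src) {
  const m = TABLE.exec(src);
  if (!m) return null;
  const lits = [...m[2].matchAll(new RegExp(STR, "g"))];
  return { name: m[1], decl: m[0], strings: lits.map((l) => decodeLiteral(l[1].slice(1, -1))) };
}

// Merge "a"+"b" into "ab" token by token, so text inside strings is never touched.
function foldConcats(src) {
  const parts = src.split(STR); // even index: code, odd index: string literal
  for (let i = 1; i + 2 < parts.length; ) {
    if (/^\s*\+\s*$/.test(parts[i + 1])) {
      parts.splice(i, 3, parts[i].slice(0, -1) + parts[i + 2].slice(1));
    } else i += 2;
  }
  return parts.join("");
}

function deobfuscate(src) {
  const table = extractStringArray(src);
  if (!table) return src;
  let out = src.replace(table.decl, () => "");
  // 1. Inline table lookups: _0xc360[3] -> "02l1"
  out = out.replace(new RegExp("(?<![\\w$])" + table.name + "\\[(\\d+)\\]", "g"),
    (m, i) => (Number(i) < table.strings.length ? JSON.stringify(table.strings[i]) : m));
  // 2. Propagate `var x="const";` when x has exactly one plain `=` assignment
  for (const [stmt, id, lit] of out.matchAll(/var\s+(\w+)\s*=\s*("(?:[^"\\]|\\.)*")\s*;/g)) {
    const writes = out.match(new RegExp("(?<![\\w$])" + id + "\\s*=(?!=)", "g")) || [];
    if (writes.length !== 1) continue;
    out = out.replace(stmt, () => "")
      .replace(new RegExp("(?<![\\w$])" + id + "(?![\\w$])", "g"), () => lit);
  }
  // 3. Fold constant concatenations, then rewrite obj["name"] as obj.name
  return foldConcats(out).replace(/(?<=[\w$)\]])\["([A-Za-z_$][\w$]*)"\]/g, ".$1");
}

console.log(deobfuscate(SAMPLE));
```

The output shows the compared string in plain sight, which is the point of the challenge: a check that runs in the browser hands its secret to every client, so the comparison belongs on the server.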








