Introduction

The Introduction section is a simple recap checkpoint. Even the source-code section is very introductory and doesn't add much.

Obfuscation

Every module in this section is very informative; no need to spend more time on them. Understand minification (which strips every unnecessary character: whitespace, newlines, comments), the string-array transform (every string literal is moved into one array and replaced by an accessor call), encoding of those strings (hex, base64, RC4), etc. https://obfuscator.io/ is a good online tool to test obfuscation.

Deobfuscation


  1. Check for deobfuscation scripts:
    • See Unpacker.
    • Paste the output into VS Code and refactor it by deleting useless content and obfuscated resources.
  2. Decode encoded content:
    • CyberChef is exceptional for this.
    • Burp Suite's Decoder can do the manual job as well.
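As an added example for both the Obfuscation and Deobfuscation sections (it is not code from the HTB module or from obfuscator.io), the block below is a toy version of the string-array + hex-encoding + minify transforms, followed by a static deobfuscator that reverses them without ever executing the script. The identifiers _0x1f9e and _0x4a2c are invented to look like obfuscator output, and the sample function is constructed; real obfuscator.io output has more layers (string rotation, dead code, control-flow flattening), but the approach is the same: decode the string table first, substitute the literals, then clean up bracket access and !![]-style booleans.

```javascript
// Added example (not from the HTB module or obfuscator.io): a toy string-array
// obfuscator in the style of obfuscator.io's "string array" + "hex encoding"
// + minify options, and a static deobfuscator that reverses it without
// executing the script. _0x1f9e / _0x4a2c are invented identifiers.

function toHex(s) {
  return Array.from(s, c => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}

function fromHex(h) {
  return h.replace(/../g, b => String.fromCharCode(parseInt(b, 16)));
}

// Obfuscate: move every single-quoted string literal into one hex-encoded
// array, replace each literal with an accessor call, then collapse whitespace.
function obfuscate(src) {
  const table = [];
  const body = src.replace(/'([^'\\]*)'/g, (_, lit) => {
    let i = table.indexOf(lit);
    if (i === -1) i = table.push(lit) - 1;
    return `_0x4a2c(0x${i.toString(16)})`;
  });
  const entries = table.map(s => `'${toHex(s)}'`).join(',');
  const decoder = 'function _0x4a2c(i){return _0x1f9e[i].replace(/../g,function(h){return String.fromCharCode(parseInt(h,16))})}';
  return `var _0x1f9e=[${entries}];` + decoder + body.replace(/\s+/g, ' ').trim();
}

// Locate the string array and its accessor and decode the table. Dumping this
// table is usually the first step: URLs, flags and API names all live in it.
function parseHeader(src) {
  const m = src.match(/^var (_0x[0-9a-f]+)=\[([^\]]*)\];function (_0x[0-9a-f]+)\(i\)\{.*?\}\)\}/);
  if (!m) throw new Error('string array header not found');
  const strings = m[2].split(',').filter(Boolean).map(e => fromHex(e.slice(1, -1)));
  return { header: m[0], arrayName: m[1], accessor: m[3], strings };
}

// Deobfuscate statically: substitute each accessor call with its literal, drop
// the decoder, then undo two common tricks: obj['prop'] -> obj.prop and
// !![] / ![] -> true / false (the !![] rule must run before the ![] rule).
function deobfuscate(src) {
  const { header, accessor, strings } = parseHeader(src);
  let out = src.slice(header.length);
  out = out.replace(new RegExp(accessor + '\\(0x([0-9a-f]+)\\)', 'g'),
                    (_, i) => `'${strings[parseInt(i, 16)]}'`);
  out = out.replace(/\['([A-Za-z_$][\w$]*)'\]/g, '.$1');
  out = out.replace(/!!\[\]/g, 'true').replace(/!\[\]/g, 'false');
  return out.trim();
}

// Constructed sample, loosely modelled on the assessment's apiKeys(); the flag is made up.
const SAMPLE = `function apiKeys() {
  var flag = 'HTB{example_flag}',
      xhr = new XMLHttpRequest();
  xhr['open']('POST', '/keys.php', !![]);
  xhr['send'](null);
}`;

const OBFUSCATED = obfuscate(SAMPLE);
console.log(OBFUSCATED);                        // minified, no readable strings left
console.log(parseHeader(OBFUSCATED).strings);   // the decoded string table
console.log(deobfuscate(OBFUSCATED));           // readable again, never executed
```

The static route matters because the deobfuscated flag in this module literally says never to run obfuscated code: evaluating the decoder with eval or new Function would work here, but on real samples it also runs whatever anti-analysis or malicious logic sits next to it.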

Skills Assessment


Try to study the HTML code of the webpage, and identify used JavaScript code within it. What is the name of the JavaScript file being used?

Look at the page source and note that the loaded script is api.min.js.

Once you find the JavaScript code, try to run it to see if it does any interesting functions. Did you get something in return?

Without running it, unpacking and refactoring it in VS Code lets us identify the following call (console['log'] is just console.log written with bracket notation):

console['log']('HTB{j4v45cr1p7_3num3r4710n_15_k3y}');

As you may have noticed, the JavaScript code is obfuscated. Try applying the skills you learned in this module to deobfuscate the code, and retrieve the ‘flag’ variable.

function apiKeys() {
    var flag = 'HTB{n3v3r_run_0bfu5c473d_c0d3!}';   // stored locally, never sent anywhere
    var xhr = new XMLHttpRequest();
    var _0x437f8b = '/keys.php';
    // originally xhr['open']('POST', _0x437f8b, !![]): bracket access and !![] (which is true) are obfuscator noise
    xhr.open('POST', _0x437f8b, true);
    xhr.send(null);                                   // POST with an empty body
}

Try to analyze the deobfuscated JavaScript code, and understand its main functionality. Once you do, try to replicate what it’s doing to get a secret key. What is the key?

We can replay the same POST to keys.php with curl (the script sends an empty body, so the -d payload is incidental; any POST gets the same answer) and get this response:

curl http://$ipscope/keys.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "true"
4150495f70336e5f37333537316e365f31355f66756e

Once you have the secret key, try to decide its encoding method, and decode it. Then send a ‘POST’ request to the same previous page with the decoded key as “key=DECODED_KEY”. What is the flag you got?

The response is 44 characters drawn only from 0-9 and a-f, with an even length, so it is hex; decoding it gives API_p3n_73571n6_15_fun. Sending the POST again with the form-encoded body key=API_p3n_73571n6_15_fun (same Content-Type: application/x-www-form-urlencoded) returns HTB{r34dy_70_h4ck_my_w4y_1n_2_HTB}.
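The whole exchange from the last two questions, as an added example that is not part of the HTB module: the POSTs go through an injected post(url, body) function so that a constructed stand-in for the target's keys.php (fakeKeysPhp, modelled on the two responses reported above) can answer offline; http://target is a placeholder host. It goes a little beyond the specific case by deciding between hex and base64 before decoding, which is the "decide its encoding method" step done in code rather than by eye.

```javascript
// Added example (not from the HTB module): the keys.php exchange replicated as
// offline code. `post(url, body)` is injected; fakeKeysPhp is a constructed
// stand-in for the target, and http://target is a placeholder host.

function fromHex(h) {
  return h.replace(/../g, b => String.fromCharCode(parseInt(b, 16)));
}

// Decide the encoding before decoding. Hex is checked first because a string
// made only of hex digits also passes the base64 shape test; the assessment's
// 44-character key is exactly such a case.
function looksHex(s) { return /^[0-9a-fA-F]+$/.test(s) && s.length % 2 === 0; }
function looksBase64(s) { return /^[A-Za-z0-9+/]+={0,2}$/.test(s) && s.length % 4 === 0; }

function decodeKey(s) {
  if (looksHex(s)) return fromHex(s);
  if (looksBase64(s)) return Buffer.from(s, 'base64').toString('utf8'); // in a browser: atob(s)
  throw new Error('unrecognised encoding: ' + s);
}

// Step 1 is what apiKeys() does: POST /keys.php with an empty body.
// Step 2 decodes the reply and POSTs it back as the form field key=DECODED_KEY.
function getFlag(post, base) {
  const encoded = post(base + '/keys.php', null).trim();
  const key = decodeKey(encoded);
  const flag = post(base + '/keys.php', 'key=' + encodeURIComponent(key)).trim();
  return { encoded, key, flag };
}

// Constructed stand-in for the target's keys.php: any POST without the right
// key yields the hex-encoded key, the right key yields the flag.
function fakeKeysPhp(url, body) {
  if (!url.endsWith('/keys.php')) return 'Not Found';
  const params = new URLSearchParams(body || '');
  if (params.get('key') === 'API_p3n_73571n6_15_fun') return 'HTB{r34dy_70_h4ck_my_w4y_1n_2_HTB}';
  return '4150495f70336e5f37333537316e365f31355f66756e';
}

// Browser-only transport for a live run from the target page's devtools console
// (same origin, so no CORS issue): a synchronous XMLHttpRequest sending the same
// Content-Type as the curl command. Not called here because Node has no XMLHttpRequest.
function browserPost(url, body) {
  const xhr = new XMLHttpRequest();
  xhr.open('POST', url, false);
  xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  xhr.send(body);
  return xhr.responseText;
}

console.log(getFlag(fakeKeysPhp, 'http://target'));
```

Against the real box, getFlag(browserPost, '') from the page's own console does the two requests that the curl commands above do by hand; the encodeURIComponent call matters only when the decoded key contains characters that are not form-safe, which API_p3n_73571n6_15_fun does not.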

Module finished (I hated it, does it show?).