HackTheBox - JavaScript Deobfuscation - Skills Assessment Walkthrough

Scenario

During our Penetration Test, we came across a web server that contains JavaScript and APIs. We need to determine their functionality to understand how it can negatively affect our customer.

Walkthrough

Q1 - Try to study the HTML code of the webpage, and identify used JavaScript code within it. What is the name of the JavaScript file being used?

Solution:

First, use curl to fetch the web application's response, which contains the main page's source code:

curl http://94.237.61.242:49884

** We can also open the target URL in a browser and inspect the source code directly.

After a quick review of the code, we can spot a JavaScript file:

Q2 - Once you find the JavaScript code, try to run it to see if it does any interesting functions. Did you get something in return?

Solution:

As we navigate to the URL and check the browser console, we can see that the flag is printed:

Q3 - As you may have noticed, the JavaScript code is obfuscated. Try applying the skills you learned in this module to deobfuscate the code, and retrieve the 'flag' variable.

Solution:

First, retrieve the source code of the JavaScript file and search for the flag variable:

curl http://94.237.61.242:49884/api.min.js > js_code.txt

We receive the following obfuscated code:

eval(function (p, a, c, k, e, d) { e = function (c) { return c.toString(36) }; if (!''.replace(/^/, String)) { while (c--) { d[c.toString(a)] = k[c] || c.toString(a) } k = [function (e) { return d[e] }]; e = function () { return '\\w+' }; c = 1 }; while (c--) { if (k[c]) { p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]) } } return p }('t 5(){6 7=\'1{n\'+\'8\'+\'9\'+\'a\'+\'b\'+\'c!\'+\'}\',0=d e(),2=\'/4\'+\'.g\';0[\'f\'](\'i\',2,!![]),0[\'k\'](l)}m[\'o\'](\'1{j\'+\'p\'+\'q\'+\'r\'+\'s\'+\'h\'+\'3}\');', 30, 30, 'xhr|HTB|_0x437f8b|k3y|keys|apiKeys|var|flag|3v3r_|run_0|bfu5c|473d_|c0d3|new|XMLHttpRequest|open|php|n_15_|POST||send|null|console||log|4v45c|r1p7_|3num3|r4710|function'.split('|'), 0, {}))

Deobfuscate the code using this unpacker - https://matthewfl.com/unPacker.html

We can see that the flag variable contains a series of concatenated strings. By joining these values into one complete string, we obtain the flag !

Q4 - Try to Analyze the deobfuscated JavaScript code, and understand its main functionality. Once you do, try to replicate what it's doing to get a secret key. What is the key?

Solution:

Now, let's dive deeper and reverse-engineer the source code to extract the secret key.

First, it declares a flag variable with a value.

Next, it performs an asynchronous HTTP POST request to the /keys.php endpoint.
(The expression [] is an empty array, which is truthy; ![] negates it to false and !![] negates again, resulting in true)

Send a similar request to the server:

curl -X POST http://94.237.61.242:49884/keys.php

And we receive the secret key:

Q5 - Once you have the secret key, try to decide it's encoding method, and decode it. Then send a 'POST' request to the same previous page with the decoded key as "key=DECODED_KEY". What is the flag you got?

Solution:

The value of the secret key appears to be hex-encoded. Let’s try decoding it:

echo <SECRET_KEY> | xxd -r -p

Looks like a good guess !

Now, take the decoded value and resend the previous POST request, including it as the key parameter in the request body:

curl -X POST http://94.237.61.242:49884/keys.php -d 'key=<DECODED_SECRET_KEY>'

We got the flag ! 😁