HackTheBox - JavaScript Deobfuscation - Skills Assessment Walkthrough


Scenario
During our penetration test, we came across a web server that contains JavaScript and APIs. We need to determine their functionality to understand how they could negatively affect our customer.
Walkthrough
Q1 - Try to study the HTML code of the webpage, and identify used JavaScript code within it. What is the name of the JavaScript file being used?
Solution:
First, use `curl` to fetch the web application's response, which contains the main page's source code:

```bash
curl http://94.237.61.242:49884
```

We can also open the target URL in a browser and inspect the source code directly.

After a quick review of the code, we can spot the included JavaScript file, api.min.js (the same file fetched by the curl command in Q3):
Q2 - Once you find the JavaScript code, try to run it to see if it does any interesting functions. Did you get something in return?
Solution:
As we navigate to the URL and check the browser console, we can see that the flag is printed:
Q3 - As you may have noticed, the JavaScript code is obfuscated. Try applying the skills you learned in this module to deobfuscate the code, and retrieve the 'flag' variable.
Solution:
First, retrieve the source code of the JavaScript file and search for the `flag` variable:

```bash
curl http://94.237.61.242:49884/api.min.js > js_code.txt
```

We receive the following obfuscated code (the `eval(function (p, a, c, k, e, d) { ... })` wrapper is the signature of Dean Edwards' packer):

```javascript
eval(function (p, a, c, k, e, d) { e = function (c) { return c.toString(36) }; if (!''.replace(/^/, String)) { while (c--) { d[c.toString(a)] = k[c] || c.toString(a) } k = [function (e) { return d[e] }]; e = function () { return '\\w+' }; c = 1 }; while (c--) { if (k[c]) { p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]) } } return p }('t 5(){6 7=\'1{n\'+\'8\'+\'9\'+\'a\'+\'b\'+\'c!\'+\'}\',0=d e(),2=\'/4\'+\'.g\';0[\'f\'](\'i\',2,!![]),0[\'k\'](l)}m[\'o\'](\'1{j\'+\'p\'+\'q\'+\'r\'+\'s\'+\'h\'+\'3}\');', 30, 30, 'xhr|HTB|_0x437f8b|k3y|keys|apiKeys|var|flag|3v3r_|run_0|bfu5c|473d_|c0d3|new|XMLHttpRequest|open|php|n_15_|POST||send|null|console||log|4v45c|r1p7_|3num3|r4710|function'.split('|'), 0, {}))
```

Deobfuscate the code using this unpacker: https://matthewfl.com/unPacker.html

We can see that the `flag` variable contains a series of concatenated strings. By joining these values into one complete string, we obtain the flag!
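The online unpacker above does the job, but it helps to see what the packer's bootstrap actually does so the same result can be reproduced offline and without executing untrusted code. The following Node.js script is an added example (it is not code from the walkthrough, from Hack The Box, or from the unPacker site): it pulls the four arguments out of the packed payload shown above with a regex, performs the same token-to-keyword substitution the bootstrap would have performed inside `eval`, and then folds the `'a'+'b'` concatenations so the `flag` variable reads as one string. The function names (`parsePacked`, `unpack`, `foldStrings`, `deobfuscate`) are this example's own.

```javascript
// Added example (not code from the walkthrough or from Hack The Box): a Node.js
// re-implementation of the p,a,c,k,e,d unpacker that expands the packed api.min.js
// without ever eval()-ing it, then folds the 'a'+'b' string concatenations so the
// flag can be read directly. Run with: node unpack.js

// The packed payload exactly as returned by api.min.js in the walkthrough.
const PACKED =
  String.raw`eval(function (p, a, c, k, e, d) { e = function (c) { return c.toString(36) }; if (!''.replace(/^/, String)) { while (c--) { d[c.toString(a)] = k[c] || c.toString(a) } k = [function (e) { return d[e] }]; e = function () { return '\\w+' }; c = 1 }; ` +
  String.raw`while (c--) { if (k[c]) { p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]) } } return p }(` +
  String.raw`'t 5(){6 7=\'1{n\'+\'8\'+\'9\'+\'a\'+\'b\'+\'c!\'+\'}\',0=d e(),2=\'/4\'+\'.g\';0[\'f\'](\'i\',2,!![]),0[\'k\'](l)}m[\'o\'](\'1{j\'+\'p\'+\'q\'+\'r\'+\'s\'+\'h\'+\'3}\');', 30, 30, ` +
  String.raw`'xhr|HTB|_0x437f8b|k3y|keys|apiKeys|var|flag|3v3r_|run_0|bfu5c|473d_|c0d3|new|XMLHttpRequest|open|php|n_15_|POST||send|null|console||log|4v45c|r1p7_|3num3|r4710|function'.split('|'), 0, {}))`;

// Pull the arguments (p, a, c, k) out of the trailing call `}('...', a, c, '...'.split('|'), ...)`
// with a regex instead of executing anything.
function parsePacked(src) {
  const m = src.match(/\}\('((?:\\.|[^'\\])*)',\s*(\d+),\s*(\d+),\s*'([^']*)'\.split\('\|'\)/);
  if (!m) throw new Error('input does not look like a p,a,c,k,e,d payload');
  return {
    p: m[1].replace(/\\(.)/g, '$1'), // undo the \' escapes inside the packed source
    a: Number(m[2]),
    c: Number(m[3]),
    k: m[4].split('|'),
  };
}

// Same substitution the packer's bootstrap performs: every \w+ token in p is an index
// (written in base a) into the keyword list k; tokens whose k entry is empty stay as they are.
function unpack({ p, a, c, k }) {
  const dict = new Map();
  for (let i = 0; i < c; i++) {
    const token = i.toString(a);
    dict.set(token, k[i] || token);
  }
  return p.replace(/\b\w+\b/g, (w) => (dict.has(w) ? dict.get(w) : w));
}

// Join adjacent 'a'+'b' literals into one string, repeating until nothing changes;
// this is the manual step the walkthrough describes.
function foldStrings(code) {
  const pair = /'([^'\\]*)'\s*\+\s*'([^'\\]*)'/g;
  let prev;
  do {
    prev = code;
    code = code.replace(pair, "'$1$2'");
  } while (code !== prev);
  return code;
}

// Every single-quoted string literal in the folded code, in order of appearance.
function stringLiterals(code) {
  return [...code.matchAll(/'([^'\\]*)'/g)].map((m) => m[1]);
}

// Full pipeline: returns the readable source plus any HTB{...} strings found in it.
function deobfuscate(src) {
  const code = foldStrings(unpack(parsePacked(src)));
  const flags = stringLiterals(code).filter((s) => /^HTB\{[^}]*\}$/.test(s));
  return { code, flags };
}

const result = deobfuscate(PACKED);
console.log(result.code);
console.log('flag-like strings:', result.flags);
```

Because the keyword list has two empty slots (`||` in the `split('|')` string), the tokens at those positions are kept verbatim, which is why the letters `n` and `j` survive inside the `HTB{...}` strings; the fold step then turns the seven pieces of the `flag` variable into one string, and the `console.log` argument into the value printed in Q2.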
Q4 - Try to Analyze the deobfuscated JavaScript code, and understand its main functionality. Once you do, try to replicate what it's doing to get a secret key. What is the key?
Solution:
Now, let's dive deeper and reverse-engineer the source code to extract the secret key.
First, it declares a `flag` variable with a value.

Next, it performs an asynchronous HTTP POST request to the `/keys.php` endpoint.

(The expression `[]` is an empty array, which is truthy; `![]` negates it to `false`, and `!![]` negates it again, resulting in `true`.)

Send a similar request to the server:

```bash
curl -X POST http://94.237.61.242:49884/keys.php
```

And we receive the secret key:
Q5 - Once you have the secret key, try to decide its encoding method, and decode it. Then send a 'POST' request to the same previous page with the decoded key as "key=DECODED_KEY". What is the flag you got?
Solution:
The value of the secret key appears to be hex-encoded. Let's try decoding it:

```bash
echo <SECRET_KEY> | xxd -r -p
```

Looks like a good guess!

Now, take the decoded value and resend the previous POST request, including it as the `key` parameter in the request body:

```bash
curl -X POST http://94.237.61.242:49884/keys.php -d 'key=<DECODED_SECRET_KEY>'
```

We got the flag! 😁
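The two steps of Q5 (work out the key's encoding, then resend it as a form field) can be made less guess-based. The following Node.js snippet is an added example, not part of the walkthrough: `decodeKey` tries hex first (the case here) and then base64, accepting a candidate only when the decoded bytes are printable, and `buildKeyBody` percent-encodes the result so that characters such as `&`, `+` or `=` in a decoded key cannot corrupt the `key=...` body that `curl -d` would otherwise pass through verbatim. The function names and the sample key `s3cr3t_k3y` are this example's own constructed values; the lab's real key is not reproduced.

```javascript
// Added example (not part of the walkthrough): detect how a returned secret key is
// encoded, decode it, and build the form body for the follow-up POST request.
// Assumes Node.js (Buffer, URLSearchParams). Sample values below are constructed.

const PRINTABLE = /^[\x20-\x7e]+$/;

// Try hex first (the case in the walkthrough), then base64. A candidate only counts
// if the decoded bytes are printable ASCII, which is what a key sent in a form must be.
function decodeKey(value) {
  const s = value.trim(); // a pasted key often carries the trailing newline that `echo` adds
  if (/^[0-9a-f]+$/i.test(s) && s.length % 2 === 0) {
    const out = Buffer.from(s, 'hex').toString('utf8');
    if (PRINTABLE.test(out)) return { encoding: 'hex', decoded: out };
  }
  if (/^[A-Za-z0-9+/]+={0,2}$/.test(s) && s.length % 4 === 0) {
    const out = Buffer.from(s, 'base64').toString('utf8');
    if (PRINTABLE.test(out)) return { encoding: 'base64', decoded: out };
  }
  return { encoding: 'unknown', decoded: null };
}

// Percent-encode the decoded key so '&', '+' or '=' inside it cannot break the
// key=... field; `curl -d 'key=...'` sends whatever it is given without encoding.
function buildKeyBody(decodedKey) {
  return new URLSearchParams({ key: decodedKey }).toString();
}

// Constructed sample inputs (not values from the lab).
const SAMPLE_HEX = Buffer.from('s3cr3t_k3y', 'utf8').toString('hex') + '\n';
const SAMPLE_B64 = Buffer.from('s3cr3t_k3y', 'utf8').toString('base64');

console.log(decodeKey(SAMPLE_HEX)); // { encoding: 'hex', decoded: 's3cr3t_k3y' }
console.log(decodeKey(SAMPLE_B64)); // { encoding: 'base64', decoded: 's3cr3t_k3y' }
console.log(buildKeyBody('a&b=c+d')); // key=a%26b%3Dc%2Bd
```

`xxd -r -p` happens to ignore the newline `echo` appends, so the walkthrough's one-liner works; the `trim()` here covers the same case when a key is copied from a terminal or a response body.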
Written by Ido Abramov
