JAVASCRIPT DEOBFUSCATION

Completed JavaScript Deobfuscationacademy.hackthebox.com

OBJECTIVE: determine how an organization's web server that contains JavaScript and API functionality can negatively affect its customers.

Try to study the HTML code of the webpage, and identify used JavaScript code within it. What is the name of the JavaScript file being used?

root@oco:~$ curl -s 94.237.59.119:41274
 * api.min.js

Once you find the JavaScript code, try to run it to see if it does any interesting functions. Did you get something in return?

root@oco:~$ curl -s 94.237.59.119:41274/api.min.js
 * eval(function (p, a, c, k, e, d) { e = function (c) { return c.toString(36) }; if (!''.replace(/^/, String)) { while (c--) { d[c.toString(a)] = k[c] || c.toString(a) } k = [function (e) { return d[e] }]; e = function () { return '\\w+' }; c = 1 }; while (c--) { if (k[c]) { p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]) } } return p }('t 5(){6 7=\'1{n\'+\'8\'+\'9\'+\'a\'+\'b\'+\'c!\'+\'}\',0=d e(),2=\'/4\'+\'.g\';0[\'f\'](\'i\',2,!![]),0[\'k\'](l)}m[\'o\'](\'1{j\'+\'p\'+\'q\'+\'r\'+\'s\'+\'h\'+\'3}\');', 30, 30, 'xhr|HTB|_0x437f8b|k3y|keys|apiKeys|var|flag|3v3r_|run_0|bfu5c|473d_|c0d3|new|XMLHttpRequest|open|php|n_15_|POST||send|null|console||log|4v45c|r1p7_|3num3|r4710|function'.split('|'), 0, {}))
root@oco:~$ BROWSER > https://jsconsole.com/
 input: eval(function (p, a, c, k, e, d) { e = function (c) { return c.toString(36) }; if (!''.replace(/^/, String)) { while (c--) { d[c.toString(a)] = k[c] || c.toString(a) } k = [function (e) { return d[e] }]; e = function () { return '\\w+' }; c = 1 }; while (c--) { if (k[c]) { p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]) } } return p }('t 5(){6 7=\'1{n\'+\'8\'+\'9\'+\'a\'+\'b\'+\'c!\'+\'}\',0=d e(),2=\'/4\'+\'.g\';0[\'f\'](\'i\',2,!![]),0[\'k\'](l)}m[\'o\'](\'1{j\'+\'p\'+\'q\'+\'r\'+\'s\'+\'h\'+\'3}\');', 30, 30, 'xhr|HTB|_0x437f8b|k3y|keys|apiKeys|var|flag|3v3r_|run_0|bfu5c|473d_|c0d3|new|XMLHttpRequest|open|php|n_15_|POST||send|null|console||log|4v45c|r1p7_|3num3|r4710|f
 * HTB{j4v45cr1p7_3num3r4710n_15_k3y}

As you may have noticed, the JavaScript code is obfuscated. Try applying the skills you learned in this module to deobfuscate the code, and retrieve the 'flag' variable.

root@oco:~$ curl -s 94.237.59.119:41274/api.min.js
 * eval(function (p, a, c, k, e, d) { e = function (c) { return c.toString(36) }; if (!''.replace(/^/, String)) { while (c--) { d[c.toString(a)] = k[c] || c.toString(a) } k = [function (e) { return d[e] }]; e = function () { return '\\w+' }; c = 1 }; while (c--) { if (k[c]) { p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]) } } return p }('t 5(){6 7=\'1{n\'+\'8\'+\'9\'+\'a\'+\'b\'+\'c!\'+\'}\',0=d e(),2=\'/4\'+\'.g\';0[\'f\'](\'i\',2,!![]),0[\'k\'](l)}m[\'o\'](\'1{j\'+\'p\'+\'q\'+\'r\'+\'s\'+\'h\'+\'3}\');', 30, 30, 'xhr|HTB|_0x437f8b|k3y|keys|apiKeys|var|flag|3v3r_|run_0|bfu5c|473d_|c0d3|new|XMLHttpRequest|open|php|n_15_|POST||send|null|console||log|4v45c|r1p7_|3num3|r4710|function'.split('|'), 0, {}))
root@oco:~$ BROWSER > https://matthewfl.com/unPacker.html
 input: eval(function (p, a, c, k, e, d) { e = function (c) { return c.toString(36) }; if (!''.replace(/^/, String)) { while (c--) { d[c.toString(a)] = k[c] || c.toString(a) } k = [function (e) { return d[e] }]; e = function () { return '\\w+' }; c = 1 }; while (c--) { if (k[c]) { p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]) } } return p }('t 5(){6 7=\'1{n\'+\'8\'+\'9\'+\'a\'+\'b\'+\'c!\'+\'}\',0=d e(),2=\'/4\'+\'.g\';0[\'f\'](\'i\',2,!![]),0[\'k\'](l)}m[\'o\'](\'1{j\'+\'p\'+\'q\'+\'r\'+\'s\'+\'h\'+\'3}\');', 30, 30, 'xhr|HTB|_0x437f8b|k3y|keys|apiKeys|var|flag|3v3r_|run_0|bfu5c|473d_|c0d3|new|XMLHttpRequest|open|php|n_15_|POST||send|null|console||log|4v45c|r1p7_|3num3|r4710|function'.split('|'), 0, {}))
 * HTB{n'+'3v3r_'+'run_0'+'bfu5c'+'473d_'+'c0d3!'+'}
 * HTB{n3v3r_run_0bfu5c473d_c0d3!}

Try to Analyze the deobfuscated JavaScript code, and understand its main functionality. Once you do, try to replicate what it's doing to get a secret key. What is the key?

root@oco:~$ BROWSER > https://matthewfl.com/unPacker.html
 input: eval(function (p, a, c, k, e, d) { e = function (c) { return c.toString(36) }; if (!''.replace(/^/, String)) { while (c--) { d[c.toString(a)] = k[c] || c.toString(a) } k = [function (e) { return d[e] }]; e = function () { return '\\w+' }; c = 1 }; while (c--) { if (k[c]) { p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]) } } return p }('t 5(){6 7=\'1{n\'+\'8\'+\'9\'+\'a\'+\'b\'+\'c!\'+\'}\',0=d e(),2=\'/4\'+\'.g\';0[\'f\'](\'i\',2,!![]),0[\'k\'](l)}m[\'o\'](\'1{j\'+\'p\'+\'q\'+\'r\'+\'s\'+\'h\'+\'3}\');', 30, 30, 'xhr|HTB|_0x437f8b|k3y|keys|apiKeys|var|flag|3v3r_|run_0|bfu5c|473d_|c0d3|new|XMLHttpRequest|open|php|n_15_|POST||send|null|console||log|4v45c|r1p7_|3num3|r4710|function'.split('|'),
 output: 
  function apiKeys(){
    var flag='HTB{n'+'3v3r_'+'run_0'+'bfu5c'+'473d_'+'c0d3!'+'}',
    xhr=new XMLHttpRequest(),_0x437f8b='/keys'+'.php';
    xhr['open']('POST',_0x437f8b,!![]),xhr['send'](null)
  }
  console['log']('HTB{j'+'4v45c'+'r1p7_'+'3num3'+'r4710'+'n_15_'+'k3y}');
root@oco:~$ curl -s 94.237.59.119:41274/keys.php -X POST -d "param=j4v45cr1p7_3num3r4710n_15_k3y"
 * 4150495f70336e5f37333537316e365f31355f66756e

Once you have the secret key, try to decide it's encoding method, and decode it. Then send a 'POST' request to the same previous page with the decoded key as "key=DECODED_KEY". What is the flag you got?

root@oco:~$ BROWSER > https://www.boxentriq.com/code-breaking/cipher-identifier
 input: 4150495f70336e5f37333537316e365f31355f66756e
root@oco:~$ echo 4150495f70336e5f37333537316e365f31355f66756e | xxd -p -r
 * API_p3n_73571n6_15_fun
 
root@oco:~$ find / -iname *burp-parameter* -type f 2>/dev/null
 * /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
root@oco:~$ cp /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt .
root@oco:~$ ffuf -w burp-parameter-names.txt:FUZZ -u http://94.237.59.119:41274/keys.php/ -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded'
root@oco:~$ ffuf -w burp-parameter-names.txt:FUZZ -u http://94.237.59.119:41274/keys.php/ -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs 44
 * produced no results - param key not on burp-parameter list
root@oco:~$ curl -s 94.237.59.119:41274/keys.php -X POST -d "key=API_p3n_73571n6_15_fun"
 * HTB{r34dy_70_h4ck_my_w4y_1n_2_HTB}

PreviousWEB FUZZING NextCROSS-SITE SCRIPTING (XSS)

Last updated 24 days ago