JavaScript Deobfuscation Skill Assessment - Hack the Box Writeup

Jun Takemura · December 18, 2024

Question 1

Q: Try to study the HTML code of the webpage, and identify used JavaScript code within it. What is the name of the JavaScript file being used?

Searched for .js in the source code and found api.min.js.

Question 2

Q: Once you find the JavaScript code, try to run it to see if it does any interesting functions. Did you get something in return?

Ran it with jsconsole.

Question 3

Q: As you may have noticed, the JavaScript code is obfuscated. Try applying the skills you learned in this module to deobfuscate the code, and retrieve the ‘flag’ variable.

Used JS Nice, but it didn’t give a good result. I used UnPacker.

Output:

function apiKeys()
	{
	var flag='HTB{n'+'3v3r_'+'run_0'+'bfu5c'+'473d_'+'c0d3!'+'}',xhr=new XMLHttpRequest(),_0x437f8b='/keys'+'.php';
	xhr['open']('POST',_0x437f8b,!![]),xhr['send'](null)
}
console['log']('HTB{j'+'4v45c'+'r1p7_'+'3num3'+'r4710'+'n_15_'+'k3y}');

Ran this in jsconsole:

var flag = "HTB{n" + "3v3r_" + "run_0" + "bfu5c" + "473d_" + "c0d3!" + "}";
console.log(flag);

Question 4

Q: Try to analyze the deobfuscated JavaScript code, and understand its main functionality. Once you do, try to replicate what it’s doing to get a secret key. What is the key?

Examined this part:

xhr=new XMLHttpRequest(),_0x437f8b='/keys'+'.php';
xhr['open']('POST',_0x437f8b,!![]),xhr['send'](null)

This sends a POST request to /keys.php so I sent one using curl:

curl -s -X POST http://94.237.61.97:48107/keys.php

Got a key.
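
The unpacked code from Questions 3 and 4 can also be read without running it, which is the safer habit with untrusted scripts. The snippet below is an added example, not part of the original writeup or the challenge code: it folds the split string literals and undoes the bracket-notation and !![] tricks as plain text. The function names foldStrings, tidy and listStrings are made up for this example, and the sample input is constructed from the unpacker output shown above.

```javascript
// Added example: tidy packer output as text, without evaluating it.
// Assumes single-quoted literals only and no comments or regex literals.
const STR = /'(?:[^'\\]|\\.)*'/g;

// Constructed sample: the unpacked apiKeys() from the page, on one line.
const sample =
  "function apiKeys(){var flag='HTB{n'+'3v3r_'+'run_0'+'bfu5c'+'473d_'+'c0d3!'+'}'," +
  "xhr=new XMLHttpRequest(),_0x437f8b='/keys'+'.php';" +
  "xhr['open']('POST',_0x437f8b,!![]),xhr['send'](null)}";

// Merge 'a'+'b' into 'ab' by walking string / non-string tokens in order,
// so a quote is never mistaken for the start of a literal mid-string.
function foldStrings(src) {
  const tokens = src.match(/'(?:[^'\\]|\\.)*'|[^']+/g) || [];
  const out = [];
  for (const tok of tokens) {
    const n = out.length;
    const joins = tok[0] === "'" && n >= 2 &&
      out[n - 1].trim() === "+" && out[n - 2][0] === "'";
    if (joins) {
      out.pop(); // drop the "+" between the two literals
      out[n - 2] = out[n - 2].slice(0, -1) + tok.slice(1);
    } else {
      out.push(tok);
    }
  }
  return out.join("");
}

// Undo the cosmetic tricks seen in this sample: obj['name'] and !![].
function tidy(src) {
  return foldStrings(src)
    .replace(/(?<=[\w$)\]])\['([A-Za-z_$][\w$]*)'\]/g, ".$1")
    .replace(/!!\[\]/g, "true")
    .replace(/!\[\]/g, "false");
}

// Every folded literal: a quick view of URLs, methods and constants.
function listStrings(src) {
  return (foldStrings(src).match(STR) || []).map((s) => s.slice(1, -1));
}

console.log(tidy(sample));
console.log(listStrings(sample));
```

The literal list puts /keys.php and POST side by side, which is the same request the curl command above reproduces.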

Question 5

Q: Once you have the secret key, try to decide its encoding method, and decode it. Then send a ‘POST’ request to the same previous page with the decoded key as “key=DECODED_KEY”. What is the flag you got?

The key was 4150495f70336e5f37333537316e365f31355f66756e and it only used a-f and 0-9, so I guessed it was hex encoded.

Decode hex:

echo 4150495f70336e5f37333537316e365f31355f66756e | xxd -p -r

Output:

API_p3n_73571n6_15_fun 

Sent it with curl:

curl -s -X POST http://94.237.61.97:48107/keys.php -d key=API_p3n_73571n6_15_fun

and got the final flag.
