CTFtime.org

Bad JS

by N0t_a_C0p / Not_C0ps

Tags: encoding javascript 

Rating:

## Bad JS (Web 100)

“There is a bad JS which hides flag inside. Capture it.”

First thing is to download and extract the 7-zip archive into the directory of your choosing. Once extracted, open up index.html (I am using Chrome). We are greeted with a simple flag check application.

![Flag Form](https://imgur.com/lVyjkaD.png)

![Popup](https://imgur.com/gWbqn50.png)

No matter what I entered, the result was the same (A popup with the word "wrong"). So let's take a quick look at the source code.

![Source](https://imgur.com/IFKi2LH.png)

We now know why we always get the same alert, no matter what we enter. The form input is not actually checked against anything. The next logical place to look would be the javascript source file JS.js.

Really ugly ofuscated javacsript:

![Ofuscated JS](https://imgur.com/1l2sEi6.png)

The entire file seems to be stripped of symbols. After a quick and painful look through, I had no leads on how to deal with it, but I had a feeling the solution was a little easier than reversing stripped javascript. That is when I noticed the first line of the file, var_0x1b00. The odd thing was, that every bytes string in the array ended in \x3d (which I knew was hex for ‘=’). That may mean that the byte strings were base64 encoded, then hex encoded, so all we would have to do is decode them.

Here we can see that is is the case. That the strings are base64 encoded.

![Quick POC](https://imgur.com/ntSNTi1.png)

So I wrote a python script that takes the byte array and converts each string in it into plain text. I wrote these plain text values to a file for reading.

![Script](https://imgur.com/2rwOrgd.png)

The results were just as I hoped for. It seemed that the byte strings were one of two things. 1.) A missing symbol from the javascript source. 2.) Random strings of 5 characters

Output File:

![Output](https://imgur.com/2JBaR0y.png)

Now we know that the flag is the MD5 hash of 127.0.0.1. Plenty of websites can find this hash in a jiffy, but I opted for bash.

![Hash](https://imgur.com/BYOpqQS.png)

The -n flag is needed, otherwise md5 will think the \n is part of the string. That hash (without spaces and - at the end) wrapped inside UUTCTF{} is the flag. I was happy I thought to decode those strings early on, or I may still be looking at that stripped JS code at this moment. This is my first writeup I tried to format for this site, so I hope it does not look like complete trash formatting wise.

[PDF Version](https://github.com/frank-cerny/CTFs/blob/master/UUTCTF/Web/BadJS_100.pdf)

Comments