Difference between revisions of "Root Me"

From Embedded Lab Vienna for IoT & Security

Revision as of 18:40, 19 December 2021

Summary

Description what this documentation is about.

Requirements

  • Operating system: Ubuntu 18.04 bionic amd64
  • Packages: git emacs

In order to complete these steps, you must have followed Some Other Documentation before.

Description

Step 1

Enter these commands in the shell

echo foo
echo bar

Step 2

Make sure to read

  • War and Peace
  • Lord of the Rings
  • The Baroque Cycle

Challenge Write-Up

In this section, the solution to the "Javascript - Obfuscation 3" challenge from the Web-Client category is presented. As the title indicates, the challenge requires an intermediate knowledge and understanding of the scripting language JavaScript. Because JavaScript is a client-side web technology, the idea is to use the browser's integrated console to manipulate the code and get the flag. The challenge also contains resources that may help in understanding the JavaScript obfuscation concept used here, and how obfuscation makes code harder to understand while keeping its functionality.

Js obfuscation3.png

After starting the challenge, a website opens and prompts the user to enter the password. At this point we can simply try a common password to see what the response is. We enter "admin" and see an alert pop up with the message "FAUX PASSWORD HAHA", which is French and stands for "false password haha". As far as we can see, the website is blank and displays no HTML elements, but that does not necessarily mean there is no hidden content or code on the page. This is why the first step of an advanced penetration tester is to interact with the website through the browser by inspecting the content of the page.

Knowing that this challenge is about JavaScript, we analyze the page source and find an inline script in the HTML head element that exposes the functionality of the password prompt. The inline script contains the following content:

<syntaxhighlight>
function dechiffre(pass_enc){
var pass = "70,65,85,88,32,80,65,83,83,87,79,82,68,32,72,65,72,65"; // character codes of the default message
var tab = pass_enc.split(','); // the user input; it never reaches the output
var tab2 = pass.split(',');var i,j,k,l=0,m,n,o,p = ""; i = 0;j = tab.length;
k = j + (l) + (n=0); n = tab2.length;
for(i = (o=0); i < (k = j = n); i++ ){
  o = tab[i-l];
  p += String.fromCharCode((o = tab2[i])); if(i == 5)break; // copies codes 0..5 of pass
}
for(i = (o=0); i < (k = j = n); i++ ){ o = tab[i-l];
if(i > 5 && i < k-1)
  p += String.fromCharCode((o = tab2[i])); // copies codes 6..16 of pass
}
p += String.fromCharCode(tab2[17]); // appends the last code of pass
pass = p;return pass;
} String["fromCharCode"](dechiffre("\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31 \x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30")); // the result of this call is discarded
h = window.prompt('Entrez le mot de passe / Enter password');
alert( dechiffre(h) );
</syntaxhighlight>

Looking at the code, we find a function dechiffre(pass_enc), starting at line 2, which takes a pass_enc parameter. Going through the function, it becomes clear that it always returns the pass variable, defined on line 3. This means that trying different prompt/function inputs makes no difference, as the default "FAUX PASSWORD HAHA" message will always be displayed. The pass variable holds character codes, which can be converted back to string format with the predefined JavaScript function String.fromCharCode(value). We can try this in the browser's built-in console and see the result.
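The conversion described above can be applied to a whole script instead of one literal at a time. The following is an added example, not code from the challenge or from the original write-up: it scans script source for quoted literals, resolves `\xNN` escapes, and decodes every literal that is a list of character codes. The function names and the second sample literal are assumptions made for illustration.

```javascript
// Added example: triage helper for scripts that hide text as character codes.

// Resolve \xNN escapes the way the JavaScript parser would when it reads the literal.
function unescapeHex(literal) {
  return literal.replace(/\\x([0-9a-fA-F]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// "70,65,85" -> "FAU"; returns null when the text is not a list of codes.
function decodeCharCodes(text) {
  if (!/^\d{1,5}(,\d{1,5})+$/.test(text)) return null;
  return String.fromCharCode(...text.split(',').map(Number));
}

// Find single- or double-quoted literals in the source and decode the code lists.
function findHiddenStrings(source) {
  const results = [];
  const literalRe = /(["'])((?:\\.|(?!\1)[^\\])*)\1/g;
  for (const match of source.matchAll(literalRe)) {
    const decoded = decodeCharCodes(unescapeHex(match[2]));
    if (decoded !== null) results.push(decoded);
  }
  return results;
}

// Sample input: the pass literal from the page, an ordinary literal that must be
// skipped, and a constructed hex-escaped literal (not the one from the challenge).
const SAMPLE = [
  'var pass = "70,65,85,88,32,80,65,83,83,87,79,82,68,32,72,65,72,65";',
  'var tab = pass_enc.split(",");',
  'check("\\x37\\x32\\x2c\\x31\\x30\\x35");',
].join('\n');

console.log(findHiddenStrings(SAMPLE));
```

Literals that are not code lists, such as the `","` separator, are skipped, so the output contains only strings the script was hiding.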

Console faux.png

Courses

References