Difference between revisions of "Root Me"
| Line 39: | Line 39: | ||
While analyzing the code and having the knowledge that this challenge is regarding JavaScript, we will be able to find an inline script in the HTML head element, which exposes the functionality of the password prompt. The inline script contains following content: | While analyzing the code and having the knowledge that this challenge is regarding JavaScript, we will be able to find an inline script in the HTML head element, which exposes the functionality of the password prompt. The inline script contains following content: | ||
1 | 1 function dechiffre(pass_enc){ | ||
2 | 2 var pass = "70,65,85,88,32,80,65,83,83,87,79,82,68,32,72,65,72,65" var tab = pass_enc.split(’,’); | ||
3 | 3 var tab2 = pass.split(’,’);var i,j,k,l=0,m,n,o,p = ""; i = 0;j = tab.length; | ||
4 | 4 k = j + (l) + (n=0); n = tab2.length; | ||
5 | 5 for(i = (o=0); i < (k = j = n); i++ ){ | ||
6 | 6 o = tab[i-l]; | ||
7 | 7 p += String.fromCharCode((o = tab2[i])); if(i == 5)break; | ||
8 | 8 } | ||
9 | 9 for(i = (o=0); i < (k = j = n); i++ ){ o = tab[i-l]; | ||
10 if(i > 5 && i < k-1) | 10 if(i > 5 && i < k-1) | ||
11 | 11 p += String.fromCharCode((o = tab2[i])); | ||
12 } | 12 } | ||
13 p += String.fromCharCode(tab2[17]); | 13 p += String.fromCharCode(tab2[17]); | ||
14 pass = p;return pass; | 14 pass = p;return pass; | ||
15 } String["fromCharCode"](dechiffre("\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31 \x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30")); | 15 } String["fromCharCode"](dechiffre("\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31 \x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30")); | ||
16 h = window.prompt(’Entrez le mot de passe / Enter password’); | 16 h = window.prompt(’Entrez le mot de passe / Enter password’); | ||
17 alert( dechiffre(h) ); | 17 alert( dechiffre(h) ); | ||
By observing the code we can detect a function '''dechiffre(pass enc)''', starting at line 1, which takes a pass enc parameter. By going through the function it is obvious, that it always returns the pass variable, defined on line 2. This means, that trying different promp/function inputs will make no difference, as the default ''”FAUX PASSWORD HAHA”'' message will be displayed. The pass variable is Character Code and as a matter of fact can also be converted back to string format, by using the predefined JavaScript '''String.fromCharCode(value)''' function. We can try this by using the built-in web browser console and see the result. | By observing the code we can detect a function '''dechiffre(pass enc)''', starting at line 1, which takes a pass enc parameter. By going through the function it is obvious, that it always returns the pass variable, defined on line 2. This means, that trying different promp/function inputs will make no difference, as the default ''”FAUX PASSWORD HAHA”'' message will be displayed. The pass variable is Character Code and as a matter of fact can also be converted back to string format, by using the predefined JavaScript '''String.fromCharCode(value)''' function. We can try this by using the built-in web browser console and see the result. | ||
| Line 61: | Line 61: | ||
[[File:Console faux.png|600px]] | [[File:Console faux.png|600px]] | ||
At this point, we are familiar with the '''String.fromCharCode(value)''' function and therefore line | At this point, we are familiar with the '''String.fromCharCode(value)''' function and therefore line 15 seems odd. It is a fact that the code has been obfuscated, ’uglified’ or in other words purposely harder to understand. Line 15 can be interpreted as a hint as the value passed to the '''dechiffre()''' function is in HEX. We already learned that the JavaScript console is a useful tool, which can also be used to perform the HEX to ASCII characters conversion. This can be done, by simply pasting the HEX string into the console as following: | ||
[[File:Console hex.png|1200px]] | [[File:Console hex.png|1200px]] | ||
Revision as of 19:12, 19 December 2021
Summary
Description what this documentation is about.
Requirements
- Operating system: Ubuntu 18.04 bionic amd64
- Packages: git emacs
In order to complete these steps, you must have followed Some Other Documentation before.
Description
Step 1
Enter these commands in the shell
echo foo echo bar
Step 2
Make sure to read
- War and Peace
- Lord of the Rings
- The Baroque Cycle
Challenge Write-Up
In this section, the solution to the ”Javascript - Obfuscation 3” challenge from the category Web-Client is presented. By the title of this challenge it is evident, that the prerequisite is intermediate knowledge and understanding of the scripting language Javascript. As Javascript is a client-side web technology, the idea is to use the integrated web browser console to manipulate the code and get the flag. Additionally the challenge contains resources, which might be helpful to understand the JavaScript obfuscation concept used in this challenge and how it is abused to make the code harder to understand and still keep its functionality.
After starting the challenge, a website opens up, which prompts the user to enter the password. At this point we can just try to intuitively enter a common password to see what the output/response is going to be. We are going to try ”admin” as our input and see, that an alert pops up with a ”FAUX PASSWORD HAHA” message, which is French and stands for false password haha. As far as we can see, the website is blank and displays no HTML elements, which does not necessarily mean that there is no hidden content or code on the website. This is why the first of an advanced penetration tester will be, trying to interact with the website via browser by inspecting the content of the page.
While analyzing the code and having the knowledge that this challenge is regarding JavaScript, we will be able to find an inline script in the HTML head element, which exposes the functionality of the password prompt. The inline script contains following content:
1 function dechiffre(pass_enc){
2 var pass = "70,65,85,88,32,80,65,83,83,87,79,82,68,32,72,65,72,65" var tab = pass_enc.split(’,’);
3 var tab2 = pass.split(’,’);var i,j,k,l=0,m,n,o,p = ""; i = 0;j = tab.length;
4 k = j + (l) + (n=0); n = tab2.length;
5 for(i = (o=0); i < (k = j = n); i++ ){
6 o = tab[i-l];
7 p += String.fromCharCode((o = tab2[i])); if(i == 5)break;
8 }
9 for(i = (o=0); i < (k = j = n); i++ ){ o = tab[i-l];
10 if(i > 5 && i < k-1)
11 p += String.fromCharCode((o = tab2[i]));
12 }
13 p += String.fromCharCode(tab2[17]);
14 pass = p;return pass;
15 } String["fromCharCode"](dechiffre("\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31 \x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30"));
16 h = window.prompt(’Entrez le mot de passe / Enter password’);
17 alert( dechiffre(h) );
By observing the code we can detect a function dechiffre(pass enc), starting at line 1, which takes a pass enc parameter. By going through the function it is obvious, that it always returns the pass variable, defined on line 2. This means, that trying different promp/function inputs will make no difference, as the default ”FAUX PASSWORD HAHA” message will be displayed. The pass variable is Character Code and as a matter of fact can also be converted back to string format, by using the predefined JavaScript String.fromCharCode(value) function. We can try this by using the built-in web browser console and see the result.
At this point, we are familiar with the String.fromCharCode(value) function and therefore line 15 seems odd. It is a fact that the code has been obfuscated, ’uglified’ or in other words purposely harder to understand. Line 15 can be interpreted as a hint as the value passed to the dechiffre() function is in HEX. We already learned that the JavaScript console is a useful tool, which can also be used to perform the HEX to ASCII characters conversion. This can be done, by simply pasting the HEX string into the console as following:
The result of this operation is in a format, we might recognize, from our previous steps. Keyword: Character Code. Now the character code can be passed as an input to the String.fromCharCode(value) and it might return the flag to solve the challenge. The final outcome of the operation is shown below.
Last step was verifying our success on the Root Me platform by validating the challenge with the flag and we mastered the challenge!
Courses
- A course where this documentation was used (2017, 2018)
- Another one (2018)