Challenge Description

We want to update our website but we are unable to because the developer who coded this left today. Can you take a look?

Provided Files

$ ls -R 
.:
css  dashboard.html  index.html  js

./css:
style.css

./js:
login.js

Solution

The login.js file has been obfuscated:

$ cat js/login.js 
var _0x4e0b=['\x74\x6f\x53\x74\x72\x69\x6e\x67','\x75\x73\x65\x72\x6e\x61\x6d\x65','\x63\x6f\x6e\x73\x6f\x6c\x65','\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x42\x79\x49\x64','\x6c\x6f\x67','\x62\x69\x6e\x64','\x64\x69\x73\x61\x62\x6c\x65\x64','\x61\x70\x70\x6c\x79','\x61\x64\x6d\x69\x6e','\x70\x72\x6f\x74\x6f\x74\x79\x70\x65',
<SNIP>

Code obfuscation is the process of making code difficult to understand for humans, often with the goal of making it harder for attackers to reverse engineer software or for competitors to copy it.

Once the we deobfuscate the code, at the end of the file we find this variable:

var res = String.fromCharCode(72, 84, 66, 123, 87, 51, 76, 99, 48, 109, 51, 95, 55, 48, 95, 74, 52, 86, 52, 53, 67, 82, 49, 112, 55, 95, 100, 51, 48, 98, 70, 117, 53, 67, 52, 55, 49, 48, 78, 125, 10);

Converting the String.fromCharCode() static function parameters from ASCII codes to text characters gives us the flag:

HTB{W3L************************10N}

Challenge Description#

Provided Files#

Solution#

Challenge Description

Provided Files

Solution