Client-side-again

Point: 200

Category

Web Exploitation

Question

Can you break into this super secure portal? https://2019shell1.picoctf.com/problem/21886/ (link) or http://2019shell1.picoctf.com:21886

Hint

What is [obfuscation](https://en.wikipedia.org/wiki/Obfuscation_(software))?

Solution

Check the source code, we have a obfuscation JS file.

<html>
<head>
<title>Secure Login Portal V2.0</title>
</head>
<body background="barbed_wire.jpeg" >
<!-- standard MD5 implementation -->
<script type="text/javascript" src="md5.js"></script>

<script type="text/javascript">
  var _0x5a46=['9f266}','_again_1','this','Password\x20Verified','Incorrect\x20password','getElementById','value','substring','picoCTF{','not_this'];(function(_0x4bd822,_0x2bd6f7){var _0xb4bdb3=function(_0x1d68f6){while(--_0x1d68f6){_0x4bd822['push'](_0x4bd822['shift']());}};_0xb4bdb3(++_0x2bd6f7);}(_0x5a46,0x1b3));var _0x4b5b=function(_0x2d8f05,_0x4b81bb){_0x2d8f05=_0x2d8f05-0x0;var _0x4d74cb=_0x5a46[_0x2d8f05];return _0x4d74cb;};function verify(){checkpass=document[_0x4b5b('0x0')]('pass')[_0x4b5b('0x1')];split=0x4;if(checkpass[_0x4b5b('0x2')](0x0,split*0x2)==_0x4b5b('0x3')){if(checkpass[_0x4b5b('0x2')](0x7,0x9)=='{n'){if(checkpass[_0x4b5b('0x2')](split*0x2,split*0x2*0x2)==_0x4b5b('0x4')){if(checkpass[_0x4b5b('0x2')](0x3,0x6)=='oCT'){if(checkpass[_0x4b5b('0x2')](split*0x3*0x2,split*0x4*0x2)==_0x4b5b('0x5')){if(checkpass['substring'](0x6,0xb)=='F{not'){if(checkpass[_0x4b5b('0x2')](split*0x2*0x2,split*0x3*0x2)==_0x4b5b('0x6')){if(checkpass[_0x4b5b('0x2')](0xc,0x10)==_0x4b5b('0x7')){alert(_0x4b5b('0x8'));}}}}}}}}else{alert(_0x4b5b('0x9'));}}
</script>
<div style="position:relative; padding:5px;top:50px; left:38%; width:350px; height:140px; background-color:gray">
<div style="text-align:center">
<p>New and Improved Login</p>

<p>Enter valid credentials to proceed</p>
<form action="index.html" method="post">
<input type="password" id="pass" size="8" />
<br/>
<input type="submit" value="verify" onclick="verify(); return false;" />
</form>
</div>
</div>
</body>
</html>

Go to Chrome Developer Tools and then move to source tab. Then click to index.html and click to {} in the left of bottom to show pretty print. Then we have this code below.

<html>
    <head>
        <title>Secure Login Portal V2.0</title>
    </head>
    <body background="barbed_wire.jpeg">
        <!-- standard MD5 implementation -->
        <script type="text/javascript" src="md5.js"></script>
        <script type="text/javascript">
            var _0x5a46 = ['9f266}', '_again_1', 'this', 'Password\x20Verified', 'Incorrect\x20password', 'getElementById', 'value', 'substring', 'picoCTF{', 'not_this'];
            (function(_0x4bd822, _0x2bd6f7) {
                var _0xb4bdb3 = function(_0x1d68f6) {
                    while (--_0x1d68f6) {
                        _0x4bd822['push'](_0x4bd822['shift']());
                    }
                };
                _0xb4bdb3(++_0x2bd6f7);
            }(_0x5a46, 0x1b3));
            var _0x4b5b = function(_0x2d8f05, _0x4b81bb) {
                _0x2d8f05 = _0x2d8f05 - 0x0;
                var _0x4d74cb = _0x5a46[_0x2d8f05];
                return _0x4d74cb;
            };
            function verify() {
                checkpass = document[_0x4b5b('0x0')]('pass')[_0x4b5b('0x1')];
                split = 0x4;
                if (checkpass[_0x4b5b('0x2')](0x0, split * 0x2) == _0x4b5b('0x3')) {
                    if (checkpass[_0x4b5b('0x2')](0x7, 0x9) == '{n') {
                        if (checkpass[_0x4b5b('0x2')](split * 0x2, split * 0x2 * 0x2) == _0x4b5b('0x4')) {
                            if (checkpass[_0x4b5b('0x2')](0x3, 0x6) == 'oCT') {
                                if (checkpass[_0x4b5b('0x2')](split * 0x3 * 0x2, split * 0x4 * 0x2) == _0x4b5b('0x5')) {
                                    if (checkpass['substring'](0x6, 0xb) == 'F{not') {
                                        if (checkpass[_0x4b5b('0x2')](split * 0x2 * 0x2, split * 0x3 * 0x2) == _0x4b5b('0x6')) {
                                            if (checkpass[_0x4b5b('0x2')](0xc, 0x10) == _0x4b5b('0x7')) {
                                                alert(_0x4b5b('0x8'));
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                } else {
                    alert(_0x4b5b('0x9'));
                }
            }
        </script>
        <div style="position:relative; padding:5px;top:50px; left:38%; width:350px; height:140px; background-color:gray">
            <div style="text-align:center">
                <p>New and Improved Login</p>
                <p>Enter valid credentials to proceed</p>
                <form action="index.html" method="post">
                    <input type="password" id="pass" size="8"/>
                    <br/>
                    <input type="submit" value="verify" onclick="verify(); return false;"/>
                </form>
            </div>
        </div>
    </body>
</html>

So We've writen some code to translate it. Then run this code in console.

split = 0x4
console.log('%d, %d:\t%s', 0x0, split * 0x2, _0x4b5b('0x3'))
console.log('%d, %d:\t%s', 0x7, 0x9, '{n')
console.log('%d, %d:\t%s', split * 0x2, split * 0x2 * 0x2, _0x4b5b('0x4'))
console.log('%d, %d:\t%s', 0x3, 0x6, 'oCT')
console.log('%d, %d:\t%s', split * 0x3 * 0x2, split * 0x4 * 0x2, _0x4b5b('0x5'))
console.log('%d, %d:\t%s', 0x6, 0xb, 'F{not')
console.log('%d, %d:\t%s', split * 0x2 * 0x2, split * 0x3 * 0x2, _0x4b5b('0x6'))
console.log('%d, %d:\t%s', 0xc, 0x10, _0x4b5b('0x7'))

Finally we've got flag.

0, 8:    picoCTF{
7, 9:    {n
8, 16:    not_this
3, 6:    oCT
24, 32:    9f266}
6, 11:    F{not
16, 24:    _again_1
12, 16:    this

Flag

picoCTF{not_this_again_19f266}