JavaScript Deobfuscation - Skills Assessment#

During our Penetration Test, we came across a web server that contains JavaScript and APIs. We need to determine their functionality to understand how it can negatively affect our customer.

1. Try to study the HTML code of the webpage, and identify used JavaScript code within it. What is the name of the JavaScript file being used?

2. Once you find the JavaScript code, try to run it to see if it does any interesting functions. Did you get something in return?

3. As you may have noticed, the JavaScript code is obfuscated. Try applying the skills you learned in this module to deobfuscate the code, and retrieve the ‘flag’ variable.

4. Try to Analyze the deobfuscated JavaScript code, and understand its main functionality. Once you do, try to replicate what it’s doing to get a secret key. What is the key?

5. Once you have the secret key, try to decide it’s encoding method, and decode it. Then send a ‘POST’ request to the same previous page with the decoded key as “key=DECODED_KEY”. What is the flag you got?

Opening dev tools to analyze source code we see there’s an js file:

api.min.js

Also in dev tools we see a message in the console:

HTB{j4v45cr1p7_3num3r4710n_15_k3y}

When opening the js file we can beautify it and unpack it using UnPacker
The flag variable is:

HTB{n3v3r_run_0bfu5c473d_c0d3!}

The js file makes an AJAX Request: It executes an asynchronous POST request to the server path /keys.php using the XMLHttpRequest object.

After doing a post request we get:

┌──(kali㉿kali)-[~]
└─$ curl -s -X POST "http://94.237.57.221:39717/keys.php"

4150495f70336e5f37333537316e365f31355f66756e

We decode that using CyberChef, and we get:

API_p3n_73571n6_15_fun

We make a POST request again, using that key.
┌──(kali㉿kali)-[~]
└─$ curl -s -X POST "http://94.237.57.221:39717/keys.php" -d "key=API_p3n_73571n6_15_fun"

HTB{r34dy_70_h4ck_my_w4y_1n_2_HTB}