Obfuscated JavaScript CTF Challenge

Web CTF Challenges

Web Capture The Flag (CTF) challenges typically involve tasks that test a participant’s knowledge and skills in web application security. These challenges often require contestants to identify and exploit vulnerabilities within a web application to capture a “flag,” which is a hidden string that serves as proof of completion.

Challenge Description

We all know security through obscurity is the best way… right? Connection Info: {ip:port}

The Challenge

This challenge was designed to introduce players to the concept of code obfuscation and highlight why “security through obscurity” is generally considered a poor security practice. Let’s break down the challenge and its solution.

Initial Approach

When approaching any web challenge, it’s always a good idea to start with the basics:

  1. Visit the provided URL
  2. Check the page source
  3. Inspect network requests
  4. Look for any JavaScript files

In this case, upon visiting the challenge URL, players were presented with a seemingly plain login page. However, a quick look at the page source revealed an interesting JavaScript file being loaded.

The Obfuscated JavaScript

Opening this JavaScript file revealed a mess of seemingly random characters - a clear sign of obfuscation. Here’s the full obfuscated code players encountered:

(function(_0x473d6f,_0x7f2b69){var _0x1f68c6=_0x30ba,_0x5a1210=_0x473d6f();while(!![]){try{var _0x18ae42=-parseInt(_0x1f68c6(0x108))/0x1+-parseInt(_0x1f68c6(0x111))/0x2*(parseInt(_0x1f68c6(0x107))/0x3)+-parseInt(_0x1f68c6(0x112))/0x4*(parseInt(_0x1f68c6(0x101))/0x5)+-parseInt(_0x1f68c6(0x10a))/0x6+parseInt(_0x1f68c6(0xfb))/0x7*(-parseInt(_0x1f68c6(0x105))/0x8)+parseInt(_0x1f68c6(0x115))/0x9*(parseInt(_0x1f68c6(0x104))/0xa)+parseInt(_0x1f68c6(0xf8))/0xb;if(_0x18ae42===_0x7f2b69)break;else _0x5a1210['push'](_0x5a1210['shift']());}catch(_0x24ed87){_0x5a1210['push'](_0x5a1210['shift']());}}}(_0x55b0,0x859c2));function resetPassword(){alert('Coming\x20soon\x20to\x20a\x20login\x20page\x20near\x20you\x20:(^)');}function tryLogin(){var _0x1ab356=_0x30ba,_0x16b548=document['getElementById']('email')[_0x1ab356(0xfa)],_0x3df0c=document[_0x1ab356(0x102)](_0x1ab356(0xff))[_0x1ab356(0xfa)];fetch(_0x1ab356(0x10b),{'method':_0x1ab356(0x10c),'headers':{'Content-Type':_0x1ab356(0x114)},'body':JSON[_0x1ab356(0x103)]({'email':_0x16b548,'password':_0x3df0c})})[_0x1ab356(0xfe)](_0x7ad2aa=>_0x7ad2aa[_0x1ab356(0x10e)]())[_0x1ab356(0xfe)](_0x5ed233=>{var _0x3bb127=_0x1ab356;_0x5ed233['success']?(console[_0x3bb127(0xfd)](_0x3bb127(0xfc)),login('1')):(console[_0x3bb127(0x109)]('uhhhhhhhhhhhh:',_0x5ed233[_0x3bb127(0x106)]),login(0x0));})['catch'](_0x3255d0=>{var _0x16931a=_0x1ab356;console['error'](_0x16931a(0x113),_0x3255d0),alert(_0x16931a(0x10f));});}function login(_0x2ca40b){var _0x25351d=_0x30ba;_0x2ca40b===0x1?window['location'][_0x25351d(0xf9)]=_0x25351d(0x110):window[_0x25351d(0x10d)][_0x25351d(0xf9)]=_0x25351d(0x100);}function _0x30ba(_0x382a30,_0x301e1d){var _0x55b0aa=_0x55b0();return _0x30ba=function(_0x30ba5b,_0x2fa0e3){_0x30ba5b=_0x30ba5b-0xf8;var _0x117e9a=_0x55b0aa[_0x30ba5b];return _0x117e9a;},_0x30ba(_0x382a30,_0x301e1d);}function _0x55b0(){var 
_0x18a08c=['log','then','password','/fail','5eVxrKp','getElementById','stringify','10vbdaNm','7210824RHbULX','message','33519oWZFTz','368128QyNChN','error','4257348MSEMWF','/login','POST','location','json','oops\x20something\x20went\x20wwong,\x20twy\x20again\x20^w^','/ZnVuY3Rpb24=','132hYtnXY','1119348JDCnUc','Error:','application/json','8833095hmkZSo','28183155CPwFWI','href','value','7KljZrX','uhhh'];_0x55b0=function(){return _0x18a08c;};return _0x55b0();}

Understanding Obfuscation

Obfuscation is a technique used to make code difficult for humans to understand. It’s often employed to protect intellectual property or to make reverse-engineering more challenging. However, it’s crucial to understand that obfuscation is not encryption and does not provide real security.

In CTFs and real-world scenarios, encountering obfuscated code is common. As a cybersecurity professional or CTF player, it’s essential to be familiar with deobfuscation techniques.

Why Security Through Obscurity is Flawed

The challenge title, “obscuritySecurity,” is a play on the phrase “security through obscurity.” This approach to security relies on the secrecy of the implementation rather than the strength of the security measures themselves. It’s generally considered a weak security practice because:

  1. Once the secret is discovered, the entire system is compromised.
  2. It doesn’t stand up to thorough testing or peer review.
  3. It often leads to a false sense of security.

In our challenge, the “security” was the obfuscated JavaScript, which, once deobfuscated, revealed the path to the flag.

Solving the Challenge

To solve this challenge, players needed to deobfuscate the JavaScript code. There are several approaches to this:

  1. Manual Deobfuscation: Carefully reading through the code and understanding its logic.
  2. Online Deobfuscators: Tools like Deobfuscate.io or de4js can help beautify and deobfuscate JavaScript.
  3. Browser Developer Tools: Running the code step-by-step in browser dev tools can help understand its functionality.
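The manual approach can also be done mechanically without loading the script in a browser. The Node.js sketch below is an added example, not part of the original challenge or write-up: it copies the string array, the 0xf8 offset and the 0x859c2 checksum from the obfuscated file above, repeats the bootstrap rotation, and resolves lookups statically. The function names (checksum, resolveTable, lookup, clientSideRoutes) are hypothetical.

```javascript
// Added example: resolve the challenge's string table in Node, without a browser.
// STRINGS is the array literal from _0x55b0 (\x20 escapes written as spaces).
const STRINGS = ['log', 'then', 'password', '/fail', '5eVxrKp', 'getElementById',
  'stringify', '10vbdaNm', '7210824RHbULX', 'message', '33519oWZFTz', '368128QyNChN',
  'error', '4257348MSEMWF', '/login', 'POST', 'location', 'json',
  'oops something went wwong, twy again ^w^', '/ZnVuY3Rpb24=', '132hYtnXY',
  '1119348JDCnUc', 'Error:', 'application/json', '8833095hmkZSo', '28183155CPwFWI',
  'href', 'value', '7KljZrX', 'uhhh'];
const OFFSET = 0xf8;    // subtracted from every key inside _0x30ba
const TARGET = 0x859c2; // second argument of the bootstrap IIFE

// The arithmetic from the bootstrap loop; `at` stands in for _0x30ba.
function checksum(at) {
  const n = (key) => parseInt(at(key), 10);
  return -n(0x108) / 1 + (-n(0x111) / 2) * (n(0x107) / 3)
    + (-n(0x112) / 4) * (n(0x101) / 5) + -n(0x10a) / 6
    + (n(0xfb) / 7) * (-n(0x105) / 8) + (n(0x115) / 9) * (n(0x104) / 10)
    + n(0xf8) / 11;
}

// Rotate a copy of the array (push(shift())) until the checksum matches,
// exactly as the IIFE does. NaN never equals TARGET, so wrong rotations fail.
function resolveTable(strings, offset, target) {
  const table = strings.slice();
  for (let rotations = 0; rotations < table.length; rotations++) {
    if (checksum((key) => table[key - offset]) === target) return { table, rotations };
    table.push(table.shift());
  }
  throw new Error('no rotation satisfies the checksum');
}

const { table: TABLE, rotations: ROTATIONS } = resolveTable(STRINGS, OFFSET, TARGET);

// Equivalent of calling _0x30ba(key) after the bootstrap has run.
function lookup(key) {
  return TABLE[key - OFFSET];
}

// Every path-like string shipped to the browser, hidden or not.
function clientSideRoutes() {
  return TABLE.filter((s) => s.startsWith('/'));
}

console.log(`rotations: ${ROTATIONS}`);
console.log('login() targets:', lookup(0x110), lookup(0x100));
console.log('routes visible to any visitor:', clientSideRoutes());
```

The same listing of path-like strings is a quick review check for your own front-end bundles: any route that appears there must be protected by a server-side check, because the obfuscation does not hide it.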

Once deobfuscated, players needed to carefully examine the code. The key to solving the challenge was hidden in the login(_0x2ca40b) function:

function resetPassword() {
  alert("Coming soon to a login page near you :(^)");
}
function tryLogin() {
  var _0x16b548 = document.getElementById('email').value;
  var _0x3df0c = document.getElementById("password").value;
  fetch("/login", {
    'method': "POST",
    'headers': {
      'Content-Type': "application/json"
    },
    'body': JSON.stringify({
      'email': _0x16b548,
      'password': _0x3df0c
    })
  }).then(_0x7ad2aa => _0x7ad2aa.json()).then(_0x5ed233 => {
    if (_0x5ed233.success) {
      console.log("uhhh");
      login('1');
    } else {
      console.error('uhhhhhhhhhhhh:', _0x5ed233.message);
      login(0x0);
    }
  })['catch'](_0x3255d0 => {
    console.error("Error:", _0x3255d0);
    alert("oops something went wwong, twy again ^w^");
  });
}
function login(_0x2ca40b) {
  if (_0x2ca40b === 0x1) {
    window.location.href = "/ZnVuY3Rpb24=";
  } else {
    window.location.href = "/fail";
  }
}

The crucial line was in the login(_0x2ca40b) function, which pulled this string from the obfuscator's string array:

"/ZnVuY3Rpb24="

This string is the direct URL path to the next step of the challenge. Although it looks Base64-encoded, it does not need decoding: this is the literal path to be appended to the base URL.

Visiting this newly discovered page (http://{challenge_url}/ZnVuY3Rpb24=) revealed the flag: ltdh{0bfusc4t10n_1s_n0t_s3cur1ty}

Lessons Learned

  1. Always inspect page sources and linked files in web challenges.
  2. Familiarise yourself with common obfuscation techniques and how to combat them.
  3. Remember that security through obscurity is not a reliable security measure.
  4. In both CTFs and real-world scenarios, be prepared to encounter and deobfuscate code.

Wrap Up

This challenge, while simple, introduces players to an important concept in web security. Obfuscation is a technique you’ll encounter both in CTFs and in the wild, so it’s valuable to practice recognising and dealing with it. Remember, if you’re stuck on a web challenge, always start with the basics: check the source, look at the network requests, and don’t forget to actually visit the webpage!