ExploitedStream

edited October 2019 in Challenges

Hello!
I have a very simple question: Do I need a dictionary to finish this challenge?
Or do I need to carefully read the challenge description?
Regards to all :)

If you need help with something, PM me how far you've got already and what you've tried. I won't respond to profile comments. And remember to +respect me if I helped you <3

Comments

  • I'm just wondering about your thought process on needing a dictionary @Kucharskov ? I haven't solved it, so I don't know, but I'm curious why you were thinking that.

  • ysfysf
    edited October 2019

    Actually, I tried several things with a very specific dictionary so far and did not receive anything printable yet. I still think that this should be how it's solved.

  • @bipolarmorgan said:

    @ysf why a dictionary?

    Because a clue makes me think so :)

  • ok, sorry to bother you, was just trying to understand your thinking.

  • I can update, solved it: You definitely need a special dictionary!

  • I solved this via a dictionary/list as well. Was this the intended method?

    snuggles

  • I liked this challenge, finally forced me to learn some javascript.

    This challenge is based on a real-world case of a recently compromised npm package. And the technique used to solve this challenge is fairly similar to the first phase of the real one.
    There is a very good YouTube video about it that helped me find the correct approach.

  • Good one. Had to learn a few things about js and node. Used brute force for final step but that only took a few minutes.

    Happy to help via PM if anyone is stuck.

  • As for me it was a little dumb task. Several strings for bruteforce and that's it.

    Did someone get it without brute?

  • edited October 2019

    I could use some help with the challenge. I can debug the script, I think I know where the different "outputs" are stored, but I can't extract the text. Would anyone PM me so I could explain what I have done so far and what I am struggling against?
    Thank you in advance.

    EDIT: solved the challenge. Thanks to anyone who helped!

  • This challenge is really great, it forces you to do some research.

  • Deobfuscated the script and lost my mind... any clues?

  • It looks like you need to have a strong JS level to fix the bruteforce script as it is outdated.
    Any other possibility to brute force? (I mean without a JS script) I have all the data needed (dictionary + cipher).

  • I just used a shell script and openssl, not [node]js, to bruteforce.

  • Solved it. I have to admit that I was trying to brute-force the key by means of using some well-known dates. Finally, I understood that it should be easier and just solved it without brute-forcing really.

    As someone has already said, node.js is not necessary AT all to solve this challenge.

    Sociaslkas

  • edited November 2019

    Hi guys! I need your help. What sw can I use to brute force? THX!

    socialkas, you solved the challenge without brute-forcing. Could you tell me something about it, please?

  • @anguzmar said:

    I liked this challenge, finally forced me to learn some javascript.

    This challenge is based on a real-world case of a recently compromised npm package. And the technique used to solve this challenge is fairly similar to the first phase of the real one.
    There is a very good YouTube video about it that helped me find the correct approach.

    Exactly!! That is exactly where I based the challenge from! Glad you found the origin :)

  • This was a pretty cool challenge.
    Hint: think outside the box and consider that sometimes we may leave notes to self :)

  • I have manually deobfuscated and narrowed down the javascript to one important function which uses a required decipherment method and all parameters are supplied. The important parameter does not seem to be what is computed elsewhere in the script since it would be different each time «cough» it was called. (Yes, did note the encoded hint.)

    Before I begin trying to figure out how to brute-force decrypt this, since that really feels like the wrong path, am I simply not guessing the name of something correctly? I have tried using literal hinted key, decoded hinted key, variations on a name.

    Trying not to spoiler here, but difficult to ask question.

    Basically: given a reasonably deobfuscated and greatly simplified (by many chars) script, and honing in on the decryption... is the key in the script (obfuscated or not) or is it a matter of guessing/brute-forcing after researching what has been affected over the last ~month/~year/???

  • edited December 2019

    @f00l8r1t3 I let the script do the heavy job for me, I bruteforced it and maybe it wasn't the right way, but I saw I could try where I should have failed.

  • I just solved the challenge by writing another JS script to bruteforce the pass, so if the key is in the initial file I didn't get it.

    amra13579l

  • edited December 2019

    I was hoping to be able to get a data set (ex. json) of malicious npm packages or even all of them, but there doesn't seem to be an obvious way to do that. (The npm registry deprecated an '/-/all' endpoint a few years ago.)

    Just found this, though:
    https://medium.com/@hkparker/analysis-of-a-supply-chain-attack-2bd8fa8286ac

    Links to some metadata resources, perhaps better way than brute-forcing?

  • Oh! Ok. Not sure why I thought that brute-forcing would be so hard. Sheesh. Ignore my whinging here then.

  • edited December 2019

    So I've found a password with a bruteforce tool but it doesn't work anywhere... It only decrypts gibberish. I don't know what to do now but I think I'm really close.

    Can I PM someone pls? Can't say much here...

  • I'm actually trying to write a custom bruteforce script with NodeJs...
    Are we supposed to find any "HTB{...}" formatted string somewhere? Or just add it around to validate?

  • Finally figured it out, learned a lot of stuff.
    It's all about deobfuscation.

    Jugulairel

  • Hi,

    Can anyone help me here? I managed to de-obfuscate the script and know all the outputs but cannot find the flag. Thanks in advance.

  • Can anybody help with how to de-obfuscate the script and solve the challenge?

  • ....I quit lol

    JavaScript always seemed confusing to me - and this is way over my head and not making any sense.

    All I've been able to do is clean up the code lol. Tried to follow the hints here and do some extra research to learn how to do things - but this is too much lol, completely lost.