ExploitedStream

@bipolarmorgan said:

@ysf why a dictionary?

Because a clue makes me think so :)

ok, sorry to bother you, was just trying to understand your thinking.

I can update, solved it: You definitely need a special dictionary!


I solved this via a dictionary/list as well. Was this the intended method?

I liked this challenge, finally forced me to learn some javascript.

This challenge is based on a real world case of a recently compromised npm package. And the technique used to solve this challenge is fairly similar to the first phase of the real one.
There is a very good youtube video about it that helped me find the correct approach.

Good one. Had to learn a few things about js and node. Used brute force for final step but that only took a few minutes.

Happy to help via PM if anyone is stuck.

As for me it was a little dumb task. Several strings for bruteforce and that’s it.

Did someone get it without brute?

I could use some help with the challenge. I can debug the script, I think I know where the different “outputs” are stored, but I can’t extract the text. Would anyone PM me so I could explain what I have done so far and what I am struggling against?
Thank you in advance.

EDIT: solved the challenge. Thanks to anyone who helped!

This challenge is really great, it forces you to do some research.

Deobfuscated the script and lost my mind… any clues?

It looks like you need to have a strong JS level to fix the bruteforce script as it is outdated.
Any other possibility to brute force? (I mean without a JS script) I have all the data needed (dictionary + cipher).

I just used a shell script and openssl, not [node]js, to bruteforce.

Solved it. I have to admit that I was trying to brute-force the key by means of using some well-known dates. Finally, I understood that it should be easier and just solved it without brute-forcing really.

As someone has already said, node.js is not necessary AT all to solve this challenge.

Hi guys! I need your help. What sw can I use to brute force? THX!

socialkas, you solved the challenge without brute-forcing. Can you tell me something about it, please?

@anguzmar said:

I liked this challenge, finally forced me to learn some javascript.

This challenge is based on a real world case of a recently compromised npm package. And the technique used to solve this challenge is fairly similar to the first phase of the real one.
There is a very good youtube video about it that helped me find the correct approach.

Exactly!! That is exactly where I based the challenge from! Glad you found the origin :)

This was a pretty cool challenge.
Hint: think outside the box and consider that sometimes we may leave notes to self :)

I have manually deobfuscated and narrowed down the javascript to one important function which uses a required decipherment method and all parameters are supplied. The important parameter does not seem to be what is computed elsewhere in the script since it would be different each time «cough» it was called. (Yes, did note the encoded hint.)

Before I begin trying to figure out how to brute-force decrypt this, since that really feels like the wrong path, am I simply not guessing the name of something correctly? I have tried using literal hinted key, decoded hinted key, variations on a name.

Trying not to spoiler here, but difficult to ask question.

Basically: given a reasonably deobfuscated and greatly simplified (by many chars) script, and honing in on the decryption… is the key in the script (obfuscated or not) or is it a matter of guessing/brute-forcing after researching what has been affected over the last ~month/~year/???

@f00l8r1t3 I let the script do the heavy job for me, I bruteforced it and maybe it wasn’t the right way, but I saw I could try where I should have failed.

I just solved the challenge by writing another JS script to bruteforce the pass, so if the key is in the initial file I didn’t get it.

I was hoping to be able to get a data set (ex. json) of malicious npm packages or even all of them, but there doesn’t seem to be an obvious way to do that. (The npm registry deprecated an ‘/-/all’ endpoint a few years ago.)

Just found this, though:

Links to some metadata resources, perhaps better way than brute-forcing?