ExploitedStream

Hi guys! I need your help. What software can I use to brute force? Thanks!

@socialkas, you solved the challenge without brute-forcing. Can you tell me something about it? Please.

@anguzmar said:

I liked this challenge, finally forced me to learn some javascript.

This challenge is based on a real world case of a recently compromised npm package. And the technique used to solve this challenge is fairly similar to the first phase of the real one.
There is a very good youtube video about it that helped me find the correct approach.

Exactly!! That is exactly what I based the challenge on! Glad you found the origin :slight_smile:

This was a pretty cool challenge.
Hint: think outside the box and consider that sometimes we may leave notes to self :slight_smile:

I have manually deobfuscated and narrowed down the JavaScript to one important function, which uses a required decipherment method, and all parameters are supplied. The important parameter does not seem to be what is computed elsewhere in the script, since it would be different each time «cough» it was called. (Yes, I did note the encoded hint.)

Before I begin trying to figure out how to brute-force decrypt this, since that really feels like the wrong path: am I simply not guessing the name of something correctly? I have tried using the literal hinted key, the decoded hinted key, and variations on a name.

Trying not to spoil anything here, but it is difficult to ask the question.

Basically: given a reasonably deobfuscated and greatly simplified (by many characters) script, and homing in on the decryption... is the key in the script (obfuscated or not), or is it a matter of guessing/brute-forcing after researching what has been affected over the last ~month/~year/???

@f00l8r1t3 I let the script do the heavy work for me. I brute-forced it, and maybe it wasn't the right way, but I saw I could try where I should have failed.

I just solved the challenge by writing another JS script to brute-force the password, so if the key is in the initial file, I didn't get it.

I was hoping to be able to get a data set (e.g. JSON) of malicious npm packages, or even all of them, but there doesn't seem to be an obvious way to do that. (The npm registry deprecated the '/-/all' endpoint a few years ago.)

Just found this, though:

Links to some metadata resources; perhaps a better way than brute-forcing?

Oh! OK. Not sure why I thought brute-forcing would be so hard. Sheesh. Ignore my whinging here, then.

So I've found a password with a brute-force tool, but it doesn't work anywhere... It only decrypts to gibberish. I don't know what to do now, but I think I'm really close.

Can I PM someone, please? I can't say much here...

I'm actually trying to write a custom brute-force script with Node.js...
Are we supposed to find an "HTB{...}"-formatted string somewhere? Or just add it around the result to validate?

Finally figured it out; learned a lot of stuff.
It's all about deobfuscation.


Hi,

Can anyone help me here? I managed to de-obfuscate the script and know all the outputs, but I cannot find the flag. Thanks in advance.

Can anybody help with how to de-obfuscate the script and solve the challenge?


...I quit, lol.

JavaScript always seemed confusing to me, and this is way over my head and not making any sense.

All I've been able to do is clean up the code, lol. I tried to follow the hints here and do some extra research to learn how to do things, but this is too much, lol. Completely lost.

if using o**l you might need -m*_5 and -n

let 7h4t_d00d = ‘cmlnaHQ5Y3RybA==’

let d()][T_7RU5t _1N= 7h4t_d00d

I've used js-beautify, but I'm still limited to hex values, and overall I'm just unsure how to interact with the JS code. The idea of brute forcing seems far off. Does anyone have good resources to read up on or practice with beforehand?


@johnquadrino said:

I've used js-beautify, but I'm still limited to hex values, and overall I'm just unsure how to interact with the JS code. The idea of brute forcing seems far off. Does anyone have good resources to read up on or practice with beforehand?

The resources to read have already been mentioned here; my post was also related to the real-world case.
Even if you don't know JS well, you can always try some debugging. The script is obfuscated, but that doesn't mean it isn't working.
I'm currently stuck at the last step. I still have some things to do, but I'm not sure I'm on the right path.

Edit: found it! I was not validating the dict properly. :wink:

Is there anyone I can DM for some help with this challenge, please? I have a lot of the pieces; I just need some help pulling it together.

I deobfuscated the code and executed it, but got just an array of bytes. I read about the backdoor discovered in the npm event-stream module (thank you @ue4dai), but I still don't understand how to solve this challenge. Any clues or hints?