I have manually deobfuscated and narrowed down the JavaScript to one important function which uses a required decipherment method and all parameters are supplied. The important parameter does not seem to be what is computed elsewhere in the script since it would be different each time «cough» it was called. (Yes, did note the encoded hint.)
Before I begin trying to figure out how to brute-force decrypt this, since that really feels like the wrong path, am I simply not guessing the name of something correctly? I have tried using literal hinted key, decoded hinted key, variations on a name.
Trying not to spoiler here, but difficult to ask question.
Basically: given a reasonably deobfuscated and greatly simplified (by many chars) script, and honing in on the decryption… is the key in the script (obfuscated or not) or is it a matter of guessing/brute-forcing after researching what has been affected over the last ~month/~year/???
@f00l8r1t3 I let the script do the heavy job for me, I bruteforced it and maybe it wasn’t the right way, but I saw I could try where I should have failed.
I was hoping to be able to get a data set (e.g. JSON) of malicious npm packages or even all of them, but there doesn’t seem to be an obvious way to do that. (The npm registry deprecated an ‘/-/all’ endpoint a few years ago.)
Just found this, though:
Links to some metadata resources, perhaps better way than brute-forcing?
So I’ve found a password with a bruteforce tool but it doesn’t work anywhere… It only decrypts gibberish. I don’t know what to do now, but I think I’m really close.
I’m actually trying to write a custom bruteforce script with Node.js…
Are we supposed to find any “HTB{…}” formatted string somewhere? Or just add it around to validate?
Javascript always seemed confusing to me - and this is way over my head and not making any sense.
All I’ve been able to do is clean up the code lol. Tried to follow the hints here and do some extra research to learn how to do things, but this is too much lol, completely lost.
I’ve used jsbeautify but still limited to hex values and well overall just unsure on how to interact with the js code. The idea of brute forcing seems far off. Anyone have good resources to read up on/practice prior?
Resources to read have already been mentioned here; my post was also related to the real-world case.
Even if you don’t know JS well, you can always try some debugging; the script is obfuscated but that doesn’t mean it’s not working.
I’m currently stuck on the last step. I still have some things to do but I’m not sure I’m on the right path.
edit: found it! I was not validating the dict properly.
I deobfuscated the code, and executed it, but got just an array of bytes. I read about the backdoor discovered in the npm event-stream module (thank you @ue4dai), but still, I don’t understand how to solve this challenge. Any clues, hints?