Secure Coding 101: Skill Assessment

I have a problem with the last question of the skill assessment.
I reversed the code to a readable and short version and I do input sanitation and all, like something like this:

// my clean code here
<SNIP>

// validation 
if(inputs_are_ok) {
     check()
}

From the validator script I get the message that my code is not working because it is not calling the check method. But why should I call the check method if the input is bad? I would really like to get a nudge here.

Or maybe this has something to do with the second hint:

Note 2: Remember, it’s ok for passwords to have special characters, right?!

Thanks for any help!

Solved it: But really this second hint is of no help at all. Well, I guess it’s just a never give up and try a lot of seemingly unrelated ideas 🙂

Hi @discovolante,

I have the same problem, can you give me a hint how you did it?

Thanks,
Toubster

Any hints?

I’ve been busting my ■■■■■ off…

I unpacked the code and made it readable as well (deobfuscate.io and jsnice), but when I run it through the web checker it throws an error saying I should be able to run the script with “node vuln.js” even though I run it through the terminal with the same command.

When I upload the ‘check.js’ with a few IP regex validations it says that I should also call the check method.

It took me a couple of days busting my head against the wall, but finally did it.
For people who got stuck like me… a couple of hints:

  1. Unpack the script and reverse it to a really small size. After you understand what it’s doing, try running it and test it with a couple of arguments to see its behavior.
  2. Don’t try to create functions, use the built-in ones from JavaScript.
  3. Don’t validate, just sanitize.
  4. Try escaping from what you don’t want; and
  5. Regular Expressions are your friends

Don’t focus on format but the characters you need in each time you are running the script.
You can test a couple of different regex patterns in https://regexr.com/ to check if it’s getting what you want;
And it’s really one of those never give up

Have fun!!!

Hello guys, I am a bug bounty hunter (novice) gotten some bounties but sadly they have not been enough to help subscribe on hackthebox. Is there anyone with a generous to help me with the subscription. I know everyone’s got their own problems, but I would really appreciate this help as I no longer want to be a Noob in the bug hunting community.

If anyone can help me out, I would send my htb login details so you can help me directly subscribe.

Thanks ahead,
Wilson.

Hi there,

Did somebody solve the “/Reverse” thing (4th question)?

I did, if you still need some help

Would be great to get a nudge, thank you!

There’s two exercises where I am stuck.

Secure Coding: Proof of Concept

I am trying to solve the extra exercise (“If you wanted to take it a step further…”).

First, I was trying to replace the MD5 function by a local implementation, but that didn’t help. Next, I tried to concentrate on a Type Manipulation vulnerability because the code is using “==” instead of “===”. But don’t know how to exploit that.

Any ideas?

Skills Assessment

I was able to solve all the exercises except for the following one:

On ‘/Reverse’ you will find an obfuscated JavaScript code, but it appears to be broken, and doesn’t return the flag! Try to reverse it to understand how it should be working, and fix it to get the flag.

I was able to run the code in Codium and could finally set a breakpoint on the flag() function. But when stepping over the code, the “flag” variable is set to NaN (Not a Number). Looks like I didn’t correctly reverse the code.

Did you run into similar problems?

Thanks for support!

The proof of concept doesn’t have any question?

The reverse is actually simple when you get it. The first problem is with the variable used with the array. The rest is all within the flag function.

Did you get the last question with the code to fix?

Yeah, I got the last one (“/Patch”). If you’re stuck, I can help you.

Could you give me a hint about where to start?

I feel like I went the wrong way from the beginning.

Btw, if you need more hints for the 4th question I can get you that

OK, then let’s start with helping you first.

If you js-beautify/jsconsole the downloaded vuln.js script, copy & paste it into Codium. There’s a base64-encoded array with 21 elements. Decrypt these elements, then analyze the custom indexing function (function(_0x45ce4c, _0x39eef9)). It uses offset 0xab (=171), so the formula to access entry i is (171+i) mod 21. You can then easily resolve the references to the array 0x581cd9 at the end of the code (take into account that array indexes are zero-based, i.e. when looking at entry #13, you need to select entry #14 which is "argv " e.g.).

Now that you understand what the code is doing, you can run it:
kali@kali:~/patch/vuln$ node vuln.js 127.0.0.1 foo

Check why it is vulnerable, rewrite and upload the code to get the flag.

If you have further questions, just let me know.

I am busy on work this week, will come back regarding /Reverse to you later.

1 Like
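
The lookup described in the post above, as an added example that is not part of the thread and not the module's vuln.js: it resolves entries of a constructed 21-entry base64 table with the (171 + i) mod 21 formula and rewrites accessor calls into plain string literals. The table contents, the accessor name _0xdemo and the push/shift rotation loop are assumptions made for illustration.

```javascript
// Added example with constructed data; not the module's vuln.js.
const OFFSET = 0xab; // 171, the offset quoted in the post

// Constructed 21-entry string table (assumption), stored base64-encoded
// in the same way the post describes the real one.
const PLAIN = [
  'argv', 'length', 'log', 'exit', 'process', 'slice', 'split',
  'join', 'test', 'replace', 'match', 'toString', 'concat', 'push',
  'shift', 'indexOf', 'trim', 'map', 'filter', 'keys', 'error',
];
const ENCODED = PLAIN.map((s) => Buffer.from(s, 'utf8').toString('base64'));

const decode = (b64) => Buffer.from(b64, 'base64').toString('utf8');

// Static lookup: entry i as the script sees it is stored entry
// (171 + i) mod 21, so no code from the sample has to be executed.
function resolve(i) {
  return decode(ENCODED[(OFFSET + i) % ENCODED.length]);
}

// Cross-check: the same table produced by actually rotating it, assuming
// the rotation is a push(shift()) loop that runs OFFSET times.
function rotated() {
  const copy = ENCODED.slice();
  for (let n = 0; n < OFFSET; n++) copy.push(copy.shift());
  return copy.map(decode);
}

// Replace every accessor call such as _0xdemo('0x12') with the string
// it resolves to, which makes the remaining code readable.
function inlineStrings(source, accessor) {
  const call = new RegExp(accessor + "\\('(0x[0-9a-f]+)'\\)", 'gi');
  return source.replace(call, (_, hex) =>
    JSON.stringify(resolve(parseInt(hex, 16))));
}

// Constructed one-line sample in the obfuscated style.
const SAMPLE =
  "console[_0xdemo('0x14')](process[_0xdemo('0x12')][_0xdemo('0x13')]);";

console.log(inlineStrings(SAMPLE, '_0xdemo'));
```
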

I have completed the module, if anyone needs help, I can provide some.
Don’t hesitate to DM me on Discord (Vaniicx).

Vx