I have a problem with the last question of the skill assessment.
I reversed the code to a readable and short version and I do input sanitization and all, something like this:
// my clean code here
<SNIP>
// validation
if (inputs_are_ok) {
  check();
}
From the validator script I get the message that my code is not working because it is not calling the check method. But why should I call the check method if the input is bad? I would really like to get a nudge here.
Or maybe this has something to do with the second hint:
Note 2: Remember, it’s ok for passwords to have special characters, right?!
I unpacked the code and made it readable as well (deobfuscate.io and jsnice), but when I run it through the web checker it throws an error saying I should be able to run the script with “node vuln.js”, even though I run it through the terminal with the same command.
When I upload the ‘check.js’ with a few IP regex validations, it says that I should also call the check method.
It took me a couple of days busting my head against the wall, but I finally did it.
For people who got stuck like me… a couple of hints:
Unpack the script and reverse it to a really small size. After you understand what it’s doing, try running it and test it with a couple of arguments to see its behavior.
Don’t try to create functions, use the built-in ones from JavaScript.
Don’t validate, just sanitize.
Try escaping from what you don’t want; and
Regular Expressions are your friends
Don’t focus on the format but on the characters you need each time you run the script.
You can test a couple of different regex patterns in https://regexr.com/ to check if it’s getting what you want;
And it’s really one of those never-give-up things.
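The two strategies the hints above contrast, validating versus sanitizing, side by side in a small Node script. This is an added illustration, not the assessment's own vuln.js or check.js: the check() stand-in, the assumption that the value ends up in a shell command (hence single-quote escaping), and the IPv4 pattern are my assumptions about the shape of the exercise, not facts from the thread.

```javascript
// Added example, not code from the HTB assessment. It shows why a validator
// that rejects input never reaches check(), while a sanitizer that escapes
// special characters keeps every input usable and always reaches check().

// Stand-in for the assessment's check() (assumption): records what it was
// handed so the caller can see whether, and with what, it was invoked.
function check(arg) {
  return { called: true, arg };
}

// Validation: a strict IPv4 dotted-quad test. Useful when the input really
// must be an IP address, useless for a field such as a password that is
// allowed to contain any character.
function isIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  return m !== null && m.slice(1).every(o => Number(o) <= 255);
}

// Sanitization for a shell sink (assumed sink): wrap the value in single
// quotes and rewrite each embedded single quote as '\''. Every character
// survives, but none of them is interpreted by the shell, so a password
// with special characters is kept intact instead of being rejected.
function quoteForShell(arg) {
  return "'" + String(arg).replace(/'/g, "'\\''") + "'";
}

// Approach 1: validate, then call check() only on success. On any input
// the validator dislikes, check() is never reached, which is exactly what
// the web checker complains about.
function validateThenCheck(input) {
  if (!isIPv4(input)) {
    return { called: false, reason: 'rejected by validator' };
  }
  return check(input);
}

// Approach 2: sanitize, then always call check() with the neutralised value.
function sanitizeThenCheck(input) {
  return check(quoteForShell(input));
}

// Stand-alone demonstration with `node <this file>`; inputs are constructed.
if (typeof require !== 'undefined' && require.main === module) {
  for (const input of ['10.0.0.1', "p@ss'w0rd!", 'name; other']) {
    console.log(JSON.stringify({
      input,
      validate: validateThenCheck(input),
      sanitize: sanitizeThenCheck(input),
    }));
  }
}
```

Running it shows the point of Note 2: the password-like input is refused by the IPv4 validator and never reaches check(), while the sanitizer hands check() the same characters in a form the shell will not interpret. The escaping rule has to match the sink; single-quote wrapping is right for a POSIX shell, but a regex, HTML or SQL sink each needs its own escape set.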
Hello guys, I am a bug bounty hunter (novice); I have gotten some bounties, but sadly they have not been enough to help me subscribe to Hack The Box. Is there anyone generous enough to help me with the subscription? I know everyone’s got their own problems, but I would really appreciate this help, as I no longer want to be a noob in the bug hunting community.
If anyone can help me out, I would send my htb login details so you can help me directly subscribe.