
The Flag Within

Solution author: https://twitter.com/1337Moldova

Description: Analyze the obfuscated JavaScript file and extract the flag. Flag looks like: 1337.MD{something_random_or_not}

The obfuscated JS code doesn't seem to contain anything related to the flag.

First, running the code through a JavaScript beautifier may help, but be careful: beautifiers sometimes strip important variables or function calls. Treat the beautified output as a quick look at what a script may or may not do.

The beautified output shows some interesting keywords, such as console and String['fromCharCode']. As mentioned above, this beautifier stripped an important detail:

var _0x4a67=['WOZhE','log'];

With this array, we can see that _0x314c('0x1') resolves to _0x4a67[1], that is, log. This means the obfuscated script prints something to the browser console. However, copy-pasting the script into the browser inside a VM and executing it displayed nothing. The reason is that the program has no entry point.

Let's add an entry point by calling _0x311fb5(), the function that contains the console.log(...) call.

Here we go, the flag is ours: 1337.MD{obfuscation_rocks}
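
The two observations above (the string-table lookup and the missing entry point) can also be made statically, without executing the script. The following is an added example, not code from the challenge or the solution author: the sample is constructed, the helper names are hypothetical, and it assumes the accessor _0x314c is a plain hex-index lookup into _0x4a67 with no array rotation or string encoding.

```javascript
// Constructed sample: identifiers come from the write-up, the function body does not.
const sample = [
  "var _0x4a67=['WOZhE','log'];",
  "var _0x314c=function(i){return _0x4a67[i-0x0];};", // assumed plain index lookup
  "function _0x311fb5(){console[_0x314c('0x1')](String['fromCharCode'](0x68,0x69));}",
].join('\n');

const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Parse the string table declaration, e.g. var _0x4a67=['WOZhE','log'];
function extractStringArray(source) {
  const m = /var\s+(_0x[0-9a-f]+)\s*=\s*\[([^\]]*)\]/.exec(source);
  if (!m) return null;
  const items = [...m[2].matchAll(/'((?:[^'\\]|\\.)*)'/g)].map((x) => x[1]);
  return { name: m[1], items };
}

// Replace accessor('0xN') calls with the literal they index, without running anything.
function resolveLookups(source, accessor) {
  const table = extractStringArray(source);
  if (!table) return source;
  const call = new RegExp(esc(accessor) + "\\('(0x[0-9a-f]+)'\\)", 'gi');
  return source.replace(call, (whole, hex) => {
    const idx = parseInt(hex, 16);
    return idx < table.items.length ? `'${table.items[idx]}'` : whole;
  });
}

// Named functions that are declared but never invoked: candidates for the missing entry point.
function uncalledFunctions(source) {
  const declared = [...source.matchAll(/function\s+(\w+)\s*\(/g)].map((x) => x[1]);
  return declared.filter((name) => {
    const use = new RegExp('(?<!function\\s)\\b' + esc(name) + '\\s*\\(');
    return !use.test(source);
  });
}

console.log(resolveLookups(sample, '_0x314c').split('\n')[2]);
console.log('never called:', uncalledFunctions(sample));
```

Working on the original, un-beautified source avoids the stripped-declaration problem described above, since the string table is read directly from the file.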