The following solutions were part of the practice challenges for Reply Cyber Security Challenge. These were released on 18/09/2018, with the main event starting on 05/10/2018. I will eventually also release a write-up for the actual event.

WEB ONE: Stranger Code

In this challenge, we were presented with a zip file named “jsp4ck.zip”. Once unzipped, we can find two files:

blob.js & jsp4ck.html

We can open the HTML file in our browser to see:

A simple login form.

Let’s now take a look at the JS to try and find the password:

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('j l(s){m(!s)g\'\';d a=\'\';t(i=s.p-1;i>=0;i--){a+=s.Y(i)}g a};j h(){d a=\'\';d b="1e";b+="1b";b+="1a";b+="Z";b+="17";b+="N";b+="w";b+="w";b+="o";b+="18";b+="e";b+="19";b+="X";b+="r";b+="k";b+="k";b+="r";b+="A";b+="B";b+="o";b+="e";b+="C";b+="y";b+="e";b+="M";b+="J";b+="I";t(d i=0;i<b.p;i+=2){a+=G.F(E(b.H(i,2),16))}g a};j L(){d a=K D();a[14]=\'x\';a[3]=\'u\';a[11]=\'z\';a[0]=\'0\';a[4]=\'5\';a[15]=\'5\';a[7]=\'7\';a[1]=\'b\';a[13]=\'u\';a[8]=\'1\';a[12]=\'5\';a[2]=\'f\';a[6]=\'4\';a[10]=\'n\';a[5]=\'c\';a[9]=\'0\';d b=\'\';d c=v.q("1d").1c;c=l(c);m(c==a.R("")){b="Q! P h O: "+h()}S{b="T W :("}v.q("V").U=b};',62,77,'|||||||||||||var|74||return|flag||function|73|strrev|if||53|length|getElementById|31||for||document|6c||72|_|4f|6e|61|Array|parseInt|fromCharCode|String|substr|7d|64|new|magic|33|41|is|The|Congratulation|join|else|Try|innerHTML|result|again|4d|charAt|47||||||||3a|65|2e|4c|46|value|pw|7b'.split('|'),0,{}))

It looks like we’ve been given some heavily obfuscated JavaScript. We can use an online tool (such as jsnice.org) to help us understand the code.

I’m not going to dump the entire prettified code here, but there are two important functions that we can see; flag() and magic().

Let’s try running these two in the chrome console:

By doing this, we are given the flag: “{FLG:AllSet.M1ss1OnStart3d}”!