[TryHackMe] CyberHeroes

Pentester, CTF Player, Game Modder, Game Bug Hunter | CRTO

Just another JavaScript Credentials Leak Write-up.

Want to be a part of the elite club of CyberHeroes? Prove your merit by finding a way to log in!

CTF Link.

Footprinting

Open ports

Nmap scan:

$ sudo nmap -sS -Pn -v10 -oA syn_full 10.10.45.211
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 60
80/tcp open  http    syn-ack ttl 59
$ sudo nmap -v10 -sC -sV -p80 -oA nse 10.10.45.211
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 60 OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 ed:52:5a:8d:2e:a3:76:b3:13:0b:53:30:78:1d:91:61 (RSA)
| ssh-rsa [...]
|   256 2b:62:0e:ca:e1:be:f8:cc:e2:35:ef:5c:4e:cb:95:bf (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIc8gkSkjdJZ15xv1n0Rk7wEUcG7tFeHfNXgDxdiUfooYGbIFQYwWqa4ghhxdmGI00IkPtQj5E879/7JEwaMgjk=
|   256 91:5d:b2:3c:f8:cd:26:32:8d:28:b9:2b:53:86:94:1a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCuAk2NNN0DtSylh0JNKR5Vh9gFXiOua4dDYyULD/oH
80/tcp open  http    syn-ack ttl 59 Apache httpd 2.4.48 ((Ubuntu))
|_http-server-header: Apache/2.4.48 (Ubuntu)
| http-methods:
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-title: CyberHeros : Index
|_http-favicon: Unknown favicon MD5: 03983666D3C4B72ECAAB464BD200E6FA
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP

Login form

The website contains a login form:

>>>
GET /login.html HTTP/1.1
Host: 10.10.45.211

<<<
<form id="todel" class="">
  <div class="section-title">
    <h2>Login</h2>
    <h4>Show your hacking skills and login to became a CyberHero ! :D</h4>
  </div>
  <input type="text" id="uname" placeholder="username" />
  <input type="password" id="pass" placeholder="password" />
</form>
<button id="rm" onclick="authenticate()">login</button>

But no request shows up in Burp's HTTP history when credentials are submitted, so the check is happening entirely client-side and the login/password are likely hard-coded in the JavaScript. And indeed, the authenticate() function is declared in the response:

<script>
  function authenticate() {
    a = document.getElementById('uname')
    b = document.getElementById('pass')
    const RevereString = str => [...str].reverse().join('');
    if (a.value == "h[...]oi" & b.value == RevereString("54[...]uS")) {
      var xhttp = new XMLHttpRequest();
      xhttp.onreadystatechange = function() {
        if (this.readyState == 4 && this.status == 200) {
          document.getElementById("flag").innerHTML = this.responseText;
          document.getElementById("todel").innerHTML = "";
          document.getElementById("rm").remove();
        }
      };
      xhttp.open("GET", "RandomLo0o0o0o0o0o0o0o0o0o0gpath12345_Flag_" + a.value + "_" + b.value + ".txt", true);
      xhttp.send();
    } else {
      alert("Incorrect Password, try again.. you got this hacker !")
    }
  }
</script>

The username is h3[...]oi, and the password is Su[...]45, recovered by applying the same reversal the page ships:

$ const RevereString = str => [...str].reverse().join('');
$ RevereString("54[...]uS");
Su[...]45

The flag is revealed once logged in:

>>>
GET /RandomLo0o0o0o0o0o0o0o0o0o0gpath12345_Flag_h3[...]oi_Su[...]45.txt HTTP/1.1
Host: 10.10.45.211

<<<
Congrats Hacker, you made it !!
Go ahead and nail other challenges as well :D

    flag{ed[...]6e}

Well, I wasn't expecting the CTF to be that easy ^^

But I'm a Cyber Hero, that's fine.
