Deobfuscation & Decode

Beautify

For example, if we are using Firefox, we can open the browser debugger with [ CTRL+SHIFT+Z ] and then click on our script secret.js. This shows the script in its original formatting, but we can click on the '{ }' button at the bottom, which will Pretty Print the script into proper JavaScript formatting.

Furthermore, we can utilize many online tools or code editor plugins, like Prettier or Beautifier. Let us copy the secret.js script:

Code: javascript

eval(function (p, a, c, k, e, d) { e = function (c) { return c.toString(36) }; if (!''.replace(/^/, String)) { while (c--) { d[c.toString(a)] = k[c] || c.toString(a) } k = [function (e) { return d[e] }]; e = function () { return '\\w+' }; c = 1 }; while (c--) { if (k[c]) { p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]) } } return p }('g 4(){0 5="6{7!}";0 1=8 a();0 2="/9.c";1.d("e",2,f);1.b(3)}', 17, 17, 'var|xhr|url|null|generateSerial|flag|HTB|flag|new|serial|XMLHttpRequest|send|php|open|POST|true|function'.split('|'), 0, {}))

We can see that both websites do a good job of formatting the code.

We can find many good online tools to deobfuscate JavaScript code and turn it into something we can understand. One good tool is UnPacker. Let's try copying our obfuscated code above and running it in UnPacker by clicking the UnPack button.

Tip: Ensure you do not leave any empty lines before the script, as it may affect the deobfuscation process and give inaccurate results.
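
What an unpacker does with this script can also be reproduced offline without executing it. The following is an added example, not code from the original page or from the UnPacker tool: it reads the arguments of the packed call and performs the dictionary substitution statically. The names unpack, PACKED_CALL and SECRET_JS are chosen here, and only radixes up to 36 are handled.

```javascript
// Added example: static unpacker for eval(function(p,a,c,k,e,d){...}) scripts.
// It rebuilds the source by dictionary substitution and never calls eval().
const PACKED_CALL =
  /\}\('((?:\\.|[^'\\])*)',\s*(\d+),\s*(\d+),\s*'((?:\\.|[^'\\])*)'\.split\('\|'\)/;

function unpack(packedSource) {
  const m = PACKED_CALL.exec(packedSource);
  if (!m) throw new Error('not a p,a,c,k,e,d packed script');
  const radix = Number(m[2]);
  const count = Number(m[3]);
  // Larger radixes use a different token alphabet that is not handled here.
  if (radix < 2 || radix > 36) throw new Error('unsupported radix ' + radix);
  // Undo the \' and \\ escaping of the single-quoted payload literal.
  const payload = m[1].replace(/\\(['\\])/g, '$1');
  const words = m[4].split('|');
  // Token i.toString(radix) stands for words[i]; an empty slot keeps the token.
  const table = new Map();
  for (let i = 0; i < count; i++) {
    const token = i.toString(radix);
    table.set(token, words[i] || token);
  }
  return payload.replace(/\b\w+\b/g, (t) => (table.has(t) ? table.get(t) : t));
}

// The packed secret.js from this page, held as inert text (String.raw keeps
// its backslashes exactly as written).
const SECRET_JS = String.raw`eval(function (p, a, c, k, e, d) { e = function (c) { return c.toString(36) }; if (!''.replace(/^/, String)) { while (c--) { d[c.toString(a)] = k[c] || c.toString(a) } k = [function (e) { return d[e] }]; e = function () { return '\\w+' }; c = 1 }; while (c--) { if (k[c]) { p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]) } } return p }('g 4(){0 5="6{7!}";0 1=8 a();0 2="/9.c";1.d("e",2,f);1.b(3)}', 17, 17, 'var|xhr|url|null|generateSerial|flag|HTB|flag|new|serial|XMLHttpRequest|send|php|open|POST|true|function'.split('|'), 0, {}))`;

// Print the recovered source so it can be pasted into a beautifier.
console.log(unpack(SECRET_JS));
```

The recovered function is still on a single line, so it can be pasted into Prettier or the browser's Pretty Print for reading.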

POST Request

To send a POST request, we add the -X POST flag to our command:

eldeim@htb[/htb]$ curl -s http://SERVER_IP:PORT/ -X POST

Tip: We add the "-s" flag to reduce cluttering the response with unnecessary data.

However, a POST request usually contains POST data. To send data, we can use the -d "param1=sample" flag and include our data for each parameter, as follows:

eldeim@htb[/htb]$ curl -s http://SERVER_IP:PORT/ -X POST -d "param1=sample"

Now that we know how to use cURL to send basic POST requests, in the next section, we will utilize this to replicate what server.js is doing to understand its purpose better.

Base64 Encode

eldeim@htb[/htb]$ echo https://www.hackthebox.eu/ | base64

aHR0cHM6Ly93d3cuaGFja3RoZWJveC5ldS8K

Base64 Decode

eldeim@htb[/htb]$ echo aHR0cHM6Ly93d3cuaGFja3RoZWJveC5ldS8K | base64 -d

https://www.hackthebox.eu/

Hex Encode

eldeim@htb[/htb]$ echo https://www.hackthebox.eu/ | xxd -p

68747470733a2f2f7777772e6861636b746865626f782e65752f0a

Hex Decode

eldeim@htb[/htb]$ echo 68747470733a2f2f7777772e6861636b746865626f782e65752f0a | xxd -p -r

https://www.hackthebox.eu/

Rot13 Encode

eldeim@htb[/htb]$ echo https://www.hackthebox.eu/ | tr 'A-Za-z' 'N-ZA-Mn-za-m'

uggcf://jjj.unpxgurobk.rh/

Rot13 Decode

eldeim@htb[/htb]$ echo uggcf://jjj.unpxgurobk.rh/ | tr 'A-Za-z' 'N-ZA-Mn-za-m'

https://www.hackthebox.eu/
