Nested JavaScript Obfuscation - GuidePoint Security CTF Challenge

Captions
hello everyone my name is john hammond welcome back another youtube video and in this video we're going to be taking a look at the last challenge that we've got on the november 16th rendition of the guidepoint security ctf the capture the flag competition that went on this past week so i am connected to their vpn i am logged in on the scoreboard at 10 10 100 100 and i can hop on over to the challenges page here we finished the jeffrey box and we finished the bell box so all we have left is this 500 point challenge challenge in the challenge category nice it says ready for a challenge this one doesn't have a walkthrough and we are given a downloadable file so i'll copy the link location and then hop on over to my terminal where i've already created a challenge directory for this challenge and i can wget this down so uh it whines about a certificate so let's go ahead and supply that argument that it specifies no check certificate and then we can download this it downloads it with the token here so it looks kind of messy i'm going to go ahead and move that challenge and rename it to just simply challenge.zip as the file name should originally be and of course it is a zip archive indicated by the file extension and we can just check it with file to see those file signatures let's go ahead and extract this i'm going to run unzip on this challenge and now we're given a spot flag129833.js file this is present here in our current directory so i will open this up in a text editor and it looks like it takes a little bit of time to load we have this thing which is a variable being defined and a lot of hexadecimal character is kind of encoded in a string here and i'm scrolling with my horizontal scroll bar and this is absolutely ginormous right you can see there is a lot of stuff here so this seems to be obfuscated javascript we can try and de-obfuscate it with an online tool so let me hop over to our web browser and i'll clear out all the stuff from the previous video there 
we go and now let's look up how we can de-obfuscate javascript in google right so we have jsnice which will work for us and let's try that looks like that failed actually weird i'm not running a proxy or anything i guess we'll just totally ignore that then let's go on to this de-obfuscate javascript and we'll paste this in this will take a long time to de-obfuscate it actually is already slowing down our browser if i try and click that de-obfuscate button it finally gets it but the problem here is that this whole file is like la tech ah this whole file is literally three megabytes so even that jsnice location would yell at us because like hey we can't process a file over two megabytes in size so this one de-obfuscate javascript.com does actually behave but it gets a lot of output so we're gonna have to copy this in to a file that i'll go ahead and call deobfuscated.js for javascript now i'll paste all this in and we can start to examine what this does looks like it creates a var ws652 and that's creating a new object or an activex object that allows us to use wscript.shell that's kind of peculiar because that language an activex object isn't really pertinent to javascript as we traditionally know it in the realm of client-side code that can run in your browser actually activex object and using the wscript.shell component there is native to jscript or kind of the microsoft and the windows dialect rendition of javascript interesting and peculiar maybe we're probably looking at some sort of code that will run commands or do things specific to a windows target then we create this var 0x683c or 638c and that has a lot more of hex encoded stuff as a string and apparently this de-obfuscator didn't do a very good job of actually de-obfuscating this because this still seems really messy and hard to understand with the random variable names and all but um it we have this function it looks like that's being created in line and passed and called with all these arguments 
stuff into an eval so that's interesting to me because the eval command is going to try and execute code that's passed into it as if it were a string or let me reword that it will take a parameter it'll take an argument and that may often times be a string and it will interpret that string as code and execute it or evaluate it right eval so that tells me and it can tell us kind of as analysts that what is being passed into this function is going to be something that is more code so if we're trying to understand this if we're just trying to know what it does and figure out what's happening behind this layer of obfuscation we just want to see what that code is so rather than actually executing it and like letting this potential malware or badness kick off right we can display out what it's doing so i can change this eval to a console.log function and now we can just try and tell the javascript like interpreter right whatever we toss this into our web browser maybe just throw it into development tools see if it handles it well or we could give it to node or node.js that server side kind of run time environment for running javascript code so let me go ahead and try that i'll just simply have node.js which i have installed and can by default give you a little interpreter but we'll pass a file as an argument here we'll use node.js on our de-obfuscated script here now if i run this it immediately whines and complains it gets an error because this activex object is not defined remember what i was saying this activex object is pertinent and kind of more necessary in the realm of windows when we're running jscript that means that node.js over here on our linux side doesn't know what that is and it won't understand it so we can try to temporarily remove it in fact just to do a simple sanity check let's take a look and see if this ws 652 variable is used anywhere else in the code i'm just going to control f for that variable name and it only has one match that is actually all 
that it's ever used it just simply defines this object so if it's completely not needed and our little console.log and trying to understand the rest of the code we'll run it just fine let's kind of comment it out maybe the code that comes from this obfuscation technique will end up using it but we'll be able to see that in the future layers that we peel back so now let's try to run our node de-obfuscated js one more time and that had console.log outed again apparently or i mean we've run that and we got all of this noise and nonsense which looks very very similar to the obfuscation that we had just seen originally this is a lot of output and let's redirect this to like 0 0 ran dot j s or something and i'll move that so you can see i'm just redirecting with the greater than symbol there now let's go ahead and examine what that file looks like ah we could try and de-obfuscate this if we wanted to we could pass it to the exact same web page and let's let's do that just for the sake of our learning i suppose but this looks pretty much like the same syntax at least the function a b c d e f g and the eval kind of as we had seen before so if i were to let this de-obfuscate it really isn't doing anything else interesting here i am noticing though that it's creating this var ws random number string object one more time with this wscript.shell activex object again let's look for this variable and it's still not being used in the rest of this strange obfuscation here we can see all the way at the very very end of this too that we are again calling an eval based off of a specific function so let's use the same technique one more time let's change this eval to a console.log so we can see what code it's trying to execute and as you've seen now we're actually just getting another abstracted layer of the code and it's slowly peeling off the layers of this onion let's see what comes from this layer well node.js 00 ran and again we have to remove that activex object so let's comment 
that out and let's run our code more output with the exact same kind of functionality here or the exact same trick or gimmick being abused let's redirect this one more time to a zero one dot ran and let's see what we've got here i'll open that up once again new ws object with this activex object wscript.shell that is not in use and another var and another eval function okay i think we have determined that there is a pattern here what we can do is we can try and loop this because we don't know how far down the rabbit hole this goes we've still got a lot of seemingly strange and random hexadecimal characters that are being passed in as a string here and we keep seeing this eval little matryoshka doll i don't know how to say that i always get that wrong and the internet yells at me but uh this technique with a ws object being created still keeps getting in the way and we're gonna have to remove it so let's try and write a script that will be able to loop through all of this and funnel down or drill down until we get more code that's better than this eval function or how far deep or how many layers do we have to work through so let's do that i'm going to create a simple bash script i'll call this like unravel.sh and let's use the proper shebang line for bin bash trying to type and let's actually supply it as an argument so we can supply the file name right as sort of a parameter to our script let's just test if the supplied argument or dollar sign one and again noting as a string with double quotes there if it's equal to an empty string then we obviously haven't supplied it so let's go ahead and echo the like usage can be our unravel.sh script taking the replace with the dollar sign and then like the file right so after that we can simply exit um let's verify that this will work with the little chmod plus x on our unravel script and dot slash it now we need to supply the file okay so let's pass in the de-obfuscated script but our code doesn't know what to do with it 
because we haven't written that yet so let's go start to build out the functionality of what this script will do we know that inside of our de-obfuscated.js file we have this potential ws652 notion and that is creating this activex object that does not exist when nodejs tries to run it we're also seeing that at every single layer of this obfuscation so we're going to have to remove that let's go ahead and do that let's just check first of all if this is a like new layer of code that we want to try and de-obfuscate by the presence of that eval function because after all that's really what we changed here when we tried to run this so let's simply cat out the file and let's let's kind of create a file variable for it let's say file can equal the value of the argument we supply and let's cat out the file and grep for that eval command let's redirect that output to dev null so we don't have to see it i just want to do this so i can logically test if that grep returned something the way i'm going to check for that is by using the like return code and we can access that as a variable right let's say a dollar sign question mark if that's equal to a zero then that means it did actually find it and had a successful return code then we'll do a little check here echo like we have a new layer how about that let's test it and run it and that condition works just fine so now that we know that that's a layer that we want to work with let's try to remove the portion that we know is bad or that activex object in the w script so we should probably do that in a temporary file though we should probably do that and if we know we're going to be looping through this we're going to make the changes to a new file every single time so let's just copy the current file to like a temp one and then we could again proof of concept just cat it out there we go there's all the nonsense now let's try and remove this ws variable that's created and we know that it's going to go through a specific 
pattern when we've looked through all the other layers manually it's ws some sort of digits that's creating a new activex object interestingly that's the first line that we see every single time so let's use sed in this case let's use sed to substitute and replace this activex object ws script.shell semicolon noting the very end of that kind of command there and take it from the very very start of the string we'll go with every single character that matches up until we see this activex object dot shell and then we'll replace it with nothing that way we know that we're removing it that's what this forward slash here is denoting what we can replace it with nice and easy right so now that will return out on standard output let's go ahead and see that here and i'm going to pipe this into head just so i can see the very very top of it and because there are so many lines it's not going to work well for me so i'll pipe that into less now that top line is completely removed i used it with this activex object wscript.shell up to the semicolon purposefully because when we got into these other obfuscation layers remember we saw each of those with this var ws object with a random number all on a new line it was all compressed onto one line so i wouldn't be able to delimit with a new line character i'm going to have to trust that the semicolon will be all that we need so now that we've removed that we want to change that eval that we used to see into a console.log so we can get the next layer of obfuscation let's do that again with sed we can use sed -i to do that in place on the temporary file and we can also supply i believe just another substitution that we might want to change so let's replace the eval with a console.log let's actually not use -i to start with because i want to see if we'll get that output the way that we should see it and let's unravel this here and pipe the output so we can examine it i'll scroll down to the very very bottom okay and our eval has 
not yet taken place so let's modify this let's take the sed output of the original one where we remove it and then pipe it into sed and then do our replace that makes a little bit more sense to me and now that output will be redirected to the next iteration that we want to use so let's start to keep track of like an iterator let's do iterator equals zero and then new file can equal the iterator and i'm using the dollar sign in curly braces here to note it because i want to get just another dollar sign variable in there iterator and the original file there we go so now let's copy new file to temp and set this iterator to a new value after we've redirected into this new file that we've created new file now we want to actually increment our iterator so i'll do that with let so i can actually use math in bash let's let our iterator equal the value of iterator plus one and we can't have any spaces because bash is going to tokenize it and it's going to be a little bit sensitive now we'll want to change our file variable to equal the new iterator with that file prefix in there so let's try and change that up let's say file equals the value of new file now when we go through this um i don't think i'm doing a very good job of cleaning this variable actually because um file will equal the obfuscated and the new file will equal zero underscore the obfuscated we'll do the change and replace and then we'll reset file to the value of new file now when we go back to loop through this again once we add in our loop we'll have new file equals one underscore zero underscore de-obfuscated so we're gonna be ending up accidentally staging but i i don't care i think i'm cool with that i just wanna be able to see it build out all the different and peel back all the layers of this so now that we've made that change then we can redirect it into the value of the new file we've created that new file we're iterating and incrementing and we are resetting our loop so let's not loop this just 
yet let's see if this proof of concept will work let's echo out like iterator iterator with new file being the value of new file there we go now let's run this just once iterator zero with new file creating zero de-obfuscated js do we have 0 de-obfuscated js we do good now this is the obfuscated rendition though and we need to actually pass that to nodejs so we can get the next layer so maybe our logic isn't quite right just yet we're copying this file to a temporary file and then we're outputting it from temp and redirecting it into this thing so let's make this operate off of the original file right and let's make this re-direct into temp so then we can run node.js on temp and redirect that output to the new file does that make sense let's try it let's see if it'll work let's unravel this de-obfuscated process that worked now de-obfuscated has the original value in here but temp has the modified rendition of it with the w script activex object removed and eval replaced with console.log now we ran that with node.js and saved the output into zero de-obfuscated and there we go now we have the next layer and our loop will begin to process that now that we have that decent proof of concept all we need to do is loop this so let's go back to our unravel script and check if we see eval which is kind of the the notion that we've been doing beforehand if we see eval in the file that we're working on we'll do this loop if not we'll fail or break out of our loop so let's add an else statement here and let's just add a break because we didn't see eval in the script and then let's make this a while loop with while true and now let's do and done and let's indent all of this code here okay so now let's try and unravel our de-obfuscated script and let's see how many layers we go down one two three four five six seven and then it breaks okay so we went down the rabbit hole and you can see it has that weird funky appending uh number that i tried to tell you about but if we check out 
this final script what do we have here ooh var vars equals all this and that looks like something new so let's go use our de-obfuscate javascript page and de-obfuscate this de-obfuscate please that's not seemingly doing anything can i run this please okay can i like beautify this beautify javascript just so it's a little bit easier to read online javascript beautifier paste that in beautify code and now we've got this okay so subtle like final.js and what are we looking at here we have var vars set to seemingly a base64 string and we have a dl function var b is set to ip addresses and then some weird number here and then we split on it uh by every single space character okay that's the delimiter and then for i is iterating through each object of b well then we go do ahead we do go ahead and use wscript.shell we create an environment variable with a oh no no we grab an environment variable and add in a random exe name okay so we're probably setting that to fn like a file name dn might be zero for like downloading maybe activex object okay so it is going to download from one of the ip addresses with some specific variable key that might be like something that it's using to keep track of the the client and getting the fr what is fr set to where is fr oh oh that's the that's the string argument passed into it nice okay so this must be downloading specific files from these i guess command and control servers but we have two ip addresses here but this other one is really weird and i have no idea what this is is this just like regular decimal let's try and get into bpython so i'm going to use bpython so i can do a from Crypto.Util.number import long_to_bytes and i'm going to use long_to_bytes as if it's a decimal string that's actually representing some other data so let's use long_to_bytes and i'll call it l2b just so i don't have to type that all over and over again let's run l2b with this giant number string in there and let's see what this returns nothing good 
i can't read any of that that's not our flag that's not really intelligible that's not human readable okay so what else could this be it's not a hash very obviously it's not hex numbers because i don't see any a through f actually i don't see any i don't i don't see any like numbers greater than eight or nine in this maybe this is octal is this octal what if i let's let's zoom back out what if i were to do like that number represented in octal format so python i'm going to use the 0o prefix to denote that's an octal number that's converted to decimal now let's run long_to_bytes on that i don't have anything there that's really weird so at this point i was kind of struggling i'll be completely honest i was like i wtf i don't know what to do with this number um it's weird so i went to cyber chef for a while and i started to just bump around um i i wish i could give a better clear answer as to how i got to what i got here um but let's let's try and run magic and see if that will actually get anything can i set this to like intensive mode and see if it finds literally anything letting it bake for a little bit no potential things coming through what if i switch the depth to one if i search for like a a crib for flag does it get anything no it tries to xor the option with hex string and it gets nonsense uh again not our flag is there anything else that comes through here i supplied the thing flag and i would have expected that to find something but there's a lot of output from magic just trying different things from base 64 over and again i saw from hex i saw an xor i also saw a rotate blah blah blah but no notion of flag so far is there any actual can i copy and paste like all this copy raw output to the clipboard yeah let's just slap it in okay that's not what i wanted it didn't work so i'll be honest when i was looking through all these i kept trying some of those different things some of those different options that it was giving to see if it could get potential 
text and i had tried like the rotate right one because i did see that here like there's a rotate seven here and i thought like all right i guess i'll just try to like rotate right and i changed it to different amounts but i had to get this number from decimal right because this is already decimal data let's try to use from decimal and it doesn't have any spaces in there i let's let's like convert that to hex let's take this to hex and let's give it to cyber chef as something that it can easily process and understand so let's do from hex and now we can try to use like magic one more time magic intensive mode bring this down oh and that finds it with that rotate right function with it with one as the rotation uh i don't understand why i don't understand how that happens rotate one or rotate right sorry bringing this in and just letting it rotate at once works and gets you the flag i'm not extremely sure why that happens and why that works if i were to take that l2b number like from the original and if i were to rotate it by one naturally like within python if i use that shift operator and just move the bits to the right or rotate it it gets the flag but i don't understand how that comes out of what we had in octal so i think if you literally take this value and we shop around with it because you could try to be like okay decode from octal and look for an online tool there's a lot of stuff out there but none of them seem to just straight up get you the flag so input data octal to text submit this nonsense give it to this thing it needs that weird separator representation and nothing comes out of that octal text that can't figure it out uh that tool doesn't work all that well try this one here convert we need to split into groups of three you could do that but this one here octal system base eight will convert an octal to a base n converter and you could slap this in and have it convert to like decimal or binary hexadecimal and i would try some of these and i would get 
a different number that i got within python which was weird to me so i tried to copy this and then do long to bytes from this and i would paste it in and it would get part of the flag like a portion or half of it but this tool is explicitly telling you like hey look i'm not showing you all of the digits here i think it says like we're we're removing some of these digits and only sharing some of them with you so i try to like recreate this algorithm that they showcase on this conversion link here where is the how to convert a number please see the base n conversion tool so i clicked on base n conversion and then i would try and understand this algorithm but i guess i just didn't get it right or i don't know i'm not a thousand percent positive why i couldn't get it from octal because if it's just octal that would make sense to me and this apparently the decode website says that it is but with everything else i had to rotate it and shift it by one and that's confusing in my mind but either way we have drilled down through this rabbit hole we found some kind of neat stuff it was fun to write that script and kind of parse out the logic of what we can't use this activex object we can just switch our eval to a console.log and that was very very cool because at the end we're seeing legitimate code that uh is very well used by malware like using these techniques for with jscript to create objects and download files and write them with an environment variable location for the temp directory that i think is pretty real world and very very cool so that was a that was a fun challenge but i'm still beating myself up about that stinking octal number so that's it holy cow that uh is the flag right we did we did get the flag so we can go ahead and submit it and we can call this guide point ctf done but that was a blast so hey thank you so much for watching thank you so much for tuning in tolerating this if you did like this video please do check out some of the other ones in 
this little mini series here if you did like the capture the flag challenges or this event in this competition go play GuidePoint's next game they're doing this ctf for like a week every month for like the next six months or five months or four or something but it it's a rolling series and it's super duper fun so i really recommend go jump in expose yourself to new technologies try to solve some clever problems and you're gonna really learn a lot of fun stuff so thanks so much for watching everybody i'll see you in the next video
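The layer-peeling loop from the video (strip the WScript.Shell ActiveXObject line, turn eval into console.log, run the stage under node, repeat until no eval remains) and the final-stage number decode (shift right by one, then long_to_bytes), as an added Python example. This is not John Hammond's unravel.sh: the ActiveXObject and eval patterns are assumed from his description of the layers, node is assumed to be on PATH, and the sample inputs are constructed here.

```python
"""Added example (not the video's script): peel nested eval() stages of a
JScript dropper under node, then decode the final stage's shifted number."""
import re
import subprocess
from pathlib import Path

# Every layer opens with a WScript.Shell ActiveXObject that node cannot build
# and hands the next layer to eval(). Both patterns are assumed from the video.
ACTIVEX_RE = re.compile(
    r'var\s+ws\d+\s*=\s*new\s+ActiveXObject\(\s*["\']WScript\.Shell["\']\s*\)\s*;'
)
EVAL_RE = re.compile(r"\beval\s*\(")


def has_eval_layer(src: str) -> bool:
    """True while the script still wraps another stage in eval()."""
    return EVAL_RE.search(src) is not None


def prepare_stage(src: str) -> str:
    """Drop the ActiveXObject line and turn eval( into console.log( so running
    the stage under node prints the next layer instead of executing it."""
    return EVAL_RE.sub("console.log(", ACTIVEX_RE.sub("", src))


def unravel(path: str, max_depth: int = 20) -> list[Path]:
    """Prepare the stage, run it with node, save stdout as the next stage,
    and repeat until a stage has no eval() left (or max_depth is hit).
    Returns the files written, named <depth>_<original name> beside the input."""
    start = Path(path)
    current = start
    written: list[Path] = []
    for depth in range(max_depth):
        src = current.read_text()
        if not has_eval_layer(src):
            break
        temp = start.with_name("temp.js")  # same role as the video's temp file
        temp.write_text(prepare_stage(src))
        proc = subprocess.run(
            ["node", str(temp)], capture_output=True, text=True, check=True
        )
        nxt = start.with_name(f"{depth}_{start.name}")
        nxt.write_text(proc.stdout)
        written.append(nxt)
        current = nxt
    return written


def decode_shifted_number(digits: str) -> bytes:
    """Final stage: the big decimal integer yields the flag after a one-bit
    right shift (the step the video lands on). Shift, then emit big-endian
    bytes, which is long_to_bytes done with int.to_bytes."""
    n = int(digits) >> 1
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    # Constructed one-layer sample in the shape the video describes.
    sample = (
        'var ws652 = new ActiveXObject("WScript.Shell");'
        'var _0x683c = ["console.log(1)"];'
        "eval(function(a){return a;}(_0x683c[0]));"
    )
    print(prepare_stage(sample))
    # Constructed number: "flag{constructed}" as an integer shifted left by one.
    encoded = str(int.from_bytes(b"flag{constructed}", "big") << 1)
    print(decode_shifted_number(encoded))
```

Run `unravel("deobfuscated.js")` on a real extracted stage to get the numbered files; `prepare_stage` and `decode_shifted_number` need no node.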
Info
Channel: John Hammond
Views: 16,105
Id: UUSztGCp4Sw
Length: 33min 32sec (2012 seconds)
Published: Mon Nov 30 2020