Hello everyone, my name is John Hammond, welcome back to another YouTube video. In this video we're gonna be taking a look at the last challenge that we've got on the November 16th rendition of the GuidePoint Security CTF, the capture-the-flag competition that went on this past week. So I am connected to their VPN, I am logged in on the scoreboard at 10.10.100.100, and I can hop on over to the challenges page here. We've finished the Jeffrey box and we finished the Bell box, so all we have left is this 500-point challenge in the challenge category. Nice. It says "ready for a challenge." This one doesn't have a walkthrough, and we are given a downloadable file.

So I'll copy the link location and then hop on over to my terminal, where I've already created a challenge directory for this challenge, and I can wget this down. So it whines about a certificate, so let's go ahead and supply that argument that it specifies, --no-check-certificate, and then we can download this. It downloads it with the token here, so it looks kind of messy. I'm gonna go ahead and move that challenge and rename it to just simply challenge.zip, as the file name should originally be. And of course it is a zip archive, indicated by the file extension, and we can just check it with file to see those file signatures. Let's go ahead and extract this; I'm gonna run unzip on this challenge, and now we're given a spot flag 129833.js file. This is present here in our current directory, so I will open this up in a text editor, and it looks like it takes a little bit of time to load. We have this thing, which is a variable being defined, and a lot of hexadecimal characters kind of encoded in a string here. And I'm scrolling with my horizontal scroll bar, and this is absolutely ginormous, right? You can see there is a lot of stuff here.
So this seems to be obfuscated JavaScript. We can try and de-obfuscate it with an online tool, so let me hop over to our web browser and I'll clear out all the stuff from the previous video. There we go. And now let's look up how we can de-obfuscate JavaScript in Google, right? So we have JSNice, which will work for us, and let's try that. Looks like that failed, actually. Weird, I'm not running a proxy or anything. I guess we'll just totally ignore that then. Let's go on to this de-obfuscate JavaScript and we'll paste this in. This will take a long time to de-obfuscate and actually is already slowing down our browser. If I try and click that de-obfuscate button, it finally gets it, but the problem here is that this whole file is like... ah, this whole file is literally three megabytes, so even that JSNice location would yell at us, because like, hey, we can't process a file over two megabytes in size. So this one at deobfuscatejavascript.com does actually behave, but it gets a lot of output. So we're gonna have to copy this into a file that I'll go ahead and call deobfuscated.js, for JavaScript. Now I'll paste all this in and we can start to examine what this does.

Looks like it creates a var WS652, and that's creating a new object, or an ActiveXObject, that allows us to use WScript.Shell. Hmm, that's kind of peculiar, because that language, an ActiveXObject, isn't really pertinent to JavaScript as we traditionally know it in the realm of client-side code that can run in your browser. Actually ActiveXObject, and using the WScript.Shell component there, is native to JScript, or kind of the Microsoft and Windows dialect rendition of JavaScript. Interesting and peculiar. Maybe we're probably looking at some sort of code that will run commands or do things specific to a Windows target. Then we create this var _0x683c, or _0x638c, and that has a lot more hex-encoded stuff as a string. And apparently this de-obfuscator didn't do a very good job of actually de-obfuscating this, because this still seems really messy and hard to understand with the random variable names and all. But we have this function. It looks like it's being created inline and passed and called with all these arguments, stuffed into an eval.

So that's interesting to me, because the eval command is going to try and execute code that's passed into it as if it were a string. Or, let me reword that: it will take a parameter, it'll take an argument, and that may oftentimes be a string, and it will interpret that string as code and execute it, or evaluate it, right, eval. So that tells me, and it can tell us kind of as analysts, that what is being passed into this function is going to be something that is more code. So if we're trying to understand this, if we're just trying to know what it does and figure out what's happening behind this layer of obfuscation, we just want to see what that code is. So rather than actually executing it and, like, letting this potential malware or badness kick off, right, we can display out what it's doing. So I can change this eval to a console.log function, and now we can just try and tell the JavaScript interpreter, right, whatever we toss this into, our web browser maybe, just throw it in a development tool, see if it handles it well, or we could give it to Node, or Node.js, that server-side kind of runtime environment for running JavaScript code. So let me go ahead and try that. I'll just simply have Node.js, which I have installed and can by default give you a little interpreter, but we'll pass a file as an argument here.
We'll use Node.js on our de-obfuscated script here. Now if I run this it immediately whines and complains; it gets an error because this ActiveXObject is not defined. Remember what I was saying: this ActiveXObject is pertinent and kind of more necessary in the realm of Windows when we're running JScript. That means that Node.js over here on our Linux side doesn't know what that is and it won't understand it. So we can try to temporarily remove it. In fact, just to do a simple sanity check, let's take a look and see if this WS652 variable is used anywhere else in the code. I'm just going to Ctrl+F for that variable name, and it only has one match. That is actually all that it's ever used; it just simply defines this object. So it's completely not needed, and our little console.log and trying to understand the rest of the code will run just fine. Let's kind of comment it out. Maybe the code that comes from this obfuscation technique will end up using it, but we'll be able to see that in the future layers that we peel back.

So now let's try to run our node deobfuscated.js one more time, and that console.log'd it out again. Apparently, or I mean, we've run that and we got all of this noise and nonsense, which looks very, very similar to the obfuscation that we had just seen originally. This is a lot of output, and let's redirect this to like 00_ran.js or something. And I'll move that so you can see I'm just redirecting with the greater-than symbol there. Now let's go ahead and examine what that file looks like.
Ah, we could try and de-obfuscate this if we wanted to; we could pass it to the exact same web page. And let's, let's do that, just for the sake of our learning, I suppose. But this looks pretty much like the same syntax, at least the function a, b, c, d, e, f, g and the eval, kind of as we had seen before. So if I were to let this de-obfuscate, it really isn't doing anything else interesting here. I am noticing, though, that it's creating this var WS-random-number-string object one more time, with this WScript.Shell ActiveXObject again. Let's look for this variable, and it's still not being used in the rest of this strange obfuscation here. We can see all the way at the very, very end of this, too, that we are again calling an eval based off of a specific function. So let's use the same technique one more time: let's change this eval to a console.log so we can see what code it's trying to execute. And as you've seen now, we're actually just getting another abstracted layer of the code, and it's slowly peeling off the layers of this onion. Let's see what comes from this layer. We'll node.js 00_ran, and again we have to remove that ActiveXObject, so let's comment that out, and let's run our code. More output, with the exact same kind of functionality here, or the exact same trick or gimmick being abused. Let's redirect this one more time to a 01_ran, and let's see what we've got here. I'll open that up. Once again, a new WS object with this ActiveXObject WScript.Shell that is not in use, and another var, and another eval function.

Okay, I think we have determined that there is a pattern here. What we can do is we can try and loop this, because we don't know how far down the rabbit hole this goes. We've still got a lot of seemingly strange and random hexadecimal characters that are being passed in as a string here, and we keep seeing this eval little matryoshka doll, I don't know how to say that, I always get that wrong and the internet yells at me. But this technique, with a WS object being created, still keeps getting in the way, and we're gonna have to remove it. So let's try and write a script that will be able to loop through all of this and funnel down, or drill down, until we get more code that's better than this eval function, or how far deep are, how many layers do we have to work through?

So let's do that. I'm gonna create a simple bash script. I'll call this like unravel.sh, and let's use the proper shebang line for /bin/bash. Trying to type. And let's actually supply it as an argument, so we can supply the file name, right, as sort of a parameter to our script. Let's just test if the supplied argument, or $1, and again noting it as a string with double quotes there, if it's equal to an empty string, then we obviously haven't supplied it. So let's go ahead and echo the, like, usage. Can be our unravel.sh script, taking the, replace with the dollar sign, and then like the file, right. So after that we can simply exit. Let's verify that this will work with a little chmod +x on our unravel script and ./ it. Now we just supply the file. Okay, so let's pass in the de-obfuscated script, but our code doesn't know what to do with it because we haven't written that yet. So let's go start to build out the functionality of what this script will do. We know that inside of our deobfuscated.js file we have this potential WS652 notion, and that is creating this ActiveXObject that does not exist when Node.js tries to run it. We're also seeing that at every single layer of this obfuscation, so we're gonna have to remove that. Let's go ahead and do that.
Let's just check first of all if this is a, like, new layer of code that we want to try and de-obfuscate, by the presence of that eval function, because after all that's really what we changed here when we tried to run this. So let's simply cat out the file, and let's, let's kind of create a file variable for it. Let's say file can equal the value of the argument that we supply, and let's cat out the file and grep for that eval command. Let's redirect that output to /dev/null so we don't have to see it; I just want to do this so I can logically test if that grep returns something. The way I'm gonna check for that is by using the, like, return code, and we can access that as a variable, right? Let's say $?; if that's equal to a zero, and that means it did actually find it and it had a successful return code, then we'll do a little check here, echo like "we have a new layer." How about that? Let's test it and run it, and that condition works just fine.

So now that we know that that's a layer that we want to work with, let's try to remove the portion that we know is bad, or that ActiveXObject and the WScript. We should probably do that in a temporary file, though. We should probably do that, and if we know we're going to be looping through this, we're gonna make the changes to a new file every single time. So let's just copy the current file to like a temp one, and then we could again, proof of concept, just cat it out. There we go, there's all the nonsense. Now let's try and remove this WS, the variable that's created, and we know that's gonna go through a specific pattern when we've looked through all the other layers manually. It's WS, some sort of digits, that's creating a new ActiveXObject. Interestingly, that's the first line that we see every single time.
So let's use sed in this case. Let's use sed to substitute and replace this ActiveXObject("WScript.Shell"); semicolon, noting the very end of that kind of command there, and take it from the very, very start of the string. We'll go with every single character that matches up until we see this ActiveXObject WScript.Shell, and then we'll replace it with nothing; that way we know that we're removing it. That's what this forward slash here is denoting, what we can replace it with. Nice and easy, right? So now that will return out on standard output. Let's go ahead and see that here, and I'm gonna pipe this into head just so I can see the very, very top of it, and because there are so many lines it's not going to work well for me, so I'll pipe that into less. Now that top line is completely removed. I used it with this ActiveXObject WScript.Shell up to the semicolon purposefully, because when we got into these other obfuscation layers, remember, we saw each of those with this var WS object with a random number all on a new line; it was all compressed onto one line. So I wouldn't be able to delimit with a newline character; I'm gonna have to trust that the semicolon will be all that we need.

So now that we've removed that, we want to change that eval that we used to see into a console.log so we can get the next layer of obfuscation. Let's do that again with sed. We can use sed -i to do that in place on the temporary file, and we can also supply, I believe, just another substitution that we might want to change. So let's replace the eval with a console.log. Let's actually not use -i to start with, because I want to see if we'll get that output the way that we should see it. And let's unravel this here and pipe the output so we can examine it. I'll scroll down to the very, very bottom. Okay, and our eval has not yet taken place.
So let's modify this. Let's take the sed output of the original one, we remove it, and then pipe it into sed and then do our replace. That makes a little bit more sense to me. And now that output will be redirected to the next iteration that we want to use. So let's start to keep track of, like, an iterator. Let's do iterator=0, and then newfile can equal the iterator. I'm using the dollar sign and curly braces here to denote it, because I want to get just another dollar-sign variable in there, iterator, and the original file. There we go. So now let's copy newfile to temp and set this iterator to a new value after we've redirected into this new file that we've created, newfile. Now we want to actually increment our iterator, so I'll do that with let, so I can actually use math in bash. Let's let our iterator equal the value of iterator plus one, and we can't have any spaces, because bash is going to tokenize it; it's going to be a little bit sensitive. Now we'll want to change our file variable to equal the new iterator with that file prefix in there. So let's try and change that up; let's say file equals the value of newfile.

Now when we go through this, I don't think I'm doing a very good job of cleaning this variable, actually, because file will equal deobfuscated and the new file will equal 0_deobfuscated. We'll do the change and replace, and then we'll reset file to the value of newfile. Now when we go back to loop through this again, once we add in our loop, we'll have newfile equals 1_0_deobfuscated. So we're going to be ending up accidentally stacking, but I don't care; I think I'm cool with that. I just want to be able to see it build out all the different, and peel back all the layers of this. So now that we've made that change, then we can redirect it into the value of the new file. We've created that new file, we're iterating and incrementing, and we are resetting our loop. So let's not loop this just yet.
Let's see if this proof of concept will work. Let's echo out like "iterator $iterator, with newfile being the value of $newfile." There we go. Now let's run this just once. Iterator zero with newfile creating 0_deobfuscated.js. Do we have 0_deobfuscated.js? We do. Good. Now this is the de-obfuscated rendition, though, and we need to actually pass that to Node.js so we can get the next layer. So maybe our logic isn't quite right just yet. We're copying this file to a temporary file and then we're outputting it from temp and redirecting it into this thing. So let's make this operate off of the original file, right, and let's make this redirect into temp. So then we can run Node.js on temp and redirect that output to the new file. Does that make sense? Let's try it. Let's see if it'll work. Let's unravel this deobfuscated... that worked. Now deobfuscated has the original value in here, but temp has the modified rendition of it, with the WScript ActiveXObject removed and eval replaced with console.log. Now we ran that with Node.js and saved the output into 0_deobfuscated, and there we go. Now we have the next layer, and our loop will begin to process that.

Now that we have that decent proof of concept, all we need to do is loop this. So let's go back to our unravel script and check if we see eval, which is kind of the notion that we've been doing beforehand. If we see eval in the file that we're working on, we'll do this loop; if not, we'll fail or break out of our loop. So let's add an else statement here and let's just add a break, because we didn't see eval in the script. And then let's make this a while loop with while true, and now let's do do and done, and let's indent all of this code here. Okay, so now let's try and unravel our de-obfuscated script and let's see how many layers we go down: one, two, three, four, five, six, seven, and then it breaks. Okay, so we went down the rabbit hole, and you can see it has that weird funky appending number that I tried to tell you about. But if we check out this final script, what do we have here? Ooh, var vars equals all this, and that looks like something new.

So let's go use our de-obfuscate JavaScript web page and de-obfuscate this. De-obfuscate, please. That's not seemingly doing anything. Can I run this, please? Okay, can I like beautify this? Beautify JavaScript, just so it's a little bit easier to read. Online JavaScript beautifier, paste that in, beautify code, and now we've got this. Okay, so I'll call it, like, final.js. And what are we looking at here? We have var vars set to seemingly a base64 string, and we have a dl function. var b is set to IP addresses and then some weird number here, and then we split on it by every single space character, okay, that's a delimiter. And then for i is iterating through each object of b. Well, then we go do ahead, we do go ahead and use WScript.Shell, we create an environment variable with a... oh, no, no, no, we grab an environment variable and add in a random .exe name. Okay, so we're probably setting that to fn, like a file name. dn might be zero, for like downloading maybe, ActiveXObject.
Oh, oh, oh, oh, so okay, so it is going to download from one of the IP addresses with some specific variable key, that might be like something that it's using to keep track of the client, and getting the fr. What is fr set to? Where is fr? Oh, oh, that's the, that's the string argument passed into it. Nice, okay. So this must be downloading specific files from these, I guess, command-and-control servers. But we have two IP addresses here, but this other one is really weird, and I have no idea what this is. Is this just like regular decimal? Let's try and get into bpython. So I'm gonna use bpython so I can do a from Crypto.Util.number import long_to_bytes, and I'm gonna use long_to_bytes as if it's a decimal string that's actually representing some other data. So let's use long_to_bytes, and I'll call it l2b just so I don't have to type that all over and over again. Let's run l2b with this giant number string in there and let's see what this returns. Nothing good. I can't read any of that. That's not our flag. That's not really intelligible. That's not human-readable.

Okay, so what else could this be? It's not a hash, very obviously. It's not hex numbers, because I don't see any A through F. Actually, I don't see any, I don't, I don't see any like numbers greater than eight, or nine, in this. Maybe this is octal? Is this octal? What if I, let's, let's zoom back out. What if I were to do like that number represented in octal format? So Python, I'm gonna use a 0o prefix to denote that's an octal number; that's converted to decimal now. Let's run long_to_bytes on that. I don't have anything there. That's really weird. So at this point I was kind of struggling, I'll be completely honest. I was like, WTF, I don't know what to do with this number. It's weird.
So I went to CyberChef for a while and I started to just bump around. I wish I could give a better, clear answer as to how I got to what I got here, but let's, let's try and run Magic and see if that will actually get anything. And I set this to like intensive mode and see if it finds literally anything, letting it bake for a little bit. No potential things coming through. If I switch the depth to one, if I search for like a crib for "flag", does it get anything? No, it tries to XOR the option with a hex string and it gets nonsense. Again, not our flag. Is there anything else that comes through here? I supplied the thing "flag" and I would have expected that to find something, but there's a lot of output from Magic just trying different things: from base64 over again, I saw from hex, I saw an XOR, I also saw a rotate, but no notion of "flag" so far. Is there any actual, can I copy and paste like all this? Copy raw output to the clipboard. Yeah, let's just slap it in. Okay, that's not what I wanted; it didn't work.

So I'll be honest, when I was looking through all these I kept trying some of those different things, some of those different options that it was giving, to see if it could get potential text, and I had tried like the rotate right one, because I did see that here, like there's a rotate seven here, and I thought like, all right, I guess I'll just try to like rotate right, and I changed it to different amounts. But I had to get this number from decimal, right, because this is already decimal data. Let's try to use From Decimal, and it doesn't have any spaces in there. Let's, let's like convert that to hex. Let's take this to hex and let's give it to CyberChef as something that it can easily process and understand. So let's do From Hex, and now we can try to use like Magic one more time, Magic, intensive mode, bring this down. Oh, and that finds it with that rotate right function, with one as the rotation. I don't understand why. I don't understand how that happens, rotate one, or rotate right, sorry. Bringing this in and just letting it rotate it once works and gets you the flag. I'm not extremely sure why that happens and why that works. If I were to take that l2b number, like from the original, and if I were to rotate it by one, naturally, like within Python, if I use that shift operator and just move the bits to the right, or rotate it, it gets the flag. But I don't understand how that comes out of what we had in octal.

So I think if you literally take this value and we shop around with it, because you could try to be like, okay, decode from octal, and look for an online tool, there's a lot of stuff out there, but none of them seem to just straight up get you the flag. So input data octal to text, submit this. Nonsense. Give it to this thing; it needs that weird separator representation, and nothing comes out of that octal-to-text; that can't figure it out. That tool doesn't work all that well. Try this one here. Convert, we need to split it into groups of three. You could do that, but this one here, octal system base eight, well, it converts an octal to a base-N converter, and you could slap this in and have it convert to like decimal or binary, hexadecimal. And I would try some of these and I would get a different number than I got within Python, which was weird to me. So I tried to copy this and then do long_to_bytes from this, and I would paste it in and it would get part of the flag, like a portion or half of it. But this tool is explicitly telling you, like, hey, look, I'm not showing you all of the digits here. I think it says like, "we're removing some of these digits and only sharing some of them with you." So I tried to like recreate this algorithm that they showcase on this conversion link here. Where is the "How to convert a number? Please see the base-N conversion tool." So I clicked on base-N conversion and then I would try and understand this algorithm, but I guess I just didn't get it right, or I don't know.
I, I'm not a thousand percent positive why I couldn't get it from octal, because if it's just octal that would make sense to me, and this apparently, the decode website, says that it is. But with everything else I had to rotate it and shift it by one, and that's confusing in my mind. But either way, we have drilled down through this rabbit hole. We found some kind of neat stuff; it was fun to write that script and kind of parse out the logic of "what we can't use, this ActiveXObject, we can just switch our eval to a console.log," and that was very, very cool, because at the end we're seeing legitimate code that is very well used by malware, like using these techniques with JScript to create the object and download files and write them with an environment-variable location for the temp directory. That, I think, is pretty real-world and very, very cool. So that was a, that was a fun challenge, but I'm still beating myself up about that stinking octal number. So that's it. Holy cow, that is the flag, right? We did, we did get the flag, so we can go ahead and submit it, and we can call this GuidePoint CTF done.

But that was a blast. So hey, thank you so much for watching, thank you so much for tuning in, tolerating this. If you did like this video, please do check out some of the other ones in this little mini-series here. If you did like the capture-the-flag challenges or this event and this competition, go play GuidePoint's next game. They're doing this CTF for like a week every month for like the next six months, or five months, or four or something, but it's a rolling series and it's super duper fun. So I really recommend, go jump in, expose yourself to new technologies, try to solve some clever problems, and you're gonna really learn a lot of fun stuff. So thanks so much for watching, everybody. I'll see you in the next video.