HackQuest: JavaScript: Jedi Mindtricks
Name: Jedi mindtricks.
Place: Mexico City, Mexico
Target: Twilight Security Company
At least five major MSA agents came from here. Take them off the internet for good.
The source code is obfuscated: the HTML is URL-encoded and then decoded again by a small piece of JavaScript when the page loads. In general form, the code is:

```javascript
m = '%3C%21...html%3E';
d = unescape(m);
document.write(d);
```
If we could only get hold of d, this challenge would be a lot easier. The JavaScript injection mentioned earlier comes in handy here. However, injecting the intuitive javascript:alert(d) results in nothing but a hard-to-manage alert box. Instead, we will write it onto the page. Just using document.write(d) would have the browser interpret the tags, so we put it all inside a textarea.
javascript:document.write('<textarea>'+d+'</textarea>')
This will give you the whole source code inside a nice textarea field. Put your cursor in it, select everything with ctrl+A and then paste it into a text editor for an easy overview. As always, start by finding the form.
```html
<form name="LayoutBereich1FORM" action="" method="post">
  <input id="Eingabefeld1" type="TEXT" name="Eingabefeld1"
         value="" size="30" maxlength="30">
  <input type="BUTTON" name="Schaltflächen1" value="Enter Password"
         id="Schaltflaechen1" onclick="return PassConfirm()">
</form>
```
Only one field this time, "Eingabefeld1". Submitting calls PassConfirm().

```javascript
function PassConfirm() {
  var y = "alphabravocharliedeltax";
  var x = "lidocaineadrenalineekel";
  var z = "sidewinderamraamphoenix";
  var s = "";
  for (Count = 0; Count < y.length; Count++) {
    var t1 = y.substring(Count, Count + 1);
    var t2 = z.substring(Count, Count + 1);
    var t3 = x.substring(Count, Count + 1);
    if (t1 * t2 * t3 >= 5 || t3 ^ t1 >= 3)
      s = s + t1;
    else {
      if (t3 == t2) s = s + t3;
      if (t2 == t1) s = s + t2;
      if (t1 == t3) s = s + t3;
    }
  }
  var x = document.LayoutBereich1FORM.Eingabefeld1.value;
  if (x == s) {
    y = s + ".php";
    window.open(y, "_self");
  } else {
    alert("Dooh, try again!");
  }
}
```
First, x, y and z are set to three strings. Then a for-loop starts: Count begins at 0, is incremented each pass, and the loop repeats while Count < y.length. y.length is the number of characters in "alphabravocharliedeltax", which is 23.
In the for loop, the three variables t1, t2 and t3 are initialised using substring(). substring() is a built-in JavaScript string method that extracts part of a string; here it takes just one character, the one at position Count (remember that the first character is at position 0). Note the order: t1 comes from y, t2 from z and t3 from x.
The condition check that follows is just bogus. Multiplying or XORing letters as numbers gives NaN or 0, never a value that satisfies either comparison, so only the else-block is ever executed. What the else-block effectively does is append the character to s if two of the three strings have the same character at that position. With this information, we can go through x, y and z and find the password. The first match is at Count==1, where the x and z substrings are equal and thus "i" is added to s. The next is at Count==2, and then at Count==8. In my case, the final s was ideaeex.
Next, s is compared with the password that was entered; if they are equal, the challenge is cleared.
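To check the walkthrough's reasoning without stepping through the obfuscated page by hand, here is an added example (my own code, not the challenge's) that re-derives the password from the three strings exactly as the else-branch does and mirrors the final comparison. The constants Y, X and Z are the strings from the challenge source; everything else is assumed for the illustration.

```javascript
// Added example (not the challenge's own code): re-derives the password
// that PassConfirm() builds so the walkthrough can be checked offline.
// The three constants are the strings from the challenge source.
const Y = "alphabravocharliedeltax";
const X = "lidocaineadrenalineekel";
const Z = "sidewinderamraamphoenix";

// The challenge's "if" test, kept verbatim. Multiplying letters gives NaN,
// and "t3^t1 >= 3" parses as t3 ^ (t1 >= 3), which is 0 for letters, so
// this never selects the first branch for alphabetic input.
function bogusCheckHits(t1, t2, t3) {
  return t1 * t2 * t3 >= 5 || t3 ^ t1 >= 3;
}

// Walk the three strings in lock-step and keep a character wherever two of
// them agree at that index (the else-branch of PassConfirm). Also records
// the indices that contributed, to compare against "Count==1, 2, 8, ...".
function derivePassword(y, x, z) {
  let s = "";
  const hits = [];
  for (let i = 0; i < y.length; i++) {
    const t1 = y.charAt(i); // from y
    const t2 = z.charAt(i); // from z (same order as the original)
    const t3 = x.charAt(i); // from x
    if (bogusCheckHits(t1, t2, t3)) {
      s += t1; // dead for letters; kept so the port is faithful
    } else {
      // Three independent ifs, as in the original: an index where all three
      // strings agree would be appended three times, not once.
      if (t3 === t2) s += t3;
      if (t2 === t1) s += t2;
      if (t1 === t3) s += t3;
      if (t3 === t2 || t2 === t1 || t1 === t3) hits.push(i);
    }
  }
  return { password: s, hits };
}

// Mirrors the final comparison: the page the challenge would open for a
// given input, or null when the input is rejected.
function targetFor(input) {
  const expected = derivePassword(Y, X, Z).password;
  return input === expected ? expected + ".php" : null;
}
```

A check that runs entirely in the browser and derives its secret from constants in the same script is readable by anyone who can view the source; the textarea trick above only makes that reading convenient.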

javascript:document.write(''+d+'')
This injection doesn't work. I am using Mozilla Firefox.
Would there be anything to change in that? Thank you in advance.
Comment by the_new_crime — November 4, 2007 @ 8:44 pm