HBH Javascript 3: HTML Entity Encoded
Hellbound Hackers’ Javascript challenge 3 looks a lot trickier than it actually is. First, you must find the relevant section of the source code. The following is enclosed in SCRIPT tags:
| User ID: | |
| Password: | |
Fix the indentation and linebreaks of the above code, and it’s much easier to read. The content of a1 is substituted with “string” in order to keep the code readable.
var U7 = window, W8 = document;
var a1 = "string";
function V0() {
    var V0;
    V0 = unescape(a1);  // decode the %XX escapes in a1
    W8.write(V0);       // write the decoded markup into the document
}
V0();
This code first defines U7 as the window and W8 as the current document, and then a1 as a long, illegible string. The function V0() declares a local variable with the same name, assigns it the unescaped value of a1, and then writes it to W8 (the document). V0() is then run.
In order to see what is printed, we must decode a1. This can be done in several ways, such as with the PHP function urldecode(). I used an online URL decoder.
The string decodes to an HTML form and two scripts, one that disables right-clicking and one that checks the username and password. You should be able to find and extract the password and username without any problems:
function pasuser(form) {
    var text2='lolage'
    var text4='hahaomgz'
    if (form.text1.value==text2) {
        if (form.text3.value==text4) {
            location="index.php?text1=lol&text3=haha"
        } else {
            alert("Invalid Password")
        }
    } else {
        alert("Invalid UserID")
    }
}
My username/password combination was lolage/hahaomgz.
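The decoding step can also be done statically, so the wrapper never gets to call document.write, and the result shows why a check shipped to the browser keeps nothing secret. The following Node.js code is an added example, not code from the challenge or from this post; the sample page, its demo-user/demo-pass values and all helper names are constructed for illustration.

```javascript
// Added example: statically decode an unescape()/document.write() wrapper.
// Nothing from the analyzed page is executed; strings are only transformed.

// Decode the two forms unescape() understands: %XX and %uXXXX.
function unescapeStatic(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}

// Return the first double-quoted literal assigned by `var <name> = "..."`.
function extractPayload(wrapperSource) {
  const m = /var\s+\w+\s*=\s*"([^"]*)"/.exec(wrapperSource);
  return m ? m[1] : null;
}

// Report form fields compared against variables holding hardcoded strings.
function findHardcodedChecks(decodedHtml) {
  const literals = new Map();
  const decl = /var\s+(\w+)\s*=\s*'([^']*)'/g;
  for (const m of decodedHtml.matchAll(decl)) literals.set(m[1], m[2]);
  const findings = [];
  for (const m of decodedHtml.matchAll(/form\.(\w+)\.value\s*==\s*(\w+)/g)) {
    if (literals.has(m[2])) findings.push({ field: m[1], literal: literals.get(m[2]) });
  }
  return findings;
}

function analyze(wrapperSource) {
  const payload = extractPayload(wrapperSource);
  if (payload === null) return { decoded: null, findings: [] };
  const decoded = unescapeStatic(payload);
  return { decoded, findings: findHardcodedChecks(decoded) };
}

// Constructed sample (not the challenge's real string): percent-encode a
// small page and wrap it the way the challenge script wraps a1.
const pct = s => [...s].map(c =>
  '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0')).join('');
const samplePage = "<form><input name=text1><input name=text3></form>" +
  "<script>function check(form){var a='demo-user'\nvar b='demo-pass'\n" +
  "if(form.text1.value==a){if(form.text3.value==b){location='ok.html'}}}" +
  "</script>";
const sampleWrapper = 'var U7 = window, W8 = document; var a1 = "' +
  pct(samplePage) + '"; function V0() { var V0; V0 = unescape(a1); ' +
  'W8.write(V0); } V0();';

console.log(analyze(sampleWrapper).findings);
```

Any value the browser needs in order to perform the comparison is recoverable this way, whatever encoding wraps it, so the comparison belongs on the server.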

Okay, I don’t get this, it won’t accept the answer, and I have the same stuff as you do
Comment by decrypter — August 22, 2007 @ 10:16 pm
The problem with this seems to say that if your password is correct go to another file in the same directory that says index.php?text1=lol&text3=haha, and when you’re redirected there from typing the right answers you can enter the password, so if you don’t get it right it says invalid and if you get it right you can’t enter it so I don’t get how to answer correctly
Comment by 13om13e12 — September 1, 2007 @ 3:05 am
Go to http://ostermiller.org/calc/encode.html and enter is the Javascript and clide URL Decode and it will split it into line breaks making it much easier to decode ! !
Comment by DeathCharge9 — September 1, 2007 @ 11:52 pm
Go to http://ostermiller.org/calc/encode.html and enter in the Javascript and click URL Decode and it will split it into line breaks making it much easier to decode ! !
sorry bout the spelling errors in the original
Comment by DeathCharge9 — September 1, 2007 @ 11:54 pm
You have to see the decoded script and do something with the address.
Comment by Creep — September 11, 2007 @ 1:52 am