Home Hack The Box - ExploitedStream pwned!
Post
Cancel

Hack The Box - ExploitedStream pwned!

Description

An npm stream compromised dependencies long ago. Help us recover what this script is hiding.

Solution

If we extract he ExploitedStream.zip file we only found one file: exploitedstream.js

exploitedstream.js is a javascript obfuscated file.

The first thing I have to say is that I have no idea about javascript, but this is a easy challenge.

This challenge is very interesting because it’s based on a real case: Analysis of a Supply Chain Attack

The first thing we have to do is deobfuscate the script. Once deobfuscated we will find an interesting note “for future me” ;)

Once we have read the note we will need a list with all the npm package names in order to bruteforce the password and get the flag and the correct package name.

We can find a list of all the npm package names in all-the-package-names. So, now, we only have to do a loop to bruteforce the password and wait for our flag.

To solve this challenge I deobfuscated the original script and added the loop to bruteforce the flag. You can see my js file at exploitedstream_deobfuscated.js

Challenge results ExploitedStream has been Pwned

Enjoy! ;)

This post is licensed under CC BY 4.0 by the author.