Challenge: Obfuscation 0

The login below doesn't use HTTPS, but it obfuscates the credentials so you can't read them in a sniffer.

Reverse-engineer the obfuscation process.

When you have it figured out, examine this pcap file to find the correct credentials and log in.

You can solve it yourself, but if you'd like some guidance, scroll down.

Username

Password

How to Reverse Engineer JavaScript Obfuscation

Try entering the credentials "admin" and "password", then capture the HTTP POST packet with Wireshark.

You should see this:

At the bottom, the "Line-based text data" section shows the two parameters being sent:

xi=benjo
xp=qbttxpse

To see how that is happening, view the HTML source code of this page.

Login Form

Here's the login form. The userid is loaded into a field named id and the password into a field named pw.

When the Login button is pressed, the form's onsubmit handler calls a JavaScript function named obfuscate().

JavaScript Functions

Here are the two JavaScript functions used to obfuscate the text.

The scramble function performs a simple Caesar cipher, moving each character forward one step in the ASCII "alphabet", so "a" becomes "b", etc.

The obfuscate function simply scrambles both the UserID and Password and erases the plaintext versions.

So to deobfuscate the credentials, open the pcap file and move each character of the captured values one step backwards, so "b" becomes "a", to find the correct credentials.
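
The scheme described above, as an added example (not the page's own JavaScript, which is reconstructed here from its description): it undoes the one-step shift on a captured form body, using the test login shown earlier. The names shift, unscramble and recoverCredentials are assumptions; xi and xp are the parameter names from the capture.

```javascript
// Added example: reconstructed from the page's description, not the page's source.
// Shift every character by `step` code points (the page describes step = +1).
function shift(text, step) {
  return Array.from(text, (ch) =>
    String.fromCodePoint(ch.codePointAt(0) + step)
  ).join("");
}

const scramble = (text) => shift(text, 1);    // what the browser does before POSTing
const unscramble = (text) => shift(text, -1); // what anyone holding the capture can do

// Decode a captured application/x-www-form-urlencoded body.
// xi and xp are the parameter names shown in the page's Wireshark output.
function recoverCredentials(body) {
  const params = new URLSearchParams(body);   // undoes %XX and '+' encoding first
  const xi = params.get("xi");
  const xp = params.get("xp");
  if (xi === null || xp === null) {
    throw new Error("body does not contain both xi and xp");
  }
  return { id: unscramble(xi), pw: unscramble(xp) };
}

// The page's own test login, as it appears on the wire.
const sample = recoverCredentials("xi=benjo&xp=qbttxpse");
console.log(sample); // { id: 'admin', pw: 'password' }

// Constructed edge case: 'z' shifts to '{' and ' ' shifts to '!', both of which
// are percent-encoded in the form body, so URL-decoding must happen before unshifting.
const edge = new URLSearchParams({
  xi: scramble("jazz"),
  xp: scramble("a b"),
}).toString();
console.log(edge, recoverCredentials(edge));
```

No key is involved, so the shift gives no confidentiality: the capture alone is enough to recover what was typed, which is why the login needs HTTPS rather than client-side scrambling.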

When you get it right, you'll be able to log in and see this page:


Posted 7-24-14 by Sam Bowne