HackTheBox ChromeMiner Challenge
https://app.hackthebox.com/challenges/399
Description
Discurd has filed a DMCA violation regarding a popular browser extension claiming to be conducting VIP giveaways on the company’s product. The addon store has since taken down the extension to prevent any potential browser cryptomining malware from being distributed in the marketplace. Could you investigate what the ‘Discurd Nitro Giveaway’ addon does exactly?
Exploitation
Downloading the executable and decompiling it with ILSpy reveals the URL /c2VjcmV0/archive.zip?k=ZGlzY3VyZG5pdHJ1.
Deobfuscating the JavaScript downloaded from that endpoint allows us to craft the final payload and analyze its functionality. The decryptor below is that payload reduced to its essentials: AES-CBC via WebCrypto, with the same 16-byte string used as both key and IV.
(async () => {
  // 16-byte string used as the AES-128 key; the payload reuses it as the CBC IV too.
  const secretKey = "_NOT_THE_SECRET_";
  // Hex-encoded AES-CBC ciphertext: 48 bytes, i.e. three 16-byte blocks.
  const hexEncodedData = "E242E64261D21969F65BEDF954900A995209099FB6C3C682C0D9C4B275B1C212BC188E0882B6BE72C749211241187FA8";
  const hexToBytes = (hex) => new Uint8Array(hex.match(/../g).map(byte => parseInt(byte, 16)));
  const textEncoder = new TextEncoder();
  const keyData = textEncoder.encode(secretKey);
  const importedKey = await crypto.subtle.importKey(
    "raw",
    keyData,
    { name: "AES-CBC" },
    false,
    ["decrypt"]
  );
  // Key bytes doubling as the IV: the scheme is deterministic, not a random per-message IV.
  const iv = keyData;
  const encryptedData = hexToBytes(hexEncodedData);
  // WebCrypto AES-CBC strips PKCS#7 padding and throws on a padding mismatch (wrong key).
  const decryptedData = await crypto.subtle.decrypt(
    { name: "AES-CBC", iv: iv },
    importedKey,
    encryptedData
  );
  const decodedData = new TextDecoder("utf-8").decode(decryptedData);
  console.log("Decrypted Data (Flag):", decodedData);
})();
Summary
ChromeMiner: reverse the validation logic, model the transform, and recover the accepted input.