Hack This Site — Javascript Missions

This is a writeup for javascript missions from hack this site.

Challenge 1 — Idiot Test

This was just a basic challenge which required to see the javascript code below using developer tools of your browser. The code is :

function check(x){
if (x == "cookies"){
alert("win!");
window.location += "?lvl_password="+x;
}
else{
alert("Fail D:");
}
}

Using this you can now see the correct password.

Challenge 2 — Disable Javascript

This was an easy challenge. You just have to disable js of your browser. You can google about it or you can refer this.

Challenge 3 — Math Time!

In this challenge we find a simple js code which performs some mathematical operator.

var foo = 5 + 6 * 7 
var bar = foo % 8
var moo = bar * 2
var rar = moo / 3
function check(x)
{
if (x.length == moo)
{
alert("win!");
window.location += "?lvl_password="+x;
} else {
alert("fail D:");
}
}

So basically this code takes the length of variable x and checks if that value is equal to value of moo.So you can use any password which has same length as that of moo

Challenge 4 — Var ?

For this challenge you can see the code in inspector tab.

RawrRawr = "moo";
function check(x){
"+RawrRawr+" == "hack_this_site"
if (x == ""+RawrRawr+""){
alert("Rawr! win!");
window.location = "../../../missions/javascript /4/?lvl_password="+x;
}
else {
alert("Rawr, nope, try again!");
}
}

So this challenge basically takes the value of variable RawrRawr and checks it with the one you provided.

Challenge 5 — Escape

This is the code for this challenge. It uses a function called unescape which is predefined in js and is used to decode an encoded string. You can read more about it here.
So this type of encoding is url encoding and it can be decode using online tools. I used cyberchef to decode this. After decoding this you will have your password.

Challenge 6 — go go away .js

This is the code I got for this. This code checks the pass variable with concatenation of ‘rawr’ and ‘moo’. So the password is the join of values these variables.

Challenge 7 — JS Obfuscation. FTW!

For this after viewing the inspector tab I found this code.

onclick='javascript:if (document.getElementById("pass").value=="j00w1n"){alert("You WIN!");window.location += "?lvl_password="+document.getElementById("pass").value}else {alert("WRONG! Try again!")}'

So the password is given in this code only.

Summary

These challenges were pretty good for a beginner. A person who knows just the basics of js can do these challenges without any difficulty.

CEH v11 , scripting , cyber security