RingZer0-31 - Then Obfuscation is More Secure?

Javascript

Then obfuscation is more secure?

Once again looking at the source code reveals us that the code has been obfuscated.

<script>
    // Look's like weak JavaScript auth script :)
    var _0xc360 = ["\x76\x61\x6C", "\x23\x63\x70\x61\x73\x73", "\x61\x6C\x6B\x33", "\x30\x32\x6C\x31", "\x3F\x70\x3D", "\x69\x6E\x64\x65\x78\x4F\x66", "\x68\x72\x65\x66", "\x6C\x6F\x63\x61\x74\x69\x6F\x6E", "\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x27\x65\x72\x72\x6F\x72\x27\x3E\x57\x72\x6F\x6E\x67\x20\x70\x61\x73\x73\x77\x6F\x72\x64\x20\x73\x6F\x72\x72\x79\x2E\x3C\x2F\x64\x69\x76\x3E", "\x68\x74\x6D\x6C", "\x23\x63\x72\x65\x73\x70\x6F\x6E\x73\x65", "\x63\x6C\x69\x63\x6B", "\x2E\x63\x5F\x73\x75\x62\x6D\x69\x74"];
    $(_0xc360[12])[_0xc360[11]](function() {
        var _0xf382x1 = $(_0xc360[1])[_0xc360[0]]();
        var _0xf382x2 = _0xc360[2];
        if (_0xf382x1 == _0xc360[3] + _0xf382x2) {
            if (document[_0xc360[7]][_0xc360[6]][_0xc360[5]](_0xc360[4]) == -1) {
                document[_0xc360[7]] = document[_0xc360[7]][_0xc360[6]] + _0xc360[4] + _0xf382x1;
            };
        } else {
            $(_0xc360[10])[_0xc360[9]](_0xc360[8]);
        };
    });
</script>

It clearly looks like hex. If we pass the code into a beautify javascript we get something more readable.

<script>
    // Look's like weak JavaScript auth script :)
var _0xc360 = ["76616C", "236370617373", "616C6B33", "30326C31", "3F703D", "696E6465784F66", "68726566", "6C6F636174696F6E", "3C64697620636C6173733D276572726F72273E57726F6E672070617373776F726420736F7272792E3C2F6469763E", "68746D6C", "2363726573706F6E7365", "636C69636B", "2E635F7375626D6974"];

$(_0xc360[12])[_0xc360[11]](function() {
        var _0xf382x1 = $(_0xc360[1])[_0xc360[0]]();
        var _0xf382x2 = _0xc360[2];
        if (_0xf382x1 == _0xc360[3] + _0xf382x2) {
            if (document[_0xc360[7]][_0xc360[6]][_0xc360[5]](_0xc360[4]) == -1) {
                document[_0xc360[7]] = document[_0xc360[7]][_0xc360[6]] + _0xc360[4] + _0xf382x1;
            };
        } else {
            $(_0xc360[10])[_0xc360[9]](_0xc360[8]);
        };
    });
</script>

Now if we decode the hex we get, i stopped when i saw the condition for the password.

var _0xc360 = [
"val", 
"#cpass", 
"alk3", 
"02l1", "
?p=", 
"indexOf", 
"href",
"location", 
"<div class='error'>Wrong password sorry.</div>", 
"html",
"#cresponse",
"click",
".c_submit"];

$.c_submit[click](function() {
        var _0xf382x1 = $(#cpass)[val]();
        var _0xf382x2 = alk3;
        if ($(#cpass) == 02l1 + alk3) {
            if (document[_0xc360[7]][_0xc360[6]][_0xc360[5]](_0xc360[4]) == -1) {
                document[_0xc360[7]] = document[_0xc360[7]][_0xc360[6]] + _0xc360[4] + _0xf382x1;
            };
        } else {
            $(_0xc360[10])[_0xc360[9]](_0xc360[8]);
        };
    });

</script>

We found the password here

        if ($(#cpass) == 02l1 + alk3) {

The password being 02l1alk3, once we enter the password we get the flag.

The flag is FLAG-5PJne3T8d73UGv4SCqN44DXj