Inspecting JavaScript Code

web, javascript

Run in browser console

Bookmark

HTB Bitlab has this weird bookmark script:

javascript:(function(){ var _0x4b18=["\x76\x61\x6C\x75\x65","\x75\x73\x65\x72\x5F\x6C\x6F\x67\x69\x6E","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6C\x61\x76\x65","\x75\x73\x65\x72\x5F\x70\x61\x73\x73\x77\x6F\x72\x64","\x31\x31\x64\x65\x73\x30\x30\x38\x31\x78"];document[_0x4b18[2]](_0x4b18[1])[_0x4b18[0]]= _0x4b18[3];document[_0x4b18[2]](_0x4b18[4])[_0x4b18[0]]= _0x4b18[5]; })()

It turned out that this code was used to populate user credentials in GitLab.
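Rather than running an unknown bookmarklet to find out what it does, you can decode it statically. The following is an added example (not part of the original notes): it takes the Bitlab script above as a constructed input, recovers the hex-escaped string table, inlines every `_0x4b18[N]` reference and simplifies `obj["prop"]` to `obj.prop` so the script becomes readable. The function and variable names are my own.

```javascript
// Added example, not from the original notes: statically decode a bookmarklet
// that hides its strings in a hex-escaped array, so it can be read before it
// is ever pasted into a browser.

// Constructed input: the Bitlab bookmark script from the notes, kept as a raw
// string so the \x escapes stay literal instead of being decoded here.
const BITLAB_BOOKMARKLET = String.raw`javascript:(function(){ var _0x4b18=["\x76\x61\x6C\x75\x65","\x75\x73\x65\x72\x5F\x6C\x6F\x67\x69\x6E","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6C\x61\x76\x65","\x75\x73\x65\x72\x5F\x70\x61\x73\x73\x77\x6F\x72\x64","\x31\x31\x64\x65\x73\x30\x30\x38\x31\x78"];document[_0x4b18[2]](_0x4b18[1])[_0x4b18[0]]= _0x4b18[3];document[_0x4b18[2]](_0x4b18[4])[_0x4b18[0]]= _0x4b18[5]; })()`;

// Turn "\x41" and "\u0041" escapes back into plain characters.
function decodeEscapes(s) {
  return s
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Locate the string-array declaration (var _0x1234=["..","..."];), decode each
// entry, inline every _0x1234[N] reference, then rewrite obj["prop"] as obj.prop.
// Returns the recovered string table and the readable code.
function deobfuscate(src) {
  const decl = src.match(/var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[([^\]]*)\]\s*;?/);
  if (!decl) throw new Error("no hex-escaped string array found");
  const [declText, name, body] = decl;
  const strings = Array.from(body.matchAll(/"((?:\\.|[^"\\])*)"/g), m => decodeEscapes(m[1]));
  const refs = new RegExp(name + "\\[(\\d+)\\]", "g");
  let code = src.replace(declText, "")
    .replace(refs, (_, i) => JSON.stringify(strings[Number(i)]));
  code = code.replace(/\["([A-Za-z_$][\w$]*)"\]/g, ".$1");
  return { strings, code };
}

// Usage: print the decoded string table and the readable bookmarklet body.
const result = deobfuscate(BITLAB_BOOKMARKLET);
console.log(result.strings);
console.log(result.code);
```

The decoded output shows the script simply fills the `user_login` and `user_password` fields of the login form, which is the detail the notes summarise above.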

Static Code Analysis

When you are able to grab a copy of the code, here are the different things you can do:

Rabbithole for CTF Machines

I encountered this cool frontend app in HTB Mango that connects to a public Elasticsearch server.

At first I thought Elasticsearch was running inside the HTB machine, but it turned out to be a public Elasticsearch server! In this scenario it is better to move on to something else to enumerate, since the public Elasticsearch instance is out of scope for the HTB machine.