JS Safe 1 is a challenge from the beginner's quest of Google CTF 2018.

The challenge text reads:


Well it's definitely the 90s. Using what was found in the mysterious .ico file, you extract the driver for the Aluminum-Key Hardware password storage device. Let's see what it has in store.

The file, js_safe_1.html is a JavaScript virtual safe.

The HTML comment in the header of the file explains more.

<!--
Advertisement:
Looking for a hand-crafted, browser based virtual safe to store your most
interesting secrets? Look no further, you have found it. You can order your own
by sending a mail to js_safe@example.com. When ordering, please specify the
password you'd like to use to open and close the safe and the content you'd
like to store. We'll hand craft a unique safe just for you, that only works
with your password of choice and contains your secret. (We promise we won't
peek when handling your data.)
-->

example.com is a domain meant for illustrative purposes, so they won't get any of the emails their customers send them. Weird.

const alg = { name: 'AES-CBC', iv: Uint8Array.from([211,42,178,197,55,212,108,85,255,21,132,210,209,137,37,24])};
const secret = Uint8Array.from([26,151,171,117,143,168,228,24,197,212,192,15,242,175,113,59,102,57,120,172,50,64,201,73,39,92,100,64,172,223,46,189,65,120,223,15,34,96,132,7,53,63,227,157,15,37,126,106]);
async function open_safe() {
  keyhole.disabled = true;
  password = /^CTF{([0-9a-zA-Z_@!?-]+)}$/.exec(keyhole.value);
  if (!password || !(await x(password[1]))) return document.body.className = 'denied';
  document.body.className = 'granted';
  const pwHash = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(password[1]));
  const key = await crypto.subtle.importKey('raw', pwHash, alg, false, ['decrypt']);
  content.value = new TextDecoder("utf-8").decode(await crypto.subtle.decrypt(alg, key, secret))
}

The open_safe method is called when the password is entered in the interface. If it matches the format CTF{...}, it is passed on to the x function for validation.

If it's valid, decrypt an AES-CBC-encrypted secret using the supplied password and display it to the user.

Makes you wonder why you wouldn't just try to decrypt the secret with the supplied password and skip the validation step. If the password is wrong then the user is no better off anyway, and you're as secure as your encryption algorithm (very secure) and not your obfuscation mechanism (very insecure).

Even though this is a challenge and not the real world, it's still a painful reminder of a pattern seen all too often. The belief that obfuscation is a reasonable substitute for good security.

Anyway, the validation function is where the interesting stuff happens!

async function x(password) {
    // TODO: check if they can just use Google to get the password once they understand how this works.
    var code = 'icffjcifkciilckfmckincmfockkpcofqcoircqfscoktcsfucsivcufwcooxcwfycwiAcyfBcwkCcBfDcBiEcDfFcwoGcFfHcFiIcHfJcFkKcJfLcJiMcLfNcwwOcNNPcOOQcPORcQNScRkTcSiUcONVcUoWcOwXcWkYcVkЀcYiЁcЀfЂcQoЃcЂkЄcЃfЅcPNІcЅwЇcІoЈcЇiЉcЈfЊcPkЋcЊiЌcІiЍcЌfЎcWoЏcЎkАcЏiБcІkВcБfГcNkДcГfЕcЇkЖcЕiЗcЖfИcRwЙcИoКcЙkЛcUkМcЛiНcМfОcИkПcОiРcПfСcUwТcСiУcQkФcУiХcЃiЦcQwЧcЦoШcЧkЩcШiЪcЩfЫcRiЬcЫfЭcКiЮcЭfЯcСoаcЯiбcГiвcЙiгcRoдcгkеcдiжdТaзcЛfиdзaжcжийcСkкdйaжcжклcйfмdлaжcжмнdТaжcжноdЀaжcжопdNaжcжпрcUiсcрfтdсaуdЁaтcтутcтофcТfхdфaтcтхтcтктcтнтcтмцdсaтcтцтcтктcтутcтнчaaтшdЯaщcйiъcщfыdъaьcжыэcVfюdэaьcьюьcьояdЛaьcьяьcьуьcьыѐчшьёѐшшђcOfѓdђaѓcѓнѓcѓнєcUfѕdєaѓcѓѕіcЯfїdіaѓcѓїјaёѓљaaтњcжшћcЎiќcћfѝdќaњcњѝњcњeўcЏfџdўaњcњџѠdАaњcњѠњcњшњcњѝњcњfњcњџѡљшњѢaaтѣcжшѣcѣѝѣcѣeѣcѣџѤcЯkѥdѤaѣcѣѥѣcѣшѣcѣѝѣcѣfѣcѣџѦѢшѣѧcцнѧcѧїѨdСaѧcѧѨѧcѧкѧcѧуѩaёѧѪcхмѫdрaѪcѪѫѪcѪкѬdYaѪcѪѬѪcѪиѭaѩѪѮcяюѯdНaѮcѮѯѮcѮиѮcѮхѮcѮкѰaѭѮѱdVaѲcхѱѲcѲѕѳcNoѴcѳkѵcѴfѶdѵaѲcѲѶѲcѲiѲcѲlѲcѲmѷјѲgѸјѭѷѹbѰѸѺcXfѻdѺaѻcѻюѻcѻоѻcѻкѻcѻoѼdђaѻcѻѼѻcѻнѻcѻнѻcѻѕѻcѻїѽaёѻѾѽѹшѿceeҀceeҁcee҂ceeѿaѾeҀјѿT҂ѡҀшҁјh҂hѦҁшѿaѾfҀјѿV҂ѡҀшҁјh҂hѦҁшѿaѾiҀјѿU҂ѡҀшҁјh҂hѦҁшѿaѾjҀјѿX҂ѡҀшҁјh҂hѦҁшѿaѾkҀјѿЁ҂ѡҀшҁјh҂hѦҁшѿaѾlҀјѿF҂ѡҀшҁјh҂hѦҁшѿaѾmҀјѿЄ҂ѡҀшҁјh҂hѦҁшѿaѾnҀјѿЉ҂ѡҀшҁјh҂hѦҁшѿaѾoҀјѿЄ҂ѡҀшҁјh҂hѦҁшѿaѾpҀјѿЋ҂ѡҀшҁјh҂hѦҁшѿaѾqҀјѿЍ҂ѡҀшҁјh҂hѦҁшѿaѾrҀјѿА҂ѡҀшҁјh҂hѦҁшѿaѾsҀјѿF҂ѡҀшҁјh҂hѦҁшѿaѾtҀјѿВ҂ѡҀшҁјh҂hѦҁшѿaѾuҀјѿД҂ѡҀшҁјh҂hѦҁшѿaѾvҀјѿЗ҂ѡҀшҁјh҂hѦҁшѿaѾwҀјѿК҂ѡҀшҁјh҂hѦҁшѿaѾxҀјѿН҂ѡҀшҁјh҂hѦҁшѿaѾyҀјѿР҂ѡҀшҁјh҂hѦҁшѿaѾAҀјѿТ҂ѡҀшҁјh҂hѦҁшѿaѾBҀјѿФ҂ѡҀшҁјh҂hѦҁшѿaѾCҀјѿW҂ѡҀшҁјh҂hѦҁшѿaѾDҀјѿХ҂ѡҀшҁјh҂hѦҁшѿaѾEҀјѿЪ҂ѡҀшҁјh҂hѦҁшѿaѾFҀјѿЬ҂ѡҀшҁјh҂hѦҁшѿaѾGҀјѿЮ҂ѡҀшҁјh҂hѦҁшѿaѾHҀјѿа҂ѡҀшҁјh҂hѦҁшѿaѾIҀјѿe҂ѡҀшҁјh҂hѦҁшѿaѾJҀјѿб҂ѡҀшҁјh҂hѦҁшѿaѾKҀјѿв҂ѡҀшҁјh҂hѦҁшѿaѾLҀјѿK҂ѡҀшҁјh҂hѦҁшѿaѾMҀјѿе҂ѡҀшҁјh҂hѦҁш'
    var env = {
        a: (x,y) => x[y],
        b: (x,y) => Function.constructor.apply.apply(x, y),
        c: (x,y) => x+y,
        d: (x) => String.fromCharCode(x),
        e: 0,
        f: 1,
        g: new TextEncoder().encode(password),
        h: 0,
    };
    for (var i = 0; i < code.length; i += 4) {
        var [lhs, fn, arg1, arg2] = code.substr(i, 4);
        try {
            env[lhs] = env[fn](env[arg1], env[arg2]);
        } catch(e) {
            env[lhs] = new env[fn](env[arg1], env[arg2]);
        }
        if (env[lhs] instanceof Promise) env[lhs] = await env[lhs];
    }
    return !env.h;
}

If you scroll along, you'll see that code variable is very long. It's four hundred 4-byte instructions of a tiny VM, whose global (and only) state is the object env. In this limited world, the only operations available are method application and object instantiation with exactly 2 parameters each. And sure, it'll deal with it for you if a Promise ever gets thrown into the mix. That's how kind it is.

The world we start with is quite limited.

var env = {
    a: (x,y) => x[y],
    b: (x,y) => Function.constructor.apply.apply(x, y),
    c: (x,y) => x+y,
    d: (x) => String.fromCharCode(x),
    e: 0,
    f: 1,
    g: new TextEncoder().encode(password),
    h: 0,
};

In terms of functions, that's array dereference (getItem), method application (apply), add, and fromCharCode.

As a starting point, we're allowed the numbers 0 and 1, and of course, access to the password we entered (as an array of bytes).

h is the variable that must equal 0 at the end to indicate a valid password.

Where there's contrived bytecode there's room for a contrived disassembler.

class ExpressionDisassembler {
    constructor(lhs, fn, arg1, arg2, env) {
        this.lhs = lhs
        this.fn = fn
        this.arg1 = arg1
        this.arg2 = arg2
        this.env = env

        this.arg1old = env[arg1]
        this.arg2old = env[arg2]

        this.labels = {
            a: 'getItem',
            b: 'apply',
            c: 'add',
            d: 'fromCharCode',
            g: 'passwordBytes',
            ѡ: 'bitwiseXOR',
            Ѧ: 'bitwiseOR',
            ѐ: 'window',
            ј: 'Array',
        }
    }

    getNiceName(symbol) {
        return this.labels[symbol] || symbol
    }

    async logFunctionCall() {
        this.log({ isInstance: false })
    }

    async logClassInstantiation() {
        this.log({ isInstance: true })
    }

    async log({ isInstance }) {
        let lhs = this.lhs
        let fn = this.getNiceName(this.fn)
        let arg1 = this.getNiceName(this.arg1)
        let arg2 = this.getNiceName(this.arg2)
        let arg1old = this.arg1old
        let arg2old = this.arg2old

        let v = this.env[this.lhs]
        if (v instanceof Promise) {
            v = await v
        }
        console.log(`${lhs} = ${isInstance ? 'new ' : ''}${fn}(${arg1}, ${arg2}) = ${fn}(${arg1old}, ${arg2old}) = ${v}`)
    }
}

We alias and give names to some of the more important functions in labels, which should make it easier to understand the disassembly.

var disassembler = new ExpressionDisassembler(lhs, fn, arg1, arg2, env)

try {
    env[lhs] = env[fn](env[arg1], env[arg2]);
    await disassembler.logFunctionCall()
} catch(e) {
    env[lhs] = new env[fn](env[arg1], env[arg2]);
    await disassembler.logClassInstantiation()
}

With our disassembler code interspersed, everything is ready. When we enter our sample password into the interface we'll get a dump of everything that happened.

For reference, view the full disassembly.

If you recall from earlier, we're starting with nothing. The numbers 0 and 1 and some basic functions. What does every good piece of code need? Numbers. Let's make some numbers.

i = add(f, f) = add(1, 1) = 2
j = add(i, f) = add(2, 1) = 3
k = add(i, i) = add(2, 2) = 4
l = add(k, f) = add(4, 1) = 5
m = add(k, i) = add(4, 2) = 6
n = add(m, f) = add(6, 1) = 7
o = add(k, k) = add(4, 4) = 8
p = add(o, f) = add(8, 1) = 9
q = add(o, i) = add(8, 2) = 10
r = add(q, f) = add(10, 1) = 11
s = add(o, k) = add(8, 4) = 12
t = add(s, f) = add(12, 1) = 13

Yes, yes, soon we'll have all the numbers.

u = add(s, i) = add(12, 2) = 14
v = add(u, f) = add(14, 1) = 15
w = add(o, o) = add(8, 8) = 16
x = add(w, f) = add(16, 1) = 17
y = add(w, i) = add(16, 2) = 18
A = add(y, f) = add(18, 1) = 19
B = add(w, k) = add(16, 4) = 20
C = add(B, f) = add(20, 1) = 21
D = add(B, i) = add(20, 2) = 22
E = add(D, f) = add(22, 1) = 23
F = add(w, o) = add(16, 8) = 24
G = add(F, f) = add(24, 1) = 25
H = add(F, i) = add(24, 2) = 26
I = add(H, f) = add(26, 1) = 27
J = add(F, k) = add(24, 4) = 28
K = add(J, f) = add(28, 1) = 29
L = add(J, i) = add(28, 2) = 30
M = add(L, f) = add(30, 1) = 31
N = add(w, w) = add(16, 16) = 32
O = add(N, N) = add(32, 32) = 64
P = add(O, O) = add(64, 64) = 128
Q = add(P, O) = add(128, 64) = 192
R = add(Q, N) = add(192, 32) = 224
S = add(R, k) = add(224, 4) = 228
T = add(S, i) = add(228, 2) = 230
U = add(O, N) = add(64, 32) = 96
V = add(U, o) = add(96, 8) = 104
W = add(O, w) = add(64, 16) = 80
X = add(W, k) = add(80, 4) = 84
Y = add(V, k) = add(104, 4) = 108
Ѐ = add(Y, i) = add(108, 2) = 110
Ё = add(Ѐ, f) = add(110, 1) = 111
Ђ = add(Q, o) = add(192, 8) = 200
Ѓ = add(Ђ, k) = add(200, 4) = 204
Є = add(Ѓ, f) = add(204, 1) = 205
Ѕ = add(P, N) = add(128, 32) = 160
І = add(Ѕ, w) = add(160, 16) = 176
Ї = add(І, o) = add(176, 8) = 184
Ј = add(Ї, i) = add(184, 2) = 186
Љ = add(Ј, f) = add(186, 1) = 187
Њ = add(P, k) = add(128, 4) = 132
Ћ = add(Њ, i) = add(132, 2) = 134
Ќ = add(І, i) = add(176, 2) = 178
Ѝ = add(Ќ, f) = add(178, 1) = 179
Ў = add(W, o) = add(80, 8) = 88
Џ = add(Ў, k) = add(88, 4) = 92
А = add(Џ, i) = add(92, 2) = 94
Б = add(І, k) = add(176, 4) = 180
В = add(Б, f) = add(180, 1) = 181
Г = add(N, k) = add(32, 4) = 36
Д = add(Г, f) = add(36, 1) = 37
Е = add(Ї, k) = add(184, 4) = 188
Ж = add(Е, i) = add(188, 2) = 190
З = add(Ж, f) = add(190, 1) = 191
И = add(R, w) = add(224, 16) = 240
Й = add(И, o) = add(240, 8) = 248
К = add(Й, k) = add(248, 4) = 252
Л = add(U, k) = add(96, 4) = 100
М = add(Л, i) = add(100, 2) = 102
Н = add(М, f) = add(102, 1) = 103
О = add(И, k) = add(240, 4) = 244
П = add(О, i) = add(244, 2) = 246
Р = add(П, f) = add(246, 1) = 247
С = add(U, w) = add(96, 16) = 112
Т = add(С, i) = add(112, 2) = 114
У = add(Q, k) = add(192, 4) = 196
Ф = add(У, i) = add(196, 2) = 198
Х = add(Ѓ, i) = add(204, 2) = 206
Ц = add(Q, w) = add(192, 16) = 208
Ч = add(Ц, o) = add(208, 8) = 216
Ш = add(Ч, k) = add(216, 4) = 220
Щ = add(Ш, i) = add(220, 2) = 222
Ъ = add(Щ, f) = add(222, 1) = 223
Ы = add(R, i) = add(224, 2) = 226
Ь = add(Ы, f) = add(226, 1) = 227
Э = add(К, i) = add(252, 2) = 254
Ю = add(Э, f) = add(254, 1) = 255
Я = add(С, o) = add(112, 8) = 120
а = add(Я, i) = add(120, 2) = 122
б = add(Г, i) = add(36, 2) = 38
в = add(Й, i) = add(248, 2) = 250
г = add(R, o) = add(224, 8) = 232
д = add(г, k) = add(232, 4) = 236
е = add(д, i) = add(236, 2) = 238

Numbers are the building blocks for everything, so it makes sense that there would be a lot of them. Numbers can become characters, characters can become words and words can become executable code.

ж = fromCharCode(Т) = fromCharCode(114) = r
з = add(Л, f) = add(100, 1) = 101
и = fromCharCode(з) = fromCharCode(101) = e
ж = add(ж, и) = add(r, e) = re
й = add(С, k) = add(112, 4) = 116
к = fromCharCode(й) = fromCharCode(116) = t
ж = add(ж, к) = add(re, t) = ret
л = add(й, f) = add(116, 1) = 117
м = fromCharCode(л) = fromCharCode(117) = u
ж = add(ж, м) = add(ret, u) = retu
н = fromCharCode(Т) = fromCharCode(114) = r
ж = add(ж, н) = add(retu, r) = retur
о = fromCharCode(Ѐ) = fromCharCode(110) = n
ж = add(ж, о) = add(retur, n) = return

Here the word return built up character by character. Using the same technique, the code goes on to create a few more familiar strings such as constructor, window, Array, Uint8Array, and crypto.

These words are used to run code that SHA-256 hashes the input password and stores it in a variable, so that it can later be compared to the hash of the correct password.

ѷ = Array(Ѳ, passwordBytes) = Array(sha-256, 72,101,108,108,111) = [sha-256, 72,101,108,108,111]
Ѹ = Array(ѭ, ѷ) = Array([object SubtleCrypto], [sha-256, 72,101,108,108,111]) = [[object SubtleCrypto], [sha-256, 72,101,108,108,111]]
ѹ = apply(Ѱ, Ѹ) = apply(function digest() { [native code] }, [[object SubtleCrypto], [sha-256, 72,101,108,108,111]]) = [object ArrayBuffer]
Ѿ = new ѽ(ѹ, ш) = ѽ([object ArrayBuffer], x) = 24,95,141,179,34,113,254,37,245,97,166,252,147,139,46,38,67,6,236,48,78,218,81,128,7,209,118,72,38,56,25,105

In crypto one way to mitigate timing attacks is to carry out comparisons in constant time. That is, a successful match takes the same amount of time as an unsuccessful match.

If the passwords were compared via a normal character-by-character comparison, breaking out once the first non-matching character is hit, it would potentially be possible to figure it out via a sidechannel attack.

ѡ = љ(ш, њ) = љ(x, return x[0]^x[1]) = function anonymous(x) { return x[0]^x[1] }
Ѧ = Ѣ(ш, ѣ) = Ѣ(x, return x[0]|x[1]) = function anonymous(x) { return x[0]|x[1] }

These two functions are bitwise OR and XOR.

One of the properties of XOR is that if you XOR two of the same values, the result is 0.

Therefore one way to compare two arrays in constant time is to XOR each value with itself and OR it with another value h that starts at 0. If h is 0 at the end of the comparisons then you can be sure the result of the XOR at each iteration was 0, hence the strings match. Importantly, whether or not they match, the entire array is traversed.

Below is the first iteration of the loop through the hash.

ѿ = getItem(Ѿ, e) = getItem(24,95,141,179,34,113,254,37,245,97,166,252,147,139,46,38,67,6,236,48,78,218,81,128,7,209,118,72,38,56,25,105, 0) = 24
Ҁ = Array(ѿ, T) = Array(24, 230) = [24, 230]
҂ = bitwiseXOR(Ҁ, ш) = bitwiseXOR([24, 230], x) = 254
ҁ = Array(h, ҂) = Array(0, 254) = [0, 254]
h = bitwiseOR(ҁ, ш) = bitwiseOR([0, 254], x) = 254

The important part is bitwiseXOR([24, 230], x) = 254, where it compares 24 (from our incorrect password hash) to 230 (from the correct password hash).

All that's left to do is extract out the second parameter of each call to bitwiseXOR, and convert it to a hex string.

e66860546f18cdbbcd86b35e18b525bffc67f772c650cedfe3ff7a0026fa1dee

The comment from earlier ("check if they can just use Google to get the password") tells us to simply look up this hash in a rainbow table.

In the end, the flag was CTF{Passw0rd!}.

Code