
HackTheBox ChromeMiner Challenge

The ChromeMiner challenge on Hack The Box is an easy-level introduction to malware analysis: decompiling a .NET executable, unpacking the Chrome extension it fetches, and reversing an obfuscated AES-CBC decryption routine to recover the flag. It is well suited to beginners.

https://app.hackthebox.com/challenges/399

Description

Discurd has filed a DMCA violation regarding a popular browser extension claiming to be conducting VIP giveaways on the company’s product. The addon store has since taken down the extension to prevent any potential browser cryptomining malware from being distributed in the marketplace. Could you investigate what the ‘Discurd Nitro Giveaway’ addon does exactly?

Exploitation

Downloading the executable and decompiling it with ILSpy reveals the URL /c2VjcmV0/archive.zip?k=ZGlzY3VyZG5pdHJ1. Both the directory segment and the k parameter are base64-encoded, so decoding them is the first step in understanding what the binary fetches.

The ZIP at that endpoint contains the Chrome extension. Deobfuscating its background.js recovers the decryption routine below: AES-CBC through the WebCrypto API, with a hard-coded 16-byte key string that is also reused as the IV, applied to a hex-encoded ciphertext. Running the cleaned-up routine prints the flag. The key shown here is a placeholder rather than the real one.

// Deobfuscated decryption routine recovered from the extension's background.js.
// The key string below is a placeholder; the real key lives in the extension.
(async () => {
    const secretKey = "_NOT_THE_SECRET_";   // 16 ASCII bytes, so AES-128
    const hexEncodedData = "E242E64261D21969F65BEDF954900A995209099FB6C3C682C0D9C4B275B1C212BC188E0882B6BE72C749211241187FA8"; // 48 bytes = three AES blocks
    // Convert the hex string to raw bytes for WebCrypto.
    const hexToBytes = (hex) => new Uint8Array(hex.match(/../g).map(byte => parseInt(byte, 16)));
    const textEncoder = new TextEncoder();
    const keyData = textEncoder.encode(secretKey);
    // Import the raw key bytes as a non-extractable AES-CBC decryption key.
    const importedKey = await crypto.subtle.importKey(
        "raw",
        keyData,
        { name: "AES-CBC" },
        false,
        ["decrypt"]
    );
    // The extension reuses the key bytes as the IV. A fixed, key-derived IV
    // defeats the point of CBC's IV, but replaying the same choice is what we need.
    const iv = keyData;
    const encryptedData = hexToBytes(hexEncodedData);
    // WebCrypto strips the PKCS#7 padding; with a wrong key the padding check
    // almost always fails and the promise rejects instead of returning garbage.
    const decryptedData = await crypto.subtle.decrypt(
        { name: "AES-CBC", iv: iv },
        importedKey,
        encryptedData
    );
    const decodedData = new TextDecoder("utf-8").decode(decryptedData);
    console.log("Decrypted Data (Flag):", decodedData);
})();

Summary

The ChromeMiner challenge on Hack The Box introduces the fundamentals of .NET decompilation, Chrome extension analysis, and JavaScript deobfuscation. Analyzing the malicious executable with ILSpy uncovers a base64-encoded URL pointing to a ZIP file that contains a Chrome extension. Extracting the extension and deobfuscating its background.js script reveals the hidden functionality: an AES-CBC decryption routine with a hard-coded key reused as the IV, applied to a hex-encoded payload. The challenge gives hands-on experience in reversing malware, unpacking Chrome extensions, and analyzing obfuscated JavaScript to retrieve the HTB flag.

This post is licensed under CC BY 4.0 by the author.