API 15
This exercise covers how to exploit a leaked encrypted password with an API.
In this challenge, the objective is to retrieve the password for the user admin@libcurl.so by leveraging leaked API call information. You can either audit the source code or debug the application to understand the encryption method used for the password. Once you identify the encryption routine, you will write a decrypter to convert the encrypted password back to its cleartext form.
The video walks you through using developer tools to set breakpoints and step through the JavaScript code to find the encryption logic. By carefully examining the code, you can locate the encryption and decryption functions. You will then copy these routines and use a tool like CryptoJS to decrypt the password. Finally, you will run the decryption script in a Docker container to obtain the cleartext password, which is the key for this challenge.
This exercise demonstrates that even if a front end encrypts passwords, the encryption and decryption logic stored in the front end can be reverse-engineered to retrieve the original password.
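The design flaw described above, next to the server-side alternative, as an added Node.js example that is not the exercise's code. The cipher (AES-256-GCM), the key, the sample password and all function names are assumptions made for illustration; the page does not state which routine the application uses.

```javascript
// Added illustration; cipher, key and function names are assumptions.
const nodeCrypto = require('node:crypto');

// --- Weak pattern: reversible "protection" with a key shipped to every browser ---
// Constructed demo key: in this pattern the key is a constant in the JS bundle.
const BUNDLED_KEY = nodeCrypto.createHash('sha256').update('constructed-demo-key').digest();

function clientEncrypt(password) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', BUNDLED_KEY, iv);
  const ct = Buffer.concat([cipher.update(password, 'utf8'), cipher.final()]);
  // Layout: 12-byte IV | 16-byte auth tag | ciphertext
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Every visitor receives BUNDLED_KEY, so a leaked value is equivalent to cleartext.
function recoverFromLeak(blob) {
  const raw = Buffer.from(blob, 'base64');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', BUNDLED_KEY, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// --- Hardened: the server stores a salted one-way scrypt hash; there is no key to find ---
function serverStore(password) {
  const salt = nodeCrypto.randomBytes(16);
  const hash = nodeCrypto.scryptSync(password, salt, 32);
  return `${salt.toString('hex')}:${hash.toString('hex')}`;
}

function serverVerify(password, record) {
  const [saltHex, hashHex] = record.split(':');
  const expected = Buffer.from(hashHex, 'hex');
  const actual = nodeCrypto.scryptSync(password, Buffer.from(saltHex, 'hex'), expected.length);
  return nodeCrypto.timingSafeEqual(actual, expected); // constant-time comparison
}
```

With the hashed record, an API response that leaks the stored value exposes only a salt and a digest, and the password travels to the server over TLS instead of being "encrypted" in the page.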