API 15

This exercise covers how to exploit a leaked encrypted password with an API.

PRO
Tier
Hard
1-2 Hrs.
101
API Badge

Course


In this challenge, the objective is to retrieve the password for the user `admin@libcurl.so` by leveraging leaked API call information. You can either audit the source code or debug the application to understand the encryption method used for the password. Once you identify the encryption routine, you will write a decrypter to convert the encrypted password back to its cleartext form.

The video walks you through using developer tools to set breakpoints and step through the JavaScript code to find the encryption logic. By carefully examining the code, you can locate the encryption and decryption functions. You will then copy these routines and use a tool like `CryptoJS` to decrypt the password. Finally, you will run the decryption script in a Docker container to obtain the cleartext password, which is the key for this challenge.

This exercise demonstrates that even if a front end encrypts passwords, the encryption and decryption logic stored in the front end can be reverse-engineered to retrieve the original password.

Want to learn more? Get started with PentesterLab Pro! GO PRO