Web Application Exploitation Challenge 3 - JS Vault

Prompt

Super Secure Vault Corp has released a new top-of-the-line client-side vault, reinforced with industry-grade obfuscation and debugging protections! Can you crack the code and extract the secrets hidden within?


Answers

Q1 (5 pts) - Are there any tools that can automatically reverse JavaScript obfuscations (Y/N)?
Y

Q2 (10 pts) - What three characters prefix every function?
cs_

Q3 (15 pts) - What digits will never be part of the combination, regardless of the flag value? Enter digits separated with commas, ex: 1,2,3
8,9

Q4 (15 pts) - Which function returns the SKY- prefix for the flag?
cs_V

Q5 (15 pts) - There is a function that reaches out to the server. What file does it retrieve?
favicon.png

Q6 (40 pts) - What is the flag for this challenge?
SKY-LOMA-6959


Steps I Took

Q1 — I searched for JavaScript deobfuscation tools and confirmed that several automatic options exist.

Q2 — I checked Inspect Element, opened the debugger, and worked through vault.js. The functions all used the cs_ prefix.

Screenshot

This was the point where I needed extra help interpreting the obfuscated code, so I used AI assistance to understand what the functions were doing.

The explanation showed that cs_f resolves values from a string table in cs_e, which is a common JavaScript obfuscation pattern. It also confirmed that the meaningful functions all shared the cs_ prefix.

From there, I identified that cs_V() returned the SKY- prefix.

The function cs_W() made a network request and retrieved favicon.png. The file was fetched as binary data, converted into a Uint8Array, and then decoded with a self-referential XOR loop followed by a byte-array rotation.

After decoding, cs_X() separated the result into alphabetic and numeric values. The alphabetic portion produced LOMA, and the numeric portion produced 6959.

Those pieces combined into LOMA-6959, and the final validation compared cs_V() + cs_X(), which produced the full flag:

SKY-LOMA-6959
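The decoding pipeline described above (binary fetch into a Uint8Array, a self-referential XOR loop, a byte-array rotation, then a split into letters and digits), reconstructed as an added example. This is not the challenge's vault.js: the payload bytes, the XOR seed and the rotation amount are constructed here so the example runs offline, because the writeup names the pattern but not those values.

```javascript
// Added example (not the challenge's own vault.js): the decoding pattern the
// writeup describes, run on constructed bytes instead of a fetched favicon.png.

// Constructed stand-in for the bytes cs_W() read from favicon.png. The real
// file's contents are not in the writeup; these were produced by applying the
// inverse of decodeVault() to "LOMA6959".
const CONSTRUCTED_PAYLOAD = new Uint8Array([0x63, 0x0c, 0x0c, 0x75, 0x03, 0x02, 0x0c, 0x77]);

// Hypothetical parameters: the writeup mentions a self-referential XOR loop
// and a rotation but gives neither the seed nor the rotation distance.
const XOR_SEED = 0x5a;
const ROTATE_LEFT = 3;

// Self-referential XOR: each byte is XORed with the previously *decoded* byte,
// so the chain must be walked in order from a known seed.
function xorChainDecode(bytes, seed) {
  const out = new Uint8Array(bytes.length);
  let prev = seed;
  for (let i = 0; i < bytes.length; i++) {
    out[i] = bytes[i] ^ prev;
    prev = out[i];
  }
  return out;
}

// Byte-array rotation: move the first n bytes to the end (n wraps modulo length).
function rotateLeft(bytes, n) {
  const len = bytes.length;
  const k = ((n % len) + len) % len;
  const out = new Uint8Array(len);
  out.set(bytes.subarray(k), 0);
  out.set(bytes.subarray(0, k), len - k);
  return out;
}

// Analogue of cs_X(): separate the decoded text into its alphabetic and
// numeric parts, discarding anything else.
function splitAlphaNum(text) {
  let alpha = '';
  let num = '';
  for (const ch of text) {
    if (/[A-Za-z]/.test(ch)) alpha += ch;
    else if (/[0-9]/.test(ch)) num += ch;
  }
  return { alpha, num };
}

// Full pipeline: XOR chain, then rotation, then the letters/digits split.
function decodeVault(bytes, seed = XOR_SEED, rot = ROTATE_LEFT) {
  const plain = rotateLeft(xorChainDecode(bytes, seed), rot);
  const text = String.fromCharCode(...plain);
  const { alpha, num } = splitAlphaNum(text);
  return `${alpha}-${num}`;
}

// Analogue of the final check, cs_V() + cs_X(): the SKY- prefix is the one
// value here that the writeup states directly.
function buildFlag(bytes) {
  return 'SKY-' + decodeVault(bytes);
}

console.log(buildFlag(CONSTRUCTED_PAYLOAD));
```

Stepping through such a function in the browser debugger with a breakpoint after the XOR loop, and again after the rotation, shows the intermediate Uint8Array at each stage; that is usually faster than reading the obfuscated source and is how the `cs_f`/`cs_e` string-table indirection can be bypassed entirely, since the debugger shows the resolved values.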

Screenshot