Extend (Forensics)
In a challenge file, I encountered an anime image. Upon inspecting the image, I used ExifTool and discovered a comment containing a link: https://justuser-tmpusage.github.io/BHatCtf.github.io/
I visited the webpage and found it to be the actual briefing for the challenge.
Towards the end of the page, it mentioned, “find more data somewhere here.” To start, I examined the source code and navigated to its GitHub repo, discovering additional details in the fulldata.md file.
The “more data here” anchor tag redirected me to a Pastebin where I found some credentials, indicating that only the mega.nz link would work.
After visiting the mega.nz drive link and unlocking it using the decryption key, I found a Google.7z file.
Real Challenge files
Upon downloading and unzipping the file, it seemed like the real challenge began. I obtained a Chrome userdata folder for the user “jacksmp.”
The challenge, as stated on the briefing webpage, was to identify the reason behind the compromise of jacksmp’s personal data. Initially, I examined the history, bookmarks, and cache, but found no useful information.
Attempting to grep directly for the flag “BHflagy{}” and also converting it to base64. 
From the analysis, I speculated that ‘Qkh’ could be more relevant:
1
find . -type f -exec strings {} \; | grep -i 'Qkh'
However, all grepping attempts failed to find the flag.
Turning attention to the extensions folder, I noticed seven extensions, suggesting potential suspicious activity. I opened VSCode in that directory to navigate through each extension’s source code.
Some extension names seemed suspicious, but one extension code stands out due to obfuscated code—a clear violation of Chrome Web Store policies. 
Now, the focus shifted to deobfuscation since it was evident that this extension was the reason for the compromise.
Deobfuscation of malicious extension
First, I beautified the JavaScript code:
Then, I examined the function returning the array of words, simplifying it for better understanding:
The first function performed hex subtraction on its argument, returning the value of the main array. I simplified it, , assigning the name “randarr” for my convenience (it’s not random), and loaded both(retarray & randarr) into my browser console (this isn’t malicious) simply to facilitate the retrieval of those values through function calls.
The self-invoking function, following the initial function, is accountable for altering the position of elements within the array. 
Essentially, the code snippet below removes the first character from the array and appends it at the end. I couldn’t determine the exact number of iterations for this loop, so I devised an alternative approach.
1
_0x55ac68['push'](_0x55ac68['shift']());
Checking the domag() function and document[_0x52c4ab(0x19b)]:
I utilized the randarr loaded function to retrieve the value from the array. If it didn’t match the name of the document method, I determined the position of that word and then identified the document method, that could accept a string argument, from the main array. Subsequently, after finding that, I located its index and measured the distance from the incorrect word to that method name.
1
2
3
4
_0xe7653c = document[_0x52c4ab(0x19b)](_0x52c4ab(0x192)),
_0x2307c4 = document[_0x52c4ab(0x19b)](_0x52c4ab(0x1b1)),
_0x42cb77 = document[_0x52c4ab(0x19b)]('username'),
_0x22bc84 = document[_0x52c4ab(0x19b)](_0x52c4ab(0x19d));
create a new array and execute the command new_array['push'](new_array['shift']()) eight times; alternatively, a for loop can be employed. Following this step, ensure that the index of ‘getElementsByName’ aligns with our previously identified incorrect word index. 
Subsequently, replace that array with the array in the retarray function and reload to facilitate the deobfuscation process. After this step, everything started to fall into place, and I successfully deobfuscated the domag function.
Now, after deobfuscating the connect function, I obtained a WebSocket URL.
1
wss://Qf2MjYwAzNyIDOjVTZkJTY---1QjY0YGNxEDM1cTMxQ2YjV---WYwIjYzMTM2sXWHFETGhkQ.oast.pro/
Although my attempt to establish a connection with the WebSocket yielded no response, a more thorough examination of the URL jogged my memory about ‘Qkh’ I noticed it was written in reverse. Subsequently, I reversed the base64-encoded text and decoded it, revealing the flag. 
Show some support by following me on Github