> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/vulnerability-discovery/source-code-analysis/trick-0351.md).

# Api Discovery Via Deobfuscated Javascript And Decoding

***

Analyzing deobfuscated JavaScript client-side code can reveal hidden API endpoints and required interaction sequences.

Often, responses from discovered APIs contain further instructions or data encoded using schemes like ROT13 or Base64.

First, analyze the JS to find the initial endpoint. A POST request to this endpoint might return an encoded string guiding the next step:

```bash
curl -X POST http://2million.htb/api/v1/invite/how/to/generate
# Output reveals ROT13: Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/i1/vaivgr/trarengr
```

Decode the ROT13 string to discover the actual endpoint needed to generate the code (`/api/v1/invite/generate`). This can be done using the `tr` command:

```bash
echo "Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/i1/vaivgr/trarengr" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
# Output: In order to generate the invite code, make a POST request to /api/v1/invite/generate
```

Make a POST request to this new endpoint:

```bash
curl -X POST http://2million.htb/api/v1/invite/generate
# Output reveals Base64: WkhOeGMybG5hWFJvWVc1amJHMXZKUSUzRA==
```

Decode the Base64 string:

```bash
echo "WkhOeGMybG5hWFJvWVc1amJHMXZKUSUzRA==" | base64 -d
# Output: ThNxNc2lnaXRvYW5jZkQ%3D
```

The output `ThNxNc2lnaXRvYW5jZkQ%3D` is the next encoded string. This appears to be URL encoded and requires one final decoding step to obtain the actual invite code. This can be done using Python:

```bash
echo "ThNxNc2lnaXRvYW5jZkQ%3D" | python3 -c 'import sys, urllib.parse; print(urllib.parse.unquote(sys.stdin.read()))'
# Output: ThNxNc2lnaXRvYW5jZkQ=
```

Use this final decoded code (`ThNxNc2lnaXRvYW5jZkQ=`) as required by the challenge, typically on an invite or registration page.
