Natas11 - natas12

From JaxHax

Level Goal

Cookies are protected with XOR encryption

Background color: [_#ffffff____________________] [Set color]

                               <View sourcecode>


Solution

Decided to click the <View sourcecode> link which goes to http://natas11.natas.labs.overthewire.org/index-source.html. It gave me the following code:

<html>
   <head>
      <!-- This stuff in the header has nothing to do with the level -->
      <link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
      <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
      <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
      <script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
      <script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
      <script src=http://natas.labs.overthewire.org/js/wechall-data.js></script>
      <script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
      <script>var wechallinfo = { "level": "natas11", "pass": "<censored>" };</script>
   </head>
<?

$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");

function xor_encrypt($in) {
    $key = '<censored>';
    $text = $in;
    $outText = '';

    // Iterate through each character
    for($i=0;$i<strlen($text);$i++) {
    $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }

    return $outText;
}

function loadData($def) {
    global $_COOKIE;
    $mydata = $def;
    if(array_key_exists("data", $_COOKIE)) {
    $tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE["data"])), true);
    if(is_array($tempdata) && array_key_exists("showpassword", $tempdata) && array_key_exists("bgcolor", $tempdata)) {
        if (preg_match('/^#(?:[a-f\d]{6})$/i', $tempdata['bgcolor'])) {
        $mydata['showpassword'] = $tempdata['showpassword'];
        $mydata['bgcolor'] = $tempdata['bgcolor'];
        }
    }
    }
    return $mydata;
}

function saveData($d) {
    setcookie("data", base64_encode(xor_encrypt(json_encode($d))));
}

$data = loadData($defaultdata);

if(array_key_exists("bgcolor",$_REQUEST)) {
    if (preg_match('/^#(?:[a-f\d]{6})$/i', $_REQUEST['bgcolor'])) {
        $data['bgcolor'] = $_REQUEST['bgcolor'];
    }
}

saveData($data);

?>

   <h1>natas11</h1>
   <div id="content">
      <body style="background: <?=$data['bgcolor']?>;">
         Cookies are protected with XOR encryption<br/><br/>

<?
if($data["showpassword"] == "yes") {
    print "The password for natas12 is <censored><br>";
}

?>

         <form>
            Background color: <input name=bgcolor value="<?=$data['bgcolor']?>">
            <input type=submit value="Set color">
         </form>

         <div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
      </div>
   </body>
</html>


So the PHP code takes the array 'data', JSON-encodes it, XORs it with the key and base64-encodes the result, then stores that as the 'data' cookie, which is also where it reads the value back from. The array has two keys, bgcolor and showpassword. If showpassword is yes we get the password, so we need to set that in our XOR-encrypted cookie.


The code above censors the XOR key, but with XOR that is easy to recover: XORing the ciphertext against the known cleartext gives back the key that was used to produce it.


Our current default cookie value is "ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw=". So we will use its base64-decoded value as the key and XOR it against the normal default 'data' array. For this you will want a system with PHP installed. Two suggestions:

  1. Kali linux already ships with PHP.
  2. PHP scripts can be executed from the command line with the php command. A web server isn't needed.


This code should get that value for us:

<?php
// Use the base64-decoded default cookie as the "key" and XOR it with the
// default data: ciphertext XOR known plaintext leaves the real keystream.
function xor_encrypt($text) {
    $key = base64_decode('ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw=');
    $outText = '';

    for($i=0;$i<strlen($text);$i++) {
       $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }

    return $outText;
}

$data = array("showpassword"=>"no", "bgcolor"=>"#ffffff");
print xor_encrypt(json_encode($data));
?>


When run we get the following:

$ php test.php 
qw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jq


We see it's just the value 'qw8J' repeated. So let's set that as the key, add the base64 encoding and see if it generates the default cookie value:

<?php
// Same routine as the level's xor_encrypt(), now with the recovered key.
function xor_encrypt($text) {
    $key = 'qw8J';
    $outText = '';

    for($i=0;$i<strlen($text);$i++) {
       $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }

    return $outText;
}

$data = array("showpassword"=>"no", "bgcolor"=>"#ffffff");
print base64_encode(xor_encrypt(json_encode($data)));
?>


This gives us the following when run:

$ php test.php 
ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw=


Success!!! That was our default value! One small tweak to the script and we can get a cookie with showpassword = yes!

<?php
// Only change from the previous script: showpassword is now "yes".
function xor_encrypt($text) {
    $key = 'qw8J';
    $outText = '';

    for($i=0;$i<strlen($text);$i++) {
       $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }

    return $outText;
}

$data = array("showpassword"=>"yes", "bgcolor"=>"#ffffff");
print base64_encode(xor_encrypt(json_encode($data)));
?>


$ php test.php
ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK


That should be it!!! Let's use the cookie tab in Firebug to set it as the value of the 'data' cookie and refresh the page to get:

Cookies are protected with XOR encryption

The password for natas12 is EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3

Background color: [_#ffffff____________________] [Set color]

                               <View sourcecode>


We get our password: EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3


Done Son!
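As an added example (not part of the original writeup, and in Python rather than the PHP above), the following does the key recovery in general by finding the shortest repeating period of the keystream instead of eyeballing it, confirms that the recovered key reproduces both cookie values quoted above, and shows the check the level is missing: a server-side HMAC tag over the cookie, so a payload that was rebuilt or edited by the client is rejected. The secret value and the helper names are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Values quoted in the writeup: the level's default cookie and the array it encodes.
DEFAULT_COOKIE = "ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw="
DEFAULT_DATA = {"showpassword": "no", "bgcolor": "#ffffff"}


def php_json(obj):
    """Match PHP json_encode() output (no spaces) for the flat arrays used here."""
    return json.dumps(obj, separators=(",", ":")).encode()


def xor_bytes(data, key):
    """Repeating-key XOR, the same operation as the level's xor_encrypt()."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(cookie_b64, known_plaintext):
    """Ciphertext XOR known plaintext is the keystream; return its shortest period."""
    stream = xor_bytes(base64.b64decode(cookie_b64), known_plaintext)
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream  # no repetition found: the key is at least as long as the data


def encode_cookie(key, data):
    """What the level's saveData() emits for data under the given key."""
    return base64.b64encode(xor_bytes(php_json(data), key)).decode()


# Mitigation (assumed design, not from the level): drop the XOR, which hides nothing
# once one plaintext is known, and authenticate the payload with a server-side HMAC.
SERVER_SECRET = b"constructed-demo-secret"  # assumption: never sent to the client


def sign_cookie(data):
    payload = base64.b64encode(php_json(data)).decode()
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def load_signed_cookie(cookie):
    """Return the decoded dict only if the tag verifies; None for anything else."""
    payload, sep, tag = cookie.partition(".")
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.b64decode(payload))
```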