Natas8 - natas9

From JaxHax

Level Goal

Input secret: [____________________________]
[Submit Query]
                               <View sourcecode>


Decided to click the <View sourcecode> link which goes to

It gave me the following code:

      <!-- This stuff in the header has nothing to do with the level -->
      <link rel="stylesheet" type="text/css" href="">
      <link rel="stylesheet" href="" />
      <link rel="stylesheet" href="" />
      <script src=""></script>
      <script src=""></script>
      <script src=></script>
      <script src=""></script>
      <script>var wechallinfo = { "level": "natas8", "pass": "<censored>" };</script>
      <div id="content">


<?

$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
        print "Access granted. The password for natas9 is <censored>";
    } else {
        print "Wrong secret";
    }
}
?>

         <form method=post>
            Input secret: <input name=secret><br>
            <input type=submit name=submit>

         <div id="viewsource"><a href="index-source.html">View sourcecode</a></div>

So the PHP code checks the user-submitted value against the $encodedSecret value. Before the comparison, the submitted value goes through the encodeSecret() function they wrote, which is a one-liner:

    return bin2hex(strrev(base64_encode($secret)));

This function will take a string and do the following:

  1. Base64-encode the string
  2. Reverse the base64-encoded string
  3. Convert it to a hex string

So the value in $encodedSecret likely went through this method. If the value is examined as hex, it is all printable ASCII values:

$encodedSecret = "3d3d516343746d4d6d6c315669563362";

Since encodeSecret() only applies encodings, it is completely reversible, meaning we can decode the value of $encodedSecret.

We can actually do this just using the bash shell:

  1. Format the string with "\x" every two characters
  2. Run that string through echo -ne (-e makes it aware of escape characters [\x is for hex], -n means no newline)
  3. This gives us ==QcCtmMml1ViV3b, which is a backwards base64-encoded string. Pipe it into the 'rev' command to flip it.
  4. This gives us b3ViV1lmMmtCcQ==, which is base64; we can decode it by piping it into 'base64 -d'
  5. This gives us the final value: oubWYf2kBq

So the entire process in a bash shell one-liner:

$ echo -en "\x3d\x3d\x51\x63\x43\x74\x6d\x4d\x6d\x6c\x31\x56\x69\x56\x33\x62" | rev | base64 -d

This means we want to submit oubWYf2kBq in the form, since encoding that value will match $encodedSecret. Doing so gives us:

Access granted. The password for natas9 is W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl 
Input secret: [____________________________]
[Submit Query]
                               <View sourcecode>