Natas8 - natas9

From JaxHax

Level Goal

Input secret: [____________________________]
[Submit Query]
                               <View sourcecode>

Solution

I decided to click the <View sourcecode> link, which goes to http://natas8.natas.labs.overthewire.org/index-source.html

It gave me the following code:

<html>
   <head>
      <!-- This stuff in the header has nothing to do with the level -->
      <link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
      <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
      <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
      <script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
      <script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
      <script src=http://natas.labs.overthewire.org/js/wechall-data.js></script>
      <script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
      <script>var wechallinfo = { "level": "natas8", "pass": "<censored>" };</script>
   </head>
   <body>
      <h1>natas8</h1>
      <div id="content">

<?

$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
    print "Access granted. The password for natas9 is <censored>";
    } else {
    print "Wrong secret";
    }
}
?>

         <form method=post>
            Input secret: <input name=secret><br>
            <input type=submit name=submit>
         </form>

         <div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
      </div>
   </body>
</html>


So the PHP code checks the user-submitted value against the $encodedSecret value. The value we submit first goes through the encodeSecret() function they wrote, which is a one-liner:

    return bin2hex(strrev(base64_encode($secret)));


This function will take a string and do the following:

  1. base64 encode the string
  2. Reverse the base64 encoded string
  3. convert it to a hex string


So the value in $encodedSecret likely went through this function. If the value is examined as hex, every byte is a printable ASCII character:

$encodedSecret = "3d3d516343746d4d6d6c315669563362";


Since encodeSecret() is only encoding, it is completely reversible, meaning we can decode the value of $encodedSecret.


We can actually do this just using the bash shell:

  1. Format the string with "\x" before every two characters
  2. Run that string through echo -ne (-e makes it aware of escape characters [\x is for hex], -n means no newline)
  3. This gives us ==QcCtmMml1ViV3b, which is a backwards base64-encoded string. Pipe it into the 'rev' command to flip it.
  4. This gives us b3ViV1lmMmtCcQ==, which is base64; we can decode it by piping it into 'base64 -d'
  5. That gives us the final value: oubWYf2kBq


So the entire process in a bash shell one-liner:

$ echo -en "\x3d\x3d\x51\x63\x43\x74\x6d\x4d\x6d\x6c\x31\x56\x69\x56\x33\x62" | rev | base64 -d
oubWYf2kBq
$
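
The same decode as a reusable script, added here as an example and not part of the original write-up: it takes the hex string as-is (no manual "\x" formatting) and re-encodes the result to confirm it matches $encodedSecret. The function names hex_decode, decode_secret and encode_secret are made up for this example.

```sh
#!/bin/sh
# Added example: invert bin2hex(strrev(base64_encode($secret))) in the shell.

# Hex string -> raw bytes, one byte pair at a time (portable octal escapes).
hex_decode() {
    case "$1" in ''|*[!0-9a-fA-F]*) return 1 ;; esac   # hex digits only
    [ $(( ${#1} % 2 )) -eq 0 ] || return 1             # whole bytes only
    printf '%s\n' "$1" | fold -w 2 | while read -r byte; do
        printf "\\$(printf '%03o' "0x$byte")"
    done
}

# Undo the three steps in reverse order: hex -> reverse -> base64 decode.
decode_secret() {
    raw=$(hex_decode "$1") || return 1
    printf '%s\n' "$raw" | rev | base64 -d
}

# Same steps as the PHP encodeSecret(): base64 -> reverse -> hex.
encode_secret() {
    b64=$(printf '%s' "$1" | base64 | tr -d '\n')
    printf '%s\n' "$b64" | rev | tr -d '\n' | od -An -v -tx1 | tr -d ' \n'
}

encoded="3d3d516343746d4d6d6c315669563362"   # $encodedSecret from the page
secret=$(decode_secret "$encoded")
echo "decoded:    $secret"
echo "re-encoded: $(encode_secret "$secret")"
```

If the re-encoded line equals the original hex string, the decoded value is exactly what the PHP comparison expects.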


This means we want to submit oubWYf2kBq in the form, since when that is encoded it will match $encodedSecret. Doing so gives us:

Access granted. The password for natas9 is W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl 
Input secret: [____________________________]
[Submit Query]
                               <View sourcecode>