Natas Level 11
28 Sep 2015 • LeanderThis is a solution guide to the Natas11 Level at overthewire. This write-up was created on 28 September 2015.
First connect to the website
- http://natas11.natas.labs.overthewire.org
- Enter the following as the username natas11 and password U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK
Let’s begin first by clicking on view source and examining the code for this level.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
<?php
$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");
function xor_encrypt($in) {
$key = '<censored>';
$text = $in;
$outText = '';
// Iterate through each character
for($i=0;$i<strlen($text);$i++) {
$outText .= $text[$i] ^ $key[$i % strlen($key)];}
return $outText;
}
function loadData($def) {
global $_COOKIE;
$mydata = $def;
if(array_key_exists("data", $_COOKIE)) {
$tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE["data"])), true);
if(is_array($tempdata) && array_key_exists("showpassword", $tempdata) && array_key_exists("bgcolor", $tempdata)) {
if (preg_match('/^#(?:[a-f\d]{6})$/i', $tempdata['bgcolor'])) {
$mydata['showpassword'] = $tempdata['showpassword'];
$mydata['bgcolor'] = $tempdata['bgcolor'];
}}}
return $mydata;
}
function saveData($d) {
setcookie("data", base64_encode(xor_encrypt(json_encode($d))));}
$data = loadData($defaultdata);
if(array_key_exists("bgcolor",$_REQUEST)) {
if (preg_match('/^#(?:[a-f\d]{6})$/i', $_REQUEST['bgcolor'])) {
$data['bgcolor'] = $_REQUEST['bgcolor'];}}
saveData($data);
?>
--snip--
<?php
if($data["showpassword"] == "yes") {
print "The password for natas12 is <censored><br>";}?>
This challenge is similar to the Natas8 level in that we are going to have to reverse an encryption routine. However, our first hint tells us that they used XOR to encrypt cookies. First, let’s examine our code.
- Line 2 tells us that we have default data
- Lines 3 - 12 is the encryption mechanism
- Lines 14-25 give us the restrictions for input into the background color box, and also the conditions which when met show us the flag
- Lines 27 and 28 provides information on how the default data is saved as a cookie
Let’s begin my looking at the encryption mechanism. We need a key, but don’t have one. However, we do have the original data. Fortunately, the properties for XOR will allow us to recover the key. The original data xored with the key produces the ciphertext, but the original data xored with the ciphertext will also produce the key!
P = Data, K = Key, C = Ciphertext
P ^ K = C
P ^ C = KTherefore we need to pass the original data to the xor function in place of the key and the cookie sitting in our browser as the input text. This will produce the key. After getting the key, place the real value for the key into the encryption function and pass it a slightly modified json encoded array. Both versions are shown together below inside one php script.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
<?php
$defaultdata = json_encode(array( "showpassword"=>"yes", "bgcolor"=>"#ffffff"));
function xor_decrypt($in) {
if ($in != ''){
$text = $in;
$key = json_encode(array( "showpassword"=>"no", "bgcolor"=>"#ffffff"));}
else{
$text = json_encode(array( "showpassword"=>"yes", "bgcolor"=>"#ffffff"));
$key = "qw8J";}
// Iterate through each character
$outText = '';
for($i=0;$i<strlen($text);$i++) {
$outText .= $text[$i] ^ $key[$i % strlen($key)];
}
return $outText;
}
print "Key is currently unknown.\n OriginalData ^ Key = CipherText\n\t";
print " so that also means,\n OriginalData ^ Ciphertext = Key\n Therefore the key will repeat itself: ";
print xor_decrypt(base64_decode("ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw="));
print "\nNow that we know the key lets create a new cookie to display the password: \n";
print base64_encode(xor_decrypt(""));
print "\n";
?>
After retrieving our newly created cookie, go back to the browser, update your cookie, and then receive the password for level 12.
Next Password: natas12:EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3