Created November 20, 2018 15:23 by thlor (gist d5f68cb7c62549687552bb56f0a8d4a7)
natas11 walkthrough
<?php
// See: http://natas11.natas.labs.overthewire.org/
// The color code is stored in a cookie.
// Cookie not legible (as we know it's encrypted by XOR).
// From the PHP source we see that:
// - cookie is also base64 encoded (find: base64_encode() and base64_decode() in source)
// - once decrypted, cookie contents are a json string (find: json_encode() and json_decode() in source)
// - this json has (at least) these two keys: "showpassword", "bgcolor" (see $data['bgcolor'] and $data['showpassword'])
// - the php/html source confirms our suspicion that "bgcolor" stores the background color we change and the "showpassword" value decides whether the password is shown (default: no, desired: yes)
//
// If we change the background color in the web form, we see that the cookie is also changing.
// Note: the value is copied from the browser as the server sent it, i.e. URL-encoded (the trailing "=" of the base64 shows up as "%3D"),
// so we urldecode() it before base64_decode(); otherwise the stray "3D" is decoded as base64 too and we get one byte too many.
$original_cookie = 'ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw%3D';
// ^^ vs. the cookie below: the content changed only near the end ("FxFe" vs. "FxEI"), this must be the difference between f and 0
$fffff0_cookie = 'ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxEIaAw%3D';
// Based on this, we create what we think the decrypted json with default values would look like:
$original_json = '{"showpassword":"no","bgcolor":"#ffffff"}';
// We know that the cookie is base64 encoded. If we base64_decode the cookie, the content is not legible, but it has the same byte length as our json (41B). We are onto something!
var_dump(strlen(base64_decode(urldecode($original_cookie))) === strlen($original_json)); // bool(true)
// XOR conversion works both ways:
// $encrypted = $source ^ $key;
// but also
// $key = $source ^ $encrypted;
// So what we do is assume that the JSON we created is the source of the encrypted cookie, and therefore XOR the JSON with the cookie (after we urldecode and base64_decode the cookie).
// (PHP's string ^ operator XORs byte by byte and truncates to the shorter operand, so the result is as long as the json.)
$key = $original_json ^ base64_decode(urldecode($original_cookie));
echo $key, "\n";
// $key's value is now "qw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jq".
// From the xor_encrypt() function we see that during encryption the i-th character of the source is XORed with the i-th character of the key (repeating the key over and over).
// Clearly, we have found the key. It's "qw8J".
// Now that we know the key, we will create a json that enables password display:
$attack_json = '{"showpassword":"yes","bgcolor":"#ffffff"}';
// XOR this with the key we found. For this we repeat the key until the resulting mask is the same length as our json (42 characters, one more than before because "yes" is one longer than "no").
// We could do it with a loop (or str_repeat()), but I just did it manually:
$attack_json_encrypted = $attack_json ^ "qw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw";
// Then we base64 encode it. The result is the cookie we use to attack the system so it would show us the password.
// (The server URL-encodes its own cookie, so a trailing "=" appears as "%3D" there; pasting the raw base64 value works as well.)
$attack_cookie = base64_encode($attack_json_encrypted);
echo $attack_cookie, "\n";
// We copy the attack cookie string and in our browser's dev window we replace the original with the attack one. Then hit refresh.
// Voila, done.
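The key recovery above, written out as a general known-plaintext procedure (it also finds the key's period instead of reading it off by eye) and placed next to the fix the application is missing. This is an added example, not part of thlor's gist or of the natas11 source: the function names, the HMAC-signed cookie format and the SERVER_SECRET placeholder are my own assumptions; the two cookie values and the default JSON are the ones from the walkthrough. The point for a defender is the second half: repeating-key XOR gives no integrity at all, so anyone who can guess one plaintext can rewrite the cookie, and an HMAC over the payload under a server-side secret is what makes such a rewrite detectable.

```python
import base64
import hashlib
import hmac
import json
import urllib.parse
from typing import Optional

# Cookie values quoted in the walkthrough above, exactly as the browser shows them (URL-encoded by PHP's setcookie()).
ORIGINAL_COOKIE = "ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw%3D"
FFFFF0_COOKIE = "ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxEIaAw%3D"
# The plaintext the walkthrough guesses for the default cookie (json_encode() of the server's default array).
DEFAULT_JSON = b'{"showpassword":"no","bgcolor":"#ffffff"}'


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the same operation as natas11's xor_encrypt(): byte i is XORed with key[i % len(key)]."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_cookie(cookie: str) -> bytes:
    """Undo the server's outbound encoding: URL-encoding first, then base64."""
    return base64.b64decode(urllib.parse.unquote(cookie))


def shortest_period(stream: bytes) -> bytes:
    """Shortest prefix that, repeated, reproduces the whole stream (the key behind a recovered key stream)."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def recover_key(cookie: str, known_plaintext: bytes) -> bytes:
    """Known-plaintext recovery for repeating-key XOR: plaintext ^ ciphertext is the key stream,
    and collapsing it to its period gives the key. Raises if the length check from the walkthrough fails."""
    ciphertext = decode_cookie(cookie)
    if len(ciphertext) != len(known_plaintext):
        raise ValueError(f"{len(ciphertext)} ciphertext bytes vs {len(known_plaintext)} plaintext bytes")
    return shortest_period(xor_bytes(known_plaintext, ciphertext))


def decrypt_cookie(cookie: str, key: bytes) -> dict:
    """What the server does on the way in: urldecode, base64-decode, XOR, json_decode."""
    return json.loads(xor_bytes(decode_cookie(cookie), key))


def encrypt_cookie(data: dict, key: bytes) -> str:
    """What the server does on the way out (and what anyone holding the key can do too):
    json_encode, XOR, base64-encode, urlencode. separators= mimics PHP's compact json_encode()."""
    plaintext = json.dumps(data, separators=(",", ":")).encode()
    return urllib.parse.quote(base64.b64encode(xor_bytes(plaintext, key)).decode(), safe="")


# --- Mitigation (my suggestion, not natas code): the cookie needs integrity, not just obscurity. ---
# An HMAC over the payload under a server-side secret makes any change to payload or tag detectable.
# The secret below is a constructed placeholder; a real deployment loads it from configuration.
SERVER_SECRET = b"placeholder-secret-keep-out-of-source"


def make_signed_cookie(data: dict, secret: bytes) -> str:
    payload = base64.b64encode(json.dumps(data, separators=(",", ":")).encode()).decode()
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def read_signed_cookie(cookie: str, secret: bytes) -> Optional[dict]:
    """Return the payload only if the tag verifies; None means 'treat as absent and fall back to defaults'."""
    payload, _, tag = cookie.rpartition(".")
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):  # constant-time comparison
        return None
    return json.loads(base64.b64decode(payload))


def tampered_signed_cookie(cookie: str, new_data: dict) -> str:
    """Swap in a new payload but keep the old tag: the kind of edit the XOR scheme cannot detect."""
    _, _, tag = cookie.rpartition(".")
    payload = base64.b64encode(json.dumps(new_data, separators=(",", ":")).encode()).decode()
    return f"{payload}.{tag}"


if __name__ == "__main__":
    key = recover_key(ORIGINAL_COOKIE, DEFAULT_JSON)
    print("recovered key:", key)
    print("fffff0 cookie decrypts to:", decrypt_cookie(FFFFF0_COOKIE, key))
    forged = encrypt_cookie({"showpassword": "yes", "bgcolor": "#ffffff"}, key)
    print("forged cookie round-trips to:", decrypt_cookie(forged, key))
    signed = make_signed_cookie({"showpassword": "no", "bgcolor": "#ffffff"}, SERVER_SECRET)
    print("signed, untouched:", read_signed_cookie(signed, SERVER_SECRET))
    print("signed, tampered:", read_signed_cookie(tampered_signed_cookie(signed, {"showpassword": "yes"}), SERVER_SECRET))
```

Run it with `python3 natas11_xor.py`; the recovered key comes out as `b'qw8J'`, the fffff0 cookie decrypts to `bgcolor` `#fffff0` (confirming the guess about which byte changed), and the tampered signed cookie is rejected while the untouched one reads back. Note that an HMAC fixes integrity only; a cookie that must also hide its contents needs an authenticated encryption mode rather than XOR plus a tag.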