Each level of natas consists of its own website located at http://natasX.natas.labs.overthewire.org, where X is the level number. There is no SSH login. To access a level, enter the username for that level (e.g. natas0 for level 0) and its password.
Each level has access to the password of the next level. Your job is to somehow obtain that next password and level up. All passwords are also stored in /etc/natas_webpass/. E.g. the password for natas5 is stored in the file /etc/natas_webpass/natas5 and only readable by natas4 and natas5.
After logging in to natas8 we'll see an input box asking for the secret and a link to view the source code.
When you click the source code link you'll get the server-side PHP, which should look something like this:
$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
        print "Access granted. The password for natas9 is ";
    } else {
        print "Wrong secret";
    }
}
The code checks whether the form was submitted and reads the POST value 'secret'. It then encodes that value with encodeSecret() and compares the result to the $encodedSecret variable. This is encoding, not encryption: no key is involved, and every step is reversible. The encoding function is conveniently provided for us, so we just have to decode the $encodedSecret variable to determine what input to provide to get the password for natas9. To do this we will need an online PHP sandbox (such as http://sandbox.onlinephpfunctions.com/) or a machine that can run PHP code.
We can break encodeSecret out into a series of steps to determine how to reverse it. Since all the calls are nested, the innermost one (base64_encode) runs first, its result is passed to the second operation (strrev), and that result is passed to the third (bin2hex).
function encodeSecret($secret) {
    $encoded = base64_encode($secret);
    $reversed = strrev($encoded);
    return bin2hex($reversed);
}
Since we know the operations, we apply the inverse of each function laid out above, in the opposite order. Now we can write the decode function like this:
function decodeSecret($secret) {
    $dehexed = hex2bin($secret);
    $reversed = strrev($dehexed);
    return base64_decode($reversed);
}
or like this:
function decodeSecret($secret) {
    return base64_decode(strrev(hex2bin($secret)));
}
Call the function, passing in $encodedSecret, to get the form input, then submit that value in the form field to display the password for natas9.
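The same reversal in Python, for readers without a PHP interpreter, shown beside a one-way check that has no decode step. This is an added example, not code from the original post or from the level's source; make_verifier, check_secret and the PBKDF2 parameters are assumptions chosen for illustration, and the sample secret is constructed.

```python
import base64
import hashlib
import hmac
import os

# Value shown in the level's source code on this page.
ENCODED_SECRET = "3d3d516343746d4d6d6c315669563362"


def encode_secret(secret: bytes) -> str:
    """Port of the page's PHP encodeSecret(): base64, reverse, hex."""
    return base64.b64encode(secret)[::-1].hex()


def decode_secret(encoded: str) -> bytes:
    """Inverse steps in the opposite order: unhex, reverse, base64-decode."""
    return base64.b64decode(bytes.fromhex(encoded)[::-1], validate=True)


# Hardened form (assumed names and parameters, for illustration only):
# store a salted PBKDF2 digest, which has no decode function.
def make_verifier(secret: bytes, iterations: int = 600_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)
    return salt, iterations, digest


def check_secret(candidate: bytes, verifier) -> bool:
    salt, iterations, digest = verifier
    probe = hashlib.pbkdf2_hmac("sha256", candidate, salt, iterations)
    # Constant-time comparison, unlike PHP's loose == on strings.
    return hmac.compare_digest(probe, digest)


if __name__ == "__main__":
    recovered = decode_secret(ENCODED_SECRET)
    # Round trip: re-encoding the recovered value reproduces the stored string.
    assert encode_secret(recovered) == ENCODED_SECRET
    print("form input:", recovered.decode("ascii"))

    verifier = make_verifier(b"constructed-sample-secret")
    print("correct guess accepted:", check_secret(b"constructed-sample-secret", verifier))
    print("wrong guess accepted:  ", check_secret(b"not-it", verifier))
```

With the encoded form, anyone who reads the source recovers the input directly; with the salted digest, reading the stored value leaves only guessing.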