Each level of natas consists of its own website located at http://natasX.natas.labs.overthewire.org, where X is the level number. There is no SSH login. To access a level, enter the username for that level (e.g. natas0 for level 0) and its password.
Each level has access to the password of the next level. Your job is to somehow obtain that next password and level up. All passwords are also stored in /etc/natas_webpass/. E.g. the password for natas5 is stored in the file /etc/natas_webpass/natas5 and only readable by natas4 and natas5.
After logging in to natas11 we'll see a message informing us that cookies are protected with XOR encryption, and an input box that will allow us to set the background color.
When you view the source code you'll get the server-side PHP, which should look something like this:
$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");

function xor_encrypt($in) {
    $key = 'censored';
    $text = $in;
    $outText = '';

    // Iterate through each character
    for($i=0;$i < strlen($text);$i++) {
        $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }

    return $outText;
}

function loadData($def) {
    global $_COOKIE;
    $mydata = $def;
    if(array_key_exists("data", $_COOKIE)) {
        $tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE["data"])), true);
        if(is_array($tempdata) && array_key_exists("showpassword", $tempdata) && array_key_exists("bgcolor", $tempdata)) {
            if (preg_match('/^#(?:[a-f\d]{6})$/i', $tempdata['bgcolor'])) {
                $mydata['showpassword'] = $tempdata['showpassword'];
                $mydata['bgcolor'] = $tempdata['bgcolor'];
            }
        }
    }
    return $mydata;
}

function saveData($d) {
    setcookie("data", base64_encode(xor_encrypt(json_encode($d))));
}

$data = loadData($defaultdata);

if(array_key_exists("bgcolor",$_REQUEST)) {
    if (preg_match('/^#(?:[a-f\d]{6})$/i', $_REQUEST['bgcolor'])) {
        $data['bgcolor'] = $_REQUEST['bgcolor'];
    }
}

saveData($data);
The script keeps track of the values we have set by storing them in an encrypted cookie: saveData() JSON-encodes the array, passes it through xor_encrypt() and base64-encodes the result into the "data" cookie. By default showpassword is set to "no" and bgcolor is "#ffffff", as seen in the $defaultdata variable. We need to decrypt the cookie, set showpassword to "yes" and then re-encrypt the data, so that when we refresh the page the password is displayed.
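Why the XOR layer protects nothing, shown offline as an added example (not part of the original post or the natas source): the default values are visible in the source, so XORing the cookie with that known plaintext yields the repeating key, and the cookie can then be rewritten. SERVER_KEY and MAC_KEY are constructed stand-ins, the helper names are hypothetical, and the HMAC-signed cookie at the end is one possible mitigation, not something the level implements.

```python
import base64, hashlib, hmac, json

SERVER_KEY = b"k3Y!"   # constructed stand-in for the censored key
DEFAULT = {"showpassword": "no", "bgcolor": "#ffffff"}

def php_json(d):
    # Matches PHP json_encode() output for this array (no spaces)
    return json.dumps(d, separators=(",", ":")).encode()

def xor_encrypt(data, key):
    # Same repeating-key XOR as the page's xor_encrypt()
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def save_data(d, key=SERVER_KEY):
    return base64.b64encode(xor_encrypt(php_json(d), key)).decode()

def load_data(cookie, key=SERVER_KEY):
    return json.loads(xor_encrypt(base64.b64decode(cookie), key))

def recover_key(cookie, known_plaintext):
    # cipher XOR plaintext = keystream; the key is its shortest repeating period
    stream = xor_encrypt(base64.b64decode(cookie), known_plaintext)
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]

def forge_cookie(cookie):
    # Needs only the cookie and the default values visible in the source
    key = recover_key(cookie, php_json(DEFAULT))
    return save_data({**DEFAULT, "showpassword": "yes"}, key)

# Mitigation sketch: authenticate the value with an HMAC so edits are rejected
MAC_KEY = b"constructed-server-secret"

def save_signed(d):
    body = base64.b64encode(php_json(d)).decode()
    return body + "." + hmac.new(MAC_KEY, body.encode(), hashlib.sha256).hexdigest()

def load_signed(cookie):
    body, _, tag = cookie.rpartition(".")
    good = hmac.new(MAC_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, good):
        return dict(DEFAULT)   # tampered or malformed: fall back to defaults
    return json.loads(base64.b64decode(body))
```

Keeping showpassword in server-side session state rather than in the cookie removes the problem entirely; the HMAC only makes a client-held value tamper-evident.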