Tuesday, 30 September 2014

Wargames - Natas 08

Using the credentials discovered in the previous challenge, head over to http://natas8.natas.labs.overthewire.org and take a look at its content. This challenge is very similar to level 06: we have a form that takes a secret and, if it matches the correct secret, we get the password for the next level. Again they disclose the full source code, so let's take a look:
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas8", "pass": "<censored>" };</script></head>
<body>
<h1>natas8</h1>
<div id="content">

<?

$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
    print "Access granted. The password for natas9 is <censored>";
    } else {
    print "Wrong secret";
    }
}
?>

<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>
The code on lines 23 to 29 is pretty familiar: it's the same as what we saw on level 06. What's new here is the encodeSecret function. It takes a $secret, which is the value we submit in the form, and encodes it; the result is then compared to $encodedSecret, which they also provide. I think the course of action is pretty straightforward: we need to take the encoded string and reverse the encoding, which we can easily do because we know how it's encoded in the first place:
encoding:
base64_encode -> strrev -> bin2hex
decoding:
hex2bin -> strrev -> base64_decode
Writing the decoding function is pretty easy:
function decodeSecret($secret) {
    return base64_decode(strrev(hex2bin($secret)));
}
One important thing to note here is that the hex2bin function only exists in PHP 5.4.0 or greater. Another, even more important, thing to note is how bin2hex and hex2bin work: bin2hex takes an ASCII string and converts each of its characters to hexadecimal, and hex2bin does the opposite. As an example:
bin2hex("A"); # returns "41"
hex2bin("41"); # returns "A"

bin2hex("Hi"); # returns "4869"
hex2bin("4869"); # returns "Hi"
You can take an ASCII table and manually make the conversion.
Now we just apply the decode function to the encoded secret (using some online PHP sandbox) and get the decoded secret:
oubWYf2kBq
Following what we did on level 06, we send the decoded secret and get the password.
curl --data "submit=submit&secret=oubWYf2kBq" http://natas8:DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe@natas8.natas.labs.overthewire.org/
Which results in:
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas8", "pass": "DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe" };</script></head>
<body>
<h1>natas8</h1>
<div id="content">

Access granted. The password for natas9 is W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>
Access granted, and on line 15 of the response we get the password we want.

User natas9
Password W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl

Fairly simple challenge if you have some programming basics. We just had to reverse a function; this could have been much harder if we didn't have the encoded secret and the encode function.
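The decoding step and the closing remark above, as an added example that is not part of the original post or the level's code: a Python port of encodeSecret with its inverse, next to a one-way check whose stored value cannot simply be run backwards. The function names, the PBKDF2 parameters and the salt handling are assumptions chosen for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Value of $encodedSecret from the level's disclosed source.
ENCODED_SECRET = "3d3d516343746d4d6d6c315669563362"


def encode_secret(secret: str) -> str:
    """Python port of the level's encodeSecret(): base64 -> reverse -> hex."""
    b64 = base64.b64encode(secret.encode("ascii"))
    return binascii.hexlify(b64[::-1]).decode("ascii")


def decode_secret(encoded: str) -> str:
    """Inverse of encode_secret(): hex -> reverse -> base64 decode."""
    reversed_b64 = binascii.unhexlify(encoded)
    return base64.b64decode(reversed_b64[::-1], validate=True).decode("ascii")


# Hardened alternative (assumption, not the level's code): store a salted,
# deliberately slow one-way hash instead of a reversible encoding.
def hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 200_000)


def verify_secret(candidate: str, salt: bytes, stored: bytes) -> bool:
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(hash_secret(candidate, salt), stored)


if __name__ == "__main__":
    recovered = decode_secret(ENCODED_SECRET)
    print("decoded secret:", recovered)
    print("round trip ok:", encode_secret(recovered) == ENCODED_SECRET)

    salt = os.urandom(16)  # constructed per-secret salt
    stored = hash_secret(recovered, salt)
    # Disclosing salt + stored yields no inverse function, only guessing.
    print("correct guess:", verify_secret(recovered, salt, stored))
    print("wrong guess:", verify_secret("not-the-secret", salt, stored))
```

With the encoding chain, disclosing the source and the stored value is enough to recover the input; with the hashed form, the same disclosure leaves only guessing candidates against a slow function.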

Never Settle,
