OverTheWire Natas Level 10 -> Level 11 - Walkthrough



Introduction

This post walks through the natas wargame Level 10 -> Level 11. We will read the PHP source of the level, work out how the cookie is "protected", and use that to obtain the password for natas12.

Goal

Log in to natas11 and obtain the password for natas12.

Login details

URL - http://natas11.natas.labs.overthewire.org
Username - natas11
Password - 1KFqoJXi6hRaPluAmk8ESDW4fSysRoIg

Theory

XOR (exclusive OR), written with the bitwise operator "^", acts on bits: the output is 1 if exactly one of the two inputs is 1. e.g. 0^0 = 0, 0^1 = 1, 1^0 = 1, 1^1 = 0

The property that matters here is that XOR is its own inverse: if A^B = C then C^B = A and, equally, C^A = B. So if A is the plaintext, B is the key and C is the XOR-encrypted output, XORing the ciphertext with the known plaintext gives back the key: C^A = B. This is a known-plaintext attack, and it is exactly what we will do to recover the key.

In PHP, "^" applied to two strings XORs them byte by byte: each character is taken as its byte value (its ASCII code), the two values are XORed bit by bit, and the resulting byte is appended to the output string. No explicit decimal-to-binary conversion is involved; the integers are already binary in memory. Because xor_encrypt() indexes the key with $i % strlen($key), a key shorter than the input is simply repeated, which is what makes the key easy to recover.

Arrays in PHP can be defined as key/value pairs. These are called associative arrays and their elements are accessed by key. e.g. - $holiday = array("December" => "Christmas", "January" => "New Year", "April" => "Good Friday"); echo $holiday["December"];

array_key_exists() is a PHP function that checks an array for a specified key and returns true if the key exists, otherwise false.

json_decode() is the PHP function that converts a JSON-encoded string into a PHP value; with its second argument set to true it returns an associative array rather than an object. json_encode() does the reverse and encodes a PHP value as JSON.

Solution

Open the URL in a browser. Enter the username and password mentioned above.


The screen below appears after successfully logging in, with the message "Cookies are protected with XOR encryption".

Click on "View sourcecode" to see the code.

Since the code is fairly long, we can break it up and understand it in chunks. The first line of the PHP code in the image above defines an array, $defaultdata, with two keys, "showpassword" and "bgcolor", set to the default values "no" and "#ffffff". The function xor_encrypt() XORs its input with a censored key, cycling through the key with $i % strlen($key) so that the key is reused whenever the input is longer than the key, and returns the result.

Let's look at the next functions.

The loadData() function takes the default array as input and assigns it to the variable $mydata. If the cookie is present, it base64-decodes the cookie value, passes it through xor_encrypt() (XOR is its own inverse, so the same function decrypts) and json_decode()s the result into an array, which is stored in $tempdata.
The function then checks that $tempdata is an array with the expected keys, and if so the values in $mydata are replaced with the values from the cookie.
The saveData() function does the reverse to set the cookie: json_encode(), then xor_encrypt(), then base64_encode().

In the code above, if $data["showpassword"] is "yes", the password for natas12 is displayed.
So, to get the password, we first recover the key used by xor_encrypt(), then change "showpassword"=>"yes" in $defaultdata, encode it the same way saveData() does, and paste the result in as the cookie value.


Copy the cookie value (Right click > Inspect > Application > Cookies) and paste it into the code below. Note that the browser displays the value URL-encoded, so a trailing "%3D" is really "="; decode it before using it. Run the code with any PHP interpreter to get the key:
<?php
// $defaultdata exactly as defined in the level's source
$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");

// The level's xor_encrypt(), with the captured cookie value in place of the
// censored key. The browser showed the cookie URL-encoded, so the trailing
// "%3D" has been decoded back to "=" before base64_decode().
function xor_encrypt($in) {
    $key = base64_decode("MGw7JCQ5OC04PT8jOSpqdmkgJ25nbCorKCEkIzlscm5oKC4qLSgubjY=");
    $text = $in;
    $outText = '';
    // Iterate through each character, cycling through $key
    for($i=0;$i<strlen($text);$i++) {
        $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }
    return $outText;
}

// ciphertext ^ known plaintext = keystream (the key, repeated)
$key = xor_encrypt(json_encode($defaultdata));
echo $key;

This outputs "KNHLKNHLKNHLKNHLKNHLKNHLKNHLKNHLKNHLKNHLK". That is the keystream, not the key itself: the JSON string is 41 bytes long, longer than the key, and the for loop cycles through the key, so the key is repeated for the length of the input. The repeating unit is "KNHL", so that is the key.

Now we set "showpassword" to "yes" and build the cookie value. Run the code below with a PHP interpreter:
<?php
// The level's xor_encrypt(), now with the recovered key
function xor_encrypt($in) {
    $key = 'KNHL';
    $text = $in;
    $outText = '';
    // Iterate through each character, cycling through $key
    for($i=0;$i<strlen($text);$i++) {
        $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }
    return $outText;
}

// Our chosen values, encoded exactly the way saveData() does it:
// json_encode -> xor_encrypt -> base64_encode
$defaultdata = array("showpassword"=>"yes", "bgcolor"=>"#ffffff");
$data = base64_encode(xor_encrypt(json_encode($defaultdata)));
echo $data;

Paste the output in as the cookie value and refresh the page. If the base64 output contains "+", "/" or "=", URL-encode it first: PHP URL-decodes cookie values when it builds $_COOKIE, so a raw "+" would turn into a space and the cookie would fail to decode. This gives the password for the next level.
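The whole procedure above, written out as one script: the known-plaintext step from the Theory section (cookie ^ JSON of the defaults = keystream), the extraction of the repeating key, and the forging of a cookie the way saveData() builds it. This is an added example in Python, not code from the page or from the Natas level. It assumes only what the walkthrough states: the $defaultdata array, the json_encode -> XOR -> base64 pipeline, and the cookie value shown above. The shortest_period() helper and the simulated load_data() check (a re-implementation of loadData() as the page describes it, used to verify the forged cookie before sending it) are additions of this example.

```python
import base64
import json
from itertools import cycle
from urllib.parse import unquote

# Cookie value from the page, as the browser shows it (URL-encoded, so the
# trailing "=" appears as "%3D"). The level's key is censored in its source;
# everything below recovers it from this value alone.
CAPTURED_COOKIE = "MGw7JCQ5OC04PT8jOSpqdmkgJ25nbCorKCEkIzlscm5oKC4qLSgubjY%3D"

# $defaultdata from the level: the plaintext the server encrypted on first visit.
DEFAULT_DATA = {"showpassword": "no", "bgcolor": "#ffffff"}


def php_json_encode(data: dict) -> bytes:
    """Reproduce PHP's json_encode() byte for byte for this data: keys in
    insertion order, no whitespace after ':' or ','. (PHP also escapes '/'
    as '\\/' by default; no such character occurs in these values.)"""
    return json.dumps(data, separators=(",", ":")).encode()


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """xor_encrypt() from the level: XOR byte i with key[i % len(key)]."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_keystream(cookie: str, known_plaintext: bytes) -> bytes:
    """Known-plaintext step, C ^ A = B: the cookie is C, the JSON of the
    defaults is A, and the result is the keystream B (the key, repeated)."""
    ciphertext = base64.b64decode(unquote(cookie))
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def shortest_period(stream: bytes) -> bytes:
    """Shortest prefix that, repeated, reproduces the whole keystream.
    Only conclusive when the plaintext is at least twice as long as the key;
    otherwise the full stream is returned and the key may be longer still."""
    for n in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def forge_cookie(key: bytes, showpassword: str = "yes",
                 bgcolor: str = "#ffffff") -> str:
    """What saveData() does, with our values: json_encode -> XOR -> base64."""
    payload = php_json_encode({"showpassword": showpassword, "bgcolor": bgcolor})
    return base64.b64encode(xor_with_key(payload, key)).decode()


def load_data(cookie: str, key: bytes) -> dict:
    """Server-side loadData() as the walkthrough describes it: base64-decode,
    XOR, json_decode, and take the cookie's values only if both keys are
    present. Simulated here (assumption) to check a forged cookie offline."""
    data = dict(DEFAULT_DATA)
    try:
        temp = json.loads(xor_with_key(base64.b64decode(unquote(cookie)), key))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON: keep the defaults
        return data
    if isinstance(temp, dict) and "showpassword" in temp and "bgcolor" in temp:
        data["showpassword"] = temp["showpassword"]
        data["bgcolor"] = temp["bgcolor"]
    return data


if __name__ == "__main__":
    keystream = recover_keystream(CAPTURED_COOKIE, php_json_encode(DEFAULT_DATA))
    key = shortest_period(keystream)
    print("keystream:", keystream.decode())
    print("key:      ", key.decode())
    forged = forge_cookie(key)
    print("cookie:   ", forged)
    print("server would load:", load_data(forged, key))
```

The only thing the attack needs is that the server encrypts a value we already know (the defaults) with a key it reuses; the forged cookie is accepted by load_data() exactly as the real loadData() would accept it, because nothing in the cookie authenticates it. A MAC over the encrypted value, or a random per-session key, would have stopped this.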


On refreshing the page, the password for natas12 is displayed.


This completes the Level 11 walkthrough. Please post your questions and doubts in the comment section.

