Monday, October 29, 2012

OvertheWire - Natas Wargame Level 8 Writeup

Level 8

Using the credentials obtained in the previous writeup, we can log in to Level 8, in which we are presented with the following screen:

It appears as though we must find another secret to obtain the password for natas9. Let's view the source code:

 <head><link rel="stylesheet" type="text/css" href=""></head>  
 <div id="content">  
 $encodedSecret = "3d3d516343746d4d6d6c315669563362";  
 function encodeSecret($secret) {  
   return bin2hex(strrev(base64_encode($secret)));  
 if(array_key_exists("submit", $_POST)) {  
   if(encodeSecret($_POST['secret']) == $encodedSecret) {  
   print "Access granted. The password for natas9 is <censored>";  
   } else {  
   print "Wrong secret";  
 <form method=post>  
 Input secret: <input name=secret><br>  
 <input type=submit name=submit>  
 <div id="viewsource"><a href="index-source.html">View sourcecode</a></div>  

We see that this code performs the "encodeSecret" function on our input, and compares it with the already encoded $encodedSecret variable. Therefore, we can perform the inverse of the encodeSecret function on our already encoded secret value to obtain the original value.

There are a couple of things to note:

  • We must do the operations in reverse order since this is the inverse function.
  • The hex2bin function is only available in PHP >= 5.4.0. Since I had a Backtrack R3 instance available that had PHP 5.3.2, I had to resort to the documentation to find the alternative: pack ("H*", $str)

I obtained the original secret using the following:

 root@bt:~# php5  
 echo base64_decode(strrev(pack("H*" , "3d3d516343746d4d6d6c315669563362")))  

We can then put use this secret to (hopefully) obtain the password for natas9:

Just as we hoped, we are presented with the password which we can use to log in to the next level. More writeups to come.


1 comment:

  1. echo 3d3d516343746d4d6d6c315669563362 | xxd -r -p | rev | base64 -d