Using the credentials obtained in the previous writeup, we can log in to Level 8, in which we are presented with the following screen:
It appears as though we must find another secret to obtain the password for natas9. Let's view the source code:
<html>
<head><link rel="stylesheet" type="text/css" href="http://www.overthewire.org/wargames/natas/level.css"></head>
<body>
<h1>natas8</h1>
<div id="content">
<?
$encodedSecret = "3d3d516343746d4d6d6c315669563362";
function encodeSecret($secret) {
return bin2hex(strrev(base64_encode($secret)));
}
if(array_key_exists("submit", $_POST)) {
if(encodeSecret($_POST['secret']) == $encodedSecret) {
print "Access granted. The password for natas9 is <censored>";
} else {
print "Wrong secret";
}
}
?>
<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>
<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>
We see that this code performs the "encodeSecret" function on our input, and compares it with the already encoded $encodedSecret variable. Therefore, we can perform the inverse of the encodeSecret function on our already encoded secret value to obtain the original value.
There are a couple of things to note:
- We must do the operations in reverse order since this is the inverse function.
- The hex2bin function is only available in PHP >= 5.4.0. Since I had a Backtrack R3 instance available that had PHP 5.3.2, I had to resort to the documentation to find the alternative: pack ("H*", $str)
I obtained the original secret using the following:
root@bt:~# php5
<?
echo base64_decode(strrev(pack("H*" , "3d3d516343746d4d6d6c315669563362")))
?>
oubWYf2kBq
We can then put use this secret to (hopefully) obtain the password for natas9:
Just as we hoped, we are presented with the password which we can use to log in to the next level. More writeups to come.
-Jordan
echo 3d3d516343746d4d6d6c315669563362 | xxd -r -p | rev | base64 -d
ReplyDelete