Natas - Level 9
Connection information
- Username: natas8
- Password: DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe
- URL: http://natas8.natas.labs.overthewire.org
Information given
The white box is composed of three parts:
- The first part is an input box with the label Input secret:
- The second is a button named Submit query
- The last is a link View sourcecode pointing to http://natas8.natas.labs.overthewire.org/index-source.html
Getting the password
Here is the interesting part of the server source code:
<h1>natas8</h1>
<div id="content">
<?
$encodedSecret = "3d3d516343746d4d6d6c315669563362";
function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}
if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
        print "Access granted. The password for natas9 is <censored>";
    } else {
        print "Wrong secret";
    }
}
?>
<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>
<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
So we need to decode the secret 3d3d516343746d4d6d6c315669563362 by undoing the operations in this order:
- Reverse bin2hex: convert the hex to a binary string
- Reverse strrev
- Decode base64
From this, we will get the password to give to the form.
Getting the password from online tools
The operations can be performed using tools available online. But first let’s see how we can encode our secret using the same process.
Encoding our secret
Our secret will be encodeMe.
- Using https://www.tools4noobs.com/online_php_functions/base64_encode/ we get the base64 encoding, which is ZW5jb2RlTWU=.
- Then using https://www.tools4noobs.com/online_php_functions/strrev/ we get the strrev output, which is =UWTlR2bj5WZ.
- Finally we use bin2hex thanks to this website https://www.functions-online.com/bin2hex.html and get the encoded secret: 3d5557546c5232626a35575a.
Decoding our secret
Decoding our secret is super easy.
- We use http://hex2bin.onlinephpfunctions.com/ to perform the hex2bin.
- We use https://www.tools4noobs.com/online_php_functions/strrev/ for the strrev function.
- We use https://www.tools4noobs.com/online_php_functions/base64_decode/ for the base64 decode function.
If we apply this method to the secret 3d3d516343746d4d6d6c315669563362 we get:
- ==QcCtmMml1ViV3b
- b3ViV1lmMmtCcQ==
- oubWYf2kBq
Getting the form password using bash functions
Encoding our secret
Our secret will be encodeMe.
base64 encoding
sammy@server:~$ echo -n "encodeMe" | base64
ZW5jb2RlTWU=
The echo -n prevents the newline from echo being encoded in the result. Had we not prevented that, the result would be different:
sammy@server:~$ echo "encodeMe" | base64
ZW5jb2RlTWUK
strrev
sammy@server:~$ echo "ZW5jb2RlTWU=" | rev
=UWTlR2bj5WZ
bin2hex
Here is the definition of the bin2hex function from the php.net website:
string bin2hex ( string $str ) Returns an ASCII string containing the hexadecimal representation of str. The conversion is done byte-wise with the high-nibble first.
On the command line, xxd does the same job: it returns the hexadecimal representation of its input.
sammy@server:~$ echo -n "=UWTlR2bj5WZ" | xxd -p
3d5557546c5232626a35575a
Decoding our secret
hex2bin
We just have to reverse xxd with the -r option.
sammy@server:~$ echo -n "3d5557546c5232626a35575a" | xxd -r -p
=UWTlR2bj5WZsammy@server:~$
strrev
sammy@server:~$ echo "=UWTlR2bj5WZ" | rev
ZW5jb2RlTWU=
base64 decoding
sammy@server:~$ echo -n "ZW5jb2RlTWU=" | base64 -d
encodeMesammy@server:~$
One liner
sammy@server:~$ echo -n "3d3d516343746d4d6d6c315669563362" | xxd -r -p | rev | base64 -d
oubWYf2kBqsammy@server:~$
Once we enter oubWYf2kBq in the input and submit the query, the page refreshes and we get the following text:
Access granted. The password for natas9 is W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
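The encode and decode steps from the bash section, generalised into shell functions that also work for longer secrets (an added example, not part of the original write-up). The function names are hypothetical, and od with printf stands in for xxd so the script also runs where xxd is not installed.

```shell
#!/bin/sh
# Added example, not from the original write-up. Function names are hypothetical.
# Needs base64, rev, od, tr and printf.

# Hex to raw bytes without xxd: print each hex pair as an octal escape.
hex2bin() {
    h=$1
    while [ -n "$h" ]; do
        pair=${h%"${h#??}"}    # first two hex digits
        h=${h#??}              # remainder
        printf "\\$(printf '%03o' "0x$pair")"
    done
}

# bin2hex(strrev(base64_encode($secret))), as in the PHP source.
encode_secret() {
    # printf '%s' adds no newline (same role as echo -n). base64 wraps its
    # output at 76 columns and rev works per line, so newlines are removed
    # before reversing and again before hex-encoding.
    printf '%s' "$1" | base64 | tr -d '\n' | rev | tr -d '\n' |
        od -An -v -tx1 | tr -d ' \n'
}

# The inverse: hex2bin, then strrev, then base64_decode.
decode_secret() {
    case "$1" in    # bin2hex emits lowercase hex only
        ''|*[!0-9a-f]*) echo "not a hex string" >&2; return 1 ;;
    esac
    [ $(( ${#1} % 2 )) -eq 0 ] || { echo "odd hex length" >&2; return 1; }
    hex2bin "$1" | rev | base64 -d
}

# Decode, then confirm the candidate re-encodes to the stored value: the
# same comparison the server makes, done locally.
recover_secret() {
    candidate=$(decode_secret "$1") || return 1
    [ "$(encode_secret "$candidate")" = "$1" ] || return 1
    printf '%s\n' "$candidate"
}

recover_secret 3d3d516343746d4d6d6c315669563362
```

Because the encoding uses no key, anyone who can read the source can run the inverse, so the hex string in the PHP file protects nothing.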