Natas - Level 9

2 November 2017

Connection information

Information given

The white box is composed of three parts:

  1. The first part is an input box with the label Input secret:
  2. The second is a button named Submit query
  3. The last is a link View sourcecode pointing to

Getting the password

Here is the interesting part of the server source code:

<div id="content">
<?
    $encodedSecret = "3d3d516343746d4d6d6c315669563362";

    function encodeSecret($secret) {
      return bin2hex(strrev(base64_encode($secret)));
    }

    if(array_key_exists("submit", $_POST)) {
      if(encodeSecret($_POST['secret']) == $encodedSecret) {
        print "Access granted. The password for natas9 is <censored>";
      } else {
        print "Wrong secret";
      }
    }
?>
  <form method=post>
    Input secret: <input name=secret><br>
    <input type=submit name=submit>
  </form>
  <div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>

So we need to decode the secret 3d3d516343746d4d6d6c315669563362 in this order:

  1. Revert bin2hex: convert the hex to a binary string
  2. Revert strrev
  3. Decode base64

From this, we will get the password to give to the form.

Getting the password from online tools

The operations can be performed using tools available online. But first let’s see how we can encode our secret using the same process.

Encoding our secret

Our secret will be encodeMe.

  1. Using we get the base64 encoding, which is ZW5jb2RlTWU=.
  2. Then using we get the strrev output which is =UWTlR2bj5WZ.
  3. Finally we use bin2hex thanks to this website and get the encoded secret: 3d5557546c5232626a35575a.

Decoding our secret

Decoding our secret is super easy.

  1. We use to perform the hex2bin.
  2. We use for the strrev function.
  3. We use for the base64 decode function.

If we apply this method to the secret 3d3d516343746d4d6d6c315669563362 we get:

  1. ==QcCtmMml1ViV3b
  2. b3ViV1lmMmtCcQ==
  3. oubWYf2kBq

Getting the form password using bash functions

Encoding our secret

Our secret will be encodeMe.

base64 encoding

sammy@server:~$ echo -n "encodeMe" | base64

The echo -n prevents the newline from echo being encoded in the result. Had we not prevented that, the result would be different:

sammy@server:~$ echo "encodeMe" | base64


sammy@server:~$ echo "ZW5jb2RlTWU=" | rev


Here is the definition of the bin2hex function from the website:

string bin2hex ( string $str ) Returns an ASCII string containing the hexadecimal representation of str. The conversion is done byte-wise with the high-nibble first.

Well, a function that returns the hexadecimal representation of a string: xxd.

sammy@server:~$ echo -n "=UWTlR2bj5WZ" | xxd -p

Decoding our secret


We just have to revert xxd with the -r option.

sammy@server:~$ echo -n "3d5557546c5232626a35575a" | xxd -r -p
=UWTlR2bj5WZsammy@server:~$


sammy@server:~$ echo "=UWTlR2bj5WZ" | rev

base64 decoding

sammy@server:~$ echo -n "ZW5jb2RlTWU=" | base64 -d
encodeMesammy@server:~$

One liner

sammy@server:~$ echo -n "3d3d516343746d4d6d6c315669563362" | xxd -r -p | rev | base64 -d
oubWYf2kBqsammy@server:~$

Once we enter oubWYf2kBq in the input and submit the query, the page refreshes and we get the following text:

Access granted. The password for natas9 is W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
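
The encode and decode chains from the bash sections, wrapped as reusable functions with input validation (an added example, not part of the original write-up). The function names are made up for this example, and od/printf stand in for the xxd calls used on the page so the script needs only coreutils and rev.

```shell
#!/bin/sh
# Added example. Mirrors the PHP chain bin2hex(strrev(base64_encode($secret)))
# and its inverse. od/printf replace xxd so only coreutils and rev are needed.

# stdin bytes -> lowercase hex, no separators (what `xxd -p` prints for short input)
to_hex() { od -An -v -tx1 | tr -d ' \n'; }

# $1 hex string -> raw bytes on stdout (what `xxd -r -p` does); fails on bad input
from_hex() {
    hex=$1
    case $hex in
        ''|*[!0-9a-fA-F]*) return 1 ;;          # empty or non-hex character
    esac
    [ $(( ${#hex} % 2 )) -eq 0 ] || return 1    # odd number of digits
    while [ -n "$hex" ]; do
        rest=${hex#??}                          # everything after the first pair
        pair=${hex%"$rest"}                     # the first pair itself
        printf "\\$(printf '%03o' "0x$pair")"   # emit the byte via an octal escape
        hex=$rest
    done
}

# secret on stdin -> encoded hex. Reading stdin keeps a trailing newline visible.
encode_secret() {
    b64=$(base64 | tr -d '\n')                  # undo base64 line wrapping
    printf '%s\n' "$b64" | rev | tr -d '\n' | to_hex
}

# $1 encoded hex -> original secret on stdout
decode_secret() {
    reversed=$(from_hex "$1") || return 1
    printf '%s\n' "$reversed" | rev | base64 -d
}

# Values taken from the page
printf 'encodeMe' | encode_secret; echo
decode_secret 3d3d516343746d4d6d6c315669563362; echo
```

Piping `echo 'encodeMe'` instead of `printf 'encodeMe'` into `encode_secret` changes the result, which is the trailing-newline effect the `echo -n` remark describes.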