Natas - Level 9

2 November 2017

Connection information

Information given

The white box is composed of three parts:

  1. The first part is an input box with the label Input secret:
  2. The second is a button named Submit query
  3. The last is a link View sourcecode pointing to http://natas8.natas.labs.overthewire.org/index-source.html

Getting the password

Here is the interesting part of the server source code:

<h1>natas8</h1>
<div id="content">
  <?
    $encodedSecret = "3d3d516343746d4d6d6c315669563362";

    function encodeSecret($secret) {
      return bin2hex(strrev(base64_encode($secret)));
    }

    if(array_key_exists("submit", $_POST)) {
      if(encodeSecret($_POST['secret']) == $encodedSecret) {
        print "Access granted. The password for natas9 is <censored>";
      } else {
        print "Wrong secret";
      }
    }
  ?>
  <form method=post>
    Input secret: <input name=secret><br>
    <input type=submit name=submit>
  </form>
  <div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>

So we need to decode the secret 3d3d516343746d4d6d6c315669563362 in this order:

  1. Revert bin2hex: convert the hex to a binary string
  2. Revert strrev
  3. Decode base64

From this, we will get the password to give to the form.

Getting the password from online tools

The operations can be performed using tools available online. But first let’s see how we can encode our secret using the same process.

Encoding our secret

Our secret will be encodeMe.

  1. Using https://www.tools4noobs.com/online_php_functions/base64_encode/ we get the base64 encoding, which is ZW5jb2RlTWU=.
  2. Then using https://www.tools4noobs.com/online_php_functions/strrev/ we get the strrev output which is =UWTlR2bj5WZ.
  3. Finally we use bin2hex thanks to this website https://www.functions-online.com/bin2hex.html and get the encoded secret: 3d5557546c5232626a35575a.

Decoding our secret

Decoding our secret is super easy.

  1. We use http://hex2bin.onlinephpfunctions.com/ to perform the hex2bin.
  2. We use https://www.tools4noobs.com/online_php_functions/strrev/ for the strrev function.
  3. We use https://www.tools4noobs.com/online_php_functions/base64_decode/ for the base64 decode function.

If we apply this method to the secret 3d3d516343746d4d6d6c315669563362 we get:

  1. ==QcCtmMml1ViV3b
  2. b3ViV1lmMmtCcQ==
  3. oubWYf2kBq

Getting the form password using bash functions

Encoding our secret

Our secret will be encodeMe.

base64 encoding

sammy@server:~$ echo -n "encodeMe" | base64
ZW5jb2RlTWU=

The echo -n prevents the newline from echo being encoded in the result. Had we not prevented that, the result would be different:

sammy@server:~$ echo "encodeMe" | base64
ZW5jb2RlTWUK

strrev

sammy@server:~$ echo "ZW5jb2RlTWU=" | rev
=UWTlR2bj5WZ

bin2hex

Here is the definition of the bin2hex function from the php.net website:

string bin2hex ( string $str )

Returns an ASCII string containing the hexadecimal representation of str. The conversion is done byte-wise with the high-nibble first.

On the command line, xxd does the same job: it returns the hexadecimal representation of its input.

sammy@server:~$ echo -n "=UWTlR2bj5WZ" | xxd -p
3d5557546c5232626a35575a

Decoding our secret

hex2bin

We just have to revert xxd with the -r option.

sammy@server:~$ echo -n "3d5557546c5232626a35575a" | xxd -r -p
=UWTlR2bj5WZsammy@server:~$

strrev

sammy@server:~$ echo "=UWTlR2bj5WZ" | rev
ZW5jb2RlTWU=

base64 decoding

sammy@server:~$ echo -n "ZW5jb2RlTWU=" | base64 -d
encodeMesammy@server:~$

One liner

sammy@server:~$ echo -n "3d3d516343746d4d6d6c315669563362" | xxd -r -p | rev | base64 -d
oubWYf2kBqsammy@server:~$

Once we enter oubWYf2kBq in the input and submit the query, the page refreshes and we get the following text:

Access granted. The password for natas9 is W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
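
The check in the server source above is a keyless chain of encodings, which is why every step could be inverted. The following PHP is an added example, not part of the challenge or of the original write-up: encodeSecret() is copied from the page, decodeSecret(), storeSecret() and checkSecret() are hypothetical names, and the hardened half uses PHP's built-in password_hash() and password_verify().

```php
<?php
// Added example. encodeSecret() is the page's function; every other
// function name here is hypothetical and chosen for illustration.

// From the page: three encodings chained together, with no key involved.
function encodeSecret(string $secret): string {
    return bin2hex(strrev(base64_encode($secret)));
}

// Each step has an exact inverse, so anyone who can read the stored value
// (here, anyone who can view the page source) can recover the secret.
function decodeSecret(string $encoded): string {
    $bytes = hex2bin($encoded);                    // undo bin2hex
    if ($bytes === false) {
        throw new InvalidArgumentException("input is not valid hex");
    }
    $plain = base64_decode(strrev($bytes), true);  // undo strrev, then base64
    if ($plain === false) {
        throw new InvalidArgumentException("input is not valid base64");
    }
    return $plain;
}

// Hardened form: store only a salted, deliberately slow one-way hash.
function storeSecret(string $secret): string {
    return password_hash($secret, PASSWORD_DEFAULT);
}

// password_verify() re-hashes the input with the salt embedded in the
// stored hash and compares the result in constant time.
function checkSecret(string $input, string $storedHash): bool {
    return password_verify($input, $storedHash);
}

// Sample value taken from the page's own walkthrough ("encodeMe").
$sample  = "encodeMe";
$encoded = encodeSecret($sample);
var_dump($encoded);                  // the hex string a source viewer would see
var_dump(decodeSecret($encoded));    // the secret, recovered without any key

$stored = storeSecret($sample);
var_dump($stored);                   // salted hash: differs on every run
var_dump(checkSecret("encodeMe", $stored));
var_dump(checkSecret("wrong guess", $stored));
```

A salted hash still does not protect a weak secret from offline guessing, so the stored hash should not be served alongside the page source either.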