Natas12
Website URL: http://overthewire.org/wargames/natas/natas12.html
According to the data on the OverTheWire webpage.
Username: natas12
URL: http://natas12.natas.overthewire.org
Let’s log into the URL for Natas11

Let’s look at the source code.

Let’s trace the source code a bit. It isn’t quite straightforward. The variable $defaultdata is set to an array holding the showpassword and bgcolor entries with their default values. The function loadData checks whether a “data” cookie is present; if it is, the cookie value is decoded and parsed as a JSON array, and the function returns the resulting data as a separate object.
What we need to do is set the showpassword value to “yes”, even though we cannot write the cookie’s contents in the clear.
Note that the cookie data is being protected by base64 encoding and XOR encryption. XOR encryption has an inherent weakness. The encryption scheme is as follows:
Key ^ Plaintext = Ciphertext
This suffers from the weakness that if any two of the three quantities are known, the third can be computed. So a known plaintext together with its ciphertext gives away the key. That is exactly the property we use here.
Let’s get a known quantity, i.e. a plaintext for our attack. We can use the default data for it.
json_encode(array( "showpassword"=>"no", "bgcolor"=>"#ffffff"));
Let’s obtain our ciphertext now.

The ciphertext in question is the value of the data field in the cookie, i.e. ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw%3D
Now that we have both of the things, let’s whip up a small PHP code that’s a modified version of the source code, to give us the key.
<?php
// Ciphertext: the base64-decoded value of the "data" cookie
$base = base64_decode('ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw');

// Same loop as the level's xor_encrypt(), but with the known plaintext
// used as the "key" and the ciphertext passed in as the data to XOR
function xor_encrypt($data){
    $key = json_encode(array( "showpassword"=>"no", "bgcolor"=>"#ffffff"));
    $text = $data;
    $out = '';
    for($i=0;$i<strlen($text);$i++) {
        $out .= $text[$i]^$key[$i%strlen($key)];
    }
    print $out;
    return $out;
}

xor_encrypt($base);
?>
The script above simply swaps the roles: it uses the json_encode of the default values as the key and the ciphertext as the data to be encrypted. The logic behind this is:
Key ^ Plaintext = Ciphertext
=> Key ^ Plaintext ^ Plaintext = Ciphertext ^ Plaintext
=> Key = Ciphertext ^ Plaintext
So, you see the inherent weakness of XOR encryption? This is a type of chosen plaintext attack on this algorithm. Let’s execute the code and see what we get.

We got the key as ‘qw8J’. (The rest of the output is just the key repeated over and over, since repeating-key XOR reuses the key every four bytes.) We’ll now modify the code above to produce the value we want for the data variable in the cookie.
<?php
function xor_encrypt($data){
    $key = 'qw8J';   // the key recovered above
    $text = $data;
    $out = '';
    for($i=0;$i<strlen($text);$i++) {
        $out .= $text[$i]^$key[$i%strlen($key)];
    }
    return $out;
}

// Encrypt the data we want, then base64-encode it as the server expects
$data = json_encode(array("showpassword"=>"yes","bgcolor"=>"#ffffff"));
print base64_encode(xor_encrypt($data));
?>
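The key recovery and cookie forging above, rewritten as an added Python example (not code from this writeup or from OverTheWire): it recovers the keystream from the known default cookie, finds the real key by looking for the shortest repeating period instead of reading it off by eye, and then builds the new cookie value. The cookie value and default data are copied from this page; the helper names are my own.

```python
import base64
import json

# Values copied from the writeup: the cookie the server hands out by default
# and the $defaultdata array it was produced from.
KNOWN_COOKIE = "ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw="
KNOWN_DATA = {"showpassword": "no", "bgcolor": "#ffffff"}


def php_json_encode(obj: dict) -> bytes:
    """Match PHP json_encode for a flat dict of strings: no spaces, key order kept."""
    return json.dumps(obj, separators=(",", ":")).encode()


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the same loop as the level's xor_encrypt()."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def shortest_period(stream: bytes) -> bytes:
    """Shortest prefix that regenerates `stream` when repeated (the real key)."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def recover_key(cookie_b64: str, plaintext: bytes) -> bytes:
    """Key = Ciphertext ^ Plaintext, collapsed from the repeated keystream."""
    ciphertext = base64.b64decode(cookie_b64)
    if len(ciphertext) != len(plaintext):
        raise ValueError("plaintext guess does not match the ciphertext length")
    return shortest_period(xor_repeating(ciphertext, plaintext))


def forge_cookie(key: bytes, data: dict) -> str:
    """Encrypt an arbitrary data array the way the server does, then base64 it.
    b64encode only appends '=' when the byte length is not a multiple of 3."""
    return base64.b64encode(xor_repeating(php_json_encode(data), key)).decode()


if __name__ == "__main__":
    key = recover_key(KNOWN_COOKIE, php_json_encode(KNOWN_DATA))
    print("recovered key:", key)
    print("forged cookie:", forge_cookie(key, {"showpassword": "yes", "bgcolor": "#ffffff"}))
```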

So, we need to set the cookie to “ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK”.
Note that this string is 56 characters long. In base64 encoding, however, the block length has to be a multiple of 3, so it needs to be padded with one ‘=’ character, which is percent-encoded as %3D in the cookie. So the actual data field of the cookie needs to be “ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK%3D”

Done!
Password for next level: EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3