OvertheWire – Natas Wargame Level 8 Writeup

Level 8

Using the credentials obtained in the previous writeup, we can log in to Level 8, in which we are presented with the following screen:

It appears as though we must find another secret to obtain the password for natas9. Let’s view the source code:

 <html>  
 <head><link rel="stylesheet" type="text/css" href="http://www.overthewire.org/wargames/natas/level.css"></head>  
 <body>  
 <h1>natas8</h1>  
 <div id="content">  
 <?  
 $encodedSecret = "3d3d516343746d4d6d6c315669563362";  
 function encodeSecret($secret) {  
   return bin2hex(strrev(base64_encode($secret)));  
 }  
 if(array_key_exists("submit", $_POST)) {  
   if(encodeSecret($_POST['secret']) == $encodedSecret) {  
   print "Access granted. The password for natas9 is <censored>";  
   } else {  
   print "Wrong secret";  
   }  
 }  
 ?>  
 <form method=post>  
 Input secret: <input name=secret><br>  
 <input type=submit name=submit>  
 </form>  
 <div id="viewsource"><a href="index-source.html">View sourcecode</a></div>  
 </div>  
 </body>  
 </html>  

We see that this code performs the “encodeSecret” function on our input, and compares it with the already encoded $encodedSecret variable. Therefore, we can perform the inverse of the encodeSecret function on our already encoded secret value to obtain the original value.

There are a couple of things to note:

• We must do the operations in reverse order since this is the inverse function.
• The hex2bin function is only available in PHP >= 5.4.0. Since I had a Backtrack R3 instance available that had PHP 5.3.2, I had to resort to the documentation to find the alternative: pack (“H*”, $str)

 root@bt:~# php5  
 <?  
 echo base64_decode(strrev(pack("H*" , "3d3d516343746d4d6d6c315669563362")))  
 ?>  
 oubWYf2kBq  

We can then put use this secret to (hopefully) obtain the password for natas9:

Just as we hoped, we are presented with the password which we can use to log in to the next level. More writeups to come.

-Jordan

Print Share Comment Cite Upload Translate

APA

() » OvertheWire – Natas Wargame Level 8 Writeup. Retrieved from https://www.truth.cx/2012/10/29/overthewire-natas-wargame-level-8-writeup/.

MLA

" » OvertheWire – Natas Wargame Level 8 Writeup." - , https://www.truth.cx/2012/10/29/overthewire-natas-wargame-level-8-writeup/

HARVARD

» OvertheWire – Natas Wargame Level 8 Writeup., viewed ,

VANCOUVER

- » OvertheWire – Natas Wargame Level 8 Writeup. [Internet]. [Accessed ]. Available from: https://www.truth.cx/2012/10/29/overthewire-natas-wargame-level-8-writeup/

CHICAGO

" » OvertheWire – Natas Wargame Level 8 Writeup." - Accessed . https://www.truth.cx/2012/10/29/overthewire-natas-wargame-level-8-writeup/

IEEE

" » OvertheWire – Natas Wargame Level 8 Writeup." [Online]. Available: https://www.truth.cx/2012/10/29/overthewire-natas-wargame-level-8-writeup/. [Accessed: ]

Select a language: Afrikaans Albanian Arabic Armenian Basque Bengali Bulgarian Catalan Cambodian Chinese (Mandarin) Croatian Czech Danish Dutch English Estonian Fiji Finnish French Georgian German Greek Gujarati Hebrew Hindi Hungarian Icelandic Indonesian Irish Italian Japanese Javanese Korean Latin Latvian Lithuanian Macedonian Malay Malayalam Maltese Maori Marathi Mongolian Nepali Norwegian Persian Polish Portuguese Punjabi Quechua Romanian Russian Samoan Serbian Slovak Slovenian Spanish Swahili Swedish Tamil Tatar Telugu Thai Tibetan Tonga Turkish Ukrainian Urdu Uzbek Vietnamese Welsh Xhosa <span style="font-size: large;">Level 8</span><br /><br />Using the credentials obtained in the <a href="http://raidersec.blogspot.com/2012/10/overthewire-natas-wargame-level-7.html" >previous writeup</a>, we can log in to Level 8, in which we are presented with the following screen:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-MeVPuRUrn_E/UI8Jgr8p4pI/AAAAAAAAASk/dt2cQaKaNGA/s1600/natas8.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="330" src="http://2.bp.blogspot.com/-MeVPuRUrn_E/UI8Jgr8p4pI/AAAAAAAAASk/dt2cQaKaNGA/s640/natas8.PNG" width="640" /></a></div><br /><a name='more'></a>It appears as though we must find another secret to obtain the password for natas9. Let's view the source code:<br /><br /><pre style="background-image: URL(http://2.bp.blogspot.com/_z5ltvMQPaa8/SjJXr_U2YBI/AAAAAAAAAAM/46OqEP32CJ8/s320/codebg.gif); background: #222222; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: white; word-wrap: normal;"> <html> <br /> <head><link rel="stylesheet" type="text/css" href="http://www.overthewire.org/wargames/natas/level.css"></head> <br /> <body> <br /> <h1>natas8</h1> <br /> <div id="content"> <br /> <? <br /> $encodedSecret = "3d3d516343746d4d6d6c315669563362"; <br /> function encodeSecret($secret) { <br /> return bin2hex(strrev(base64_encode($secret))); <br /> } <br /> if(array_key_exists("submit", $_POST)) { <br /> if(encodeSecret($_POST['secret']) == $encodedSecret) { <br /> print "Access granted. The password for natas9 is <censored>"; <br /> } else { <br /> print "Wrong secret"; <br /> } <br /> } <br /> ?> <br /> <form method=post> <br /> Input secret: <input name=secret><br> <br /> <input type=submit name=submit> <br /> </form> <br /> <div id="viewsource"><a href="index-source.html">View sourcecode</a></div> <br /> </div> <br /> </body> <br /> </html> <br /></code></pre><br />We see that this code performs the "encodeSecret" function on our input, and compares it with the <i style="font-weight: bold;">already encoded</i> $encodedSecret variable. Therefore, we can perform the inverse of the encodeSecret function on our already encoded secret value to obtain the original value.<br /><br />There are a couple of things to note:<br /><br /><ul><li>We must do the operations in reverse order since this is the inverse function.</li><li>The hex2bin function is only available in PHP >= 5.4.0. Since I had a Backtrack R3 instance available that had PHP 5.3.2, I had to resort to <a href="http://php.net/manual/en/function.hex2bin.php" >the documentation</a> to find the alternative: <span style="font-family: Courier New, Courier, monospace;">pack ("H*", $str)</span></li></ul><div><span style="font-family: Courier New, Courier, monospace;"><br /></span></div><div><span style="font-family: inherit;">I obtained the original secret using the following:</span></div><div><span style="font-family: inherit;"><br /></span></div><pre style="background-image: URL(http://2.bp.blogspot.com/_z5ltvMQPaa8/SjJXr_U2YBI/AAAAAAAAAAM/46OqEP32CJ8/s320/codebg.gif); background: #222222; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: white; word-wrap: normal;"> root@bt:~# php5 <br /> <? <br /> echo base64_decode(strrev(pack("H*" , "3d3d516343746d4d6d6c315669563362"))) <br /> ?> <br /> oubWYf2kBq <br /></code></pre><div><span style="font-family: inherit;"><br /></span>We can then put use this secret to (hopefully) obtain the password for natas9:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-bmEI3JGQgHQ/UI8Jg3PSL-I/AAAAAAAAASs/AJ2fhZHC4-4/s1600/natas8_success.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="380" src="http://1.bp.blogspot.com/-bmEI3JGQgHQ/UI8Jg3PSL-I/AAAAAAAAASs/AJ2fhZHC4-4/s640/natas8_success.PNG" width="640" /></a></div><br />Just as we hoped, we are presented with the password which we can use to log in to the next level. More writeups to come.<br /><br />-Jordan</div> First name:

Last name: