1. Objective
Find the password for natas level 12.
2. Introduction
When we open the webpage for Natas 11, we are greeted with the following message:
Cookies are protected with XOR encryption.
What is XOR:
XOR is a binary operation that returns true (1) only when the number of true inputs is odd. It compares corresponding bits of two binary numbers, resulting in 1 for differing bits and 0 for identical bits.
Example:
Let's consider two binary numbers, A = 1010 and B = 1101.
1010 XOR 1101 = 0111
In this case, A XOR B equals 0111 in binary, or 7 in decimal.
XOR Property:
If A XOR B = C, then A XOR C = B.
Verification:
Let A = 1010, C = 0111, and find B.
1010 XOR 0111 = 1101
The result is 1101 in binary, which is B. So, A XOR C equals B, confirming the XOR property.
This property holds true for any combination of A, B, and C, demonstrating that given any two values, you can find the third using XOR.
3. Exploration
Checking the source code, we get an understanding of how the encryption works and what we need to do to complete the challenge.

The steps followed in the above script are:
- The load data function is called where:
  - The cookie is loaded.
  - The value is decoded from base64.
  - The resulting value is XOR encrypted using a hidden key.
  - The resulting value is converted to an array.
  - The program gets the background and show password value and stores it in a dictionary, which is returned.
- The save data function is called where:
  - The dictionary returned above is converted to a JSON string using JSON encode.
  - It is then XOR encrypted, converted to base64, and set as the cookie.
  - If the value of showpassword is yes, then the password to the next level is revealed.
From this, we can tell that we must find a way to change the value of show password to yes.
4. Exposing the key
We have a key, a JSON string, and a cookie.
The process above is:
key xor json_string = cookie
We can use the procedure below to get the key, which we can then use to encode the modified value into a valid cookie value:
cookie xor json_string = key
- The cookie:
  - Go to the developer tools by right-clicking on the page and selecting Inspect.
  - Select the Storage tab.
  - Under Cookies, select http://natas11.natas.labs.overthewire.org/.
  MGw7JCQ5OC04PT8jOSpqdmkgJ25nbCorKCEkIzlscm5oKC4qLSgubjY%3D
- The default data:
  $defaultdata = array( "showpassword" => "no", "bgcolor" => "#ffffff" );
  - Converting this to a JSON string gives us {"showpassword":"no","bgcolor":"#ffffff"}
Let's open CyberChef https://gchq.github.io/
- The first step will be to decode the cookie from base64.
- Use the XOR operation with {"showpassword":"no","bgcolor":"#ffffff"} as the key.
- On the drop-down next to the key, select UTF8.
- We get a result of KNHLKNHLKNHLKNHLKNHLKNHLKNHLKNHLKNHLKNHLKL.
- Notice that the key is repeating. We can shorten it to KNHL.

- The new value will be {"showpassword":"yes","bgcolor":"#ffffff"}.
- Go back to CyberChef and use the XOR operation with KNHL as the key and {"showpassword":"yes","bgcolor":"#ffffff"} as the value.
- Use the To Base64 operation to encode the result to base64.
- Change the cookie value and refresh the page.
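
The key recovery and cookie forging steps above, written as a Python script (an added example, not part of the original write-up; the function names are made up for it). It URL-decodes the cookie before base64-decoding it, and decode_without_unquote shows, assuming a lenient decoder that skips the '%', that leaving %3D in place appends one stray byte to the decoded data.

```python
import base64
import json
from urllib.parse import unquote

# Cookie exactly as the page shows it (still URL-encoded: %3D is the '=' padding).
COOKIE = "MGw7JCQ5OC04PT8jOSpqdmkgJ25nbCorKCEkIzlscm5oKC4qLSgubjY%3D"
DEFAULT = {"showpassword": "no", "bgcolor": "#ffffff"}  # $defaultdata from the page


def to_json(data):
    """Compact JSON with no spaces, matching the string shown on the page."""
    return json.dumps(data, separators=(",", ":")).encode()


def xor(data, key):
    """XOR data with key, repeating the key as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def shortest_period(stream):
    """Shortest prefix that reproduces the whole keystream when repeated."""
    for n in range(1, len(stream) + 1):
        if all(b == stream[i % n] for i, b in enumerate(stream)):
            return stream[:n]


def recover_key(cookie, known_plaintext):
    """cookie xor json_string = key; URL-decode before base64-decoding."""
    return shortest_period(xor(base64.b64decode(unquote(cookie)), known_plaintext))


def forge(data, key):
    """json_string xor key, then base64: the new cookie value."""
    return base64.b64encode(xor(to_json(data), key)).decode()


def decode_without_unquote(cookie, key):
    """Assumed lenient decoder: drops '%' and reads '3D' as base64 characters."""
    chars = "".join(c for c in cookie if c.isalnum() or c in "+/")
    return xor(base64.b64decode(chars[: len(chars) // 4 * 4]), key)


if __name__ == "__main__":
    key = recover_key(COOKIE, to_json(DEFAULT))
    print("key:", key.decode())
    print("cookie:", forge({"showpassword": "yes", "bgcolor": "#ffffff"}, key))
    print("stray byte:", decode_without_unquote(COOKIE, key)[-1:])
```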

6. Success
With this, we have gained a basic understanding of XOR encryption and used that information to complete the challenge.
Use the password that you have acquired above to access the next level.
PS:
Those with sharp eyes may have noticed that the key we got above doesn't quite repeat entirely. On the last repetition where it is cut off, it begins as KL instead of the expected KN.
KNHL KNHL KNHL KNHL KNHL KNHL KNHL KNHL KNHL KNHL KL
If you take the original cookie and decode from base64 and use KNHL in the XOR operation, we get {"showpassword":"no","bgcolor":"#ffffff"}y as the result.

I have no idea why the 'y' is present there, and omitting the 'y' from our solution does not affect it. If you have any idea why it is there, let me know down below.
NthApostle
YWqo0pjpcXzSIl5NMAVxg12QxeC1w9QG