 What's up guys, John Hammond here coming back at you with another Natus video from the over-the-wire war games We just got the password for level 8. I pasted it into a new script with the correct username and all I do need to clean up the URL so that we go to the right place And we don't need to view our regular expression attack anymore or search We just want to see their raw response to the web page. So let's see what we got here We can Check this out check out the response Looks like this is asking for another input secret and It gives us the source code of the website. So let's go ahead and see if we can get this source code here if I can move over the Connection okay now that that is requested we can Go ahead and run that de-entitize Plug in code that we hit it before and let's go ahead and actually tidy up this HTML so we can read it too And again, we'll do the same HTML De-entitized because some of them were still stuck in here. Okay, so we've got some more PHP code We can tell because of These guys here looks like all the break Breaks just managed to stick in here. The new line characters just become breaks. That's stupid. I'm sorry We can view this in the web browser if we really wanted to in fact, let's do that just to kind of make those a little bit easier and Remind you that you can do that. I know that I'd kind of different for me doing this stuff all in Python, but What the heck? Just wanted to remind you that you can do this stuff in the web browser. Obviously, that's the real point of the The war game, but doing some really neat stuff With Python is cool, too. Okay, so we've got an encoded secret and it looks like hex, right? It looks like there's a function called encode secret for Secret there's an argument that we pass into it again PHP variables the dollar sign looks like it will return Bin to hex string reverse basics for encode secret. Wow Okay We're checking if the array key exists submit, okay So if the form is submitted if we actually post to it, it will run encode secret It'll so it'll run this function on what we submitted what we passed to it And if it's equal to this encoded secret, it will give us the password for natus 9. Okay, so we just have to kind of reverse What this is doing? Hmm, okay Well, what is Happening here first they base 64 encode this and then they reverse it and then they turn it to hex So Hmm If we're trying to do the opposite of this turn if we're trying to bring this backwards Let's see what this is in Bin or binary I think I don't know if you have PHP installed, but I think I do PHP 7.0 if we echo Just this oh we might need to make a script for it which PHP 7.0, okay, it's a thing. Let's go ahead and create a a Second natus 8.py just just oh no, I'm dead at natus 8.php This is gonna be a PHP script We're gonna work with the code if you haven't done this if you haven't had installed PHP before you should be able to pseudo apt install Like PHP 7.0 taxi ally or something you can check the repositories with pseudo app cache search if you need to but When we ran which PHP 7.0 that was user bin So let's get our shebang line user bin PHP 7.0 Set the syntax here to PHP for us. Okay, I guess our shebang line is just kind of gonna look like that Let's echo. Do I have anything in this PHP? I don't have any syntax highlighting in this thing. Okay, whatever echo that out Can I run this can? Will PHP work here? Seemingly not looks like I broke my build commit. Okay, whatever. Oh, I probably need a semicolon here PHP 7.0 second PHP great Oh, we need to actually put that in PHP stuff duh Now let's set syntax for PHP We need to actually have the Question mark braces around it. So when I run this is it any better? How about we make that executable? Let's remove the old Python script one Not having it Hmm, are you kidding me? Okay, so you have to denote it with the question mark PHP. I'm sorry guys That was probably pretty torturous. I didn't mean to Didn't mean for you to have to watch all that Okay, the new line will stick in there if we run it just like that So now we can run the opposite of these PHP functions So bin to hex is a thing in PHP and there is certainly a hex to bin function I would think yep noted in the see also Section here decodes a hexla decimally encoded binary string So let's run that hex to bin on this thing Now this looks like base 64 except it's backwards So they had ran str rev on this, right? We run this okay Now it is base 64 encoded and we can do What was the function called base 64 encode we can do base 64 decode? neat and This should be the secret that we want Okay Let's go ahead and put this back in our natus 8 thing here Let's go to make a request here a post request now and Let's say the data Again gonna be a dictionary. So curly braces secret was This string that we just discovered and we do want to include that submit variable as well So the program actually so it actually knows that we are submitting So let's run this see what we get here. Oh We are still requesting to index source. So Let's go back to the original root page and Access granted password for natus 9 is this thing So I didn't do a whole lot here to really reverse this other than explore PHP code within PHP code And I literally just kind of worked backwards from what they had because the final function that we saw Them run it was been to hex and obviously this looks like hex, right? So I kind of worked from the outside in in a weird way and just worked backwards hex to bin Reverse the string decode the base 64 and keep displaying it on the screen so I can work with it And that's it. You can do command line scripts with PHP You don't have to all be in a web server and that's a really cool thing to note It's actually really powerful if you tend to like PHP for the programming syntax and semantics Because you can still use it at the command line just like we just did except for a little bit of Troubleshooting my bad, but hope still hope you guys are learning some things. Hope you guys are enjoying this series we will get the password out of here and We'll call it quits for this video should be able to just paste this here steal the password out of this and Save this as not as nine dot pi And we're ready to rock for The next level. Let's keep moving. All right See you guys in the next video