Hey, what's going on everybody? This is John Hammond, and we're still looking at the Natas wargame from OverTheWire. So we're on level 11 right now. That's just natas11.natas.labs.overthewire.org in the URL, and it looks like we have an application here, kind of a web application, that will let us set the color of the background for this web page. That is pretty neat, but we want to see what's vulnerable. What can we do with it?

So the notice here is that cookies are protected with XOR encryption. We can view the source code here, and this shows us the HTML of the page, and we can see some PHP code here. This is the interesting stuff: the PHP code is the server-side code, so that's what we want to know and see what we can mess with, what we can get around.

Looks like we have a variable called $defaultdata. You can tell it's a variable because it has a dollar sign; variables in PHP are preceded by a dollar sign. It's an array, an associative array, where showpassword is set to the string "no" and bgcolor is by default set to hex #ffffff, or RGB 255 255 255. And we have functions xor_encrypt, loadData, saveData, etc. And then we actually have the HTML of the page, and it looks like there's a note here: it does a little condition. If the $data array index at showpassword is set to "yes", then it will give us the password for natas12, the next level. So it's censored out here, but it looks like that's the functionality that we want. We need to somehow set $data['showpassword'] to "yes".

Checking out the code, we can see that $data, that variable, is set from the function loadData, and it uses by default the $defaultdata. So we saw the $defaultdata up here, but what does loadData do? This is the function. It looks like it reads out of the cookie PHP special variable.
It sets up the argument that's passed in, so $defaultdata originally is $def, then goes through and that's $mydata, and it tests if the array key exists. So if the cookie has data set, then it looks like it stores a variable $tempdata where it tries to base64-decode and xor_encrypt and then json_decode whatever that data cookie is set to. That's a lot of stuff, but it looks like all it really does is extract out those variables: it looks like it extracts out showpassword, which we know by default is "no", and bgcolor, which is #ffffff in this case. It looks like it does that just by reading through it, and it does some preg_match. Okay, that regular expression is just to test whether the background color is set to a proper hexadecimal color. Cool. And it will do these things if the key exists in that array. So there must be a cookie that's being set. Let's go ahead and take a look at that.

I'm going to switch over to Sublime Text where I have a Python script that's letting us work with this. Here is the page once we get it with the requests module in Python, and we have the content, etc. Let's take a look at the source code just like this again. Run that and take a look. Make sure we actually run it. Is it not doing that for me? Classic. Okay, now I've got it set up, and it looks pretty gross. So we can go ahead and do our tidy HTML, and we can go ahead and de-entitize that, and all those br, or breaks, in HTML we can remove, because they're just in the way. So, okay. Now we can see the PHP code in a little bit of a better editor, and this is handy, but let's just kind of take note of this as source.php, or source11.php or whatever. You may have seen that in my file explorer I had some stuff already pre-prepared, but that's because I've tried to test this stuff and wanted to have it done before I started to record. So let's keep moving here.
Let's go ahead and take a look at what that cookie actually looks like. We're doing that with the session variable; we'll make this GET request with the session variable, so we can print out session.cookies. Check this out. And we don't have anything. Oh, because we're still viewing the index-source page. Let's go back to the original page. Now we can check out the cookie jar, and we have data. So let's scrape it out, do some array indexing here, and it looks like this, which is clearly in base64, with the %3D, and we know that that is a URL-encoded character. We can just remove that. We can decode that with urllib... .quote, I think. I should bring it back. Nope, unquote is the one that we want, because that will remove it. Okay, there. Cool. Now it'll properly interpret that. So now let's grab base64 so we can decode that: base64.decode... and we want b64decode, my bad. So run that, and we have nonsense and garbage. So this must be the XORed version of the data that we're working with, because remember in the source code that we were looking at, they do run xor_encrypt on it. So it's probably going to be a little bit difficult to really read, because it's XORed, or exclusive-or encrypted, stuff like that. Not really encrypted, but you know, well, I guess maybe, whatever. However you want to interpret it, it is XORed; that operation is run through the data. So we can take a look at that xor_encrypt function here, and it happens with a $key variable that we don't know; it's censored. The input that we pass to it, so it looks like that's just what was base64-decoded here,
and the $outText, the output variable, the result that happens when we go through this operation. So it does this XOR in a for loop; it iterates through each character by using $i as our iterator, all the way through the length of the text, so we can index the text and the key based off of the length of the key, modulus, so it wraps around; it does a circle operation thing. And it uses the XOR operator here, that caret symbol. So we're appending to our output text, that variable $outText, with the PHP concatenation character, the dot, the dot-equals. And then it finally gives us the $outText. So okay, let's try and get in the middle of this, because we can totally recreate this function. Let's in fact do that.

I want to see if this will copy correctly, because I see some weird characters in the text. It looks like there's no real space or tab character in some of the indentation for this code. It may have done some weird things with tidy HTML. I'm going to copy this code from the website, from the web page. So I want xor_encrypt and I want the $defaultdata. And now let's create a PHP script where we can handle this stuff, a second natas11.php. That already exists, so let's go ahead and replace it, because I was testing it earlier. So let's have PHP tags in here. And let's put... where is our... oh, I did not... totally just killed our red or whatever. Whoops. Okay. Where's php7.0? /usr/bin/php7.0? Let's use that as the interpreter here; use our shebang line. Okay, and now we have proper things. So if we were to try and run json_decode, that json_decode is going to happen when we have the encrypted data, but obviously it's going to just be plain text. They loaded this to begin with with saveData, so that must have happened with json_encode here. Let's go ahead and see what that looks like: json_encode our $defaultdata, and let's echo that out to the screen so we can see it. The second natas11.php.
We will run it, and okay, it looks like just a string. That's all it did, or it interprets it however we need to. Cool, so if we wanted to use that, and that's what's passed in to our xor_encrypt, well, perfect. Let's try and see if we can figure out the key for the data that we already have, because we know what the original is, that's this encoded version, and we know what the actual XORed result was, so we can kind of figure out what the key might be, because XOR works with specific properties. We have A XORed with B, and that equals C, right? So in that case, plaintext XORed with the key equals ciphertext. But we can reverse this operation, because we can switch these things around: if we try and XOR the plaintext with the ciphertext, we will return the key. So let's try and do that. Let's create another function where we can pass a key in, and then $key... let's just modify that, actually; we don't need to create a whole new one now that that's passed in. And somehow let's... okay, let's call this the original data that we're working with, and let's go ahead and get the XORed data. Is there a way we can pass it to this PHP code? Since we're working with it over here as random garbage characters, let's actually go ahead and hexlify that, or encode it into hex. So that is now the raw version, just in hex, and that way we can give it easily to the PHP code by passing that in and decoding it. Because you saw in the source code they were using functions called bin2hex or hex2bin; that may actually have been in the previous level, but that will, you know, get the raw bytes out of some hex. So if I echo hex2bin and pass in that hex, we should be able to see that. Yeah, okay, cool.
So there's the raw stuff. So let's say this is the ciphertext, this is the plaintext. So now we can figure out the key by running our xor_encrypt, passing in the plaintext and what we're going to use as the ciphertext for our key here, because we're just doing that operation: A XOR B equals C, so A XOR C equals B. Now let's try and run that: echo xor_encrypt with the plaintext and the ciphertext. Check this out, and we get something that repeats. We get this qw8J over and over and over again. So that must be the original key, just those four. So now we can use that as our key. We can say $key equals this string, and so now we can have the data that we want to work with, the data that we actually want, the good data where showpassword is set to "yes". And now we can run the same operation to get the cookie value for that. Let's see, that was... first we have to XOR it. We need to run json_encode on our good data, the good plaintext, and we have the key, so the good ciphertext can equal xor_encrypt, passing in the good plaintext that we now have and the key that we want to give it. Cool. So now let's just echo that out and see what our good ciphertext is. It's probably going to look like nonsense. Yep, because it's XORed. So what did they do in their script to handle it? They base64-encoded it. Okay, so let's do that. We have that function in PHP as well, so $cookie can equal base64_encode of the good ciphertext. And now let's check out what the cookie is. Whatever this is, let's copy and paste this into our Python script. Let's set cookies, data, set to this, and so now we will get this page just as we had before, but we'll pass in cookies=cookies. Now we can print... let's move those up here, just so it looks normal. Let's run this and see what we've got on the page now that we've given it the proper cookie. We got it. Set the syntax to HTML, and you can see here it ran with "the password for natas12 is" this guy. Cool.
So that worked. All we did was do a little trick with XOR, which was figuring out what the key was by XORing both the plaintext and the ciphertext, because we had those originally, and that property of XOR will allow us to determine the key. Perfect. So now that we have the password to natas12, let's go ahead and create a new script and get us back to where we were. Fresh script, natas12, and when we run this, now you can see we are on Natas level 12. Okay, awesome. Sweet, that was it. That was our cool and good way to get through Natas level 11: just trying to take advantage of their PHP code, modifying the XOR function so it can take a key in that we can pass to it, and then using the plaintext and the ciphertext to our advantage. So thank you guys for watching. Hope you're enjoying this and these videos. If you are, hey, please like the video, maybe leave a comment on what you think, if you're willing to subscribe, and thank you again. I'll see you in the next video.
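The known-plaintext attack the video walks through, written out as one added Python example (not code from the video or from OverTheWire). It follows the flow the transcript describes: the server stores base64(xor(json_encode(data), key)) in the data cookie, the default data is showpassword "no" / bgcolor "#ffffff", and bgcolor has to pass a hex-colour regex. Everything else is assumed or constructed for the example: the key `k3y!` and the observed cookie are stand-ins, not the real level's values, and the helper names (`recover_key`, `forge_cookie`, `attack`) are this example's own. It goes slightly beyond the video in two places: it collapses the recovered key stream to its shortest repeating unit instead of eyeballing the repeats, and it refuses to forge a cookie whose bgcolor the server's preg_match would reject.

```python
"""Known-plaintext key recovery against a repeating-key XOR cookie, plus forging.

Added example; the key and the observed cookie below are constructed stand-ins,
not the real Natas 11 values.
"""
import base64
import json
import re
import urllib.parse

# Constructed for this example; this is NOT the real Natas 11 key.
EXAMPLE_KEY = b"k3y!"

# Default data as the video describes it: showpassword "no", bgcolor "#ffffff".
DEFAULT_DATA = {"showpassword": "no", "bgcolor": "#ffffff"}

# The server's preg_match only accepts a '#' followed by six hex digits.
BGCOLOR_RE = re.compile(r"^#[0-9a-f]{6}$", re.IGNORECASE)


def php_json_encode(data):
    """Mimic PHP json_encode() for a flat map of strings: no whitespace.
    (PHP also escapes '/' as '\\/'; none of these values contain one.)"""
    return json.dumps(data, separators=(",", ":")).encode()


def xor_encrypt(text, key):
    """Port of the level's xor_encrypt(): byte i is XORed with key[i % len(key)]."""
    return bytes(text[i] ^ key[i % len(key)] for i in range(len(text)))


def make_cookie(data, key):
    """What saveData() does: base64(xor(json)), then URL-encoded ('=' -> %3D)."""
    raw = base64.b64encode(xor_encrypt(php_json_encode(data), key)).decode()
    return urllib.parse.quote(raw, safe="")


def cookie_to_ciphertext(cookie):
    """Reverse the URL encoding and the base64 to get the raw XORed bytes."""
    return base64.b64decode(urllib.parse.unquote(cookie))


def shortest_period(stream):
    """Smallest prefix p such that stream is p repeated (last copy may be cut short).
    A key with internal repetition (e.g. b'abab') collapses to b'ab', which is
    equivalent for XOR purposes."""
    for n in range(1, len(stream) + 1):
        p = stream[:n]
        if all(stream[i] == p[i % n] for i in range(len(stream))):
            return p
    return stream


def recover_key(known_plaintext, ciphertext):
    """plaintext XOR ciphertext == key stream (A ^ B = C, so A ^ C = B).
    Only as many key bytes as there is known plaintext can be recovered."""
    stream = bytes(a ^ b for a, b in zip(known_plaintext, ciphertext))
    return shortest_period(stream)


def forge_cookie(key, showpassword="yes", bgcolor="#ffffff"):
    """Build a cookie the server will accept with showpassword flipped."""
    if not BGCOLOR_RE.match(bgcolor):
        raise ValueError("server's preg_match would reject this bgcolor")
    return make_cookie({"showpassword": showpassword, "bgcolor": bgcolor}, key)


def decode_cookie(cookie, key):
    """What loadData() does server-side; used to confirm the forgery round-trips."""
    return json.loads(xor_encrypt(cookie_to_ciphertext(cookie), key))


def attack(observed_cookie):
    """Full chain: known default data + observed cookie -> key -> forged cookie."""
    key = recover_key(php_json_encode(DEFAULT_DATA), cookie_to_ciphertext(observed_cookie))
    return key, forge_cookie(key)


if __name__ == "__main__":
    # Constructed stand-in for the 'data' cookie the server sets on first visit.
    observed = make_cookie(DEFAULT_DATA, EXAMPLE_KEY)
    key, forged = attack(observed)
    print("recovered key:", key)
    print("forged cookie:", forged)
    print("server would load:", decode_cookie(forged, EXAMPLE_KEY))
```

Against the live level the `observed` value would come from `session.cookies['data']` after a plain GET, exactly as in the video, and `forged` would go back in the `cookies=` argument of the next request. The key-stream period only reveals the whole key because the 41-byte JSON plaintext is longer than the key; with a key longer than the known plaintext only a prefix would come back.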