 Level 23 of Natus for the over-the-wire war game gets into a little bit of PHP variable type misunderstanding Because see I'm actually looking at the source code in the web page here because they're doing a little bit of the PHP highlight file Where they're they throw a bunch of like span characters or HTML stuff That's not that good to look at in sublime text So I'm back in the website here in the Firefox in a web browser But we're determining okay if we've submitted to the form here which asks us do we want to enter a password and The PHP code tests if that key exists if we've actually submitted the form is there a stir stir or a string string whatever PHP function that is and is the request password greater than 10 So this stir stir looks like it's kind of comparing something like the requested password with the string I love you and and so and obviously this both of these conditions must be returned true to actually be Retrieving the credentials for the next level password for Natus 24. So I want to check out what these things were I Wanted to see okay, what is PHP stir stir And it looks like that will find the first occurrence of a string and it will return part of a haystack String starting to starting from and including the first occurrence of the needle to the end of the haystack, okay, and That Greater than 10 thing is interesting because that's expecting that request password to be an integer But we're using it as a string over here in this context. So how do we get around this? interesting thing is that PHP type conversions PHP doesn't entirely care Really what your variable really is it all depends on what context you're using it in or how you're testing things with it PHP does not require support explicit type definition variable declarations a variable types determined by the context in which the variables being used So that is to say if string Value is assigned to variable var var becomes a string if an integer variable is assigned to var becomes an integer That's cool because it's dynamic type setting and stuff like that But it's also interesting when you're using comparison operators or just assignment operators on them So I'll shut up and I'll show you what I mean if we get back into our pipe on code We'll go ahead and request this page with the get function, but if we wanted to post to this page We can change the method there set data to have the password and We'll set it to that string. I love you. So this will return wrong After I include a comment or a comma there because we're not getting that same Greater than 10 thing in this case. We're seeing that string I love you that the string password interpreted as a string and When it's being tested as less than or greater than 10 It's just gonna be nothing really or a zero I don't I don't entirely know I'll admit what pH fuel evaluated to however if we were to give it some numbers here Like if we were to say 10 PHP is gonna start to think that this first part here when you're interpreting it as a number as an integer That's gonna be what takes precedence if you interpret it as a number So weird thing, right? What if I were to say? Oh 11 I love you because 11 is greater than 10 and the I love you string is still in there It'll return true on both of those cases 11 is greater than 10 and I love you is in the string It's returning that needle and the rest of the haystack. So it gets it just fine Here we go. The credentials for the next level are password for it and that is 24 Okay, let's snag that but keep that in mind because PHP type juggling is seen like everywhere And a lot of web challenges and in CTF style stuff And I'm sure you'll probably run into it in the wild because PHP is still out there Like crazy. So definitely keep that in mind weird weird oddities with PHP that stuff gets into like magic hashes Etc. And PHP is just a bundle of bugs depending on on who you ask and what opinions you get But that is the solution for Natus 23. Let's save this for a script for Natus 24 and We will move on to see what's next in this level Are we getting the page? Perfect. Alright, thank you guys so much for watching. Hope you're enjoying these if you did like the video Please do press that like button if you want to comment Tell me what you think what you like what you didn't like what I can do better much how much I suck etc if you want to subscribe and If you would like to support me, please do check out my patreon account want to send a special shout out to the people that are Supporting me already Spencer Clark. Thank you for supporting me on patreon I try to shout out to everyone who does support me if they give anything more than just a dollar and A five dollars or more will let you all showcase Everything that I upload to YouTube as early as I can so even if it's scheduled for upload later I'll give it to you early access. So thanks for watching guys. See you soon