Recap of Last Lesson: We learned more about PHP and some of the ways it is used to display content and how to exploit it.

Natas Level 8

Objective

Find the password to log into level 9.

Intel Given

  • URL: http://natas8.natas.labs.overthewire.org/
  • Source code available

How to Again, more PHP.  Check out the other lessons in the series for more information and resources for learning PHP if you have not already.  You know the drill by now, and we know that to get the inside scoop we should jump right into the source code.  I’m going to post the source code below and then I’m going to talk you through it.  Here is the PHP portion:
<?
$encodedSecret = “3d3d516343746d4d6d6c315669563362”; function encodeSecret($secret) { return bin2hex(strrev(base64_encode($secret))); } if(array_key_exists(“submit”, $_POST)) { if(encodeSecret($_POST[‘secret’]) == $encodedSecret) { print “Access granted. The password for natas9 is “; } else { print “Wrong secret”; } } ?>

So from the top down:

  • A variable named $encodedSecret: we can assume this is an encoded version of the secret password.
  • A function called encodeSecret which takes a variable (user input) and performs actions upon it.
  • The functions action is to take the value of $secret, base64 encode it, then reverse the string, and then convert the binary data into hex.
  • The if statement compares the value of $secret after being ran through the function with the value of $encodedSecret.
  • If they are identical, we are provided with the password.  Otherwise, we are told the password is wrong.
  • Ok, now we understand it.  Lets figure out how we can use that to our advantage. Lets use some simple logic here.  if variable $secret is supposed to be 3d3d516343746d4d6d6c315669563362 *we derive the original value by simple reversing the process.  We work through it backwards.  It’s really that simple.  What we need to do is take *3d3d516343746d4d6d6c315669563362 (a hex value) and convert it to binary.  Then, we reverse the string, and then, we base64decode it.

    At this point, you may know be wondering, “How do I do that?” Lucky for you, we have a fantastic programming language that will do this heavy lifting for you.  This language is yes, you guessed it, PHP.  The real trouble is finding something to interpret it.  you have a couple of options:

    • Upload a file to a webserver with PHP installed
    • Run PHP on your local machine

    Since you are obviously running Linux (You are a hacker right?) I’ll describe a couple ways you do it from your command line.  Run the command apt-get install php5 **or **yum install php5 depending on your distribution of Linux.  We can either feed a file to **php5 **or we can invoke it at the command-line and run the command in the terminal.  I highly recommend you try it on your own, but to see what success looks like, here is the results form the terminal and here is the contents if you do it from a file.

    Piece of cake.  Pop the password in and reap the rewards.

    Conclusion
    In this lesson we got deeper into PHP and had our first experience reversing a PHP function.  Get used to having to understand code to know how to exploit it.  If you found this complicated brush up on PHP a bit more.  You may not always know what PHP command are available for use to use, but you can always uses php.net as a resource for learning about PHP functions and how to use them.

    Hackmethod is proud to announce Mal_Wear by HM. Exploit/Vulnerability themed nerdy t-shirts! Get them while they last. Dismiss