{"id":691,"date":"2015-02-11T04:08:23","date_gmt":"2015-02-11T04:08:23","guid":{"rendered":"https:\/\/www.hackmethod.com\/?p=691"},"modified":"2018-12-12T18:18:07","modified_gmt":"2018-12-12T18:18:07","slug":"overthewire-natas-8","status":"publish","type":"post","link":"https:\/\/hackmethod.com\/overthewire-natas-8\/","title":{"rendered":"OvertheWire \u2013 Natas 8"},"content":{"rendered":"<div class=\"entry-content\">\n<p class=\"entry-content\"><strong>Recap of Last Lesson:<\/strong> We learned more about PHP and some of the ways it is used to display content and how to exploit it.<\/p>\n<p class=\"entry-content\"><a href=\"http:\/\/natas8.natas.labs.overthewire.org\/\"><strong>Natas Level 8<\/strong><\/a><\/p>\n<h4 class=\"entry-content\"><strong>Objective:<\/strong><\/h4>\n<p class=\"entry-content\">Find the password to log into level 9.<\/p>\n<h4 class=\"entry-content\"><strong>Intel Given:<\/strong><\/h4>\n<div class=\"entry-content\">\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li>URL: http:\/\/natas8.natas.labs.overthewire.org\/<\/li>\n<li>Source code available<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/div>\n<p><!--more--><\/p>\n<h4><strong>How to:<\/strong><\/h4>\n<p>Again, more PHP.\u00a0 Check out the other lessons in the series for more information and resources for learning PHP if you have not already.\u00a0 You know the drill by now, and we know that to get the inside scoop we should jump right into the <a href=\"https:\/\/www.hackmethod.com\/wp-content\/uploads\/2015\/01\/natas8_sourceCode.png\">source code<\/a>.\u00a0 I&#8217;m going to post the source code below and then I&#8217;m going to talk you through it.\u00a0 Here is the PHP portion:<br \/>\n<code>&lt;?<br \/>\n$encodedSecret = \"3d3d516343746d4d6d6c315669563362\";<br \/>\n<br \/>\n\/\/ base64-encode the input, reverse the string, then hex-encode it<br \/>\nfunction encodeSecret($secret) {<br \/>\nreturn bin2hex(strrev(base64_encode($secret)));<br \/>\n}<br \/>\n<br \/>\nif(array_key_exists(\"submit\", $_POST)) {<br \/>\nif(encodeSecret($_POST['secret']) == $encodedSecret) {<br \/>\nprint \"Access granted. The password for natas9 is &lt;censored&gt;\";<br \/>\n} else {<br \/>\nprint \"Wrong secret\";<br \/>\n}<br \/>\n}<br \/>\n?&gt;<\/code><\/p>\n
<\/div>\n<div class=\"entry-content\"><\/div>\n<div class=\"entry-content\">So from the top down:<\/div>\n<div><\/div>\n<ul>\n<li class=\"entry-content\">A variable named <strong>$encodedSecret<\/strong>: we can assume this is an encoded version of the secret password.<\/li>\n<li class=\"entry-content\">A function called <em>encodeSecret<\/em> which takes a variable (user input) and performs actions upon it.<\/li>\n<li class=\"entry-content\">The function&#8217;s action is to take the value of <strong>$secret<\/strong>, base64 encode it, then reverse the string, and then convert the binary data into hex.<\/li>\n<li class=\"entry-content\">The if statement compares the value of <strong>$secret<\/strong> after being run through the function with the value of <strong>$encodedSecret<\/strong>.<\/li>\n<li class=\"entry-content\">If they match, we are provided with the password.\u00a0 Otherwise, we are told the password is wrong.<\/li>\n<\/ul>\n<p>Ok, now we understand it.\u00a0 Let&#8217;s figure out how we can use that to our advantage. 
Let&#8217;s use some simple logic here.\u00a0 If the encoded form of <strong>$secret<\/strong> is supposed to be <em>3d3d516343746d4d6d6c315669563362<\/em>, we derive the original value by simply reversing the process.\u00a0 We work through it backwards.\u00a0 It&#8217;s really that simple.\u00a0 What we need to do is take <em>3d3d516343746d4d6d6c315669563362<\/em> (a hex value) and convert it to binary.\u00a0 Then we reverse the string, and then we base64-<strong>de<\/strong>code it.<\/p>\n<p>At this point, you may now be wondering, &#8220;How do I do that?&#8221; Lucky for you, we have a fantastic programming language that will do this heavy lifting for you.\u00a0 This language is, yes, you guessed it, PHP.\u00a0 The real trouble is finding something to interpret it.\u00a0 You have a couple of options:<\/p>\n<ul>\n<li>Upload a file to a webserver with PHP installed<\/li>\n<li>Run PHP on your local machine<\/li>\n<\/ul>\n<p>Since you are obviously running Linux (you are a hacker, right?), I&#8217;ll describe a couple of ways to do it from your command line.\u00a0 Run the command <strong>apt-get install php5<\/strong> or <strong>yum install php5<\/strong>, depending on your distribution of Linux.\u00a0 We can either feed a file to <strong>php5<\/strong> or we can invoke it at the command line and run the command in the terminal.\u00a0 I highly recommend you try it on your own, but to see what success looks like, here are the results from the <a href=\"https:\/\/www.hackmethod.com\/wp-content\/uploads\/2015\/01\/phpdecode.png\">terminal<\/a> and here are the contents if you do it from <a href=\"https:\/\/www.hackmethod.com\/wp-content\/uploads\/2015\/01\/8_decode.png\">a file<\/a>.<\/p>\n<p>Piece of cake.\u00a0 Pop the password in and reap the <a href=\"https:\/\/www.hackmethod.com\/wp-content\/uploads\/2015\/01\/9_code.png\">rewards<\/a>.<\/p>\n<div class=\"entry-content\">\n<h4 class=\"entry-content\"><strong>Conclusion:<\/strong><\/h4>\n<div class=\"entry-content\">In this lesson we got deeper into PHP and had our first 
experience reversing a PHP function.\u00a0 Get used to having to understand code to know how to exploit it.\u00a0 If you found this complicated, brush up on PHP a bit more.\u00a0 You may not always know which PHP commands are available for us to use, but you can always use <a href=\"http:\/\/php.net\/\">php.net<\/a> as a resource for learning about PHP functions and how to use them.<\/div>\n<\/div>\n<p><!--more--><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recap of Last Lesson: We learned more about PHP and some of the ways it is used to display content and how to exploit it. Natas Level 8 Objective: Find the password to log into level 9. Intel Given: URL: http:\/\/natas8.natas.labs.overthewire.org\/ Source code available<\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":true,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[44,49],"tags":[57,45,46],"class_list":["post-691","post","type-post","status-publish","format-standard","hentry","category-overthewire","category-tutorials","tag-natas","tag-overthewire","tag-tutorials"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p5zY4D-b9","_links":{"self":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/691","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp
-json\/wp\/v2\/comments?post=691"}],"version-history":[{"count":8,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/691\/revisions"}],"predecessor-version":[{"id":5224,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/691\/revisions\/5224"}],"wp:attachment":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/media?parent=691"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/categories?post=691"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/tags?post=691"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}