We covered a scenario of web application admin bypass by reverse engineering the PHP source code which was based on creating a cookie through a series of encoding and XOR encryption. Following the same logic in the code, we were able to change the required attributes in the cookie to bypass the challenge and receive the password of the next level. This was part of OverTheWire War Games Natas Level 11
OverTheWire Natas Level 10 to 11 Walkthrough
I started by explaining that the goal of this OverTheWire web challenge was to reveal a password by manipulating a cookie value. The webpage had a feature to change the background color, and I noticed this preference was stored in a cookie. After inspecting the source code, I discovered that the password would be displayed if a cookie property named show password was set to “yes”; currently, it was set to “no.” I also learned that the cookie data underwent several transformations: it was base64 decoded, then XOR decrypted, and finally JSON decoded.
The XOR Encryption Problem and Key Deduction
The main hurdle was the XOR encryption function, which used a key that was censored in the source code. This meant I didn’t know the key directly. However, I remembered a crucial property of XOR encryption: if you have both the plaintext (the original, unencrypted data) and the ciphertext (the encrypted data), you can deduce the key.
To deduce the key, I demonstrated creating a PHP script. The inputs for this script were:
- The current cookie value from the browser (this served as my ciphertext).
- The known plaintext structure of the cookie (an array with
show passwordset to “no” and the current background color), which I then JSON encoded.
The script’s logic was to:
- Base64 decode the browser cookie (ciphertext).
- XOR the decoded cookie (ciphertext) with the JSON-encoded known plaintext.
- The output of this XOR operation would be the encryption key.
Although the exact command wasn’t explicitly typed, I implied running this script using a command like php <script_name.php>. The output revealed a repeating pattern in the key: “KNHL”. This was my elusive XOR key!
Crafting the New Cookie and Getting the Password
With the key (“KNHL”) now known, I created a new PHP script to generate the desired manipulated cookie. The inputs for this new script were:
- The desired plaintext: an array where
show passwordwas set to “yes” and the background color was set (for example, to white). - The deduced XOR key (“KNHL”).
This script would:
- JSON encode the desired plaintext array.
- XOR encrypt this JSON-encoded data using the “KNHL” key.
- Base64 encode the result of the XOR encryption. This final output was my new, manipulated cookie value.
Again, I implied running this script with a command like php <script_name.php>.
The output of this second script was the new cookie value. I then pasted this new cookie into my browser’s cookie storage for the challenge page. Upon refreshing the page, the password for the next level (Natas 12) was successfully revealed!
Technical Commands
While I didn’t explicitly type out every command in the video, the process involved executing PHP files from the terminal. If I had named my PHP scripts find_key.php and create_cookie.php, the commands would have been:
php find_key.php: To execute the first script that deduced the XOR key.php create_cookie.php: To execute the second script that created the new cookie withshow passwordset to “yes.”
I also implicitly used ls (on a Linux/macOS terminal) to list files in the current directory when discussing the script files.
In essence, I walked through a classic web security challenge where understanding how data (specifically cookies) is processed and encrypted is key. By deducing the encryption key, I was able to craft malicious input and achieve the desired outcome of revealing the next level’s password.
Video Walkthrough
