@thlor
Created November 20, 2018 15:23
natas11 walkthrough
<?php
// See: http://natas11.natas.labs.overthewire.org/
// The color code is stored in a cookie.
// The cookie is not legible (as we know, it's encrypted by XOR).
// From the PHP source we see that:
// - the cookie is also base64 encoded (find: base64_encode() and base64_decode() in the source)
// - once decrypted, the cookie contents are a JSON string (find: json_encode() and json_decode() in the source)
// - this JSON has (at least) these two keys: "showpassword", "bgcolor" (see $data['bgcolor'] and $data['showpassword'])
// - from the PHP/HTML source we confirm our suspicion that "bgcolor" stores the background color we change and the "showpassword" value decides whether the password is shown (default: no, desired: yes)
//
// If we change the background color in the web form, we see that the cookie is also changing.
// The browser shows the cookie URL-encoded (the trailing "%3D" is an "="), so we urldecode() it before base64_decode(),
// otherwise the decoded length is off by one and the length check below fails.
$original_cookie = urldecode('ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw%3D');
// Only the "Fe" near the end changed to "EI": that must be the difference between f and 0.
$fffff0_cookie = urldecode('ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxEIaAw%3D');
// Based on this, we create what we think the decrypted JSON with default values would look like:
$original_json = '{"showpassword":"no","bgcolor":"#ffffff"}';
// We know that the cookie is base64 encoded. If we base64_decode the cookie, the content is not legible, but it has the same byte length as our JSON (41 bytes). We are onto something!
var_dump(strlen(base64_decode($original_cookie)) === strlen($original_json)); // bool(true)
// XOR conversion works both ways:
// $encrypted = $source ^ $key;
// but also
// $key = $source ^ $encrypted;
// So what we do is assume that the JSON we created is the source of the encrypted cookie, and therefore XOR the JSON with the cookie (after we base64_decode the cookie):
$key = $original_json ^ base64_decode($original_cookie);
// $key's value is now "qw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jq".
// From the xor_encrypt() function we see that during encryption the i-th character of the source is XORed with the i-th character of the key (repeating the key over and over).
// Clearly, we have found the key. It's "qw8J".
// Now that we know the key, we create a JSON that enables password display:
$attack_json = '{"showpassword":"yes","bgcolor":"#ffffff"}';
// XOR this with the key we found. For this we repeat the key until the resulting mask is the same length as our JSON (42 bytes). We could do it with a loop, but I just did it manually:
$attack_json_encrypted = $attack_json ^ "qw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw";
// Then we base64 encode it. The result is the cookie we use against the system so it shows us the password.
$attack_cookie = base64_encode($attack_json_encrypted);
echo $attack_cookie, "\n";
// We copy the attack cookie string and in our browser's developer tools we replace the original cookie value with the attack one. Then hit refresh.
// Voila, done.
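The same known-plaintext recovery, written out generally as an added example in Python (this is not the gist's PHP and not the level's own code). It decodes the cookie exactly as above, XORs it with the guessed plaintext to get the keystream, finds the keystream's repeating period automatically instead of reading "qw8J" off by eye, refuses to proceed when the plaintext guess has the wrong length, and then shows why the weakness is really the missing integrity check: an HMAC over the cookie (an assumed server-side fix with a constructed secret; natas11 itself has no MAC) rejects the forged value while accepting the original.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import unquote

# Values taken from the walkthrough above: the cookie as the browser shows it
# (URL-encoded) and the plaintext we guess it was made from.
ORIGINAL_COOKIE = "ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw%3D"
GUESSED_PLAINTEXT = b'{"showpassword":"no","bgcolor":"#ffffff"}'
DESIRED_PLAINTEXT = b'{"showpassword":"yes","bgcolor":"#ffffff"}'

# Constructed server-side secret for the mitigation part (assumption: a fixed
# server would keep such a secret server-side only; the level has no MAC).
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """The scheme the level's xor_encrypt() uses: byte i XOR key[i % len(key)]."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_cookie(cookie: str) -> bytes:
    """Undo the transport layers: URL encoding (the %3D), then base64.
    validate=True rejects stray characters instead of silently skipping them."""
    return base64.b64decode(unquote(cookie), validate=True)


def shortest_period(stream: bytes) -> bytes:
    """Smallest prefix that reproduces the whole stream when repeated;
    for repeating-key XOR that prefix is the key itself."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def recover_key(cookie: str, plaintext: bytes) -> bytes:
    """Known-plaintext attack: ciphertext XOR plaintext is the keystream,
    and the keystream's period is the key."""
    ciphertext = decode_cookie(cookie)
    if len(ciphertext) != len(plaintext):
        raise ValueError(
            f"length mismatch: {len(ciphertext)} cipher bytes vs "
            f"{len(plaintext)} plaintext bytes; the plaintext guess is wrong")
    keystream = xor_repeating(ciphertext, plaintext)  # equal lengths: plain byte-by-byte XOR
    return shortest_period(keystream)


def forge_cookie(key: bytes, plaintext: bytes) -> str:
    """Encrypt an arbitrary plaintext with the recovered key: XOR gives
    confidentiality at best, never integrity, so the server cannot tell."""
    return base64.b64encode(xor_repeating(plaintext, key)).decode("ascii")


def decrypt_cookie(cookie: str, key: bytes) -> dict:
    """What the server does on its side: decode, decrypt, then json_decode."""
    return json.loads(xor_repeating(decode_cookie(cookie), key))


# --- mitigation: authenticate the cookie so any edit is detected ---
def sign_cookie(cookie: str, secret: bytes = SERVER_SECRET) -> str:
    return hmac.new(secret, cookie.encode("ascii"), hashlib.sha256).hexdigest()


def cookie_is_authentic(cookie: str, tag: str, secret: bytes = SERVER_SECRET) -> bool:
    # constant-time comparison, so the check does not leak the tag byte by byte
    return hmac.compare_digest(sign_cookie(cookie, secret), tag)


if __name__ == "__main__":
    key = recover_key(ORIGINAL_COOKIE, GUESSED_PLAINTEXT)
    print("recovered key:", key)
    forged = forge_cookie(key, DESIRED_PLAINTEXT)
    print("forged cookie:", forged)
    print("server would read:", decrypt_cookie(forged, key))
    tag = sign_cookie(ORIGINAL_COOKIE)
    print("original cookie authentic:", cookie_is_authentic(ORIGINAL_COOKIE, tag))
    print("forged cookie authentic:  ", cookie_is_authentic(forged, tag))
```

The length check in `recover_key` is the practical guard: if the guessed JSON were one byte off (say a different default color), the XOR would still produce 41 bytes of garbage with no short period, and `shortest_period` would return the whole stream rather than a four-byte key, which is the signal to revisit the guess.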