Python Web Hacking: PHP XOR | Natas (Level 11)
Key Takeaways
Shows a PHP XOR vulnerability in a Natas challenge
Full Transcript
Hey, what's going on everybody? This is John Hammond and we're still looking at the Natas war game from OverTheWire. So, we're on level 11 right now. Um, that's just natas11.natas.labs.overthewire.org in the URL. And it looks like we have an application here, kind of a web application that will let us set the color of um the background for this web page. Um, and that is pretty neat, but we want to see what's vulnerable. What can we do with it? Um so the notice here is that cookies are protected with XOR encryption. So we can uh view the source code here and this tells us okay here's the HTML of the page and we can see some PHP code here. Um this is the interesting stuff. The PHP code is the server side code. So that's what we want to know and see what we can uh mess with, what we can get around. So uh looks like we have a variable called default data. Uh you can tell it's a variable because it has a dollar sign. Variables are preceded with a dollar sign in PHP. And it's an array, an associative array, of show password set to the string no, background color by default set to hex FFF or RGB 255 255 255. Uh and we have functions xor encrypt and uh load data, save data, etc. And then we actually have the HTML of the page and level. Um it looks like there's a note here. It does a little condition: if the data array uh index show password is set to yes then it will give us the password for natas12, the next level. So it's censored out here but looks like that's the functionality that we want. We need to somehow set data show password to yes um and checking out the code we can see that data, that variable, is set from the function load data and it uses by default the default data. So, we saw the default data up here, but what does load data do? This is the function. Looks like it reads out of the cookie um PHP special variable. It sets up um the argument that's passed in.
So, default data originally is the default. Then it goes through and that's my data. And it tests if the array key exists. So if the cookie has data set then it looks like it stores a variable temp data where it tries to base64 decode and then XOR encrypt and then JSON decode whatever that data cookie is set to. Um and that's a lot of stuff but looks like all it really does is extract out the um those variables. So it looks like it extracts out show password, which we know by default is no, and the background color, which is hex ffffff in this case. Um it looks like it does that just by reading through it and it does some preg_match. Okay, that regular expression is just to test whether the background color is set to a proper hexadecimal color. Cool. Um and it will do these things if the key exists in that array. So, there must be a cookie that's being set. Let's go ahead and take a look at that. Um, I'm going to switch over to Sublime Text where I have a Python script that's letting us work with this. Here is the page once we get it with the requests module in Python. And we have the content, etc. Let's take a look at the source code just like this again. Run that and take a look. Make sure we actually run it. Is it not doing that for me? Classic. Okay, now I've got it set up and it looks pretty gross. So, we can go ahead and do our Tidy HTML. We can go ahead and de-entitize that, and all those BR or breaks in HTML, we can remove those because they're just in the way. So, okay, now we can see the PHP code in a little bit of a better editor. And this is handy, but let's just kind of take note of this as source PHP, source11.php or whatever. Um, you may have seen that in my file explorer I had some stuff already pre-prepared, but that's because I've tried to test this stuff and wanted to have it done before I started to record. So, let's keep moving here. Um, let's go ahead and take a look at what that cookie actually looks like.
So, we're doing that with the session variable. We're making this get request with a session variable. So, we can print out session.cookies. Check this out. And we don't have anything. Oh, because we're still viewing the index source page. Let's go back to the original page. Now, we can check out the cookie jar. And we have data. So, let's scrape him out. Do some array indexing here. And it looks like this, which is clearly in base64 um with the percent 3D. And we know that that is um a URL encoded character. We can just remove that. Um we can decode that with urllib. Um, urllib.quote I think should bring it back. Nope. Unquote is the one that we want because that will remove it. Okay, that there. Cool. Now it'll properly interpret that. So now let's grab b64 so we can decode that. b64.decode. Uh, and we want b64decode. My bad. So run that. And we have nonsense and garbage. So this must be the um XOR'd version of the data that we're working with, because remember in the source code that we were looking at they do run xor encrypt on it. So it's probably going to be a little bit difficult to really read um because it's XOR'd or exclusive-or encrypted, stuff like that. Not really encrypted but, you know, well I guess maybe, whatever, however you want to interpret it, XOR, that operation is run through the data. So we can take a look at that xor encrypt function here and it happens with a key variable that we don't know, it's censored, uh the input that we pass to it. So looks like that's just um what was b64 decoded here and the out text or the output variable, the result that happens when we go through this operation. So it does this XOR in a for loop. It iterates through each character by using i as our iterator um all the way through the length of the text. So we can index the text and the key based off of the length of the key uh modulus.
So it wraps around, it does a circle operation thing, and it uses the XOR operator here, that caret symbol. So we're appending to our out text, that variable out text, um with the PHP concatenation character, the dot, the dot equals, and then it finally gives us the out text. So, okay, let's try and get in the middle of this because we can totally recreate this function. Um, let's in fact do that. Um, I want to see if this will copy correctly because I see some weird characters in this uh text. Uh, it looks like there's no real space or tab character in some of the indentation for this code. So let's go ahead and, it may have done some weird things with Tidy HTML, I'm going to copy this code from the website, from the web page. So I want xor encrypt and I want the default data. And now let's create a PHP script where we can handle this stuff. Um second natas11.php, that already exists. So let's go ahead and replace it because I was testing it earlier. So, let's have PHP tags in here. And let's put, where is our, oh, I did not, uh, totally just killed our editor. Whatever. Whoops. Okay. Where is PHP 7.0? /usr/bin/php7.0. Let's use that as the interpreter here. Use our shebang line. Okay. And now we have proper things. So if we were to try and run uh JSON decode on that stuff, JSON decode is going to happen when we have the encrypted data, but obviously it's going to just be plain text of this. They loaded this to begin with with save data. So that must have happened with JSON encode here. Let's go ahead and see what that looks like. JSON encode our default data. And let's echo that out to the screen so we can see it. And second.php. We will run it. And okay, it looks like just a string. That's all it did. Or it interprets it however we need to. Cool. So, if we wanted to use that and that's what's passed into our encrypt, well, perfect.
Um, let's try and see if we can figure out the key for the data that we already have because we know what the original is. That's this encoded version. And we know what the actual XOR'd result was. We can kind of figure out what the key might be because XOR works with specific properties. Um we have a XOR'd with b and that equals c, right? So in that case plain text XOR'd with the key equals cipher text. But we can reverse this operation because we can switch these things around. If we try and XOR the plain text with the cipher text, we will return the key. So let's try and do that. Um let's create another function where we can pass in a key. Let's just modify that. Actually we don't need to create a whole new one now that that's passed in. Um, and somehow, let's, okay, let's call this original data that we're working with and let's go ahead and get the uh the XOR'd data um in a way we can pass it to this PHP code. So since we're working with it over here as random garbage characters, let's actually go ahead and hexlify that, or encode into hex. So that is now the raw version just in hex and that way we can give it easily to the PHP code by passing that in and decoding it. So let's actually, because you saw in the source code they were using functions called bin2hex or hex2bin, that may actually have been in the previous level, but that will, you know, get the raw bytes out of some hex. So if I echo uh hex2bin and pass in that hex we should be able to see that. Yeah. Okay cool. So there's the raw stuff. So let's say this is the cipher text and this is the plain text. So now we can figure out the key by running our xor encrypt by passing in the plain text and what we're going to use as the cipher text for our key here, because we're just doing that operation a XOR b equals c, so a XOR c equals b. Now let's try and run that: echo xor encrypt with the plain text and the cipher text. Check this out.
And we get something that repeats. We get this qw8j over and over and over again. So that must be the original key, just those four. So now we can use that as our key. We can say key equals this string. And so now we can have the data that we want to work with. The data that we actually want, the good data where show password is set to yes. And now we can run the same operation to get the cookie value for that. Let's see, that was um, first we have to XOR it. We need to run JSON encode on our good data. So now good plain text, and we have the key. So good cipher text can equal xor encrypt, pass in the good plain text now that we have it and the key that we want to give it. Cool. So now let's just echo that out and see what our good cipher text is. It's probably going to look like nonsense. Yep, because it's XOR'd. So what did they do in their script to handle it? They base64 encoded it. Okay, so let's do that. We have that function in PHP as well. So cookie can equal base64 encode of the good cipher text. And now let's check out what the cookie is. This, whatever this is. So let's copy and paste this into our Python script. Let's set um cookies data set to this. And so now we will get this page just as we had before, but we'll pass in cookies equals cookies. Now we can print all this. Let's move those up here just so it looks normal. Let's run this and see what we've got on the page now that we've given it the proper cookie. We got it. Set the syntax to HTML. And you can see here it ran with the password for natas12 is this guy. Cool. So that worked. Um all we did was do a little trick with XOR, which was figuring out um what the key was by XORing both the plain text and the cipher text, because we had those originally and that property of XOR will allow us to determine the key. Perfect. So now that we have the password to natas12, let's go ahead and create a new script and get us back to where we were at, a fresh script that is 12.
And when we run this now, you can see we are on Natas level 12. Okay, awesome. Sweet. That was it. That was our cool and good way to get through Natas level 11. Just trying to take advantage of their PHP code. Uh modifying the xor function so it can take a key in that we can pass to it and then using the plain text and the cipher text to our advantage. So, thank you guys for watching. Hope you're enjoying this and these videos. Uh if you are, hey, please like the video. Maybe leave a comment on what you think. If you're willing to subscribe, and thank you again. I'll see you in the next video.
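The known-plaintext trick the video walks through, written up as an added Python 3 example (not the video's own Python or PHP scripts): it ports the level's PHP xor_encrypt(), saveData() and loadData() logic, then recovers the repeating key by XORing the known default plaintext against the cookie's decoded bytes and forges a cookie with showpassword set to yes. The 4-byte key is a constructed stand-in, not the real Natas key, and the PHP json_encode() mimicry assumes its default compact output.

```python
import base64
import json

# Constructed for this demo: a 4-byte repeating key standing in for the
# server's censored $key (the real Natas key is not used here).
SECRET_KEY = b"k3y!"
DEFAULT_DATA = {"showpassword": "no", "bgcolor": "#ffffff"}


def php_json_encode(obj) -> bytes:
    """Mimic PHP json_encode(): no whitespace, '/' escaped as '\\/'."""
    return json.dumps(obj, separators=(",", ":")).replace("/", "\\/").encode()


def xor_encrypt(text: bytes, key: bytes) -> bytes:
    """Port of the level's PHP xor_encrypt(): key byte chosen by i % strlen(key)."""
    return bytes(t ^ key[i % len(key)] for i, t in enumerate(text))


def save_data(data: dict, key: bytes = SECRET_KEY) -> str:
    """Server-side saveData(): json_encode -> xor_encrypt -> base64_encode."""
    return base64.b64encode(xor_encrypt(php_json_encode(data), key)).decode()


def load_data(cookie: str, key: bytes = SECRET_KEY) -> dict:
    """Server-side loadData(): base64_decode -> xor_encrypt -> json_decode."""
    return json.loads(xor_encrypt(base64.b64decode(cookie), key))


def recover_key(cookie: str, known_plaintext: bytes) -> bytes:
    """Known-plaintext recovery: plaintext XOR ciphertext gives the key stream,
    and the shortest period of that stream is the key itself."""
    ciphertext = base64.b64decode(cookie)
    stream = xor_encrypt(known_plaintext, ciphertext)  # XOR is its own inverse
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream  # no repetition found: key is at least as long as the text


def forge_cookie(cookie: str) -> str:
    """Rebuild the cookie with showpassword=yes using only the recovered key."""
    key = recover_key(cookie, php_json_encode(DEFAULT_DATA))
    return save_data(dict(DEFAULT_DATA, showpassword="yes"), key)


if __name__ == "__main__":
    original = save_data(DEFAULT_DATA)  # what the server first hands out
    print("recovered key:", recover_key(original, php_json_encode(DEFAULT_DATA)))
    print("server now sees:", load_data(forge_cookie(original)))
```

The server-side fix is to bind the cookie to an integrity check the client cannot reproduce, such as an HMAC under a server secret, rather than relying on XOR to hide a value whose plaintext is public.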
Original Description
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: https://patreon.com/johnhammond010
E-mail: johnhammond010@gmail.com
PayPal: http://paypal.me/johnhammond010
GitHub: https://github.com/JohnHammond
Site: http://www.johnhammond.org
Twitter: https://twitter.com/_johnhammond