Python Web Hacking: PHP XOR | Natas (Level 11)

John Hammond · Intermediate · 🔐 Cybersecurity · 8y ago

Key Takeaways

Shows a PHP XOR vulnerability in a Natas challenge

Full Transcript

Hey, what's going on everybody? This is John Hammond and we're still looking at the Natas war game from OverTheWire. So, we're on level 11 right now. That's just natas11.natas.labs.overthewire.org in the URL. And it looks like we have an application here, kind of a web application that will let us set the color of the background for this web page. That is pretty neat, but we want to see what's vulnerable. What can we do with it? So the notice here is that cookies are protected with XOR encryption. So we can view the source code here, and this tells us, okay, here's the HTML of the page, and we can see some PHP code here. This is the interesting stuff. The PHP code is the server-side code, so that's what we want to look at and see what we can mess with, what we can get around. So it looks like we have a variable called default data. You can tell it's a variable because it has a dollar sign; variables are preceded with a dollar sign in PHP. And it's an associative array: showpassword is set to the string "no", and background color is by default set to hex FFF, or RGB 255 255 255. And we have functions xor_encrypt, loadData, saveData, etc. And then we actually have the HTML of the page and the level. It looks like there's a note here. It does a little condition: if the data array index showpassword is set to "yes", then it will give us the password for natas12, the next level. So it's censored out here, but it looks like that's the functionality that we want. We need to somehow set data showpassword to "yes". And checking out the code, we can see that the data variable is set from the function loadData, and it uses by default the default data. So we saw the default data up here, but what does loadData do? This is the function. It looks like it reads out of the $_COOKIE PHP special variable. It sets up the argument that's passed in.
So, default data originally is $def. Then it goes through, and that's $mydata. And it tests if the array key exists. So if the cookie has data set, then it looks like it stores a variable tempdata where it tries to base64-decode, and then xor_encrypt, and then json_decode whatever that data cookie is set to. And that's a lot of stuff, but it looks like all it really does is extract out those variables. So it looks like it extracts out showpassword, which we know by default is "no", and the background color, which is hex ffffff in this case. It looks like it does that just by reading through it, and it does some preg_match. Okay, that regular expression is just to test whether the background color is set to a proper hexadecimal color. Cool. And it will do these things if the key exists in that array. So, there must be a cookie that's being set. Let's go ahead and take a look at that. I'm going to switch over to Sublime Text where I have a Python script that's letting us work with this. Here is the page once we get it with the requests module in Python. And we have the content, etc. Let's take a look at the source code just like this again. Run that and take a look. Make sure we actually run it. Is it not doing that for me? Classic. Okay, now I've got it set up and it looks pretty gross. So, we can go ahead and do our tidy HTML. We can go ahead and de-entitize that, and all those BR or break tags in HTML, we can remove those because they're just in the way. So, okay, now we can see the PHP code in a little bit of a better editor. And this is handy, but let's just take note of this as source, PHP source, 11.php or whatever. You may have seen that in my file explorer I had some stuff already prepared, but that's because I've tried to test this stuff and wanted to have it done before I started to record. So, let's keep moving here. Let's go ahead and take a look at what that cookie actually looks like.
So, we're doing that with the session variable. We're making this GET request with a session variable. So, we can print out session.cookies. Check this out. And we don't have anything. Oh, because we're still viewing the index source page. Let's go back to the original page. Now, we can check out the cookie jar. And we have data. So, let's scrape it out. Do some array indexing here. And it looks like this, which is clearly in base64, with the percent 3D. And we know that that is a URL-encoded character. We can just remove that. We can decode that with urllib. urllib.quote I think should bring it back. Nope. unquote is the one that we want, because that will remove it. Okay, there. Cool. Now it'll properly interpret that. So now let's grab base64 so we can decode that. base64.decode. And we want base64.b64decode. My bad. So run that. And we have nonsense and garbage. So this must be the XORed version of the data that we're working with, because remember in the source code that we were looking at, they do run xor_encrypt on it. So it's probably going to be a little bit difficult to really read, because it's XORed, or exclusive-OR encrypted, stuff like that. Not really encrypted, but, well, I guess, maybe, whatever, however you want to interpret it, it is XORed; that operation is run through the data. So we can take a look at that xor_encrypt function here, and it happens with a key variable that we don't know, it's censored, and the input that we pass to it. So it looks like that's just what was base64-decoded here, and the outText, the output variable, the result that happens when we go through this operation. So it does this XOR in a for loop. It iterates through each character by using i as our iterator, all the way through the length of the text. So we can index the text and the key based off of the length of the key, modulus.
So it wraps around; it does a circular operation thing, and it uses the XOR operator here, that caret symbol. So we're appending to our output text, that variable outText, with the PHP concatenation character, the dot, the dot-equals, and then it finally gives us the outText. So, okay, let's try and get in the middle of this, because we can totally recreate this function. Let's, in fact, do that. I want to see if this will copy correctly, because I see some weird characters in this text. It looks like there's no real space or tab character in some of the indentation for this code. So let's go ahead; it may have done some weird things with tidy HTML. I'm going to copy this code from the web page. So I want xor_encrypt and I want the default data. And now let's create a PHP script where we can handle this stuff. second_natas11.php; that already exists. So let's go ahead and replace it, because I was testing it earlier. So, let's have PHP tags in here. And let's put, where is our, oh, I totally just killed our editor. Whatever. Whoops. Okay. Where is PHP 7.0? /usr/bin/php7.0. Let's use that as the interpreter here. Use our shebang line. Okay. And now we have proper things. So if we were to try and run json_decode on that stuff: json_decode is going to happen when we have the encrypted data, but obviously it's going to just be plain text of this. They loaded this to begin with with saveData. So that must have happened with json_encode here. Let's go ahead and see what that looks like. json_encode our default data. And let's echo that out to the screen so we can see it. And second.php. We will run it. And okay, it looks like just a string. That's all it did. Or it interprets it however we need to. Cool. So, if we wanted to use that, and that's what's passed into our encrypt, well, perfect.
Let's try and see if we can figure out the key for the data that we already have, because we know what the original is. That's this encoded version. And we know what the actual XORed result was. We can kind of figure out what the key might be, because XOR works with specific properties. We have A XORed with B and that equals C, right? So in that case, plaintext XORed with the key equals ciphertext. But we can reverse this operation, because we can switch these things around. If we try and XOR the plaintext with the ciphertext, we will return the key. So let's try and do that. Let's create another function where we can pass a key in. Let's just modify that. Actually, we don't need to create a whole new one now that that's passed in. And somehow, okay, let's call this the original data that we're working with, and let's go ahead and get the XORed data in a way we can pass it to this PHP code. So since we're working with it over here as random garbage characters, let's actually go ahead and hexlify that, or encode it into hex. So that is now the raw version, just in hex, and that way we can give it easily to the PHP code by passing that in and decoding it. So let's actually, because you saw in the source code they were using functions called bin2hex or hex2bin, that may actually have been in the previous level, but that will, you know, get the raw bytes out of some hex. So if I echo hex2bin and pass in that hex, we should be able to see that. Yeah. Okay, cool. So there's the raw stuff. So let's say this is the ciphertext and this is the plaintext. So now we can figure out the key by running our xor_encrypt, by passing in the plaintext and what we're going to use as the ciphertext for our key here, because we're just doing that operation: A XOR B equals C, so A XOR C equals B. Now let's try and run that: echo xor_encrypt with the plaintext and the ciphertext. Check this out.
And we get something that repeats. We get this qw8j over and over and over again. So that must be the original key, just those four. So now we can use that as our key. We can say key equals this string. And so now we can have the data that we want to work with, the data that we actually want, the good data, where showpassword is set to "yes". And now we can run the same operation to get the cookie value for that. Let's see, first we have to XOR it. We need to run json_encode on our good data. So now good plaintext, and we have the key. So good ciphertext can equal xor_encrypt, pass in the good plaintext, now that we have it, and the key that we want to give it. Cool. So now let's just echo that out and see what our good ciphertext is. It's probably going to look like nonsense. Yep, because it's XORed. So what did they do in their script to handle it? They base64-encoded it. Okay, so let's do that. We have that function in PHP as well. So cookie can equal base64_encode of the good ciphertext. And now let's check out what the cookie is. Whatever this is. So let's copy and paste this into our Python script. Let's set cookies, data set to this. And so now we will get this page just as we had before, but we'll pass in cookies equals cookies. Now we can print all this. Let's move those up here just so it looks normal. Let's run this and see what we've got on the page now that we've given it the proper cookie. We got it. Set the syntax to HTML. And you can see here it ran with: the password for natas12 is this guy. Cool. So that worked. All we did was do a little trick with XOR, which was figuring out what the key was by XORing both the plaintext and the ciphertext, because we had those originally, and that property of XOR will allow us to determine the key. Perfect. So now that we have the password to natas12, let's go ahead and create a new script and get us back to where we were at, at a fresh script that is 12.
And when we run this now, you can see we are on natas level 12. Okay, awesome. Sweet. That was it. That was our cool and good way to get through Natas level 11, just trying to take advantage of their PHP code, modifying the XOR function so it can take a key in that we can pass to it, and then using the plaintext and the ciphertext to our advantage. So, thank you guys for watching. Hope you're enjoying this and these videos. If you are, hey, please like the video. Maybe leave a comment on what you think. If you're willing to, subscribe, and thank you again. I'll see you in the next video.
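The whole flow the transcript walks through, as an added Python example (not code from the video or from the OverTheWire level): a port of the level's xor_encrypt / saveData / loadData logic, automated recovery of the repeating key from the default cookie by XORing plaintext with ciphertext, the forged showpassword cookie, and, on the defender's side, a keyed-MAC variant of the same cookie that rejects the forgery. The key `K3y!`, the MAC secret and the default data dictionary are constructed assumptions for this demo; the real key is censored in the level source.

```python
import base64
import hashlib
import hmac
import json
from itertools import cycle

# Constructed key for this demo only; the real Natas 11 key is censored in the level source.
KEY = b"K3y!"
DEFAULT_DATA = {"showpassword": "no", "bgcolor": "#ffffff"}

def php_json_encode(data: dict) -> bytes:
    # PHP's json_encode emits no whitespace, so match it byte for byte.
    return json.dumps(data, separators=(",", ":")).encode()

def xor_encrypt(text: bytes, key: bytes) -> bytes:
    """Port of the PHP loop: byte i is XORed with key[i % len(key)], so the key repeats."""
    return bytes(t ^ k for t, k in zip(text, cycle(key)))

def save_data(data: dict, key: bytes = KEY) -> str:
    """Mirror of the server's saveData(): JSON -> XOR -> base64 is the cookie value."""
    return base64.b64encode(xor_encrypt(php_json_encode(data), key)).decode()

def load_data(cookie: str, key: bytes = KEY) -> dict:
    """Mirror of loadData(): base64 -> XOR -> JSON. Nothing checks the cookie's integrity."""
    return json.loads(xor_encrypt(base64.b64decode(cookie), key))

def recover_key(cookie: str, known_plaintext: bytes) -> bytes:
    """Known-plaintext step: plaintext XOR ciphertext = keystream; its shortest period is the key."""
    keystream = xor_encrypt(base64.b64decode(cookie), known_plaintext)
    for n in range(1, len(keystream) + 1):
        tiled = (keystream[:n] * (len(keystream) // n + 1))[: len(keystream)]
        if tiled == keystream:
            return keystream[:n]
    return keystream

def forge_cookie(cookie: str, wanted: dict) -> str:
    """Build a cookie for arbitrary data using only the default cookie, never KEY itself."""
    return save_data(wanted, recover_key(cookie, php_json_encode(DEFAULT_DATA)))

# Defender's side: a keyed MAC over the cookie makes any altered body detectable.
MAC_KEY = b"server-side-mac-secret"  # constructed; would live only on the server

def save_data_signed(data: dict) -> str:
    body = save_data(data)
    return body + "." + hmac.new(MAC_KEY, body.encode(), hashlib.sha256).hexdigest()

def load_data_signed(cookie: str) -> dict:
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(MAC_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return dict(DEFAULT_DATA)  # unsigned or tampered: ignore the cookie
    return load_data(body)
```

recover_key automates what the video does by eye (spotting the four bytes that repeat in the XOR of plaintext and ciphertext); the signed variant shows why XOR alone is not a cookie protection, since the forgery that load_data accepts is dropped by load_data_signed.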

Original Description

If you would like to support me, please like, comment & subscribe, and check me out on Patreon: https://patreon.com/johnhammond010 E-mail: johnhammond010@gmail.com PayPal: http://paypal.me/johnhammond010 GitHub: https://github.com/JohnHammond Site: http://www.johnhammond.org Twitter: https://twitter.com/_johnhammond

