Natas 11 -> 12

user: natas11
pass: U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK

OK, this level is a bit tricky. We start out looking at the source code, and we are faced with several functions. xor_encrypt seems to encrypt any text sent to it by xoring the input character by character with the key we want.

loadData checks to see if the cookie sent with the data matches the background color, and has the 'showpassword' field in it. If the background color sent with the data and sent in the cookie match, it stores the color and the showpassword boolean - this is probably the key to getting the key.

The big trick here is that there's an XOR encryption going on. At first this might seem tricky, but on closer consideration we remember that, for a fixed key, if

myword xor key => cypher, then
cypher xor key => myword, and likewise
cypher xor myword => key.

In the function saveData, we see that the cookie for the website is set with base64-encode, xor_encrypt, and json-encode. Therefore, we start with the cookie. We know we want to base64-decode, so let's start there. Then we try to xor encrypt the decoded cookie. However, the trick here is trying to get the actual key out, so instead of the key in their xor_encrypt function, we'll use as the key the json-encoded array they give us at the top of the code:

$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");

After that, the function stays the same, and we should be given the key out if we plug in our decoded cookie.

And the answer is...

qw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw

Now let's use this key to encrypt the array we want to send, namely
array( "showpassword"=>"yes", "bgcolor"=>"#ffffff");

Remember, the source code shows us that the cookie is sent like this:

base64_encode(xor_encrypt(json_encode($d)))

Therefore, we need to do the same encryption to the array we want to send.

We get out

ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK

Putting that into our handy little cookie generator and submitting the default color yields the password!

Or, alternatively, I just learned that you can set cookie data from the developer tools console, like this:

document.cookie="data=ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK"
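
The whole procedure above, as an added Python example (not code from the level or from the original post): it recovers the repeating XOR key from a cookie whose plaintext is known and re-encodes the modified array, then shows an HMAC-signed cookie, which rejects the same change. The sample cookie is constructed offline from the key shown above; `sign`, `verify` and `mac_key` are hypothetical names.

```python
import base64
import hashlib
import hmac
import json
from itertools import cycle

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the same operation as the level's xor_encrypt."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def php_json(d: dict) -> bytes:
    """Compact JSON without spaces, matching PHP json_encode for these values."""
    return json.dumps(d, separators=(",", ":")).encode()

def encode_cookie(d: dict, key: bytes) -> str:
    """base64_encode(xor_encrypt(json_encode($d))) as quoted from the source."""
    return base64.b64encode(xor_bytes(php_json(d), key)).decode()

def recover_key(cookie: str, known: dict) -> bytes:
    """XOR ciphertext with the known plaintext, then reduce to the shortest period."""
    stream = xor_bytes(base64.b64decode(cookie), php_json(known))
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream

def sign(d: dict, mac_key: bytes) -> str:
    """Hardened form (hypothetical): readable JSON plus an HMAC-SHA256 tag."""
    body = base64.b64encode(php_json(d)).decode()
    tag = hmac.new(mac_key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def verify(cookie: str, mac_key: bytes):
    """Return the stored dict if the tag checks out, otherwise None."""
    body, _, tag = cookie.partition(".")
    good = hmac.new(mac_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), good.encode()):
        return None
    return json.loads(base64.b64decode(body))

DEFAULT = {"showpassword": "no", "bgcolor": "#ffffff"}
WANTED = {"showpassword": "yes", "bgcolor": "#ffffff"}
# Constructed sample: the default cookie rebuilt offline with the key from the page.
SAMPLE_COOKIE = encode_cookie(DEFAULT, b"qw8J")

if __name__ == "__main__":
    key = recover_key(SAMPLE_COOKIE, DEFAULT)
    print(key, encode_cookie(WANTED, key))
```

The XOR layer gives no integrity: anyone who knows one plaintext can produce any other valid cookie, while the signed variant fails verification as soon as the body changes.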
