Challenge:
We are once again greeted with the input secret field.

Solving it:
Let's see the source code again:

<html>
<body>
<h1>natas8</h1>
<div id="content">

<?

$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
    print "Access granted. The password for natas9 is <censored>";
    } else {
    print "Wrong secret";
    }
}
?>

<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

So there is a variable named ‘encodedSecret’ with an encoded secret. This encoding is probably base64, even if we don’t see any == at the end. So I checked it in an online decoder and it didn’t give any valid output. After looking at the code again we see that there is a function which will be executed.

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

It seems that this function uses bin2hex, strrev and base64_encode on the value of secret (which is the input). The next block of code (see below) will use this function to encode the input (value of secret) and check whether this matches the value of ‘encodedSecret’, which is “3d3d516343746d4d6d6c315669563362”.

if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
    print "Access granted. The password for natas9 is <censored>";
    } else {
    print "Wrong secret";
    }
}

To get this to work I used the website http://www.writephponline.com/. On this website I wrote some PHP code to easily execute it without running my own web server. I first wrote the code below to echo the value of encodedSecret through the function they used. But this encodes the already encoded secret, so I had to reverse it. For this we had to change the order of bin2hex, strrev and base64_encode. I changed this, but I still didn’t come to a solution. This is because I forgot to reverse the bin2hex; this should be hex2bin to reverse the whole encoding process. The PHP code of the echo which decodes the encodedSecret can be found at the bottom.

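$encodedSecret = "3d3d516343746d4d6d6c315669563362";
// First attempt: runs the already encoded value through the encoding again.
echo bin2hex(strrev(base64_encode($encodedSecret)));
// Second attempt: hex2bin and strrev undo the outer steps, but base64_encode
// still adds a layer, so the output has to be base64-decoded twice.
echo base64_encode(strrev(hex2bin($encodedSecret)));
echo " ";
echo base64_encode(strrev(hex2bin($encodedSecret)));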

The last echo when the PHP script executes is the value of the encodedSecret. But this string is still base64 encoded (see screenshot below). So I decoded this at the website https://www.base64decode.org/ and it’s still base64 encoded. So I decoded it again and we came to the value “oubWYf2kBq”. Is this the secret?

Let’s try it out, and it granted us access to natas9. This took me some time, to be honest. Finally something challenging 😀
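
The reversal described above, written out as an added example (not the challenge's code and not the code from this post): each encoding step is undone with its inverse, outermost first, so bin2hex becomes hex2bin, strrev undoes itself, and base64_encode becomes base64_decode. decodeSecret() is a hypothetical helper name; the final check shows why leaving base64_encode in place meant decoding twice.

```php
<?php
// encodeSecret() is copied from the challenge source shown on this page.
function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

// decodeSecret() is a hypothetical helper: the inverse of encodeSecret().
//   bin2hex       -> hex2bin
//   strrev        -> strrev (reversing twice restores the string)
//   base64_encode -> base64_decode
function decodeSecret($encoded) {
    $raw = hex2bin($encoded);               // false on odd length or non-hex input
    if ($raw === false) {
        throw new InvalidArgumentException("input is not valid hex");
    }
    $plain = base64_decode(strrev($raw), true);   // strict mode rejects stray bytes
    if ($plain === false) {
        throw new InvalidArgumentException("input is not base64 after reversing");
    }
    return $plain;
}

$encodedSecret = "3d3d516343746d4d6d6c315669563362";   // value from the page source

// The leading hex bytes 3d3d are "==": base64 padding that strrev moved to the
// front, which is why no "==" is visible at the end of the hex string.
$intermediate = strrev(hex2bin($encodedSecret));
echo "after hex2bin + strrev: ", $intermediate, "\n";

$secret = decodeSecret($encodedSecret);
echo "recovered secret: ", $secret, "\n";

// Round-trip check: re-encoding the recovered value must give the stored value.
var_dump(encodeSecret($secret) === $encodedSecret);

// With base64_encode left in place, the output carries one extra base64 layer,
// so it takes two decodes to reach the same secret.
$doubled = base64_encode(strrev(hex2bin($encodedSecret)));
var_dump(base64_decode(base64_decode($doubled)) === $secret);
```

Because every step is a keyless, reversible encoding, anyone who can read the page source can recover the secret the same way; hex, string reversal and base64 provide no confidentiality.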
