Natas Level 8 – Encoding Instead of Hashing

In this post we’re going to be looking at Level 8 of the Natas wargame hosted by Over The Wire.

What’s Going On?

Upon logging in we’re presented with another input field, submit button and source code link. Quickly viewing the source of our current page, we see no comments, so let’s move on to the source code link. Here we see the PHP source code of our current page. This code takes user input and performs base64_encode, string reverse, and binary to hex conversion, in that order. The result is then compared to a hard-coded value, and if they match, the password for the next level is revealed. So, how do we figure out what to input so that they will match?

Lucky for us, all the functions used are 2-way functions. This means that they all have a reverse operation. So, let’s take the encodedSecret variable and do the reverse operations on it. We can do this easily by creating a small PHP file. Let’s look at a file that will do just this:

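<?php

// Encoded value copied from the level's source code
$encodedSecret = "3d3d516343746d4d6d6c315669563362";
// Undo the binary to hex conversion
$binString = pack("H*", $encodedSecret);
// Undo the string reverse
$revString = strrev($binString);
// Undo base64_encode
$decodedString = base64_decode($revString);

print $decodedString . "\n";

?>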

The script applies the reverse functions in the opposite order. The only thing of real note is the pack function. PHP’s hex2bin function has been outdated since PHP5 and replaced with pack. Running this script (I chose the command line) prints the decoded secret. Copying this secret, pasting it into the text field on the level8 website and submitting it results in an “Access Granted” message and the password to the next level.

So What?

This is an interesting level. From a programming perspective, one might say the functions are easy to program in reverse, so this isn’t safe. After all, seeing the source code makes it easy to crack, and arguing that most people won’t see the source is security through obscurity, which isn’t safe. So what is a better choice? Well, it depends on what you’re trying to do, but in this level a better choice would have been a hash function. Hash functions are 1-way functions: functions without a reverse operation. This means that to “reverse” or discern the original value, one must guess through all possible originals until the same encrypted (hashed) value is found. Some popular hash functions are MD5, SHA-1, SHA-256 and SHA-512, and just this month NIST announced that Keccak was selected as the algorithm to become SHA-3!
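
An added example, not code from the level or from the original post, that puts the level's reversible encoding beside a stored hash. The sample secret and the function names are assumptions made for illustration, and PHP's password_hash (a salted, deliberately slow password hash) is used here in place of the bare hash functions listed above.

```php
<?php
// Constructed sample secret for this example; not the level's real value.
$sampleSecret = 'constructed-sample-secret';

// The level's scheme as described above: base64, reverse, then hex.
function encodeSecret(string $secret): string {
    return bin2hex(strrev(base64_encode($secret)));
}

// Inverse of encodeSecret(): undo each step in the opposite order.
function decodeSecret(string $encoded): ?string {
    if (!ctype_xdigit($encoded) || strlen($encoded) % 2 !== 0) {
        return null; // not a well-formed hex string
    }
    // Strict mode makes base64_decode return false on invalid input.
    $plain = base64_decode(strrev(pack('H*', $encoded)), true);
    return $plain === false ? null : $plain;
}

// Weak check: the stored constant is the secret itself in another spelling.
function weakCheck(string $input, string $storedEncoded): bool {
    return encodeSecret($input) === $storedEncoded;
}

// Hardened check: only a one-way hash of the secret is stored.
function hashedCheck(string $input, string $storedHash): bool {
    return password_verify($input, $storedHash);
}

$storedEncoded = encodeSecret($sampleSecret);
$storedHash    = password_hash($sampleSecret, PASSWORD_DEFAULT);

// Reading the encoded constant is enough to recover the secret.
var_dump(decodeSecret($storedEncoded) === $sampleSecret);
// Both checks accept the right input.
var_dump(weakCheck($sampleSecret, $storedEncoded));
var_dump(hashedCheck($sampleSecret, $storedHash));
// The hashed check rejects a wrong guess, and the stored hash has no
// decode step: it can only be tested against candidate inputs.
var_dump(hashedCheck('wrong guess', $storedHash));
echo $storedHash, PHP_EOL;
```

With the hashed version, someone who reads the source sees only the hash and has to guess inputs, which is why the secret itself still needs to be long and unpredictable.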
