We arrive at a webpage that asks for a query again.

Let’s take a look at the source code.

<?
$encodedSecret = "3d3d516343746d4d6d6c315669563362";
function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}
if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
        print "Access granted. The password for natas9 is <censored>";
    } else {
        print "Wrong secret";
    }
}
?>
We can conclude that we need to input something that, after going through the encodeSecret() function, matches the string value of $encodedSecret.

So let’s try to find the “counter” to each of the functions called in the encodeSecret() function:

bin2hex converts a binary value into a hexadecimal value. Its counter is hex2bin.
strrev reverses a string. Its counter is strrev itself, since reversing twice restores the original.
base64_encode encodes whatever is passed to it into base64. Its counter is base64_decode.

We also need to reverse the flow of these functions. Let’s say we have a string; if we pass it into encodeSecret() it will be base64-encoded, then reversed, then converted to hexadecimal.

At that point it’s some weird string. If we want to change it back into our original string, we need to convert it from hexadecimal back to binary, reverse it, and base64-decode it.

Let’s try it out.

$ php --interactive
Interactive mode enabled
php > $encodedSecret = "3d3d516343746d4d6d6c315669563362";
php > echo base64_decode(strrev(hex2bin($encodedSecret)));
oubWYf2kBq
php >
Now we just need to submit the string that we got from our “reverse” function.

W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
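
As a defensive counterpart to the walkthrough above, this added example (not part of the challenge source or the original write-up) contrasts the reversible encodeSecret() check with a one-way check built on PHP's password_hash() and password_verify(). The helper names decodeSecret, makeVerifier and checkSecret and the sample secret are assumptions made for illustration.

```php
<?php
// Added example; helper names and the sample secret are assumptions.

// Weak design from the challenge: a chain of reversible encodings.
function encodeSecret(string $secret): string {
    return bin2hex(strrev(base64_encode($secret)));
}

// Anyone who can read the stored value can undo each step in reverse order.
function decodeSecret(string $encoded): ?string {
    $raw = hex2bin($encoded);          // false on malformed hex
    if ($raw === false) {
        return null;
    }
    $plain = base64_decode(strrev($raw), true); // strict: false on bad base64
    return $plain === false ? null : $plain;
}

// Hardened design: store a salted one-way hash; there is nothing to decode.
function makeVerifier(string $secret): string {
    return password_hash($secret, PASSWORD_DEFAULT);
}

function checkSecret(string $candidate, string $verifier): bool {
    return password_verify($candidate, $verifier);
}

$secret = "constructed-sample-secret";   // constructed sample

$stored = encodeSecret($secret);
echo "encoded value reversible: ";
var_dump(decodeSecret($stored) === $secret);

$verifier = makeVerifier($secret);
echo "correct secret accepted: ";
var_dump(checkSecret($secret, $verifier));
echo "wrong secret rejected: ";
var_dump(!checkSecret("wrong guess", $verifier));
```

With the hashed verifier, reading the source no longer reveals the secret, because password_hash() has no inverse function to apply.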