Sunday, November 2, 2014

Natas 11

This time it looks like the page uses an encrypted cookie to decide whether to print the password to the next level or not. The page also tells us the cookie has been encrypted with XOR using a fixed key, which is a good hint that it's likely breakable: XOR with a reused key leaks the key stream as soon as a single plaintext is known, and nothing stops us from re-encrypting a plaintext of our own choosing with it.

Using Burp to intercept the request shows the following cookie:


Taking a look at the source code, the server json_encodes the data array, xor_encrypts the result with a fixed key, and base64_encodes that to produce the cookie (and reverses the same steps to read it back):

For the sake of simplicity, I wrote a bit of PHP that performs the same steps as their source code sample and then uses them against the captured cookie.


<?php
// The data array the server serialises, and the variant we want it to accept.
$default_data = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");
$chosen_data = array( "showpassword"=>"yes", "bgcolor"=>"#ffffff");

$plaintext = json_encode($default_data);
// The cookie as captured in Burp is URL-encoded ("%3D" is the base64 "="), so undo that first.
$ciphertext = base64_decode(urldecode("ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw%3D"));

// Same routine as the natas11 source: XOR each byte with the key, repeating the key as needed.
function xor_encrypt($in, $key) {
    $text = $in;
    $outText = '';

    // Iterate through each character
    for($i=0;$i<strlen($text);$i++) {
        $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }

    return $outText;
}

// plaintext XOR ciphertext = key stream, i.e. the key repeated to the message length
$secret_key = xor_encrypt($plaintext, $ciphertext);
echo "secret key = ", $secret_key, "\n"; // <-- shows key is "qw8J" repeated

$chosen_plaintext = json_encode($chosen_data);
echo "chosen plaintext = ", $chosen_plaintext, "\n";
echo "corresponding ciphertext: ", base64_encode(xor_encrypt($chosen_plaintext, "qw8J")), "\n";

Knowing that if A xor B = C, then A xor C = B and C xor B = A, what would happen if we do CIPHERTEXT xor PLAINTEXT?

We should get the KEY, or more precisely the key stream: the key repeated out to the length of the message. The key stream above repeats every four bytes, so the key itself is "qw8J".

Performing this within the PHP code gives us the ciphertext for our "showpassword"=>"yes" JSON. Using Burp to substitute our chosen cookie for the default one (the cookie goes in base64-encoded, exactly as the server produced the original), we get this:
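The same attack in Python, as an added example that is not part of the original write-up: it recovers the key stream from the known default plaintext, finds its shortest repeating period to get the key itself, and forges a cookie for any data array. The cookie string and the default data array are the ones shown on this page; the function names are my own.

```python
"""Known-plaintext recovery of a repeating XOR key and cookie forgery.

Added example, not code from the Natas page.  The cookie value and the
default data array below are the ones captured on the page."""
import base64
import json
from itertools import cycle
from urllib.parse import quote, unquote

# Default cookie as captured in Burp (URL-encoded base64).
DEFAULT_COOKIE = "ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw%3D"
# The array the server json_encodes before encrypting.
DEFAULT_DATA = {"showpassword": "no", "bgcolor": "#ffffff"}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key (mirrors PHP's xor_encrypt)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def php_json(obj) -> bytes:
    """Serialise like PHP json_encode: no whitespace after ':' or ','.
    (PHP also escapes '/' as '\\/' by default; no slashes occur here.)"""
    return json.dumps(obj, separators=(",", ":")).encode()


def recover_keystream(cookie: str, known: dict) -> bytes:
    """ciphertext XOR known plaintext = the key stream used for that cookie."""
    ct = base64.b64decode(unquote(cookie))   # undo the browser's %3D first
    pt = php_json(known)
    if len(ct) != len(pt):
        raise ValueError("known plaintext does not match the cookie length")
    return xor_bytes(ct, pt)


def shortest_period(stream: bytes) -> bytes:
    """Return the shortest prefix whose repetition reproduces the stream.
    If no period shorter than the stream exists, the whole stream is returned,
    which is still enough to forge any message of the same length."""
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return stream[:p]
    return stream


def recover_key(cookie: str, known: dict) -> bytes:
    return shortest_period(recover_keystream(cookie, known))


def forge_cookie(key: bytes, data: dict) -> str:
    """Encrypt and encode exactly as the server does, URL-encoding the result
    so it can be pasted straight into the Cookie header."""
    return quote(base64.b64encode(xor_bytes(php_json(data), key)).decode(), safe="")


def decrypt_cookie(cookie: str, key: bytes) -> dict:
    """Server-side view: decode, XOR with the key, and parse the JSON."""
    return json.loads(xor_bytes(base64.b64decode(unquote(cookie)), key))


if __name__ == "__main__":
    key = recover_key(DEFAULT_COOKIE, DEFAULT_DATA)
    print("recovered key:", key)
    forged = forge_cookie(key, {"showpassword": "yes", "bgcolor": "#ffffff"})
    print("forged cookie:", forged)
    print("server would read:", decrypt_cookie(forged, key))
```

The period search is what makes this work for any message, not just one of the same length as the captured cookie: our "yes" cookie is one byte longer than the default, so we need the key itself rather than only the 41-byte key stream. The forgery succeeds because the cookie carries no integrity check; a MAC over the ciphertext (or an authenticated cipher) would have stopped it even with the key unknown, and a real cipher would have stopped the key recovery in the first place.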
