"""
Helper script to solve natas challenge #11
"""
import requests
import json
import base64
level = 'natas11'
url = 'http://' + level + '.natas.labs.overthewire.org'
# Passwords live outside the script in natas.json, a {level: password} map,
# so the solution can be shared without the credentials.
with open('natas.json') as j:
    stored = json.load(j)
auth = (level, stored[level])
del stored  # keep only the one password this level needs in memory
# From the level's PHP source, the cookie value is produced as:
#     function saveData($d) {
#         setcookie("data", base64_encode(xor_encrypt(json_encode($d))));
#     }
# and read back as:
#     json_decode(xor_encrypt(base64_decode($_COOKIE["data"])), true);
def xor(data, key):
    """XOR *data* with *key* byte by byte, stopping at the shorter input.

    Both arguments are byte-like (bytes/bytearray or an iterable of ints
    0-255).  The output is truncated to the shorter of the two because
    ``zip`` stops there; the helper does not repeat a short key, so the
    caller must supply a key at least as long as the data.
    """
    pairs = zip(bytearray(data), bytearray(key))
    return bytes(left ^ right for left, right in pairs)
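# Known plaintext: the server's default cookie data (from its source) is
#   $defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");
# Posting the default bgcolor makes the server issue a cookie for exactly
# this value, so ciphertext XOR known-plaintext yields the key stream
# (XOR is its own inverse).  This is why an unauthenticated XOR cookie is
# forgeable: there is no MAC over the value, and a short repeating key
# leaks completely from one known plaintext.
default_plain = b'{"showpassword":"no","bgcolor":"#ffffff"}'
payload = b'{"showpassword":"yes","bgcolor":"#ffffff"}'
# The key stream is expected to repeat every 4 bytes ("qw8J" on this level).
KEY_PERIOD = 4

with requests.Session() as s:
    s.post(url, auth=auth, data={'bgcolor': '#ffffff'})
    data = s.cookies['data']
    # The cookie is URL-quoted base64; undo both before XORing.
    decoded_bin = base64.b64decode(requests.utils.unquote(data))
    key_stream = xor(decoded_bin, default_plain)
    print(key_stream)
    # Verify the periodicity instead of trusting it blindly; if the level
    # ever changes its key, fail loudly rather than send a garbage cookie.
    key = key_stream[:KEY_PERIOD]
    expected_stream = (key * (len(key_stream) // KEY_PERIOD + 1))[:len(key_stream)]
    if key_stream != expected_stream:
        raise ValueError(
            'recovered key stream does not repeat every {} bytes: {!r}'.format(
                KEY_PERIOD, key_stream))
    # Forge the cookie: extend the recovered key to cover the new payload
    # (xor() does not cycle a short key), then XOR and re-encode exactly the
    # way the server does when it writes the cookie.
    new_key = (key * (len(payload) // len(key) + 1))[:len(payload)]
    new_data = requests.utils.quote(base64.b64encode(xor(payload, new_key)))
    print(new_data)
    s.cookies['data'] = new_data
    response = s.get(url, auth=auth)
    print(response.text)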