Natas Level 8 → Level 9

From the page source, we see the function code in PHP that give us some information about the secret we need to input. From the $_POST(‘secret’) we see that the string we enter will pass through function encodeSecret before compare with the $encodedSecret.

<?
$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
    print "Access granted. The password for natas9 is <censored>";
    } else {
    print "Wrong secret";
    }
}
?>

Therefore, if we reverse all the call inside the function using the encodedSecret, we should get the plain text secret by create and run the following php commands.

base64_decode(strrev(hex2bin("3d3d516343746d4d6d6c3156 69563362")))

Thus, it decodes to oubWYf2kBq. Using this secret we can get the next password.

W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl

Here is the PHP references for strrev(), hex2bin(), bin2hex(), base64_decode() and base64_encode().

Advertisements