Overthewire Natas Level 10 To 11

Level 11

Username: natas11
Password: redacted
URL:      http://natas11.natas.labs.overthewire.org

As normal, lets look at various sources

Okay.. I’m going to look at the source for this one, this looks interesting.

<?  
  
$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");  
  
function xor_encrypt($in) {  
 $key = '<censored>';  
 $text = $in;  
 $outText = '';  
  
 // Iterate through each character  
 for($i=0;$i<strlen($text);$i++) {  
 $outText .= $text[$i] ^ $key[$i % strlen($key)];  
 }  
  
 return $outText;  
}  
  
function loadData($def) {  
 global $_COOKIE;  
 $mydata = $def;  
 if(array_key_exists("data", $_COOKIE)) {  
 $tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE["data"])), true);  
 if(is_array($tempdata) && array_key_exists("showpassword", $tempdata) && array_key_exists("bgcolor", $tempdata)) {  
 if (preg_match('/^#(?:[a-fd]{6})$/i', $tempdata['bgcolor'])) {  
 $mydata['showpassword'] = $tempdata['showpassword'];  
 $mydata['bgcolor'] = $tempdata['bgcolor'];  
 }  
 }  
 }  
 return $mydata;  
}  
  
function saveData($d) {  
 setcookie("data", base64_encode(xor_encrypt(json_encode($d))));  
}  
  
$data = loadData($defaultdata);  
  
if(array_key_exists("bgcolor",$_REQUEST)) {  
 if (preg_match('/^#(?:[a-fd]{6})$/i', $_REQUEST['bgcolor'])) {  
 $data['bgcolor'] = $_REQUEST['bgcolor'];  
 }  
}  
  
saveData($data);  
  
  
  
?>

This line looks interesting to me. Is the cookie the key? I’m going to have to copy this PHP and do some tweaks..,

$tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE["data"])), true);  

I’m going to do some stuff.. To be continued.