Natas 11 writeup

20 March 2019
by th3-3inst3in

Natas 11

Visit this link to go to level 11, for which you'll need the password from the previous level. You'll land on the main page (screenshot: main).

Clicking the "View sourcecode" link, we see the following code:


<?php
$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");

function xor_encrypt($in) {
    $key = '<censored>';
    $text = $in;
    $outText = '';

    // Iterate through each character, XORing it with the key byte at the same
    // position; the key repeats every strlen($key) bytes
    for($i=0;$i<strlen($text);$i++) {
        $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }

    return $outText;
}

function loadData($def) {
    global $_COOKIE;
    $mydata = $def;
    if(array_key_exists("data", $_COOKIE)) {
        // cookie layout: base64( xor_encrypt( json_encode($data) ) )
        $tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE["data"])), true);
        if(is_array($tempdata) && array_key_exists("showpassword", $tempdata) && array_key_exists("bgcolor", $tempdata)) {
            // only bgcolor is validated; showpassword is taken from the cookie as-is
            if (preg_match('/^#(?:[a-f\d]{6})$/i', $tempdata['bgcolor'])) {
                $mydata['showpassword'] = $tempdata['showpassword'];
                $mydata['bgcolor'] = $tempdata['bgcolor'];
            }
        }
    }
    return $mydata;
}

function saveData($d) {
    setcookie("data", base64_encode(xor_encrypt(json_encode($d))));
}

$data = loadData($defaultdata);

if(array_key_exists("bgcolor",$_REQUEST)) {
    if (preg_match('/^#(?:[a-f\d]{6})$/i', $_REQUEST['bgcolor'])) {
        $data['bgcolor'] = $_REQUEST['bgcolor'];
    }
}

saveData($data);
?>

<div id="content">
<body style="background: <?=$data['bgcolor']?>;">
Cookies are protected with XOR encryption<br/><br/>

<?php
if($data["showpassword"] == "yes") {
    print "The password for natas12 is <censored><br>";
}
?>

Let's go over this code and see how we can get to our flag.

What is our objective?

We need to modify the data within the cookie such that $data['showpassword'] == "yes". Since the cookie is XOR-encrypted, we first need to find the key that xor_encrypt() uses on it.

We know that XOR is its own inverse:
data ^ key = xorOut
xorOut ^ data = key

We also know the plaintext: a fresh cookie is just json_encode() of $defaultdata, i.e. {"showpassword":"no","bgcolor":"#ffffff"}. Thus, taking the cookie, base64-decoding it, and running the xor_encrypt() function on it with that JSON string as the key gives us the original key.

(screenshot: PHP code run to get the key)

I took the quickest route and just copy-pasted the xor_encrypt() function directly, which gave me the output shown below. After trying the whole string as my key I realized that it wasn't working; a few failed attempts later, I realized the repeating value "qw8J" was my key.

With our newly found key we can modify our PHP script: insert "qw8J" as the key, change the value of "showpassword" to "yes", and encode the result to get our new cookie.

(screenshot: getting the new cookie)

Set the output string as the value of our data cookie, reload the page, and voila!
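The whole procedure above (recover the repeating key from the known default plaintext, spot its period, then forge a cookie with showpassword set to yes) as one added Python script. This is my own example, not the author's PHP script; the function names are mine, and the sample cookie is constructed here by encrypting the default JSON with the key "qw8J" from the writeup so the script runs offline. The server-side check is re-implemented from the page's loadData() so the forged cookie can be verified without a server.

```python
import base64
import json
import re

# Default cookie contents, in the same key order as the page's $defaultdata.
DEFAULT_DATA = {"showpassword": "no", "bgcolor": "#ffffff"}
KNOWN_KEY = b"qw8J"  # the key the writeup recovered; used only to build the sample


def php_json_encode(obj: dict) -> bytes:
    """Match PHP json_encode() byte-for-byte for this flat, string-only array:
    no whitespace, insertion order preserved (no '/' present, so no escaping)."""
    return json.dumps(obj, separators=(",", ":")).encode()


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Same operation as the page's xor_encrypt(): repeating-key XOR."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed sample: what the server would hand out on a first visit.
SAMPLE_COOKIE = base64.b64encode(
    xor_encrypt(php_json_encode(DEFAULT_DATA), KNOWN_KEY)
).decode()


def recover_keystream(cookie_b64: str, known_plaintext: bytes) -> bytes:
    """data ^ key = xorOut, so xorOut ^ data = key (the page's relations).
    Only as many key bytes as there is known plaintext can be recovered."""
    xor_out = base64.b64decode(cookie_b64)
    n = min(len(xor_out), len(known_plaintext))
    return xor_encrypt(xor_out[:n], known_plaintext[:n])


def shortest_period(stream: bytes) -> bytes:
    """Shortest prefix that, repeated, reproduces the whole keystream.
    This is the step the author did by eye when spotting the repeating 'qw8J'."""
    for period in range(1, len(stream) + 1):
        candidate = stream[:period]
        if all(stream[i] == candidate[i % period] for i in range(len(stream))):
            return candidate
    return stream


def recover_key(cookie_b64: str) -> bytes:
    """Full key recovery: known-plaintext XOR, then period detection."""
    return shortest_period(recover_keystream(cookie_b64, php_json_encode(DEFAULT_DATA)))


def forge_cookie(key: bytes, bgcolor: str = "#ffffff") -> str:
    """Build the cookie the page's loadData() will accept with showpassword=yes."""
    payload = php_json_encode({"showpassword": "yes", "bgcolor": bgcolor})
    return base64.b64encode(xor_encrypt(payload, key)).decode()


def server_load_data(cookie_b64: str, key: bytes) -> dict:
    """Re-implementation of the page's loadData(), for checking a forgery offline."""
    mydata = dict(DEFAULT_DATA)
    try:
        tempdata = json.loads(xor_encrypt(base64.b64decode(cookie_b64), key))
    except (ValueError, UnicodeDecodeError):
        return mydata
    if isinstance(tempdata, dict) and "showpassword" in tempdata and "bgcolor" in tempdata:
        # only bgcolor is validated, exactly as in the PHP source
        if re.fullmatch(r"#[a-f\d]{6}", tempdata["bgcolor"], re.IGNORECASE):
            mydata["showpassword"] = tempdata["showpassword"]
            mydata["bgcolor"] = tempdata["bgcolor"]
    return mydata


if __name__ == "__main__":
    key = recover_key(SAMPLE_COOKIE)
    print("recovered key:", key)
    forged = forge_cookie(key)
    print("forged cookie:", forged)
    print("server sees:", server_load_data(forged, KNOWN_KEY))
```

One caveat a practitioner should keep in mind: recover_keystream() only yields as many key bytes as there is known plaintext (41 bytes here), so a key longer than the default JSON would come back truncated and shortest_period() would have nothing to collapse. The period search also returns the shortest repeating unit, so a key such as "abab" is reported as "ab", which is equivalent for encryption purposes.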


tags: web - overthewire
Contact me: Twitter, Facebook