Username: natas11
Password: U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK
URL: http://natas11.natas.labs.overthewire.org


A webpage that lets you change its background. Let’s give it a test.

And apparently cookies are protected with XOR encryption. Let’s check it out with EditThisCookie.

Right. So that’s definitely encrypted. Now let’s check out the source code.

Some PHP.

Some inline PHP.

So to get the password for this level, we need to change our data cookie to include showpassword set to yes.

So how is the data for our cookie encoded?

A PHP array is first JSON encoded, then XOR encrypted, then base64 encoded.

We could easily use this process to change our cookie, if only we knew the XOR encryption key. Luckily for us, XOR is pretty easy to reverse-engineer. It’s commutative and its own inverse, which means…

data ⊕ key = encoded

data ⊕ encoded = key

We’ve got the original data, plus the encoded string. Let’s get our key. Let’s use the code already given to us to write a PHP script.

Note: the cookie data may have %3D appended to it. This is a URL-encoded equals sign, used for padding in base64. We’ll need to replace it with = before decoding.

So, to get our key, we first set the key in our script to the JSON-encoded array (our known plaintext). Then we run the XOR function over our base64-decoded cookie data. Let’s give it a run.

qw8J seems to repeat over and over again, so that’s probably the key. Let’s adjust our script, making sure to set showpassword to yes.

Now give it a run.

That looks like something that could be correct. Let’s paste that into our cookie and refresh.
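
The whole procedure above as one runnable script. This is an added example, not the level's source code or the script from the original write-up: the key `k3Y!`, the `bgcolor` field and its value are constructed assumptions, and the helper names are hypothetical. It shows why a repeating XOR key gives no protection once the plaintext of one cookie is known.

```php
<?php
// Added example: constructed key and values, not the level's source or secret.

// Repeating-key XOR: byte i of the input is XORed with key byte i mod len(key).
function xor_bytes(string $in, string $key): string {
    $out = '';
    for ($i = 0, $n = strlen($in), $k = strlen($key); $i < $n; $i++) {
        $out .= $in[$i] ^ $key[$i % $k];
    }
    return $out;
}

// Pipeline described on the page: array -> JSON -> XOR -> base64.
function encode_cookie(array $data, string $key): string {
    return base64_encode(xor_bytes(json_encode($data), $key));
}

// Shortest prefix that, repeated, reproduces the whole keystream.
function shortest_period(string $stream): string {
    $n = strlen($stream);
    for ($p = 1; $p < $n; $p++) {
        if (substr($stream, $p) === substr($stream, 0, $n - $p)) {
            return substr($stream, 0, $p);
        }
    }
    return $stream;
}

// data XOR encoded = key: use the known JSON as the "key" over the ciphertext.
function recover_key(string $cookie, array $known): string {
    // rawurldecode turns the %3D padding the page mentions back into "="
    $cipher = base64_decode(rawurldecode($cookie), true);
    if ($cipher === false) {
        throw new InvalidArgumentException('cookie is not valid base64');
    }
    $plain = json_encode($known);
    // Only the bytes covered by known plaintext yield key material.
    return shortest_period(xor_bytes(substr($cipher, 0, strlen($plain)), $plain));
}

$secret  = 'k3Y!';                                           // constructed server-side key
$default = ['showpassword' => 'no', 'bgcolor' => '#ffffff']; // assumed field names/values
$cookie  = rawurlencode(encode_cookie($default, $secret));   // what the browser would hold

$key    = recover_key($cookie, $default);
$forged = encode_cookie(['showpassword' => 'yes', 'bgcolor' => '#ffffff'], $key);
echo "recovered key: $key\nforged cookie: $forged\n";
// The server-side decode accepts the forged value: XOR alone provides no integrity check.
var_dump(json_decode(xor_bytes(base64_decode($forged), $secret), true));
```

The period search is only reliable when the known plaintext is several times longer than the key, which is the case for the cookie here.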