GynvaelEN - Mission 17 - Solution

Another stream from Gynvael - another mission. This time we need to extract a message from a restricted admin panel.

What we see on the page is a welcome message, a note that a cookie was stored, and a request to reload the page. So we "Hit Refresh" (;)) and get this:

Decrypted cookie data: {"access_level":"user"}

ACCESS TO THE FLAG DENIED!
Only admin has access!

OK, so that gives us more info. We know there is a cookie attached to our request, and we can actually see what is being decrypted from it. Let's check.

Let's see whether we can find the cookie in Developer Tools. And indeed we can:

If we decode it with a short Python script we get:

The number of bytes equals the length of the decrypted JSON object, so we can assume that this is what is stored in the cookie. Now let's think about how to attack and exploit it.

If we change one byte in the cookie (and encode it correctly) and send it, we can see that it is still decrypted and an invalid result is shown.

So we can for sure influence what the server receives, but how do we do it correctly? What we want is to exchange "user"} with "admin"}. We face two issues here: first, how to change the characters, and second, that the two strings are of different length. Let's deal with those separately.

So let's look at how this is encrypted. Not going into much detail (if you want to learn more I recommend Cryptography I on Coursera!), each plaintext character is XORed with a byte of the key. So if we encrypt 'u' (0x75) with some byte k of the key, we get:

0x75 ^ k = 0x9d

Let's see what happens if we XOR a different letter at the same position:

0x61 ^ k = ??

From the first equation we get k = 0x9d ^ 0x75, and substituting this into the second one gives us a formula to compute the new ciphertext byte:

0x61 ^ 0x9d ^ 0x75 = 0x89

Let's test that:

Nice, we got "{"access_level":"aser"}". Now repeat this for the rest of the characters (of course you can code that), and after doing this we should be able to send {"access_level":"admin" to the server. That leaves the problem of the one missing character.

Actually this is even simpler than it looks. The missing byte has to be appended past the end of the known ciphertext, where we do not know the key byte, but there are only 256 possible values to test, so we brute-force it.
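As an added illustration (my code, not the stream's or the author's), here is the whole trick simulated locally in Python: a constructed random keystream stands in for the server's key, `splice` applies the c ^ old ^ new formula from above, `forge_admin` does the same-length rewrite plus the 256-value brute force of the trailing byte, and `seal`/`open_sealed` show the defender's side, where an HMAC over the ciphertext (my assumed fix, not something the challenge had) rejects the forged cookie before it is decrypted.

```python
import hashlib
import hmac
import json
import os

# Constructed stand-ins for the server's secrets. The forging code never reads
# KEY; only the simulated server does, acting as the "did it parse" oracle.
KEY = os.urandom(64)
MAC_KEY = os.urandom(32)

def xor_bytes(data, key):  # the cipher the page describes: byte-wise XOR
    return bytes(d ^ k for d, k in zip(data, key))

def server_decrypt(ct):  # server side: parsed JSON, or None if it does not parse
    try:
        return json.loads(xor_bytes(ct, KEY))
    except ValueError:
        return None

def splice(ct, offset, old, new):  # the page's formula c' = c ^ old ^ new, no key
    patch = xor_bytes(ct[offset:offset + len(old)], xor_bytes(old, new))
    return ct[:offset] + patch + ct[offset + len(old):]

def forge_admin(ct, known_plaintext):
    # Rewrite "user"} as "admin", then brute-force the one byte past the end,
    # where the keystream is unknown: at most 256 tries, exactly as on the page.
    forged = splice(ct, known_plaintext.index('"user"}'), b'"user"}', b'"admin"')
    for b in range(256):
        if server_decrypt(forged + bytes([b])) == {"access_level": "admin"}:
            return forged + bytes([b])
    return None

# Defender's fix: a MAC over the ciphertext makes every changed byte detectable.
def seal(ct):
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()

def open_sealed(token):
    ct, tag = token[:-32], token[-32:]
    expected = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tag mismatch: reject before decrypting anything
    return server_decrypt(ct)

def demo():
    pt = '{"access_level":"user"}'
    ct = xor_bytes(pt.encode(), KEY)  # the cookie as the server would issue it
    forged = forge_admin(ct, pt)
    tampered = forged + seal(ct)[-32:]  # forged body under the original tag
    return server_decrypt(forged), open_sealed(tampered)
```

`demo()` returns the forged cookie parsed as admin by the bare XOR server, and `None` from the MAC-checking one.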

Solved.