Archives

All posts for the month January, 2015

Natas level 9 msg

The form’s action is pretty self explanatory, but how does it work?

natas level 9 source

passthru() executes a system command and displays the raw output.  They are grepping for $key in the file “dictionary.txt”.  There does not appear to be any input sanitization, and this is good news for us 🙂

If we set $key to “.* /etc/natas_webpass/natas10;” we can match every line in that file and have it all returned to us.

This works because grep treats its pattern as a regular expression.  The first special character in our attack string is the dot “.”, a metacharacter that matches any single character.  The second is the asterisk “*”, which matches zero or more occurrences in a row of whatever precedes it.

So “.*” says “match zero or more occurrences of any character”, which in turn matches every line of the file.

After that we add the full path of the file we want grep to search, and throw in a semicolon “;” at the end, since the shell treats it as the end of a command (everything after it, including the original “dictionary.txt”, becomes a separate command).

The resulting command looks like this:

passthru("grep -i .* /etc/natas_webpass/natas10; dictionary.txt");

And the result:

natas level 9 win
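To make the fix concrete, here is the same “grep for $key” search built three ways: as this level does it, with the value escaped, and with the value allowlisted. This is an added example and not the Natas source; it assumes $key arrives from the form (e.g. $_REQUEST["key"]) and only prints the command strings instead of handing them to passthru().

```php
<?php
// Added example, not the Natas level 9 source. $key is assumed to come
// from the form (e.g. $_REQUEST["key"]); we build the command strings and
// print them rather than executing them.

// As described above: the raw value is spliced into the command line, so a
// shell metacharacter in it (the ";") ends the grep and starts a second
// command.
function buildVulnerable(string $key): string {
    return "grep -i " . $key . " dictionary.txt";
}

// Hardened: escapeshellarg() wraps the value in single quotes and escapes
// any embedded quote, so the shell hands it to grep as ONE argument and the
// ";" is just a character inside the search pattern.
function buildEscaped(string $key): string {
    return "grep -i " . escapeshellarg($key) . " dictionary.txt";
}

// Stricter still: the form only ever needs a dictionary word, so refuse
// anything that is not one before it gets near a shell (null = refused).
function buildAllowlisted(string $key): ?string {
    if (!preg_match('/^[A-Za-z0-9]{1,32}$/', $key)) {
        return null;
    }
    return buildEscaped($key);
}

// Constructed inputs: a normal search and the injection string from above.
foreach (["password", ".* /etc/natas_webpass/natas10;"] as $key) {
    echo "input:       $key\n";
    echo "vulnerable:  " . buildVulnerable($key) . "\n";
    echo "escaped:     " . buildEscaped($key) . "\n";
    echo "allowlisted: " . (buildAllowlisted($key) ?? "(refused)") . "\n\n";
}
```

For the injection string the escaped version comes out as grep -i '.* /etc/natas_webpass/natas10;' dictionary.txt, so grep searches dictionary.txt for that literal pattern and no second command ever runs.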

natas level 8 message

This looks familiar, let’s jump right into the source code here.

natas level 8 source

It looks like we need to submit a string which will be equal to $encodedSecret after going through their encoding scheme, which broken down step by step looks like this:

function encodeSecret($secret) {
    $secret = base64_encode($secret);   // 1. base64-encode the plaintext
    $secret = strrev($secret);          // 2. reverse the resulting string
    $secret = bin2hex($secret);         // 3. hex-encode it (pack("H*") goes the other way)
    return $secret;
}

If you are unfamiliar with any of these functions I encourage you to RTFM at php.net.

Since we already know the value of $encodedSecret we should be able to decode it and enter it in the form for the win.  To decode it we will run their encoding scheme in reverse with our own PHP script:

<?php

$encodedSecret = "3d3d516343746d4d6d6c315669563362";

// Undo the three encoding steps in reverse order:
// hex -> bytes with pack("H*"), un-reverse with strrev, then base64_decode.
function decodeSecret($secret) {
    return base64_decode(strrev(pack("H*", $secret)));
}

echo decodeSecret($encodedSecret)."\n";

?>

Capture

So if we throw our output in the form:

natas level 8 win

So we log in to Natas 7 and see two links, let’s click on “home” and check out the page source shall we?

Natas Level 7 msg and source

There are a couple of things to notice here.  After we click on home the address bar in our browser looks like this:

http://natas7.natas.labs.overthewire.org/index.php?page=home

index.php?page=home means that we are setting the “page” parameter of index.php equal to “home”.  If we look down in the source code we see a commented-out message, telling us where the password file is located on the server.  Let’s try setting “page” equal to the full path to the file “natas8”:

Natas 7 win
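Here is what that “page” parameter handling looks like as the level behaves, next to a hardened version that never lets the client name a file. This is an added example, not the Natas source; the file names under pages/ are assumed.

```php
<?php
// Added example, not the Natas level 7 source. A page switcher driven by
// "index.php?page=...": first as this page describes it, then hardened.
// The file names under pages/ are assumed for the example.

// As described above: the parameter is handed straight to include, so any
// readable file on the server, the password file included, gets pulled
// into the response.
function resolveVulnerable(string $page): string {
    return $page;                  // include($page) would follow
}

// Hardened: the parameter is only a key into a fixed map. The user never
// supplies a path, so "/etc/..." and "../" have nothing to act on.
const PAGES = [
    "home"  => "pages/home.php",
    "about" => "pages/about.php",
];

function resolveSafe(string $page): ?string {
    return PAGES[$page] ?? null;   // null: unknown page, send a 404
}

// Constructed inputs: the normal link, the full path used above, and a
// relative-path variant.
foreach (["home", "/etc/natas_webpass/natas8", "../../index.php"] as $p) {
    echo "page=$p\n";
    echo "  vulnerable includes: " . resolveVulnerable($p) . "\n";
    echo "  hardened includes:   " . (resolveSafe($p) ?? "(404)") . "\n";
}
```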

Natas Level 6 Message

What’s the secret?  Let’s find out!

This time they give us the source code of index.php to look at.  This is because when you right click > view source on a PHP page in your browser, only the HTML is visible, and not the PHP code.  The source looks like this:

Natas Level 6 Source

So we can see that the data we submit in the form is referred to as $_POST['secret'].  It is being compared to a variable called $secret, and if the two are equal then access is granted.  So if we know the value of $secret we know what to enter in the form to be authenticated.  But wait, what is the value of $secret?  It doesn’t appear to be set anywhere in the source code.

Well, this line looks interesting:

include "includes/secret.inc";

What this is saying is: include the contents of “secret.inc” in the source code of index.php, as if it were actually copy/pasted in there.  For those familiar with C this is similar to including a header file.

I wonder if there are any secrets in secret.inc:

natas level 6 secret.inc

When I loaded the file in my browser it appeared to just be a blank page, but when I hit view source $secret was revealed!

And voila!

natas level 6 win

natas level 5 message

Hmmm, what to do, what to do….

Should we try http://natas5.natas.labs.overthewire.org/admin.php…nope!

How about http://natas5.natas.labs.overthewire.org/login.php…dangit bobbeh!!

Is there anything in the source?

natas level 5 source

Doesn’t look like it to me.

OH I KNOW!  Let’s check out the HTTP headers.  There are a lot of ways we could do this, but the weapon of choice today will be Burp Suite.  After she’s fired up we refresh the page and take a look at the raw request our browser is generating:

Capture

That “cookie” field looks kind of interesting, with the value loggedin=0.  I wonder what would happen if we changed it to a “1” and fired the request off?

natas level 5 win

natas level 4 message

Wha wha!?   I swear I wasn’t on poop.fart.xxx before I logged in to this level!  Anyway, it’s saying authorized users should be coming from “http://natas5.natas.labs.overthewire.org/”.  I think it can tell where we are coming from by reading the Referer field out of the HTTP headers.

Wikipedia says:

“[The referer] is the address of the previous web page from which a link to the currently requested page was followed. (The word “referrer” has been misspelled in the RFC as well as in most implementations to the point that it has become standard usage and is considered correct terminology)”

We can use a Firefox add-on called Modify Headers to change this value.  Let’s give it a shot:

natas level 4 modify headers

What this will do is forge the header field with whatever value we choose every time we make an HTTP request with Firefox.  We’ll refresh the page and see if it worked:

natas level 4 win
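Levels 5 and 4 fail for the same reason: the loggedin cookie and the Referer header are both values the browser fills in, so the client is the one deciding the answer. As an added example (not the Natas source), here are both checks next to one that keeps the decision on the server; the user table and password hash are constructed for the example.

```php
<?php
// Added example, not the Natas source. The two client-controlled checks
// from levels 5 and 4, and a session-based check that is not. The user
// table and password hash below are constructed for the example.

// Level 5 style: the browser owns its cookies, so it can send loggedin=1.
function isLoggedInCookie(array $cookie): bool {
    return isset($cookie["loggedin"]) && $cookie["loggedin"] == "1";
}

// Level 4 style: Referer is just another request header the client fills
// in, which is why a header-editing add-on gets past it.
function cameFromTrustedPage(array $server): bool {
    return ($server["HTTP_REFERER"] ?? "") === "http://natas5.natas.labs.overthewire.org/";
}

// Hardened: the flag lives in the server-side session and is set only after
// a credential check. The client holds an opaque session id, not the
// decision itself, so there is nothing for it to flip from 0 to 1.
function loginToSession(array &$session, string $user, string $pass, array $users): bool {
    if (isset($users[$user]) && password_verify($pass, $users[$user])) {
        $session["loggedin"] = true;
        return true;
    }
    $session["loggedin"] = false;
    return false;
}

// Constructed data, standing in for $_COOKIE, $_SERVER and $_SESSION.
$users   = ["natas5" => password_hash("example-password", PASSWORD_DEFAULT)];
$session = [];

// Both of these pass purely because of what the client chose to send.
var_dump(isLoggedInCookie(["loggedin" => "1"]));
var_dump(cameFromTrustedPage(["HTTP_REFERER" => "http://natas5.natas.labs.overthewire.org/"]));

// These pass or fail on the credentials, whatever headers the client sends.
var_dump(loginToSession($session, "natas5", "wrong-password", $users));
var_dump(loginToSession($session, "natas5", "example-password", $users));
var_dump($session["loggedin"]);
```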

Well this looks familiar:

natas level 3 message

I mean it’s kind of true this time, but let’s have a look at the source anyway, shall we?

natas level 3 source

How to hide stuff from google????  ROBOTS.TXT !!!!

But what are they trying to hide anyway?

natas level 3 robots.txt

Looks like there is a folder called /s3cr3t/.  I wonder what’s in it:

natas level 3 s3cr3t

Oh it’s just users.txt, maybe that has a list of users and their corresponding passwords in plain text:

natas level 3 users.txt

So, natas level 2 is telling us there is nothing on this page…I don’t believe them!  Let’s have a look at the page source:

Capture

Apparently there is an image on the page that lives in the “files” folder.  I wonder if there is anything else in that folder??

Capture

hmmmmmmmmm, users.txt looks moderately interesting:

level 2 users.txt

So level 1 looks a lot like 0, except this time it’s saying you can’t right click.  IDK, maybe on IE 5 this JavaScript works the way you would think it should, but I had no problem right clicking as you can see here:

natas1 right click

And then of course we see the page source, password included:

natas 1 source

You can also see the JavaScript which was employed, but ultimately failed, to keep this password secure:

<body oncontextmenu="javascript:alert('right clicking has been blocked!');return false;">

Today we’ll be reviewing Natas level 0 together.  We log in to http://natas0.natas.labs.overthewire.org/ with the creds they provided:

username: natas0
password: natas0

We’re then presented with the following message:

Capture

They’re saying we can find the password for the next level on this page.   After about an hour of head scratching I finally right clicked and hit view source, and it looked like this:

natas level 0 source

OMG!!!!!11

I was so excited, the password was RIGHT THERE!

On to level 1…