
Showing posts with the label Overthewire.org

Over the wire Natas Level 10

Objective: Get password for Level 11

Solution: Here we see an input box and a search button, but this time with the text "For security reasons, we now filter on certain characters". If we put in anything, it searches a dictionary.txt file for the input and displays the output. However, if we look in the source code, it looks like they are not going to let us use a lot of special characters this time:

    if($key != "") {
        if(preg_match('/[;|&]/',$key)) {
            print "Input contains an illegal character!";
        } else {
            passthru("grep -i $key dictionary.txt");
        }
    }
    ?>

Luckily for us we don't need to use any of those special characters to get at the webpass directory using grep. From the grep man page (http://linuxcommand.org/lc3_man_pages/grep1.html):

    NAME
        grep, egrep, fgrep, rgrep - print lines matching a pattern
    SYNOPSIS
        grep [OP

Over the wire Natas Level 9

Objective: Get password for Level 10

Solution: Here we see an input box and a search button. If we put in anything, it searches a dictionary.txt file for the input and displays the output. Let's check out the source code for anything interesting:

    <?
    $key = "";
    if(array_key_exists("needle", $_REQUEST)) {
        $key = $_REQUEST["needle"];
    }
    if($key != "") {
        passthru("grep -i $key dictionary.txt");
    }
    ?>

OK, so it literally just greps the file for the keyword entered; the only check it does is to see if the key is empty. I bet we can pipe the input field to get it to return data. Let's try an ls to see if we can pass directly to the shell like we think:

    dog & ls ../

Output:

    dictionary.txt
    ../:
    main natas0 natas1 natas10 natas11 natas12 natas13 natas14 natas15 natas16 natas17 natas18

Over the wire Natas Level 8

Objective: Get password for Level 9

Solution: Here we get an input box that checks to see if it's the right key to get the correct password. We can see in the source code that the input we give is compared to a hardcoded string before it gives out the password:

    $encodedSecret = "3d3d516343746d4d6d6c315669563362";

    function encodeSecret($secret) {
        return bin2hex(strrev(base64_encode($secret)));
    }

So it takes our input, base64-encodes it, reverses the string, then converts it to hex. So theoretically, if we take the hardcoded secret and run it through that sequence backwards, we should have the value needed to match. I wrote a little Python script to do the encoding for me:

    import base64
    string = '3d3d516343746d4d6d6c315669563362'
    print("The String is: ", string, "Length is :", len(string))
    unhex = bytes.fromhex(string).decode('utf-8')
    print("

Over the wire Natas Level 7

Objective: Get password for Level 8

Solution: This page is just two links, Home and About. If we click on one we can see it's calling a PHP page to give us the content:

    http://natas7.natas.labs.overthewire.org/index.php?page=about

The source code for Home has this hint:

    <!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->

Looks like we are going to use path traversal to solve this one. If we put in natas8 for the page parameter in the PHP we get this error:

    http://natas7.natas.labs.overthewire.org/index.php?page=natas8

    Warning: include(natas8): failed to open stream: No such file or directory in /var/www/natas/natas7/index.php on line 21
    Warning: include(): Failed opening 'natas8' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/natas/natas7/index.php on line 21

Cool, let's try it with the full path, page=/etc/natas_webpass/natas8:

    http://natas7.natas.labs.

Over the wire Natas Level 6

Objective: Get password for Level 7

Solution: We have a text box with the label "Input Secret" and a Submit Query button. Let's check the source code again. Here it looks like the form is taking the password we provide in $_POST['secret'] and checking it against another password stored in a variable:

    <?
    include "includes/secret.inc";

    if(array_key_exists("submit", $_POST)) {
        if($secret == $_POST['secret']) {
            print "Access granted. The password for natas7 is <censored>";
        } else {
            print "Wrong secret";
        }
    }
    ?>

Let's see if we can just get to that file, /includes/secret.inc, and see if we can see the key in there:

    http://natas6.natas.labs.overthewire.org/includes/secret.inc

Looks like just a blank white page... but it did load, so the file exists. Let's check the source for it:

    <?
    $secret =

Over the wire Natas Level 5

Objective: Get password for Level 6

Solution: This page just shows a text box: "Access disallowed. You are not logged in". So this is saying we aren't logged in. We just logged in, so there must be something else here that is tracking whether we are logged in or not. Let's take a look at the cookies using a cookie editor to see if there is something there that tracks whether we are logged in. Yup, in the cookie for this site we see a value named "Loggedin" set to 0. Let's try flipping it to 1 and see what happens:

    Access granted. The password for natas6 is aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

Over the wire Natas Level 4

Objective: Get password for Level 5

Solution: This page just shows a text box: "Access disallowed. You are visiting from "" while authorized users should come only from http://natas5.natas.labs.overthewire.org/". OK, so the message here is pointing us to the referring website. If we fire up Burp Suite and turn on intercept we can see this:

    GET /index.php HTTP/1.1
    Host: natas4.natas.labs.overthewire.org
    User-Agent: Mozilla/5.0 (Linux; Android 7.0; PLUS Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.98 Mobile Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://natas4.natas.labs.overthewire.org/
    Cookie: __cfduid=dc1833b1d7b69b3cac3c87671133dc9051557462221; __utma=176859643.791061132.1557462220.1558030716.1570727565.8; __utmz=176859643.1557462220.1.1.utmcsr=(direct)|utmccn=

Over the wire Natas Level 3

Objective: Get password for Level 3

Solution: This page just shows a text box: "There is nothing on this page". Let's check the source code again:

    There is nothing on this page
    <!-- No more information leaks!! Not even Google will find it this time... -->

Not even Google will find it this time, huh? What do we know that keeps web crawlers from indexing pages? robots.txt. Let's check out the robots.txt and see if there are any goodies in there:

    http://natas3.natas.labs.overthewire.org/robots.txt

    User-agent: *
    Disallow: /s3cr3t/

It disallows the folder /s3cr3t/; it doesn't want Google to index that folder. Let's see what is in there:

    http://natas3.natas.labs.overthewire.org/s3cr3t/

Another users.txt file:

    http://natas3.natas.labs.overthewire.org/s3cr3t/users.txt

    natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

Over the wire Natas Level 2

Objective: Get password for Level 3

Solution: This page just shows a text box: "There is nothing on this page". OK, let's check the source and see if there is anything interesting in there. In the HTML there is an img tag that links to a file named pixel.png in a folder named files:

    There is nothing on this page
    <img src="files/pixel.png">

Let's see if we can see what else is in that folder:

    http://natas2.natas.labs.overthewire.org/files/

There is a txt file in there named users.txt. Let's check it out:

    # username:password
    alice:BYNdCesZqW
    bob:jw2ueICLvT
    charlie:G5vCxkVV3m
    natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
    eve:zo4mJWyNj2
    mallory:9urtcpzBmH

natas3 password: sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14

Over the wire Natas Level 1

Objective: Get password for Level 2

Solution: This page just shows a text box: "You can find the password for the next level on this page, but rightclicking has been blocked!" No right clicking... OK, F11 in Chrome brings up the inspector, so let's use that to get the next password:

    <!--The password for natas2 is ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi -->

Over the wire Natas Level 0

Objective: Get password for Level 1

Solution: This page just shows a text box: "You can find the password for the next level on this page." Checking the source code, we find the password for level 1:

    <!--The password for natas1 is gtVrDuiDfck831PqWsLEZy5gyDz1clto -->

Over the Wire - Krypton 5

Objectives: FA can break a known key length as well. Let's try one last polyalphabetic cipher, but this time the key length is unknown. Enjoy.

Solution: I used the same code-breaking website to get the key, https://www.guballa.de/vigenere-solver

    key: keylenght

Krypton6 contains BELOS Z, decrypted: random

Over the Wire - Krypton 4

Objectives: You more than likely used some form of FA and some common sense to solve that one. So far we have worked with simple substitution ciphers. They have also been ‘monoalphabetic’, meaning using a fixed key, and giving a one to one mapping of plaintext (P) to ciphertext (C). Another type of substitution cipher is referred to as ‘polyalphabetic’, where one character of P may map to many, or all, possible ciphertext characters. An example of a polyalphabetic cipher is called a Vigenère Cipher. It works like this: if we use the key (K) ‘GOLD’, and P = PROCEED MEETING AS AGREED, then “add” P to K, we get C. When adding, if we exceed 25, then we roll to 0 (modulo 26).

    P  P  R  O  C  E  E  D  M  E  E  T  I  N  G  A  S  A  G  R  E  E  D
    K  G  O  L  D  G  O  L  D  G  O  L  D  G  O  L  D  G  O  L  D  G  O

becomes:

    P 15 17 14  2  4  4  3 12  4  4 19  8 13  6  0 18  0  6 17  4  4  3
    K  6 14 11  3  6 14 11  3  6 14 11  3  6 14 11  3  6 14 11  3  6 14
    C 21  5 25  5 10 18 14 15 10 18  4 11 19 20 11 21  6 20  2  8 10 17

So, we get a ciphertext of: VF

Over the Wire - Krypton 3

Objectives: Well done. You’ve moved past an easy substitution cipher. The main weakness of a simple substitution cipher is repeated use of a simple key. In the previous exercise you were able to introduce arbitrary plaintext to expose the key. In this example, the cipher mechanism is not available to you, the attacker. However, you have been lucky. You have intercepted more than one message. The password to the next level is found in the file ‘krypton4’. You have also found 3 other files. (found1, found2, found3) You know the following important details: The message plaintexts are in English (*** very important) - They were produced from the same key (*** even better!)

Solution: OK, so I used a bit of a cheat on this one, but as long as I have the internet available I might as well use it, right? I took the encrypted text of found2 and plugged it into a decrypter which used letter frequency to find the mono-alphabetic key for the text, and found this is the key for t

Over the Wire - Krypton 2

Objectives: The password for level 3 is in the file krypton3. It is in 5 letter group ciphertext. It is encrypted with a Caesar Cipher. Without any further information, this cipher text may be difficult to break. You do not have direct access to the key, however you do have access to a program that will encrypt anything you wish to give it using the key. If you think logically, this is completely easy.

Solution: OK, so the first thing we did was link the file in a temp directory:

    krypton2@krypton:/krypton/krypton2$ mkdir /tmp/asmithkryp2
    krypton2@krypton:/krypton/krypton2$ cd /tmp/asmithkryp2
    krypton2@krypton:/tmp/asmithkryp2$ ln -s /krypton/krypton2/keyfile.dat

Then we changed the permissions for everyone to have access to the file, just like the example on the website:

    krypton2@krypton:/tmp/asmithkryp2$ chmod 777 .

Now we want to create a file that we will use to run the encrypt binary against:

    krypton2@krypton:/tmp/asmithkryp2$ echo "abcdefghijklmnopqrstuvwxyz"

Over the Wire - Krypton 1

Objectives: The password for level 2 is in the file ‘krypton2’. It is ‘encrypted’ using a simple rotation. It is also in non-standard ciphertext format. When using alpha characters for cipher text it is normal to group the letters into 5 letter clusters, regardless of word boundaries. This helps obfuscate any patterns. This file has kept the plain text word boundaries and carried them to the cipher text. Enjoy!

Solution: From the description it sounds like a Caesar cipher. Let's cat the file to see what it contains:

    krypton1@krypton:/krypton/krypton1$ cat krypton2
    YRIRY GJB CNFFJBEQ EBGGRA

I'm guessing, just from experience, that this is probably a 13-shift Caesar cipher, otherwise known as ROT13. Let's echo it and pipe it into the translate command:

    echo "YRIRY GJB CNFFJBEQ EBGGRA" | tr '[A-Za-z]' '[N-ZA-Mn-za-m]'
    LEVEL TWO PASSWORD ROTTEN

Over the Wire - Krypton 0

Objectives: Welcome to Krypton! The first level is easy. The following string encodes the password using Base64: S1JZUFRPTklTR1JFQVQ= Use this password to log in to krypton.labs.overthewire.org with username krypton1 using SSH on port 2222. You can find the files for other levels in /krypton/

Solution: Here we have a base64 encoded string for the password for level 1. We are going to use the base64 -d decoding built into my OS:

    echo S1JZUFRPTklTR1JFQVQ= | base64 -d
    KRYPTONISGREAT

Pretty simple.

Over the Wire - Leviathan 1

Objective

Solution: OK, so let's see what's in the home directory:

    leviathan1@leviathan:~$ ls
    check
    leviathan1@leviathan:~$ file ./check
    ./check: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=c735f6f3a3a94adcad8407cc0fda40496fd765dd, not stripped

OK, so there is a binary there. Let's see what it does:

    leviathan1@leviathan:~$ ./check
    password: jjj
    Wrong password, Good Bye ...

It's checking for a password. I assume if given the correct password it will give us the password to the next level. I originally solved this a much different way, looking at the text contained in the binary file, but then found out about ltrace, which makes this much simpler:

    leviathan1@leviathan:~$ ltrace ./check
    __libc_start_main(0x804853b, 1, 0xffffd784, 0x8048610 <unfinished ...>
    printf("password: ")                              = 10
    getchar(1, 0, 0x65766f6c, 0x646f