OverTheWire : Natas


Coming off of OverTheWire’s Bandit labs, I was ready for more! So I moved on to the next suggested game, Natas. Natas, unlike Bandit, is entirely web based, so no PuTTY or SSH is involved. Natas is meant to build a baseline understanding of some simple web hacking techniques.

 


Natas : Level 0


Hint: You can find the password for the next level on this page.
So I right click on the page and select “View Source”, and from there I find password one!

Natas : Level 0-1


Hint: You can find the password for the next level on this page, but right clicking has been blocked!
This is essentially the same challenge as the previous one, but right click has been disabled. So I go up to the browser menu (Chrome in my case), click the hamburger menu, select More Tools -> Developer Tools, expand the elements and BOOM, password! Next level!

Natas : Level 1-2


Hint: There is nothing on this page.
This threw me for a loop. Unfortunately, due to the reading materials I’ve used and the previous challenge, as my buddy said . . . “You’re trying to think like a hacker too much.”
After a minute I re-read the source over and over until I noticed files/pixel.png.
So I clicked on the link and removed pixel.png, which left me with natas2.natas.labs.overthewire.org/files/
That directory listing contained pixel.png and users.txt. Sure enough, users.txt contained the password!

Natas : Level 2-3


Hint: There is nothing on this page
OK, same hint as last time . . . So I hit CTRL+U to show the source.
[screenshot]
So the source says no more information leaks, not even Google will find it . . . is that a hint? Or a challenge!? This is another one I was wayyyy overthinking. And unfortunately a buddy, in an attempt to help me, said “Google search rob, oh crap!” So I immediately edited the URL to /robots.txt, which held the directory containing the users.txt. Next time!

Natas : Level 3-4


Hint: Access disallowed. You are visiting from “” while authorized users should come only from “http://natas5.natas.labs.overthewire.org/”
Based on the hint I knew I needed to modify my “source” address to show where I was coming from. I spent some time trying to figure out how to do this via the source, code, etc. After a while I felt I should just do it the way I knew. Soooo I fired up my Kali VM and Burp Suite! I refresh the page and capture the data to be transmitted.
[screenshot]
I changed the highlighted area to
and then selected forward in burp suite! Sure enough the page loads and we have the password. On to the next challenge.

Natas : Level 4-5


Hint: Access disallowed. You are not logged in.
Being that I had Burp suite fired up, I refreshed and intercepted once again. Sure enough, the cookie value is 0 (see img), so I change that to 1 and forward!
[screenshot]
Seconds later the page displays the next level’s password!

Natas : Level 5-6


Hint: Input Secret "          "
This round we’re presented with an input box and a submit query button. Since Burp Suite has been working, I give it another go.

After that didn’t work, I decided to click the view source button and see what’s going on. Again it points to “includes/secret”.

<?php

// secret.inc defines $secret; note that it sits inside the web root,
// so the same web server will serve it as a plain file
include "includes/secret.inc";

if(array_key_exists("submit", $_POST)) {
    if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is <censored>";
    } else {
        print "Wrong secret";
    }
}
?>

So I append includes/secret.inc to the web address, hit enter . . . and boom! We have the password. I copy & paste it into the input box, hit submit, and we have the password for the next level!
* Note: An issue I had on this level was that I was doing this in Kali and the “secret.inc” file was blank. However, my friend doing it on Windows had no issue. After a while we figured out that the issue was with Iceweasel. I opened it in Kali with Chrome & Firefox and there were no issues.

Natas : Level 6-7


The home page this time just says “Home” & “About.” Well, that doesn’t give us much to go on! But we know better at this point, so I start by clicking “Home”, which now changes the page to say this is the front page.
[screenshot]
I don’t really think this is of any significance . . . so I move on to viewing the page source. Here we find our hint!
<!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->

While it tells us where to look this round, we already knew from the Natas intro page that /etc/natas_webpass/natasX is where all the passwords are stored.

On a whim I append the directory from the hint to the web address

http://natas7.natas.labs.overthewire.org/etc/natas_webpass/natas8

Which just causes the page to time out. I again hit “Home” which changes the address to

http://natas7.natas.labs.overthewire.org/index.php?page=home

I get a similar address when I click “About” but the following is always static

http://natas7.natas.labs.overthewire.org/index.php?page=

So I once again change the address to say

http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8

And Shazam! We have our password file. Based on what I know of websites and previous study material, I’m assuming this is working because the directories and such are not properly locked down to restrict outside access. So when you add /etc/natas_webpass/natas8 you’re telling the server to look in that directory? Correct me if I’m wrong!
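To answer the question above: this is a local file inclusion. index.php hands the page parameter straight to include, so any file the web server account can read, /etc/natas_webpass/natas8 included, gets pulled into the page. The following is an added Python example, not natas7's own PHP, that models three ways a page parameter could be turned into a path and what each one does with the inputs from this level; the pages directory, the page names and the extra notes.txt file are assumptions for the demo.

```python
import os
import tempfile

# Added example (not natas7's code). PAGES, the temporary pages directory and
# notes.txt are constructed for the demo.
PAGES = ("home", "about")


def naive_path(pages_dir, page):
    """Equivalent of building the include path from the client string.
    os.path.join drops pages_dir entirely when page is absolute, so
    /etc/natas_webpass/natas8 comes back unchanged."""
    return os.path.join(pages_dir, page)


def contained_path(pages_dir, page):
    """Canonicalise and require the result to stay under pages_dir.
    Stops absolute paths and ../ traversal, but any file inside pages_dir
    can still be included."""
    root = os.path.realpath(pages_dir) + os.sep
    candidate = os.path.realpath(os.path.join(pages_dir, page))
    if not candidate.startswith(root):
        raise ValueError("path escapes pages_dir: %r" % page)
    return candidate


def allowlisted_path(pages_dir, page):
    """Preferred: only names the application itself knows about resolve at all,
    with the containment check kept as a backstop."""
    if page not in PAGES:
        raise ValueError("unknown page: %r" % page)
    return contained_path(pages_dir, page)


def classify(pages_dir, inputs):
    """Return {input: (containment verdict, allowlist verdict)}."""
    out = {}
    for page in inputs:
        verdicts = []
        for resolver in (contained_path, allowlisted_path):
            try:
                resolver(pages_dir, page)
                verdicts.append("allowed")
            except ValueError:
                verdicts.append("rejected")
        out[page] = tuple(verdicts)
    return out


def demo():
    """Populate a throwaway pages directory and run the sample inputs through it."""
    with tempfile.TemporaryDirectory() as pages_dir:
        for name in PAGES + ("notes.txt",):   # notes.txt is a file that is not a page
            with open(os.path.join(pages_dir, name), "w") as fh:
                fh.write("content of %s\n" % name)
        return classify(pages_dir, [
            "home",
            "notes.txt",
            "/etc/natas_webpass/natas8",   # the input used on this level
            "../../../etc/passwd",
        ])


if __name__ == "__main__":
    for page, verdict in demo().items():
        print("%-30s containment=%s allowlist=%s" % (page, *verdict))
```

The containment check alone stops the absolute path and the ../ case, but still lets notes.txt through, which is why the allowlist is the primary control and canonicalisation is only the backstop.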


Natas : Level 7-8


This time instead of a blank page we get an input box that we saw previously in another challenge.
[screenshot]
If I’ve learned anything, I always try hitting submit, or entering anything and hitting submit, just to see if we get any unique response. Unfortunately it’s just “Wrong password entered.” So I move on to the obvious: view sourcecode.
In here we see some interesting stuff. The first thing that jumps out is
$encodedSecret = "3d3d516343746d4d6d6c315669563362";
As we continue on we see the variable $encodedSecret is piped through some conversion and into $secret. This part hung me up for a bit.
[screenshot]
I saw the bin2hex and immediately knew this is being converted from binary to hexadecimal format, so I used a Hex2Bin online conversion tool.
Running that left me with a converted string of
==QcCtmMml1ViV3b
This is where I got stuck. I then started to focus on the base64_encode. I thought, simple enough, we just need to decode. Not sure why, but I skipped right over “strrev”, which we will come back to. So I googled for some online converters for base64_decode. Trying to decode the string returned nothing or gibberish. After a few minutes and some confusion, I revisited the string and googled “strrev”, which returned a few sites with usage. They all immediately pointed out “strrev” = “String Reverse”, which made sense! When I was looking to base64 decode, most sites had examples showing the converted strings all ending with = or ==, which I thought was weird, but I didn’t know better.
So I google “strrev online”, which took me to String Reverse Online, and I dropped my string in, changing ==QcCtmMml1ViV3b to b3ViV1lmMmtCcQ== , which I then ran through the base64 online decoder, leaving me with:

oubWYf2kBq

I alt tab (through about 20 tabs now) back over to my login prompt, enter the password, and boom! We’re in, and given the next level’s password. This level was a bit challenging, and forced me to learn a bit more about PHP and reminded myself to process commands in the order they happen! Makes sense right. Onwards!
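The chain this level walks through, in the order the PHP applies it, is bin2hex(strrev(base64_encode($secret))), so decoding means running the three steps backwards: hex2bin, then strrev, then base64_decode. Here it is as an added Python example (my code, not the page's or OverTheWire's) using the $encodedSecret value quoted above; it also returns the intermediate strings so the order of operations is visible. The lesson for anyone writing such a check is that this is encoding, not encryption: whoever can read the source can reverse it.

```python
import base64
import binascii

# Added example, not code from the page. ENCODED_SECRET is the value quoted
# in the natas8 source.
ENCODED_SECRET = "3d3d516343746d4d6d6c315669563362"


def encode_secret(secret: str) -> str:
    """Forward direction, same order as the PHP: base64_encode -> strrev -> bin2hex."""
    b64 = base64.b64encode(secret.encode()).decode()        # base64_encode
    reversed_b64 = b64[::-1]                                 # strrev
    return binascii.hexlify(reversed_b64.encode()).decode()  # bin2hex


def decode_steps(encoded: str) -> dict:
    """Inverse direction with every intermediate kept: hex2bin -> strrev -> base64_decode."""
    step_hex2bin = binascii.unhexlify(encoded).decode()      # undo bin2hex
    step_strrev = step_hex2bin[::-1]                         # undo strrev
    step_b64 = base64.b64decode(step_strrev).decode()        # undo base64_encode
    return {
        "hex2bin": step_hex2bin,
        "strrev": step_strrev,
        "base64_decode": step_b64,
    }


def decode_secret(encoded: str) -> str:
    return decode_steps(encoded)["base64_decode"]


if __name__ == "__main__":
    for step, value in decode_steps(ENCODED_SECRET).items():
        print("%-14s %s" % (step, value))
    # round trip: re-encoding the result must give the original constant back
    print(encode_secret(decode_secret(ENCODED_SECRET)) == ENCODED_SECRET)
```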

Natas : Level 8-9


[screenshot]
This is new for the Natas challenges! I hit search, which returned nothing. I typed in “password” and hit search and it returned a list of words. Password, passwords, and password’s.
Per the usual I move on to View Sourcecode. Looking through I see reference of a dictionary.txt. I add a “/dictionary.txt” to the end of the url which returns a web page of words. Not sure if this means anything yet?
So at this point I see the following line showing that whatever word you type in is handed off to grep for processing. Grep takes the word “test”, for example, and searches within dictionary.txt for “test.”
passthru("grep -i $key dictionary.txt");
I know I need to chain off of that, so I first tried adding a | (pipe) ifconfig at the end . . . nothing. I was hoping we’d see an IP address returned. I re-read the lines a dozen times and then I realize, maybe I can just get it to echo? So in the search box I type
echo Hello
Which returns the following from dictionary.txt: hello and a few variations of hello. I then tried the pipe, which did nothing. At this point I made the switch to & (I verified in the end that sticking with | (pipe) would have worked all the same). But to be sure I’m not accidentally just getting results from dictionary.txt as opposed to echoing hello, I type
& echo Hello Seclyn
Which returns
[screenshot]
So we now know it’s working! And it hits me, I need to cat the password file. So I search again.
& cat /etc/natas_webpass/natas10
And we’re returned level 10’s password!
This was definitely a cool level. I know a lot of pentest books talk about misusing user / text input boxes to get valuable info. These past few lessons have helped me build up and not only better understand that, but work to that conclusion on my own. Web attacks are what I feel is my weakest point, so I’m really enjoying this and feeling more confident.

Natas : Level 9-10


This time we’re being told that input is now filtered for certain characters.
[screenshot]
Just to verify (trust but verify), I enter the command that worked for us last time
& cat /etc/natas_webpass/natas10
But this time it tells us that our “Input contains an illegal character.” So let’s dive into the source code!
They now have the following code, which filters out certain characters such as & and | (pipe).
if(preg_match('/[;|&]/',$key)) {
To be honest, I was really hung up on this one! The character filtering was killing me, and I spent a good amount of time researching PHP special characters. Then I started searching for getting around character filtering, which, to my surprise, didn’t turn up much. After an hour, I decided to google “grep multiple files.”
Grep said just list the files! So I tried and nothing was returned . . . hm. But it made sense! It had to be this way. I did stumble across a forum where someone was asking a pretty similar question to mine. Unfortunately it ended up being my solution, and I realized (reading further down) he later said it was for this challenge and encouraged people to try :\ but, oh well! To be honest, I’m not sure I would have gotten it. But the solution is as follows:
. * /etc/natas_webpass/natas11
The PERIOD is key here; without it this wouldn’t work. To try and justify my win I attempted to search and find an alternative solution, and at this point I cannot. I did research to try and figure out why the period works, as it even works without the * as long as the period is there. Hopefully one day I’ll better understand this.
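Why the period works: the search term is pasted into "grep -i $key dictionary.txt" unquoted, so the shell splits it into separate words. A lone . is a regular expression that matches any character, and every word after it (* expands to the file names in the current directory, then /etc/natas_webpass/natas11) is handed to grep as a further file to search, so grep prints every line of every listed file. The [;|&] denylist never sees a forbidden character because none is needed. The following added Python example (not the page's or natas's code; the allowlist pattern is an assumption) shows how the shell splits the inputs from these two levels, what the denylist and an allowlist each say about them, and the no-shell argv form that removes the problem regardless of the input.

```python
import re
import shlex

# Added example, not natas code. DENYLIST mirrors the page's preg_match;
# ALLOWLIST and DICTIONARY are assumptions for the demo.
DENYLIST = re.compile(r"[;|&]")                 # preg_match('/[;|&]/', $key)
ALLOWLIST = re.compile(r"^[A-Za-z0-9]{1,64}$")  # dictionary words only
DICTIONARY = "dictionary.txt"


def shell_command(key: str) -> str:
    """The string passthru() hands to /bin/sh."""
    return "grep -i %s %s" % (key, DICTIONARY)


def words_seen_by_shell(key: str):
    """Word splitting as the shell does it. shlex models splitting only: it does
    not expand * and does not treat & or | as operators, the real shell does both."""
    return shlex.split(shell_command(key))


def grep_file_arguments(key: str):
    """Every word after the pattern is a file operand to grep."""
    argv = words_seen_by_shell(key)
    return argv[3:]   # argv[0]=grep, argv[1]=-i, argv[2]=pattern


def denylist_accepts(key: str) -> bool:
    return DENYLIST.search(key) is None


def allowlist_accepts(key: str) -> bool:
    return ALLOWLIST.match(key) is not None


def hardened_argv(key: str):
    """No shell at all: grep gets a fixed argv, the key is exactly one argument,
    and -- stops it from being read as an option. Run with
    subprocess.run(hardened_argv(key), shell=False, capture_output=True)."""
    if not allowlist_accepts(key):
        raise ValueError("search term must be 1-64 letters or digits")
    return ["grep", "-i", "--", key, DICTIONARY]


def evaluate(key: str) -> dict:
    return {
        "denylist": denylist_accepts(key),
        "allowlist": allowlist_accepts(key),
        "shell_words": words_seen_by_shell(key),
    }


if __name__ == "__main__":
    for sample in ("password", "& echo Hello Seclyn", ". * /etc/natas_webpass/natas11"):
        print(repr(sample), evaluate(sample))
```

The denylist passes the level 10 input, and grep_file_arguments shows exactly which extra files grep would be told to read. The allowlist rejects it, and hardened_argv never lets the shell interpret the input at all, so there is nothing left to filter.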

Natas : Level 10-11


OK, so for me, this one was difficult. This was a bit more complicated than the previous where we essentially read some basic PHP and were on our way. In this challenge we had to modify part of the PHP script to encrypt a new cookie. I spent a bit of time on this realizing I just don’t know enough about PHP. So I decided to break from this, and focus on better understanding PHP.
That’s where SoloLearn came into play. I signed up and took their PHP online course and was able to knock it out in a couple of days, though overall it only took a few hours. One of the nice things about SoloLearn is that in the end you’re presented with a certificate of completion. May be nice to have on a resume or to show your employer.
Let me tell you, if you’re like me and have no PHP background… STOP NATAS RIGHT NOW AND TAKE THIS COURSE. It will help you really understand the PHP that you’re reading.
Onward . . . . Admittedly, even after taking that course I needed a bit of direction. I was able to review the source code and, now knowing better, knew I needed to modify their existing code. This led me to do things such as switch base64_decode to base64_encode. After some toying and resolving some errors (because they now make sense) I was able to write the following code, which when run returned some interesting results.
<?php

// Cookie value copied from the browser; base64-decoded it is the XOR ciphertext
$orig_cookie = base64_decode('ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw');

// Same routine as the site's xor_encrypt(), but with the known default cookie
// data used in place of the key: ciphertext XOR plaintext gives back the key
function xor_encrypt($in) {
    $text = $in;
    $key = json_encode(array("showpassword" => "no", "bgcolor" => "#ffffff"));
    $outText = '';
    // Iterate through each character
    for ($i = 0; $i < strlen($text); $i++) {
        $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }
    return $outText;
}

echo xor_encrypt($orig_cookie);

?>

----------------------------------------------------------------------------

 root@oracle:~/temp# php5 decrypt.php  
 qw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jq
From some reading and research we’re able to understand that what’s being returned is the key used to encrypt the cookies. So we modify our script and insert the key “qw8J” into our modified PHP script.
[screenshot]
Running this script results in the password for the next level! This script can be executed by running the following.
root@oracle:~/temp# php5 decrypt.php
Again, this overall was a very difficult challenge for me. I did have to get help, I had to read other reviews, and I had to take a PHP course. Overall, I benefited from every inch of it. The point of these courses is to build your knowledge and force you to learn. So NEVER feel bad if you have to look up the answer, as long as you can then read and learn from it.
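What the script above performs is a known-plaintext attack on a repeating-key XOR: the server XORs a cookie whose default contents are printed in the source, so XORing the ciphertext with that default recovers the key stream, and its shortest repeating unit is the key. The same lesson applies back at level 5, where the loggedin cookie was simply a 0 the client could change to 1: anything stored client-side is writable by the client unless the server can verify it. Below is an added Python example (my code, not the author's script and not natas's) that recovers the key from the cookie quoted above, then shows the fix a defender would reach for, an HMAC tag over the cookie so that any edit is rejected; SERVER_SECRET is an assumed server-side value.

```python
import base64
import hashlib
import hmac
import json

# Added example, not code from the page. COOKIE_B64 is the cookie value quoted
# on the page; SERVER_SECRET is an assumed server-side key.
COOKIE_B64 = "ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw"
KNOWN_PLAINTEXT = json.dumps(
    {"showpassword": "no", "bgcolor": "#ffffff"}, separators=(",", ":")
).encode()  # the bytes PHP's json_encode() produces for that array
SERVER_SECRET = b"assumed-server-side-secret"


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """The page's xor_encrypt(): repeating-key XOR, same function both directions."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def b64decode_lenient(text: str) -> bytes:
    """PHP's base64_decode tolerates missing '=' padding; Python's does not."""
    return base64.b64decode(text + "=" * (-len(text) % 4))


def recover_key_stream(cookie_b64: str, plaintext: bytes) -> bytes:
    """ciphertext XOR known plaintext == key stream."""
    return xor_crypt(b64decode_lenient(cookie_b64), plaintext)


def shortest_period(stream: bytes) -> bytes:
    """Smallest prefix that reproduces the whole stream when repeated."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


# Hardened alternative: authenticate the cookie so that edits are detected.
def seal(value: bytes, secret: bytes = SERVER_SECRET) -> str:
    tag = hmac.new(secret, value, hashlib.sha256).digest()
    return base64.b64encode(value + tag).decode()


def unseal(sealed: str, secret: bytes = SERVER_SECRET):
    """Return the value if its tag verifies, otherwise None."""
    raw = base64.b64decode(sealed)
    value, tag = raw[:-32], raw[-32:]
    expected = hmac.new(secret, value, hashlib.sha256).digest()
    return value if hmac.compare_digest(tag, expected) else None


def flip_first_byte(sealed: str) -> str:
    """Simulate a client editing one bit of its cookie."""
    raw = bytearray(base64.b64decode(sealed))
    raw[0] ^= 0x01
    return base64.b64encode(bytes(raw)).decode()


if __name__ == "__main__":
    stream = recover_key_stream(COOKIE_B64, KNOWN_PLAINTEXT)
    print("key stream:", stream.decode())
    print("key:", shortest_period(stream).decode())
    sealed = seal(KNOWN_PLAINTEXT)
    print("intact cookie accepted:", unseal(sealed) == KNOWN_PLAINTEXT)
    print("edited cookie accepted:", unseal(flip_first_byte(sealed)) is not None)
```

With the XOR scheme, knowing the key is enough to produce any cookie the server will decrypt. With the sealed version the client can still read and edit the value, but cannot produce a valid tag without SERVER_SECRET, so the edit is caught at unseal time.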

Natas : Level 11-12


Coming off of the last level, and my newly found PHP knowledge, I WAS READY! And then fell flat. . . . . I knew deep deep down, it would still be challenging as it is well, a challenge, and I just learned basic PHP. My biggest issue with challenges, when I learn something new I tend to focus on that and forget the previous challenge info.
In this case, Burpsuite. So looking at the code I immediately notice a few things.
First, if the file is larger than 1000 it will echo “File size is too big.”
 if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) {
echo "File is too big";
I then noticed that if the file meets the requirements it will generate a random file name and tell us where it’s been uploaded.
} else {
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded";
My biggest mistake in this challenge was that I spent a lot of time originally looking at the functions that are set up at the beginning of the page. Then I remembered: start simple, start with what you know.
So I take a simple file and upload it, it was too big. So I made an empty test.txt file and uploaded it . . . success! And it says the file “upload/z48jga83ix.jpg” was uploaded. I click on it, and it says unable to open the file.
So I created a PHP file using get contents to show us the /etc/natas_webpass/natas13 password file. But I kept uploading and it would modify the upload.php to upload.jpg. Then I remembered -_- BURPSUITE!
[screenshot]
So I upload the file, intercept with burpsuite, modify the name to .php, and the webpage confirms “41pki3ymfz.php” was uploaded!
[screenshot]
So I click the link, and sure enough we have the password!
This was a great challenge, which initially stumped me due to overthinking. I’ve now stuck a piece of paper to my monitor that says “Keep it simple!”

Natas : Level 12-13


This challenge, the page greets us and says we now only allow image file uploads! So we know there is now some kind of file verification. Looking at the source code, it looks like in the if-else if section they added a check via exif_imagetype.
So for the sake of knowing, I upload and modify the same PHP file we just used and get an error saying Not an image file! I rename upload.php to upload.jpg, and we get the same error. Not an image file! So we know that the check occurring is not simply based on the file extension.
[screenshot]
A quick Google search of exif_imagetype shows that the function checks the first few bytes of the file to verify it is an image. I then Google “trick exif_imagetype” and, to my surprise, there are quite a few results! The first is a blog post by TriGeminal at SitePoint. In his post he points out that adding GIF89a to the beginning of the file, before the start of our PHP, solves the problem we’re having! It tricks the exif check into thinking it’s a GIF.
So I modify our upload.php. I upload it and use Burp Suite to change the extension from JPG to PHP. And boom! We have our file uploaded! We follow the link, and sure enough we have the next level’s password.
[screenshot]
Thanks to Google, the previous challenge, and SoloLearn’s PHP course, this one was a no brainer and was knocked down quick!
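For anyone on the defending side of this level: exif_imagetype only looks at the leading magic bytes, so a file that begins with GIF89a passes no matter what follows, and the stored extension is taken from a name the client supplies. The added Python example below (my code, not natas13's, with the signature table, size limit and script heuristic as assumptions) reproduces that sniff, then stores uploads under a server-chosen name whose extension comes from the detected type, ignores the client's filename entirely, and rejects image bodies that carry a PHP open tag. Even with those checks in place the upload directory should be served with script execution disabled.

```python
import os
import secrets
import tempfile

# Added example, not natas13's code. SIGNATURES, MAX_SIZE and the sample
# uploads in demo() are constructed for the demo.
SIGNATURES = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
MAX_SIZE = 1000  # the filesize() limit quoted on the page


def detect_image_type(data: bytes):
    """Magic-byte sniff in the spirit of exif_imagetype(): 'gif', 'png', 'jpeg' or None."""
    for signature, kind in SIGNATURES.items():
        if data.startswith(signature):
            return kind
    return None


def looks_like_script(data: bytes) -> bool:
    """Cheap polyglot heuristic: an image body has no business carrying a PHP open tag."""
    return b"<?php" in data or b"<?=" in data


def store_upload(data: bytes, client_filename: str, upload_dir: str) -> str:
    """Apply the checks and return the stored name. client_filename is only
    reported in errors; the extension is derived from the detected type."""
    if len(data) > MAX_SIZE:
        raise ValueError("File is too big")
    kind = detect_image_type(data)
    if kind is None:
        raise ValueError("File is not an image")
    if looks_like_script(data):
        raise ValueError("Image contains script markup (rejected %r)" % client_filename)
    name = secrets.token_hex(5) + "." + kind   # server-chosen name and extension
    with open(os.path.join(upload_dir, name), "wb") as fh:
        fh.write(data)
    return name


def demo() -> dict:
    """Run constructed uploads through the checks; returns client name -> outcome."""
    samples = {
        "upload.php": b"<?php echo 'plain script'; ?>",
        "upload.jpg": b"<?php echo 'renamed, same bytes'; ?>",
        "polyglot.jpg": b"GIF89a<?php echo 'image header prepended'; ?>",
        "real.gif": b"GIF89a" + bytes(20),
    }
    outcomes = {}
    with tempfile.TemporaryDirectory() as upload_dir:
        for client_name, data in samples.items():
            try:
                stored = store_upload(data, client_name, upload_dir)
                outcomes[client_name] = "stored as " + stored
            except ValueError as err:
                outcomes[client_name] = "rejected: " + str(err)
    return outcomes


if __name__ == "__main__":
    for client_name, outcome in demo().items():
        print("%-14s %s" % (client_name, outcome))
```

detect_image_type alone returns "gif" for the polyglot, which is exactly the check this level bypasses; it is the combination of server-side naming and the extra content check, plus a non-executing upload directory, that closes the hole.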

Natas : Level 13-14


This challenge we’re immediately presented with a login screen requesting a username and password.
[screenshot]
I click “Login” just to see, and we’re returned an “Access Denied.”
Sooooo let’s view the sourcecode.