[WriteUp] OverTheWire – Natas – Part 1

OverTheWire hosts some cleverly designed war games, and Natas is one of them, focusing on web security.

It has 27 steps in total; it starts with the simplest challenge and gradually becomes more difficult. To access the next level, you have to capture the flag of the previous one.

Let’s start.

Level 0

URL: http://natas0.natas.labs.overthewire.org

User / Pass: natas0 / natas0

natas0

Well, this is kind of obvious. Let’s check the page’s source code:

natas0-2

Ok the password for the next level is: gtVrDuiDfck831PqWsLEZy5gyDz1clto

Level 1

URL: http://natas1.natas.labs.overthewire.org

User/Pass: natas1 / gtVrDuiDfck831PqWsLEZy5gyDz1clto

natas1

Ok, so they don’t want me to view the page source code this time.

But, oops, it seems I can still right-click in my Firefox browser. Let’s play the game by its rules and open the page with Chrome.

Ok, now it doesn’t allow me to do the right-clicking. What can we do?

I opened the developer’s tools, and voila.

natas1-1

The password for the next level is: ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi

Level 2

URL: http://natas2.natas.labs.overthewire.org/

User / Pass: natas2 / ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi

natas2

It means, there IS something on this page. Let’s check the source code again.

natas2-2

Well, look at that, there is an image called pixel.png on this page, but it is not visible.

First, I downloaded this 1×1 pixel png image and tried to find something fishy in it. But, the answer was not in the image, but in the directory where the image resides.

Obviously, there is a directory called “files” on the server. Let’s take a closer look at http://natas2.natas.labs.overthewire.org/files/

natas2-3

Look at that, there is a file called users.txt. Let’s look inside by clicking on it.

Here is our sweet natas3 user and its password.

natas2-4

The password for the next level is: sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14

Onto the next level.

Level 3

URL: http://natas3.natas.labs.overthewire.org/

User / Pass: natas3 / sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14

natas3

Same trick? Let’s check the source code.

natas3-2

Hmm, it seems this time it is not kidding. There is really nothing on this page. But look at what it says: “Not even Google will find it this time”. What keeps search engines from indexing files on a web server? Yup, robots.txt.

This is the contents of http://natas3.natas.labs.overthewire.org/robots.txt

User-agent: *
Disallow: /s3cr3t/

And finally, if we look at the directory of http://natas3.natas.labs.overthewire.org/s3cr3t/ we see the file users.txt. Opening it revealed the password for natas4.

The password for the next level is: Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

Level 4

URL: http://natas4.natas.labs.overthewire.org/

User / Pass: natas4 / Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

natas4

Obviously, we have a referrer problem here. The server expects us to come from http://natas5.natas.labs.overthewire.org/, but as you can see, we provide nothing as the referrer. We need to alter the Referer header. What is the best tool to do this? Our old friend Burp Suite.

I put Burp Suite in Proxy mode and turned interception on. It started listening for any traffic coming in on port 8080. I set my browser’s proxy settings to localhost, port 8080.

natas4-2

As can be seen above, when I tried to connect to http://natas4.natas.labs.overthewire.org/, Burp intercepted the request and waited for me to press the Forward button. Before that, I added the Referer header with the value of the natas5 URL.

Click forward, and voila!

natas4-3

The password for the next level is: iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

Level 5

URL: http://natas5.natas.labs.overthewire.org/

User / Pass: natas5 / iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

natas5

There is not much of a clue this time. I should either provide credentials or find a switch to trick the server into thinking that I’m already logged in.

Let’s ask our friend Burp for help again.

Look what I found. 🙂

natas5-2

Setting the value of the loggedin cookie to “1” granted me the access.

natas5-3

The password for the next level is: aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

Next, please.

Level 6

URL: http://natas6.natas.labs.overthewire.org/

User / Pass: natas6 / aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

natas6

Ok, this time it expects me to enter the correct secret. “View sourcecode” is definitely a hint. Let’s do it.

<body>
<h1>natas6</h1>

<?
// Load $secret from a separate include file
include "includes/secret.inc";

if(array_key_exists("submit", $_POST)) {
    // Compare the submitted value against the included secret
    if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is ";
    } else {
        print "Wrong secret";
    }
}
?>

Input secret:

</div>
</body>

Alright, this is the related part of the code. Look at that part being included. Let’s see what is in there.

wget http://natas6.natas.labs.overthewire.org/includes/secret.inc --user natas6 --password aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

Look what I found.

» cat secret.inc
<?
$secret = "FOEIUWGHFEEUHOFUOIU";
?>

Let’s enter the secret.

natas6-3

The password for the next level is: 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

Level 7

URL: http://natas7.natas.labs.overthewire.org/

User / Pass: natas7 / 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

natas7

That’s it?

Let’s start by clicking around. Those two links gave me these:

http://natas7.natas.labs.overthewire.org/index.php?page=home

http://natas7.natas.labs.overthewire.org/index.php?page=about

Nothing interesting. How about the source?

natas8

Look at that hint. It even tells me where the password is. This looks A LOT like a directory traversal vulnerability. Let’s give it a try.

http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8

Well… It worked. 🙂

natas7-3

The password for the next level is: DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe
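
The page parameter handling behind this level, as an added example (not part of the original write-up, and not the challenge's own source, which appears here only as a screenshot): a Python model that assumes the parameter is used directly as a file path, next to an allow-listed version. The names PAGES, load_page_naive and load_page_hardened and the temporary files are constructed for illustration.

```python
import os
import tempfile

PAGES = {"home", "about"}  # the two values used by the site's own links


def load_page_naive(page, base_dir):
    """Assumed vulnerable shape: the request parameter is used as a path."""
    # An absolute `page` makes os.path.join discard base_dir entirely.
    with open(os.path.join(base_dir, page)) as fh:
        return fh.read()


def load_page_hardened(page, base_dir):
    """Allow-list the name, then confirm the resolved file is under base_dir."""
    if page not in PAGES:
        raise ValueError("unknown page")
    root = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(root, page))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("path escapes the page directory")
    with open(path) as fh:
        return fh.read()


def demo():
    """Build a constructed page directory plus one file outside it."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        pages = os.path.join(tmp, "pages")
        os.mkdir(pages)
        outside = os.path.join(tmp, "webpass")  # stands in for a protected file
        for path, text in ((os.path.join(pages, "home"), "home page"),
                           (outside, "CONSTRUCTED-SECRET")):
            with open(path, "w") as fh:
                fh.write(text)
        results["naive"] = load_page_naive(outside, pages)
        results["ok"] = load_page_hardened("home", pages)
        try:
            load_page_hardened(outside, pages)
        except ValueError as exc:
            results["rejected"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The realpath containment check after the allow-list is defence in depth: it still holds if an allowed name later turns out to be a symlink pointing outside the page directory.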

Level 8

URL: http://natas8.natas.labs.overthewire.org/

User / Pass: natas8 / DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe

natas8

It seems we need to find a password again. Let’s view the sourcecode as it suggests.

natas8-2

Ok, clearly we need to decode the encoded secret. Just run a PHP command doing the opposite.

natas8-3

The secret is: oubWYf2kBq

Let’s enter the secret.

natas8-4

The password for the next level is: W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl

Level 9

URL: http://natas9.natas.labs.overthewire.org/

User / Pass: natas9 / W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl

natas9

Ok, let’s view the source code.

natas9-2

Look what they did there. How can you use the passthru command without sanitizing its input first? Bad coder. 🙂

Here, it took some time for me to understand what file I can access with this as there was no hint about it. Then I remembered /etc/natas_webpass/ directory at Level 7.

Entered ;cat /etc/natas_webpass/natas10; in the search field.

natas9-3

The password for the next level is: nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

Level 10

URL: http://natas10.natas.labs.overthewire.org/

User / Pass: natas10 / nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

natas10

Source code says:

if(preg_match('/[;|&]/',$key)) {
    print "Input contains an illegal character!";

Ok, now we have a better coder here, as he/she did some sanitizing. I cannot use a semicolon anymore, so there is no way I can run another command.

I need to find a way to use the grep command.

But look… “.” is still allowed. 🙂

“.” matches any character in a regex. And since grep can search more than one file at once…

. /etc/natas_webpass/natas11

It gave me the password for the natas11 user.

natas10-2

The password for the next level is: U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK
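
Why the character blacklist from Levels 9 and 10 is not enough, as an added example (not part of the original write-up or the challenge source): a Python model that assumes the server builds a shell command of the form grep -i <key> <dictionary>, next to a version that passes the key as a single argument without a shell. The function names and the temporary files are constructed for illustration.

```python
import os
import re
import subprocess
import tempfile

BLACKLIST = re.compile(r"[;|&]")  # the filter quoted from the level 10 source


def search_blacklist(key, dictionary):
    """Level 10 style: reject ; | & and then build a shell command line."""
    if BLACKLIST.search(key):
        return "Input contains an illegal character!"
    # Assumed command shape. The shell splits key on whitespace, so a space
    # turns one search term into a pattern plus extra file operands.
    cmd = f"grep -i {key} {dictionary}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def search_hardened(key, dictionary):
    """No shell; key is one fixed-string pattern bound to -e; -- ends options."""
    argv = ["grep", "-i", "-F", "-e", key, "--", dictionary]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def demo():
    """Run both searches against constructed files in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        dictionary = os.path.join(tmp, "dictionary.txt")
        secret = os.path.join(tmp, "secret.txt")  # stands in for a protected file
        with open(dictionary, "w") as fh:
            fh.write("apple\nbanana\n")
        with open(secret, "w") as fh:
            fh.write("CONSTRUCTED-SECRET\n")
        return {
            "blocked": search_blacklist(f"; cat {secret}", dictionary),
            "bypass": search_blacklist(f". {secret}", dictionary),
            "hardened": search_hardened(f". {secret}", dictionary),
            "normal": search_hardened("APP", dictionary),
        }


if __name__ == "__main__":
    for name, output in demo().items():
        print(f"{name}: {output!r}")
```

The blacklist only removes command separators; it does nothing about word splitting, which is why the fix is to stop handing user input to a shell rather than to extend the list of forbidden characters.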

Level 11

URL: http://natas11.natas.labs.overthewire.org/

User / Pass: natas11 / U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK

To be continued…