
Thursday, July 17, 2014

[WALKTHROUGH] OverTheWire - Natas11 - Natas20

This post is the sequel to my walkthrough of Natas0-Natas10...

Holding the key to access Level 11...



"Cookies are protected with XOR encryption" is the message shown by the page... so I guess something has to be done with the cookies... So, I proceed to the source code...


Simply enough, I know that when the value of "showpassword" in the "data" key is true, the page will display the password for the next level... so I have to understand the algorithm that creates the value "yes" for "showpassword"...


The PHP code then json_encodes the data, XOR-encrypts it and base64-encodes it... so, basically, what I need to do is find the key for the XOR step and reverse the whole flow to generate a brand new cookie value...

From loadData(), I know that the decoding flow looks like this:
base64_decode => xor_encrypt => json_decode

And it encodes the value before passing it for verification using the flow:
json_encode => xor_encrypt => base64_encode


I obtained my cookie's data value through the BurpSuite proxy... and proceeded with a new PHP script to find out the key value...


Since A XOR B = C and C XOR B = A...

So I do it in reverse by decoding the "data" value with base64, followed by the XOR step and json_decode...



Executing the PHP file returns a key, which is "qw8J" in repeated form...


Reproduce the cookie's data value by changing the "showpassword" value to "yes" and generating the required cookie value...


Replace the cookie using BurpSuite...



And, the page returns the password for Level 12...
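To make the weakness behind this level concrete, here is an added example of my own (not the post's PHP): it reproduces the cookie flow the post describes, recovers the repeating XOR key "qw8J" from the known JSON plaintext, and then shows what a defender wants instead, a cookie carrying an HMAC tag, so that editing "showpassword" invalidates the cookie. The exact JSON body, the HMAC secret and the period-finding helper are my assumptions.

```python
import base64, binascii, hashlib, hmac, json
from itertools import cycle

KEY = b"qw8J"  # the repeating XOR key the post recovered
# Constructed plaintext: the post only names the "showpassword" field, so the body is assumed
PLAINTEXT = json.dumps({"showpassword": "no"}, separators=(",", ":"))
HMAC_SECRET = b"constructed-server-side-secret"  # constructed; a real secret would be random

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR against a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def make_cookie(plain: str, key: bytes) -> str:
    """The level's flow as the post lays it out: json_encode -> xor_encrypt -> base64_encode."""
    return base64.b64encode(xor_bytes(plain.encode(), key)).decode()

def recover_key(cookie: str, known_plain: str) -> bytes:
    """Known-plaintext recovery: ciphertext XOR plaintext gives the keystream, and a
    repeating key is simply the shortest period of that keystream."""
    keystream = xor_bytes(base64.b64decode(cookie), known_plain.encode())
    for period in range(1, len(keystream) + 1):
        if keystream == (keystream[:period] * len(keystream))[:len(keystream)]:
            return keystream[:period]
    return keystream

def sign_cookie(plain: str, secret: bytes) -> str:
    """Hardened alternative: keep the body readable but attach an HMAC-SHA256 tag."""
    tag = hmac.new(secret, plain.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(plain.encode()).decode() + "." + tag

def verify_cookie(cookie: str, secret: bytes):
    """Return the decoded object, or None when the tag does not match the body."""
    try:
        body_b64, tag = cookie.rsplit(".", 1)
        body = base64.b64decode(body_b64, validate=True)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)

def flip_showpassword(cookie: str) -> str:
    """Edit the signed body to "yes" while keeping the old tag; verify_cookie must reject it."""
    body_b64, tag = cookie.rsplit(".", 1)
    body = base64.b64decode(body_b64).replace(b'"no"', b'"yes"')
    return base64.b64encode(body).decode() + "." + tag
```

The XOR layer gives neither confidentiality nor integrity once a single plaintext is known; the HMAC variant leaves the body readable on purpose and relies on the tag alone.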


Natas12 allows me to upload a JPEG file... so, I am thinking whether I can upload some PHP code to `echo` the password content... Again, I look into the source code through the provided link...


It seems the upload form is not sanitized... so I quickly upload a simple backdoor PHP file, which can be found in Kali Linux itself... while running together with BurpSuite...


I changed the file name to "backdoor.php"... and forwarded the traffic... the page then returns a message that the upload was successful, together with a link to the uploaded file... the uploaded filename is replaced with a randomly generated string... so I use the `cat` command to display the content of "/etc/natas_webpass/natas13" on the page itself...


Copy the password and move on to Natas13...


Natas13 is exactly the same as Natas12, except that Natas13 is smarter this time by limiting the upload form to accept only image files...

However, all image files have their respective magic numbers at the front to identify themselves as image files rather than mp3 files or others...

I simply took a screenshot of my screen and dumped the hex values of the screenshot image file, which happens to be a PNG file...


In the very first 8 bytes of the hex dump, we can see the magic number for a PNG file...

So, using the 8-byte magic number... I write a simple Python script to generate a new PHP backdoor to bypass the security check...



Double-checked the newly created PHP backdoor file, and verified that it carries the magic number of a PNG file...

Repeated the same steps as the previous level through BurpSuite...



A message indicates the file has been uploaded successfully, together with a new link to the uploaded PHP file...


Issuing the command in the URL executes the command itself... and I look for the password located in "/etc/natas_webpass/natas14"...


And, I got the password for the next level...
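The defender's side of Natas12 and Natas13, as an added example of my own (not the level's code): the signature-only check that the post bypassed, next to a stricter validator that walks the PNG chunk structure and checks every CRC, paired with an extension allowlist. The sample PNG and the magic-only file are constructed inline; the function names are my own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"  # the 8-byte PNG magic number the post dumped from a screenshot

def signature_only_check(data: bytes) -> bool:
    """The weak check: only the first 8 bytes decide whether a file is an image."""
    return data[:8] == PNG_SIG

def strict_png_check(data: bytes) -> bool:
    """Walk the chunk structure: signature, IHDR as the first chunk, a valid CRC on
    every chunk, and an IEND chunk closing the file."""
    if data[:8] != PNG_SIG:
        return False
    pos, first = 8, True
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            return False  # declared length runs past the end of the data
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != struct.unpack(">I", crc)[0]:
            return False
        if first and ctype != b"IHDR":
            return False
        first = False
        if ctype == b"IEND":
            return True
        pos += 12 + length
    return False

def accept_upload(filename: str, data: bytes) -> bool:
    """Content check plus an extension allowlist; the stored name should also be server-chosen."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return ext == "png" and strict_png_check(data)

def chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed samples: a real 1x1 RGB PNG, and a file that carries only the magic number.
REAL_PNG = (PNG_SIG
            + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
            + chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))  # filter byte + one RGB pixel
            + chunk(b"IEND", b""))
MAGIC_ONLY = PNG_SIG + b"<plain text standing in for non-image content>"
```

Even the strict parser only proves the bytes are a well-formed PNG; the upload is still harmless only because the extension allowlist and a server-chosen filename keep the web server from ever executing it.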


Natas14 requests a username and password... at first glance, I am thinking this would be the SQL injection challenge...


Looking into the code itself proves that my hunch is right...



Logged in successfully and provided with the password for Natas15...


Natas15 only requests the username, unlike the previous level...


The code is able to tell whether a given user exists or not...

So basically, I can perform a blind SQL attack, which works like this... if my guess is correct and the user exists, it returns me a True value, which is "This user exists"... else it returns me False...

Well, you get the idea... :)


However, instead of brute forcing by hand, I tried to get sqlmap's help here...

I know the username natas16 exists, I know the database type, I know the returned strings, and I know the injection type...




After some automated attacks, sqlmap returns a few credentials found, including the credential for natas16...


Natas16 reminds me of Natas10... but I am sure the security will be even tighter this time...


The list of filtered characters has grown... I use a simple Python script here...


After some time brute forcing the 32 characters... it returns the password for Natas17...


Again, Natas17 is similar to Natas15... so I will just let sqlmap do the job while I am doing my other daily tasks...

--data "username=natas18"
--dbms=MySQL
--technique=T (since this is a time-based blind SQL injection, which means I have a lot of time to do my own other tasks too...)



sqlmap does not disappoint me this time either, returning the credential for Natas18...


Natas18 requires an admin account in order to retrieve the credentials for Natas19... checking out the source code, I know there will be one session ID in the range 0-640 that belongs to the admin account... brute forcing with 641 attempts doesn't sound bad actually...



Grabbing the password and going for the next level...


Natas19 tells me that this level uses mostly the same code as the previous level, but the session IDs are no longer sequential... so I try to find out the meaning behind this hint using BurpSuite again...



By decoding this, I know that it has an extra "-admin" in the session ID... so I can still reuse my previous code with a small amendment...



Run the Python code and it returns the password for Natas20...


Again, Natas20 requires an admin account in order to retrieve the credentials for Natas21... after analyzing the source code and checking BurpSuite... I know that the value of the parameter "name" is written to the session file... so I just have to create a new "admin" parameter with the value "1"...


The password for the next level is returned on the page...

Stay tuned for the remaining levels up to level 27, which I have already completed... I just need some time to post things up...

Wednesday, July 16, 2014

[WALKTHROUGH] OverTheWire - Natas0 - Natas10

Natas is another wargame hosted by OverTheWire, which focuses solely on server-side web security... You can head over and give this wargame a try, which I strongly recommend to beginners, especially those interested in web security... The wargame is hosted all day long and all year round, so there are no time constraints and it is entirely self-paced...

Natas has altogether 27 levels at the moment I am writing this write-up... The difficulty increases as you go through the levels, and it is definitely challenging enough for an amateur like me... Each level of Natas is located at its own URL, and there is no SSH login like the previous wargame posted here...

To access a specific level, enter the URL for that level and input the username and password... As usual, you can only access the next level after you capture the flag at the current level... Please take note that the passwords are stored in /etc/natas_webpass/natasX, where X is the current level number...

Let's start from the beginning, Natas0:
URL: http://natas0.natas.labs.overthewire.org
Username: natas0
Password: natas0


A very big hint is given on the starter page... "You can find the password for the next level on THIS page"... as is my usual practice, the first thing I'm going to do is look at the page source...


The password for the next level is given and shown plainly in the page source...


Reaching level 1, I am warned that right-clicking has been blocked... so what should I do? Simply disabling JavaScript in your browser will do...


Same trick as the previous level, view the page source code... the password for the next level is very obvious to see...


Level 2 tells me that there is nothing on this page... but that doesn't stop me from viewing the page source code again...


Noticed that the pixel.png file is located at "files/pixel.png"... So this means this web server has a directory named "files"...


In the "files" directory, I can see the "pixel.png" file together with a "users.txt" text file... This seems interesting to me...


Opening the "users.txt" text file reveals the password for the next level...


Reaching level 3, I'm told the same message as the previous level... Well, who cares, as I am going to look into the page source code anyway...


This time I no longer see any directory in the page source, and I am told there is no more information, not even Google can help me on this... If Google cannot tell me, that means Google doesn't know, and that leads me to "robots.txt", where Google stops its spider from crawling the sub-directories of a domain that are listed in robots.txt...


"robots.txt" tells me that there is one sub-directory named "s3cr3t", which is the l33t speak of the word "secret"... Obviously, the credential can be found this way...


There is a "users.txt" text file with the same name as in the previous level...


Checking out the file reveals the password for the next level...


Natas4 tells me that access is disallowed, as authorized users should come only from Natas5's URL... So, I fire up my BurpSuite for a better understanding of the stuff running behind...


From BurpSuite, I can see the referer is Natas4's URL, which is probably disallowed and not authorized on this page... Hence, I change natas4 into natas5 as the referer...


Forward the packet...


And, I am presented with the password to the next level...


Natas5 basically tells me the same thing, that I am disallowed to access this page... so, no doubt, I check with BurpSuite again...


Found out there is one parameter in the Cookie named "loggedin" with the value "0"... Changing the value from "0" to "1" should log me in this time...


And, I was correct... the password for the next level is given on the page...


This time, Natas6 asks me to input the secret keyword... but wait! There is a "View sourcecode" link, which might give me a better idea...


The source code tells me that the page includes a file at "includes/secret.inc"... and I tried navigating to that link, which gave me a blank page... out of curiosity, I right-clicked on the page and viewed the page source...


The secret keyword is given... back to the first page and input the secret keyword...


As expected, the password for the next level is given after we input the secret keyword...


Coming to Natas7, I only see two links, "Home" and "About"... so I checked out the page source code again...


This looks like a directory traversal vulnerability to me... The comment in the source code even tells me where the password is located...


By navigating to the password location, the page returns the password to Natas8...


Natas8 has exactly the same design and layout as Natas6, which confused me at some point, as I thought I had gone to the wrong level... But thankfully the page clearly mentions I am at level 8 by highlighting the words "NATAS8" at the top left corner...

So, I went over and viewed the source code again through the provided link...


The PHP code basically compares the encoded version of the input secret keyword with the existing encoded secret code, and the page returns the password for natas9 if they match... so I wrote a PHP script to reverse its encoding process...



Got the reversed secret code and input it into the form...


As expected, the page returns with the password for next level...


Natas9 is like a keyword search engine that asks us to input "words" to be searched... I shall not rush, and instead take a look at the "magic" behind it...


So, the page performs a `grep` command on dictionary.txt with the keyword entered... but the command doesn't seem to be sanitized, so we can just end the command with ';' and display the content of "/etc/natas_webpass/natas9" using the `cat` command... not forgetting to comment out the code behind it, as I only care about the password for the next level...




The password for the next level is `cat`-ed out and shown on the page itself...


Reached level 10, and I am told the security has been tightened compared to level 9 and certain characters are filtered... For a clearer picture, I decided to view the source code again...


This time the input is sanitized with character filtering... I can no longer input a semicolon, or, ampersand... but it does not filter the "*" asterisk symbol, which is good enough for me to display the content of the password... using the same pattern as the previous level, I replace the ";" that previously ended the command with the regex ".*" to display everything instead...



And, this is how I found the password for next level...