Thursday, July 17, 2014

[WALKTHROUGH] OverTheWire - Natas21 - Natas27

Continuing from my previous walkthrough post covering Natas11-Natas20...

You may want to check out the walkthrough for Natas0 - Natas10 as well...

This post covers the walkthrough from Natas21 to the final level...

The password obtained earlier in Natas20 brings me to Natas21...



A note on Natas21 tells me that this website has a sibling location, which looks like an experimental page... Before going over to the Natas21 sibling page, I peek into the source code...


Pretty straightforward... the page requires the "admin" key with the value "1" in the session in order to print out the credentials for the next level...

So, I navigate over to the experimenter page... this page prompts for the Natas21 credentials as well... but then again, I already have the password for Natas21, so this is not a problem for me...


Check out the source code...
 

Firing up BurpSuite, I add a new parameter "admin" with the value "1"... and forward the request...


Checking with debug confirms that the new parameter has been added to the session...



Intercepting the traffic with BurpSuite again, I copy the PHPSESSID (notice that its value has changed)... then I navigate back to the main page and replace the PHPSESSID there with the one I just copied...
  

The main page then returns the password for Natas22...


The Natas22 page is blank white with only a link to the source code. Without hesitation, I check the source code again...


It says only admin can reveal the password... otherwise it redirects back to the home page... I tried intercepting the traffic with BurpSuite and adding the parameters "revelio" and "admin" with the value "1", but that failed.

Hence, in order to print out the web content without being redirected, I use the `curl` command...


Combining it with the `grep` command gives a cleaner view of the result...


Natas23 asks directly for a password in order to log in... but I do not know the passphrase. So I check the source code to get an idea...


The check requires a password that contains the word "iloveyou" and whose value is greater than 10... so I just input the password "11iloveyou", as it contains the keyword "iloveyou" and its integer value is greater than 10...

The comparison `$_REQUEST["passwd"] > 10` implicitly casts the string to an integer. Basically, "11iloveyou" becomes the integer value 11...


Password is granted!


Natas24 looks similar to the previous level... check out the source code...


If the input password matches the censored word, the password for the next level is printed out. But I do not know the exact censored word...

So I fire up BurpSuite to intercept the traffic again and start fuzzing around... since it is comparing string values, what happens if I pass the data as an array to mess things up a little?



The page returns a warning message and also THE KEY for the next level! My guess is that calling strcmp on an array and a string results in an error and returns a false value; the "!" in front of it negates the result, so the condition becomes true...


What a long quote displayed on Natas25 =.=!! Well, I didn't bother to read it.



Since I have control over the headers and the session ID, I can attempt a directory traversal attack through the language parameter, although it appears to be sanitized...

However, replacing every "../" with nothing does not help at all, because the replacement is done in a single pass, so:

"../"    => ""
"..././" => "../"
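To make the single-pass stripping problem concrete, here is an added example (Python, not the challenge's PHP or the author's code) that models the filter described above and contrasts it with a check on the resolved path. The base directory `/var/www/language` and the log file name are constructed assumptions, not paths from the challenge.

```python
"""Why a one-shot "../" strip is not a traversal defence.

Added example, not code from the Natas25 challenge or the original post.
Models the stripping behaviour described above (every "../" replaced once)
and contrasts it with a containment check on the resolved path.
"""
import posixpath
from typing import Optional

BASE_DIR = "/var/www/language"  # constructed: assumed directory holding the language files


def strip_once(lang: str) -> str:
    """Single-pass removal of '../', like PHP str_replace('../', '', $s)."""
    return lang.replace("../", "")


def strip_until_stable(lang: str) -> str:
    """Repeat the removal until no '../' remains.

    Closes the "..././" -> "../" gap, but still says nothing about where the
    final path actually points, so it is not the check to rely on."""
    while "../" in lang:
        lang = lang.replace("../", "")
    return lang


def vulnerable_resolve(lang: str) -> str:
    """What the filter amounts to: strip once, then join onto the base directory."""
    return posixpath.normpath(posixpath.join(BASE_DIR, strip_once(lang)))


def safe_language_path(lang: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Resolve the requested file and accept it only if it stays under base_dir.

    Uses posixpath.normpath on the joined path (purely lexical, so it runs
    offline); a real handler would use os.path.realpath to also resolve
    symlinks.  Returns the resolved path, or None when the request escapes."""
    if not lang or "\x00" in lang:
        return None
    resolved = posixpath.normpath(posixpath.join(base_dir, lang))
    # commonpath rejects "/var/www/language-evil" as well as "/etc/passwd".
    if posixpath.commonpath([base_dir, resolved]) != base_dir:
        return None
    return resolved


if __name__ == "__main__":
    payload = "..././..././logs/example.log"  # constructed traversal input
    print("strip_once      :", strip_once(payload))
    print("strip_until_stable:", strip_until_stable(payload))
    print("vulnerable_resolve:", vulnerable_resolve(payload))
    print("safe_language_path:", safe_language_path(payload))
```

The defensive point is that the pattern-based filter answers the wrong question: whether `../` appears in the input, rather than whether the resolved file lies inside the allowed directory. `safe_language_path` keeps the literal `..././...` request because, unstripped, it resolves to a harmless name under the base directory; it rejects the same input once the single-pass strip has turned it into real `../` segments.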



Intercepting the traffic with BurpSuite, I try to display the log file, into which the password for Natas26 has been written via the header I manipulated earlier...


Get the password and move on to level 26...

Natas26 looks like an image drawer, but that doesn't matter much until I look further into its code to seek out a vulnerable point...


The Logger class is probably unused...


The code contains unserialize() together with the magic method __destruct()... hence this might be vulnerable to PHP Object Injection...

I create a PHP file with a Logger class modeled on the original, with some amendments...
 


Executing the PHP file gives me the generated cookie value...



Intercepting the traffic with BurpSuite again, I insert the newly generated cookie value...

The next thing to do is to navigate to "/img/letmepass.php".


Got the password for the final level... Natas27...


Accessing Natas27 shows the congratulations message... :)

[WALKTHROUGH] OverTheWire - Natas11 - Natas20

This post is the sequel to my walkthrough of Natas0-Natas10...

Holding the key to access Level 11...



"Cookies are protected with XOR encryption" is the message shown by the page... so I guess something has to be done with the cookies... I proceed to the source code...


Simply enough, I can see that when the value of "showpassword" inside the "data" cookie evaluates to true, the page displays the password for the next level... so I have to understand the algorithm that produces the cookie, in order to set "showpassword" to "yes"...


The PHP code json_encodes the data, XOR-encrypts it and then base64-encodes it... so basically what I need to do is find the key used in the XOR step and reverse the whole process to generate a brand new cookie value...

From loadData(), I know that the decoding flow is:
base64_decode => xor_encrypt => json_decode

And it encodes the value before passing it on for verification using the flow:
json_encode => xor_encrypt => base64_encode


I obtain my cookie's data value through the BurpSuite proxy... and write a new PHP script to find out the key...


Since A XOR B = C implies C XOR B = A...

So I do it in reverse: base64-decode the "data" value, then apply the XOR step and json_decode...



Executing the PHP file returns the key, which is "qw8J" in repeated form...


I reproduce the cookie's data value with "showpassword" changed to "yes" and generate the required cookie value...
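The key recovery (C XOR P = K, since C = P XOR K) and the re-encoding step above, written out as an added Python example rather than the author's PHP script. The cookie layout (json_encode, XOR with a repeating key, base64) and the key "qw8J" are taken from the walkthrough; the default plaintext `{"showpassword":"no"}` is a constructed stand-in for the challenge's default data, used only to build a sample cookie to work on.

```python
"""Repeating-key XOR under a known plaintext, as in the Natas11 cookie.

Added example, not the challenge's PHP or the author's script.  The key
"qw8J" is the one recovered in the walkthrough; DEFAULT_DATA is a constructed
stand-in so the example can build its own sample cookie offline.
"""
import base64
import json
from itertools import cycle

KNOWN_KEY = b"qw8J"                     # from the walkthrough; used only to build the sample
DEFAULT_DATA = {"showpassword": "no"}  # constructed stand-in for the challenge's default data


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against the key repeated to length (the challenge's xor_encrypt)."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def encode_cookie(data: dict, key: bytes) -> str:
    """json_encode -> xor_encrypt -> base64_encode."""
    plain = json.dumps(data, separators=(",", ":")).encode()  # no spaces, like PHP json_encode
    return base64.b64encode(xor_bytes(plain, key)).decode()


def decode_cookie(cookie: str, key: bytes) -> dict:
    """base64_decode -> xor_encrypt -> json_decode."""
    return json.loads(xor_bytes(base64.b64decode(cookie), key))


def recover_key(cookie: str, known_plaintext: bytes) -> bytes:
    """C = P xor K, so C xor P gives the keystream; return its shortest period."""
    keystream = xor_bytes(base64.b64decode(cookie), known_plaintext)
    for period in range(1, len(keystream) + 1):
        candidate = keystream[:period]
        if (candidate * len(keystream))[: len(keystream)] == keystream:
            return candidate
    return keystream


def forge_cookie(cookie: str, known_plaintext: bytes, **changes) -> str:
    """Recover the key from one cookie/plaintext pair and re-encode with changed fields."""
    key = recover_key(cookie, known_plaintext)
    data = decode_cookie(cookie, key)
    data.update(changes)
    return encode_cookie(data, key)


if __name__ == "__main__":
    sample_cookie = encode_cookie(DEFAULT_DATA, KNOWN_KEY)        # what the server would hand out
    known_plain = json.dumps(DEFAULT_DATA, separators=(",", ":")).encode()
    print("recovered key:", recover_key(sample_cookie, known_plain))
    print("forged cookie decodes to:",
          decode_cookie(forge_cookie(sample_cookie, known_plain, showpassword="yes"), KNOWN_KEY))
```

The reason this works is the lesson of the level: XOR with a reused key gives no confidentiality once any plaintext is known, and gives no integrity at all. A cookie whose contents the server must trust needs an authenticated construction (for example an HMAC over the encoded data, verified before use), not a reversible transform with a fixed key.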


Replace the cookie using BurpSuite...



And the page returns the password for Level 12...


Natas12 allows me to upload a JPEG file... so I wonder whether I can upload some PHP code to `echo` the password... Again, I look into the source code through the provided link...


It seems the upload form is not sanitized... so I quickly upload a simple PHP backdoor file, which can be found in Kali Linux itself... while intercepting with BurpSuite at the same time...


I change the file name to "backdoor.php"... and forward the traffic... the page then returns a message that the upload was successful, with a link to the uploaded file... the uploaded filename is replaced with a randomly generated string... so I use the `cat` command to display the content of "/etc/natas_webpass/natas13" on the page itself...


Copy the password and I'm ready to move on to Natas13...


Natas13 is exactly the same as Natas12, except that Natas13 is smarter this time and limits the upload form to accept only image files...

However, every image file has its respective magic number at the front to identify itself as an image file rather than an mp3 or something else...

I simply take a screenshot and hex-dump the screenshot image file, which happens to be a PNG...


In the very first 8 bytes of the hex dump, we can see the magic number of a PNG file...

So, using the 8-byte magic number... I write a simple Python script to generate a new PHP backdoor that gets past the check...



I double-check the newly created PHP backdoor file and verify that it carries the PNG magic number...
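As a defender's complement to the magic-number observation above, here is an added Python example (not the challenge code and not the author's script) showing why a check on the leading 8 bytes accepts any file that merely starts with the PNG signature, and what a structural check that walks the PNG chunk list (length, type, data, CRC; IHDR first, IEND last, nothing trailing) does with the same input. The 1x1 PNG and the "signature followed by text" file are both constructed inline.

```python
"""Checking more than the 8-byte PNG signature.

Added example, not code from the challenge or the original post.  Compares
the weak signature-only check with a structural walk of the chunk layout.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # the 8-byte magic number seen in the hex dump


def has_png_signature(data: bytes) -> bool:
    """The weak check: only the first 8 bytes are inspected."""
    return data[:8] == PNG_SIGNATURE


def is_well_formed_png(data: bytes) -> bool:
    """Walk every chunk, verify each CRC, require IHDR first, IDAT present,
    IEND last, and no bytes after IEND."""
    if not has_png_signature(data):
        return False
    pos = 8
    types = []
    while pos + 12 <= len(data):               # minimum chunk: 4 len + 4 type + 4 crc
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_end = pos + 8 + length
        if body_end + 4 > len(data):           # declared length runs past the file
            return False
        if ctype == b"IHDR" and length != 13:  # IHDR is always 13 bytes
            return False
        (crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        if zlib.crc32(data[pos + 4:body_end]) != crc:  # CRC covers type + data
            return False
        types.append(ctype)
        pos = body_end + 4
        if ctype == b"IEND":
            break
    return (pos == len(data) and len(types) >= 3 and types[0] == b"IHDR"
            and b"IDAT" in types and types[-1] == b"IEND")


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk with its CRC (helper for the constructed sample)."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def minimal_png() -> bytes:
    """Constructed sample: a valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type 0
    idat = zlib.compress(b"\x00\x00")                    # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed sample: the PNG signature followed by bytes that are not chunk data.
SIGNATURE_ONLY = PNG_SIGNATURE + b"plain text, not PNG chunk data"


if __name__ == "__main__":
    for name, blob in (("real png", minimal_png()), ("signature only", SIGNATURE_ONLY)):
        print(f"{name:15} signature={has_png_signature(blob)} well_formed={is_well_formed_png(blob)}")
```

Even a structural check only establishes that the bytes parse as a PNG; it does not make it safe to let the web server execute the uploaded file. The upload handler also has to control the stored extension and serve uploads from a location where nothing is interpreted as code.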

I repeat the same steps as in the previous level through BurpSuite...



A message indicates that the file has been uploaded successfully, together with a new link to the uploaded PHP file...


Issuing the command through the URL executes it... and I go for the password located in "/etc/natas_webpass/natas14"...


And I get the password for the next level...


Natas14 requests a username and password... at first glance, I think this will be the SQL injection challenge...


Looking into the code itself proves that my hunch is right...



I log in successfully and am provided with the password for Natas15...


Natas15 only requests a username, unlike the previous level...


The code is able to tell whether a given user exists or not...

So basically, I can perform a blind SQL injection attack, which works like this... if my guessed password is correct and the user exists, it returns a true value, displayed as "This user exists"... otherwise it returns false...

Well, you get the idea... :)


However, instead of brute forcing it by hand, I try sqlmap here...

I know the username natas16 exists, I know the database type, I know the returned string, and I know the injection type...




After some automated attacks, SQLmap returns a few credentials found, including the credential for natas16...


Natas16 reminds me of Natas10... but I am sure this time the security will be even tighter...


The set of filtered characters has been extended... I use a simple Python script here...


After some time brute forcing the 32 characters... it returns the password for Natas17...


Again, Natas17 is similar to Natas15... so I will just let SQLmap do the job while I get on with my other daily tasks...

--data "username=natas18"
--dbms=MySQL
--technique=T (since this is a time-based blind SQL injection, it also means I have plenty of time for my other tasks...)



SQLmap does not disappoint me this time either, returning the credential for Natas18...


Natas18 requires an admin account in order to retrieve the credentials for Natas19... checking out the source code, I learn that the session IDs range from 0-640 and one of them belongs to the admin account... brute forcing with 641 attempts doesn't sound bad actually...



Grabbing the password and heading for the next level...


Natas19 tells me that this level uses mostly the same code as the previous level, but the session IDs are no longer sequential... so I try to find out the meaning behind this hint using BurpSuite again...



By decoding it, I see that the session ID has an extra "-admin" appended... so I can still reuse my previous code with a small amendment...



Running the Python code returns the password for Natas20...


Again, Natas20 requires an admin account in order to retrieve the credentials for Natas21... after analyzing the source code and checking BurpSuite... I know that the value of the "name" parameter is written to the session file... so I just have to create a new "admin" parameter with value "1"...


The password for the next level is returned on the page...

Stay tuned for the remaining levels up to level 27, which I have already completed... I just need some time to post them...