So, continuing straight away from where we left off:

Natas 5

Ok cool, so logging into natas 5 the site greets us with this message:

Access disallowed. You are not logged in

So my thought process was quite straightforward. How does a browser know whether someone is logged in, usually? Cookies! Let’s check out the cookies using the developer console again. Heading to the Storage tab and expanding the Cookies drop-down on the left, we see there is a cookie called “loggedin” and it has a value of 0.

Cool, so let’s change that value from 0 to 1 and refresh the page to see the changes.

Aw yeah, there’s our flag for natas 6:

aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

Natas 6

Alright, so natas 6 was pretty easy for me since it was all right in front of me. You’re presented with this page:

Seems like you just have to put the right value in to get the password, and conveniently there is a “View sourcecode” button on the right, so clicking that we get to see the source code!

So here is a snippet of the source code (the important bit). We see that it just checks the parameter ‘secret’ and, if it’s correct, shows us the password. So how does it get the secret value? The include statement. Let’s see if we can access it at http://natas6.natas.labs.overthewire.org/includes/secret.inc. Yep, we can, but it’s a blank page :(. Not to fear though, coming back to our roots, let’s check out this page’s source with Ctrl+U.

<?
$secret = "FOEIUWGHFEEUHOFUOIU";
?>

So we got the secret, but that’s not our password. We now need to input it in the original input box.

And there we go, there’s our password for natas7:

7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

Natas 7

Alrighty, I would say natas 7 ups the ante a little bit from the previous challenges. We are presented with a page with two links, ‘Home’ and ‘About’, with nothing interesting on either of these pages.

Great, hmm, let’s have a look at the source code to see if there is anything there we can use.

Interesting comment: it’s telling us that we can get the password from a file on the file system, rather than it being given to us. This gave me the idea of a Local File Inclusion (LFI). Looking at the URL of the webpage when we click a link, it is as follows:

http://natas7.natas.labs.overthewire.org/index.php?page=home

There is a page parameter there, and it seems to be retrieving the page based on whatever value that is set to. So what if I change it to the password file given in the comment above? So:

http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8

Aaaaaand

There it is: it read from that file and displayed its contents on the page, so the password for natas 8 is:

DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe

Natas 8

Moving on to natas 8, we are greeted with the same password prompt as natas 6. So let’s have a look at the source code and see what has changed.

<?
$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
        print "Access granted. The password for natas9 is <censored>";
    } else {
        print "Wrong secret";
    }
}
?>

Interesting, so the secret we need to input is stored encoded, and our input is run through the same encoding before it is compared with the stored value. The important line in this is:

 return bin2hex(strrev(base64_encode($secret)));

As this is where the encoding happens: it first base64-encodes the secret, reverses the string and then converts it to hex. So all we have to do is take the stored value and reverse that process, step by step and in reverse order.

Bin2Hex

Really simple: just head on over to https://www.asciitohex.com/, which is a super useful site for these conversions. Put the secret hex into the hex box and hit convert. The output that we want to grab is the Text (ASCII/ANSI) output, as it becomes a string: “==QcCtmMml1ViV3b”.

Strrev

If you look up this PHP function you can see that all it does is simply reverse the string, so using handy ol’ Python we can reverse it back to its original state using:

python -c "print('==QcCtmMml1ViV3b'[::-1])"

Run that on the command line and it outputs the string “b3ViV1lmMmtCcQ==”.

Base64_encode

So the last step needed to decode this is to decode the base64. Again heading to https://www.asciitohex.com/, putting our string in the base64 box and hitting convert, we get the secret in the ASCII box as “oubWYf2kBq”.
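The same three steps in code, as an added example that is not part of the original post: a Python port of the level’s encodeSecret() and its inverse, using the encoded value quoted in the natas 8 source above. Reversible encoding like this is obfuscation, not protection, so the value in the source is as good as the plaintext.

```python
import base64

# The encoded value taken from the natas8 source shown on the page.
ENCODED_SECRET = "3d3d516343746d4d6d6c315669563362"


def encode_secret(secret: str) -> str:
    """Python equivalent of PHP bin2hex(strrev(base64_encode($secret)))."""
    b64 = base64.b64encode(secret.encode()).decode()   # base64_encode
    reversed_b64 = b64[::-1]                           # strrev
    return reversed_b64.encode().hex()                 # bin2hex


def decode_secret(encoded: str) -> str:
    """Undo each step in reverse order: hex -> text, un-reverse, base64-decode."""
    reversed_b64 = bytes.fromhex(encoded).decode()     # inverse of bin2hex
    b64 = reversed_b64[::-1]                           # inverse of strrev
    return base64.b64decode(b64).decode()              # inverse of base64_encode


if __name__ == "__main__":
    secret = decode_secret(ENCODED_SECRET)
    print(secret)                                      # oubWYf2kBq
    # Round trip: re-encoding the recovered secret gives the stored value again.
    assert encode_secret(secret) == ENCODED_SECRET
```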

Ok cool, we have the secret, now we can input it into the text box.


Boom natas 9 password is:

W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl

Natas 9

Ok, so natas 9 is different to anything we have seen so far, so it probably needs a new technique. We are greeted with a “Find words containing” input box, which finds words in a dictionary that contain our input.

Another conveniently placed ‘View sourcecode’ button; let’s hit it and see what is going on.

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    passthru("grep -i $key dictionary.txt");
}
?>

So the interesting part here is that the code calls PHP’s passthru() function, which hands whatever string it is given to the system shell and executes it on the host machine; in this case that is grep, with our input dropped straight into the command unquoted. So this is fairly easy to exploit. All we have to do is stop the command early, insert our own command and then view the output on the screen.

Now it was useful to remember that the passwords for the natas levels are stored in /etc/natas_webpass/natas<x>, where <x> is the number of the level. We know this from the hint in natas8.

So, crafting our payload to send to the server, we use a ; to end the command early and input our own command.

; cat /etc/natas_webpass/natas10

And there she is, password for natas10:

nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

Natas 10

Ok cool, we are now in natas 10, double digits! Let’s see what we have here. We are presented with the same page as natas 9, except it says:

For security reasons, we now filter on certain characters

Oh boy, that probably means the semicolon we used last time won’t work again. Let’s look at the source code to see what has changed.

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i $key dictionary.txt");
    }
}
?>

Hmm, so preg_match runs a regex on our input which checks whether it contains any of these characters: ; | &.

Right, so basically it’s stopping us from ending the command early. We still control the search term part of the command, we just can’t use those characters. Well, the first thing I know about grep is that we can give it multiple files, so:

grep -i <search-term> <file1> <file2> ..

-i is just the flag that ignores case when searching. So my first thought was that we could simply pass in /etc/natas_webpass/natas11 as a second file, which would make grep search the password file too. But then how would we sift through all the other stuff in the dictionary? Looking at the previous passwords, you would notice that they are all 32 characters and contain lower-case and upper-case letters as well as numbers. NUMBERS! Words in the dictionary don’t contain numbers, so hopefully if our search term is just a number it will filter out all the words in the dictionary, and if that number is in the password it will show it. I started with 1, no luck; 2, nothing. I put in 8 and voilà, out she comes.

8 /etc/natas_webpass/natas11

Flag for natas 11:

U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK
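As an added example (not code from the original post or from OverTheWire), the Python below mirrors the natas 9 and natas 10 checks from a defender’s side: it shows that the `[;|&]` blacklist still lets the unquoted needle be split into extra grep arguments, and what a hardened search looks like (allowlisted input, argv list instead of a shell string, and `--` so the needle can never be parsed as an option or file). The dictionary and its words are constructed for the example.

```python
import re
import shlex
import subprocess
import tempfile

# Constructed stand-in for the level's dictionary.txt (assumption: one word per line).
DICTIONARY_WORDS = ["apple", "Banana", "cherry", "date"]

# The natas 10 check as quoted on the page: reject only ; | &
NATAS10_BLACKLIST = re.compile(r"[;|&]")
# What a defender should use instead: dictionary words are letters only.
NEEDLE_ALLOWLIST = re.compile(r"[A-Za-z]{1,32}")


def write_constructed_dictionary() -> str:
    """Write the constructed word list to a temp file and return its path."""
    tmp = tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False)
    tmp.write("\n".join(DICTIONARY_WORDS) + "\n")
    tmp.close()
    return tmp.name


def natas10_filter_accepts(needle: str) -> bool:
    """Mirror of preg_match('/[;|&]/', $key): True when the level lets the input through."""
    return NATAS10_BLACKLIST.search(needle) is None


def argv_seen_by_grep(needle: str) -> list[str]:
    """Word-split the string passthru() hands to the shell. $key is not quoted,
    so any whitespace inside it turns into additional arguments (extra files) for grep."""
    return shlex.split(f"grep -i {needle} dictionary.txt")


def hardened_search(needle: str, dictionary_path: str) -> list[str]:
    """Allowlist the needle, then run grep with an argv list (no shell involved)."""
    if not NEEDLE_ALLOWLIST.fullmatch(needle):
        raise ValueError("needle must be 1-32 letters")
    proc = subprocess.run(
        ["grep", "-i", "--", needle, dictionary_path],
        capture_output=True, text=True, check=False,  # exit status 1 just means no match
    )
    return proc.stdout.splitlines()
```

The blacklist accepts the page's "8 /etc/natas_webpass/natas11" input because it contains none of the three characters, while hardened_search() rejects it before anything is executed.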

Conclusion

So this concludes part 2 of my Natas journey. Click here to see the next part, part 3!
