6 July 2022

Pentesting Fun Stuff

following the cyber security path…

Natas

Introduction

Natas teaches the basics of server-side web security.
Each level of natas consists of its own website located at http://natasX.natas.labs.overthewire.org, where X is the level number. There is no SSH login. To access a level, enter the username for that level (e.g. natas0 for level 0) and its password.
Each level has access to the password of the next level. Your job is to somehow obtain that next password and level up. All passwords are also stored in /etc/natas_webpass/. E.g. the password for natas5 is stored in the file /etc/natas_webpass/natas5 and only readable by natas4 and natas5.

Start here:

Username: natas0
Password: natas0
URL: http://natas0.natas.labs.overthewire.org

Location

http://overthewire.org/wargames/natas/

Natas 0

hint: ‘You can find the password for the next level on this page.’
In the source code of the page is the password for the next level.

<!--The password for natas1 is gtVrDuiDfck831PqWsLEZy5gyDz1clto -->

Natas 1

hint: ‘You can find the password for the next level on this page, but rightclicking has been blocked!’
In the source code of the page is the password for the next level.

<!--The password for natas2 is ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi -->

Natas 2

hint: ‘There is nothing on this page’
In the source code of the page a 1×1 PNG image can be found. When opening the image in a browser, it is possible to go up one directory level and list the contents of the files/ directory, which contains users.txt.
http://natas2.natas.labs.overthewire.org/files/users.txt

# username:password
alice:BYNdCesZqW
bob:jw2ueICLvT
charlie:G5vCxkVV3m
natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
eve:zo4mJWyNj2
mallory:9urtcpzBmH

Natas 3

hint: ‘There is nothing on this page’
In the source code of the page is a comment that points to where the next password can be found (robots.txt, which lists the hidden s3cr3t/ directory).

<!-- No more information leaks!! Not even Google will find it this time... -->

http://natas3.natas.labs.overthewire.org/s3cr3t/users.txt

Natas 4

hint: ‘Access disallowed. You are visiting from “” while authorized users should come only from “http://natas5.natas.labs.overthewire.org/”’
The key here is the Referer header. There are several add-ons that can capture the HTTP request and alter it. I’m using Burp Suite to change the Referer from ‘natas4’ to ‘natas5’ and forward the request. This gives me the password for the next level.

Natas 5

hint: ‘Access disallowed. You are not logged in’
In the cookie, there is a ‘loggedin’ which is 0 at the moment. After changing it to 1, I get the password for the next level.

Natas 6

There is a ‘secret’ value required to pass the test. To know the secret I need to view the source code.

<?
include "includes/secret.inc";
if(array_key_exists("submit", $_POST)) {
    if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is <censored>";
    } else {
        print "Wrong secret";
    }
}
?>

So there is a folder (includes/) with the secret in it. After browsing to that folder and checking the source code of secret.inc, I get the secret. After submitting the secret, I get the password for the next level.

Natas 7

In the source there is a hint.

<!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->

When I look at the parameter ‘?page=’ and replace ‘home’ with the file path from the hint, I get the password for the next level.

Natas 8

There is a ‘secret’ value to be found. On the page is a link to the source code of the secret.

<?
$encodedSecret = "3d3d516343746d4d6d6c315669563362";
function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}
if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
        print "Access granted. The password for natas9 is <censored>";
    } else {
        print "Wrong secret";
    }
}
?>

It looks like the ‘secret’ string is encoded. Reading the code, the string was first base64-encoded, then reversed and finally hex-encoded. To view the ‘secret’ in plain text I simply need to apply the three steps in reverse order.

┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $echo '3d3d516343746d4d6d6c315669563362' | xxd -r -p | rev | base64 -d
oubWYf2kBq

When I submit the ‘secret’ string I get the password for the next level.

Natas 9

On this page there is a search form and a link to the source code of the search form.

<?
$key = "";
if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}
if($key != "") {
    passthru("grep -i $key dictionary.txt");
}
?>

The user input is passed unmodified into a grep command that searches the ‘dictionary.txt’ file, and the output is rendered on the page. Because there is no input validation, I can try to make grep show other files.
Because I know that all the passwords are stored in /etc/natas_webpass/, I can grep the correct file and get the password for the next level.

Natas 10

Same thing, only now with a filter. Checking the source code, the filter focuses on the characters ‘;’ and ‘&’. So when I try the same command as before, with a small adjustment (11 instead of 10), I get the password for the next level.
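As an added example (not from the post or from Natas), this is the hardened counterpart of the natas9 call passthru("grep -i $key dictionary.txt"), written in Python against a constructed word list: the search term is checked against an allowlist and then passed as its own argv element, so no shell ever parses it. That combination is the fix to reach for, rather than the natas10 approach of rejecting a few characters such as ‘;’ and ‘&’.

```python
import re
import subprocess
import tempfile
from pathlib import Path
from typing import List

# Constructed sample standing in for natas9's dictionary.txt.
SAMPLE_WORDS = "african\nalpha\nAlphabet\nbeta\nzulu\n"

# Allowlist: the page searches a word list, so a term needs nothing beyond
# letters. Anything else is rejected before a process is even started.
TERM_RE = re.compile(r"^[A-Za-z]{1,40}$")


def safe_grep(term: str, dictionary: Path) -> List[str]:
    """Hardened equivalent of passthru("grep -i $key dictionary.txt").

    Two independent defences: the allowlist above, and argv passing with
    no shell, so ';', '&', '|' or quotes in the term can never start a
    second command. The '--' stops a term such as '-r' being read as an
    option by grep.
    """
    if not TERM_RE.fullmatch(term):
        raise ValueError("search term must be 1-40 letters")
    proc = subprocess.run(
        ["grep", "-i", "--", term, str(dictionary)],
        capture_output=True, text=True, check=False,
    )
    # grep exits 1 when nothing matches; only 2 and above signal an error.
    if proc.returncode > 1:
        raise RuntimeError(proc.stderr.strip())
    return proc.stdout.splitlines()


def write_sample_dictionary() -> Path:
    """Write the constructed word list to a temp file and return its path."""
    tmp = tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False)
    tmp.write(SAMPLE_WORDS)
    tmp.close()
    return Path(tmp.name)


if __name__ == "__main__":
    words = write_sample_dictionary()
    print(safe_grep("alpha", words))   # ['alpha', 'Alphabet']
```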

Natas 11

An input field to adjust the background color and a link to the source code.

<?
$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");
function xor_encrypt($in) {
    $key = '<censored>';
    $text = $in;
    $outText = '';
    // Iterate through each character
    for($i=0;$i<strlen($text);$i++) {
        $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }
    return $outText;
}
function loadData($def) {
    global $_COOKIE;
    $mydata = $def;
    if(array_key_exists("data", $_COOKIE)) {
        $tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE["data"])), true);
        if(is_array($tempdata) && array_key_exists("showpassword", $tempdata) && array_key_exists("bgcolor", $tempdata)) {
            if (preg_match('/^#(?:[a-f\d]{6})$/i', $tempdata['bgcolor'])) {
                $mydata['showpassword'] = $tempdata['showpassword'];
                $mydata['bgcolor'] = $tempdata['bgcolor'];
            }
        }
    }
    return $mydata;
}
function saveData($d) {
    setcookie("data", base64_encode(xor_encrypt(json_encode($d))));
}
$data = loadData($defaultdata);
if(array_key_exists("bgcolor",$_REQUEST)) {
    if (preg_match('/^#(?:[a-f\d]{6})$/i', $_REQUEST['bgcolor'])) {
        $data['bgcolor'] = $_REQUEST['bgcolor'];
    }
}
saveData($data);
?>
<h1>natas11</h1>
<div id="content">
<body style="background: <?=$data['bgcolor']?>;">
Cookies are protected with XOR encryption<br/><br/>
<?
if($data["showpassword"] == "yes") {
    print "The password for natas12 is <censored><br>";
}
?>
<form>
Background color: <input name=bgcolor value="<?=$data['bgcolor']?>">
<input type=submit value="Set color">
</form>

So the code takes ‘data’, first JSON-encodes it, then XOR-encrypts it with a secret key and finally base64-encodes it. The result is stored in the ‘data’ cookie, and the cookie is read back by applying the same steps in reverse. ‘Data’ has two values: bgcolor and showpassword. If ‘showpassword=yes’ then I get the password. So I need to alter the cookie, which means I need the XOR key.
Luckily XOR is easily reversed if you have two of the three values (plaintext, key, ciphertext). In this case I have the ciphertext (the cookie) and the plaintext (the default data).
For this I take the code from the site and alter it a little bit.

<?php
function xor_encrypt($text) {
    $key = base64_decode('ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw=');
    $outText = '';
    for($i=0;$i<strlen($text);$i++) {
        $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }
    return $outText;
}
$data = array("showpassword"=>"no", "bgcolor"=>"#ffffff");
print xor_encrypt(json_encode($data));
?>

When I run it in the terminal I get the key.

┌─[n13mant@planetmars]─[~/Desktop]
└──╼ $php natas11.php
qw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jq

Now to test if it’s really the key.

<?php
function xor_encrypt($text) {
    $key = 'qw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jq';
    $outText = '';
    for($i=0;$i<strlen($text);$i++) {
        $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }
    return $outText;
}
$data = array("showpassword"=>"no", "bgcolor"=>"#ffffff");
print base64_encode(xor_encrypt(json_encode($data)));
?>

┌─[n13mant@planetmars]─[~/Desktop]
└──╼ $php natas11_encrypt.php
ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw=

That looks like my cookie. Now to alter ‘showpassword=no’ to ‘showpassword=yes’ and run it again.

┌─[n13mant@planetmars]─[~/Desktop]
└──╼ $php natas11_encrypt.php
ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMM

Now to change my cookie in the browser and refresh the page.
And the password is presented: EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3
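The known-plaintext step above, as an added Python example that is not the post's own script: it recovers the keystream from the default cookie, reduces it to its shortest repeating unit (the keystream the post prints repeats every four bytes) and forges the showpassword=yes cookie from that unit. The period matters because the forged JSON is one byte longer than the known plaintext, so the 42nd byte must be encrypted with the fourth key byte rather than by restarting the 41-byte keystream.

```python
import base64
import json

# Values taken from the natas11 walkthrough above: the cookie the site set
# for the default data, and the default data itself.
KNOWN_COOKIE = "ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw="
DEFAULT_DATA = {"showpassword": "no", "bgcolor": "#ffffff"}


def php_json_encode(data: dict) -> bytes:
    """Match PHP json_encode() output for this flat array: no whitespace."""
    return json.dumps(data, separators=(",", ":")).encode()


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Same loop as the site's xor_encrypt(): the key repeats over the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_keystream(cookie_b64: str, plaintext: bytes) -> bytes:
    """Known-plaintext attack: ciphertext XOR plaintext is the keystream."""
    ciphertext = base64.b64decode(cookie_b64)
    if len(ciphertext) != len(plaintext):
        raise ValueError("cookie and guessed plaintext differ in length")
    return xor_bytes(ciphertext, plaintext)


def shortest_period(stream: bytes) -> bytes:
    """Shortest prefix that regenerates the whole keystream when repeated."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream  # not reached: n == len(stream) always matches


def forge_cookie(key: bytes, data: dict) -> str:
    """Encode data exactly as saveData() does: json -> xor -> base64."""
    return base64.b64encode(xor_bytes(php_json_encode(data), key)).decode()


def decode_cookie(key: bytes, cookie_b64: str) -> dict:
    """Mirror of loadData(): base64 -> xor -> json."""
    return json.loads(xor_bytes(base64.b64decode(cookie_b64), key))


if __name__ == "__main__":
    stream = recover_keystream(KNOWN_COOKIE, php_json_encode(DEFAULT_DATA))
    key = shortest_period(stream)  # b"qw8J"
    forged = forge_cookie(key, {"showpassword": "yes", "bgcolor": "#ffffff"})
    print(key, forged, decode_cookie(key, forged))
```

Decoding the forged cookie with the same key must give valid JSON with showpassword set to yes; that round trip is the check to run before replacing the cookie in the browser.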
To be continued….
