Overthewire : Natas : 11 - 20
21 September, 2020
A brief writeup of solving the Overthewire War Game Natas, levels 11 through 20
10 ➜ 11
- Well, some characters are escaped this time, but that's not enough to stop us
- Try this
'' /etc/natas_webpass/natas11 #
11 ➜ 12
- The source code will tell you what algorithm is being used
- That algorithm is susceptible to a plaintext attack
- A XOR attack works like this
plaintext ⊕ key = encrypted_text
encrypted_text ⊕ plaintext = key
encrypted_text ⊕ key = plaintext
- Find the key using the default data and the default cookie
- Now modify the data as you need
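As an added illustration of the three XOR relations above (example code, not from the original writeup; the key and the JSON-like data are constructed for the demo), this recovers a repeating XOR key from one known plaintext/ciphertext pair and then reuses it to decrypt, which is exactly why a reused XOR key gives neither confidentiality nor integrity:

```python
from itertools import cycle


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """encrypted_text XOR plaintext = key (the keystream that was applied)."""
    if len(plaintext) != len(ciphertext):
        raise ValueError("known plaintext and ciphertext must be the same length")
    return xor_bytes(plaintext, ciphertext)


def shortest_period(stream: bytes) -> bytes:
    """Shortest repeating unit of the recovered keystream.

    A repeating-key XOR leaks its key as a periodic pattern. If the known
    plaintext is shorter than the key, only a prefix of the key is recovered.
    """
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def repeating_key_xor(data: bytes, key: bytes) -> bytes:
    """Encrypt/decrypt with a repeating key (the weak scheme under discussion)."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


# Constructed demo values, not Natas's real key or cookie.
DEMO_KEY = b"qw8J"
KNOWN_PLAINTEXT = b'{"theme":"light","admin":"no"}'
CIPHERTEXT = repeating_key_xor(KNOWN_PLAINTEXT, DEMO_KEY)


def demo():
    """Recover the key from the known pair, then decrypt with it."""
    keystream = recover_keystream(KNOWN_PLAINTEXT, CIPHERTEXT)
    key = shortest_period(keystream)
    decrypted = repeating_key_xor(CIPHERTEXT, key)
    return key, decrypted


if __name__ == "__main__":
    print(demo())
```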
12 ➜ 13
- Notice which part of the input isn't paid attention to in the code
- Manipulate the HTML to use that part to your advantage and simply print out the password
- PHP will work
13 ➜ 14
- Read about the function being used to validate the input data.
- A list of file types and their initial bytes is available here
- PHP to the rescue again...
14 ➜ 15
- Straight-forward ______ injection
15 ➜ 16
- Straight-forward ______ ______ injection
- Remember, passwords consist of 32 alphanumeric characters
- Fuzzy matching strings to specific patterns can require some specific words...
- Very good write-up about blind SQL injection
16 ➜ 17
- Fuzzy matching again, but this time with `grep`
- `$()` to run commands is still allowed, so let's take advantage of that
- Find a word that exists in the file, say xyz. It has to be an absolute word.
- Now the trick is to `grep` the password file for a part of the password, prepend it to the actual word and give the whole as an input.
- If the grep returns something, the searched string would become abc\ xyz, something that doesn't exist in the actual file being queried using `grep`.
- This one was a bit tricky, so feel free to spend a lot of time on it.
17 ➜ 18
- You can see the query if `debug=true`, but that won't be of much use.
- PHP's `mysql_result()` doesn't really report any errors, just a boolean depending on whether the query executed successfully; no use since the result wasn't visible.
- After a couple of trials, triggering time delays was the answer.
- Be careful to monitor the status of the HTTP request instead of elapsed time.
18 ➜ 19
- Two words, brute force...
19 ➜ 20
- Well, it isn't incremental now...
- A lot of trial and error with CyberChef; turns out it was a hex-encoded ASCII string
- Brute force again...