
OverTheWire Natas

March 23, 2021 | CTF

Natas


Starting point: https://overthewire.org/wargames/natas/

Important: For each challenge a file /etc/natas_webpass/<username> exists. It contains the password for the next level. Thus many natasX challenges boil down to somehow reading the file /etc/natas_webpass/natas$(X+1).


Natas 0

  • View Source -> Copy Password
  • Flag: gtVrDuiDfck831PqWsLEZy5gyDz1clto


Natas 1

  • Prepend view-source: to the URL -> Copy Password
  • Flag: ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi


Natas 2


Natas 3


Natas 4


Natas 5

  • Change the value of the loggedin cookie to the value 1 and reload the page.
  • Flag: aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1


Natas 6

  • As shown in the source, the secret is included from includes/secret.inc
  • .inc files are not handled by PHP on this server, so the file is served as plain text and its source is readable
  • Go to
    view-source:http://natas6.natas.labs.overthewire.org/includes/secret.inc
  • Secret: FOEIUWGHFEEUHOFUOIU
  • Flag: 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9


Natas 7


Natas 8

  • Get the encoded secret from the source code
  • Convert it from hex
  • Reverse it
  • Convert it from base64
  • CyberChef Recipe
  • Flag: W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl


Natas 9

  • The search term is not escaped in the call to passthru
  • Arbitrary commands can be executed using ; <command> #
  • Searching for ; cat /etc/natas_webpass/natas10 # gives the password
  • Flag: nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu


Natas 10

  • We can't insert ; anymore (it is filtered)
  • We can instead modify the grep command to read our flag: .* /etc/natas_webpass/natas11 #
  • This results in grep -i .* /etc/natas_webpass/natas11 # ..., which matches any characters in the file containing our password
  • Flag: U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK


Natas 11

  • Run a known-plaintext attack on your cookie by XOR'ing the cookie with
    json_encode(array("showpassword"=>"no", "bgcolor"=>"#ffffff"))
  • The XOR key is qw8J
  • XOR encrypt the following using that key:
    json_encode(array("showpassword"=>"yes", "bgcolor"=>"#ffffff"))
  • The result should be
    ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK
  • Flag: EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3


Natas 12

  • Prepare a PHP file which reads and echoes /etc/natas_webpass/natas13
  • Change the filename to end with .php
  • Upload your PHP file
  • Navigate your browser to the PHP file on the server to retrieve the flag
  • Flag: jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY


Natas 13

  • Prepare a PHP file which reads and echoes /etc/natas_webpass/natas14
  • Prepend the 8 bytes 89 50 4e 47 0d 0a 1a 0a (PNG header)
  • The PNG header makes the MIME check treat the file as an image, while Apache still executes it as PHP later
  • Upload the file with a .php extension
  • Open your PHP file to retrieve the flag
  • Flag: Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1


Natas 14

  • Enter a as the username
  • Enter " OR "1"="1 as the password
  • The resulting SQL statement is SELECT * from users where username="a" and password="" OR "1"="1", which is true for every row
  • You get the flag
  • Flag: AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J
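The following is an added example, not part of the original writeup, showing why the Natas 14 login accepts the payload above and how a parameterised query stops it. It runs against a constructed in-memory SQLite table (not the Natas database) and uses single quotes instead of the double quotes of the original MySQL statement, because SQLite only treats double-quoted strings as literals through a legacy fallback.

```python
import sqlite3

# Constructed sample database for the demo: one user with a placeholder password.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('natas15', 'password-placeholder')")
    return conn

def vulnerable_query(username, password):
    # The Natas 14 style of building the statement: user input is glued into the
    # SQL text, so quote characters in the input become part of the SQL grammar.
    return f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"

def vulnerable_login(conn, username, password):
    # Executes the concatenated statement. With password = ' OR '1'='1 the WHERE
    # clause becomes (username='a' AND password='') OR '1'='1', which is always true.
    return conn.execute(vulnerable_query(username, password)).fetchall()

def safe_login(conn, username, password):
    # Parameterised statement: the driver passes the values separately from the SQL
    # text, so the same payload is compared literally against the stored password.
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print(vulnerable_query("a", payload))
    print("vulnerable:", vulnerable_login(db, "a", payload))   # returns every row
    print("safe:      ", safe_login(db, "a", payload))         # returns nothing
```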


Natas 15

  • You can check whether a user exists
  • The user natas16 exists
  • The flag is presumably that user's password
  • Using SQL injection one can brute-force the password one character at a time
  • Flag: WaIHEacj63wnNIBROHeqi3p9t0m5nhmh
  • Python example (builds the username field for one guess of the password prefix):

```python
"{}\" AND (BINARY SUBSTR(password, 1, {}) = \"{}\") AND \"\"=\"".format(user, len(pw), pw)
```


Natas 16

  • You can inject a command using aaa$(whoami)
  • You cannot get output from the script
  • You can write to /tmp/
  • Using the injection aaaa$(cat /etc/natas_webpass/natas17 > /tmp/lolplsno.txt) writes the flag to /tmp/lolplsno.txt
  • The flag can then be read using the full command injection from Natas 9
  • Flag: 8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw