OverTheWire Natas Wargame Solutions 7-10

Let’s continue our progression through the Natas wargame server. The challenges ahead are slightly more difficult than the previous challenges which is why I chose to break where I did. Nevertheless, they are not impossible. Some entry level knowledge of PHP would go a long way here. Examine my solutions below:

Natas 6->7

Here we have an insecure PHP login form. Looking at the source, we can see that whatever we enter as the input secret is being compared to variable $_POST, within the PHP script. We also see the file “include/secret.inc is mentioned. We can tac that on to the end of our URL to see what it contains. Immediately, we will see it holds the secret variable “FOEIUWGHFEEUHOFUOIU”. Our script uses this variable to compare the input secret to, which means it is our password. Remember you need to change the URL to Natas7 to get access.

FOEIUWGHFEEUHOFUOIU

 

Natas 7->8

Now we are presented with a very nondescript web page containing two tabs, home and about. If we travel to the about page, and examine the source, we see a huge clue. It’s an HTML comment telling us that the password is held in /etc/natas_webpass/natas8. Awesome. But if you tac it on to the end of the URL like we have previously been doing it will not redirect you there. You need to tac it on the end of the”page=” variable.

http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8

DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe

Natas 8->9

Moving along we come across another PHP login form. Viewing the source we something that should catch your interest, the variable: $encodedSecret = “3d3d516343746d4d6d6c315669563362”;. This is going to be our password, insecurely stored, but encoded nevertheless. It is encoded with the function “encodeSecret” shown below.

Natas 8
The script Base64 encodes the secret->reverses that->then calls bin2hex() on that. We can actually use this script, in reverse order to get our secret. Create the script in a .php file like so:

<!--?php echo base64_decode(strrev(hex2bin("3d3d516343746d4d6d6c315669563362"))); ?-->

There are a couple of ways to run the script. If you are on some Linux flavor, and have PHP installed. You can run it inside your shell like this:

 php -f natas8.php

Or, if you have some web server like XAMPP or Apache/HTTPD installed, you can throw the script in /htdocs and simply navigate to the script. You will see the password as soon as you land on the page. It’s worth noting having a local web server is useful for many reasons.

oubWYf2kBq

Natas 9->10

Natas 9 presents us with a search form. Examining the source code, we see another PHP script.

Natas10

 

 

 

 

 

We are not concerned with the fact that the form searches a dictionary file called dictionary.txt. Rather, we are interested in the fact the search form executes commands on the server. So, how can we leverage this?

We see that the script is greping the dictionary file. A little known fact about executing commands in this fashion is that we can chain commands together by using the shell command separator ;. Thinking back to Natas 7, we learned that the passwords are stored in /etc/natas_webpass/respectiveLevel. Let’s construct a chained command using this knowledge:

grep -i ; cat /etc/natas_webpass/natas10 # dictionary.txt

We used an additional argument in our command chain, the # operator.  That is used to comment anything after that operator. Thus, restricting our search to only /etc/natas_webpass/natas10. Finally, we are presented with our password:

nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s