Wednesday, 24 September 2014

Wargames - Natas 02


Recommended reading:

Using the credentials discovered in the previous challenge, let's log in to this third one.

We head over to http://natas2.natas.labs.overthewire.org and once again see a very simple webpage with nothing to interact with; we're even told "There's nothing on this page". I hope you already know the drill: time to take a look at the source code:
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas2", "pass": "ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi" };</script></head>
<body>
<h1>natas2</h1>
<div id="content">
There is nothing on this page
<img src="files/pixel.png">
</div>
</body></html>
This time around, things are not so obvious. Looking at the body of the page, however, there's an img tag that links to a 1x1 PNG image. The image itself is not very revealing; what we're interested in here is its link. It sits under a directory called files, so let's head to http://natas2.natas.labs.overthewire.org/files/. Looks like there's a users.txt file. Shall we open it?
1
2
3
4
5
6
7
# username:password
alice:BYNdCesZqW
bob:jw2ueICLvT
charlie:G5vCxkVV3m
natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
eve:zo4mJWyNj2
mallory:9urtcpzBmH
That wasn't so hard after all. Looking at line 5 of this file, we can see the password we're looking for.

User natas3
Password sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14

In this challenge we took advantage of directory listings. I recommend you read the provided link, which explains in detail what they are. This type of exploitation results from poorly configured HTTP servers.
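To check a server you run for the same misconfiguration, the helpers below (an added example, not part of the original post) list the same-host directories a page's assets live under and recognise a server-generated index page by its title. The function names, the example.test host and the sample bodies are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import posixpath
import re


class _AssetRefs(HTMLParser):
    """Collect src/href attribute values from a page."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                self.refs.append(value)


def asset_directories(page_url, html):
    """Return same-host directory URLs that the page's assets live under."""
    parser = _AssetRefs()
    parser.feed(html)
    host = urlsplit(page_url).netloc
    dirs = set()
    for ref in parser.refs:
        parts = urlsplit(urljoin(page_url, ref))
        if parts.netloc != host:
            continue  # asset served by another host, not this server's config
        directory = posixpath.dirname(parts.path)
        if directory not in ("", "/"):
            dirs.add(f"{parts.scheme}://{host}{directory}/")
    return sorted(dirs)


# Title that Apache mod_autoindex and nginx autoindex put on generated listings.
_LISTING_TITLE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)


def is_directory_listing(body):
    """True when a response body looks like a server-generated index page."""
    return bool(_LISTING_TITLE.search(body))


# Constructed sample inputs (not captured from a real server).
SAMPLE_PAGE = ('<html><head><link rel="stylesheet" href="http://cdn.example.test/a.css" />'
               '</head><body><img src="files/pixel.png"></body></html>')
SAMPLE_LISTING = "<html><head><title>Index of /files</title></head><body></body></html>"
SAMPLE_403 = "<html><head><title>403 Forbidden</title></head><body></body></html>"
```

Any directory this flags on your own server should have auto-indexing turned off (Apache `Options -Indexes`, nginx `autoindex off;`), and a file like users.txt should not sit under the web root at all.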

Never Settle,
