Nasta Solutions 0-10

###### tags: `overthewire` `tutorials` `Natas` `CTF` `hacking` `easy` `overthewire` `0-10` # Nasta Solutions 0-10 ## Natas 0 The level is really simple, the prompt say that you can find the password on this page. If you right click to view the page source you can find the password there. This can also be achieved through pressing *Ctrl+U*, handy shortcut. One can also go full hackerman and do inspect elment to view the source in order to retrive the password. ## Natas1 This level is similar to natas level 0, in this the makes have disabled the right click fucntionality. ### Intended Solution 1. The intended solution is to use shortcut *Ctrl+U* or use developer's tools with shortcut *Ctrl+Shift+i* to view the source. 1. You could also use the python script similar to one used in first challange. ### Unintended Solution But Due to poor of the implementation the disable right click feature only works if you right click inside the white box. One can *Right-Click* anywhere outside the white box to view the page source. ## Natas2 The prompt on the page says ``There is nothing on this page`` On viewing the source of the page you see there is a image inlcuded in the source as *files/pixel.png* lets examine the *files* folder in the source. To open the folder we append the url as:- http://natas2.natas.labs.overthewire.org/files/ Nice! we see the user.txt, opening which gives us the password for the level 3 ## Natas3 Inside the page source you will find a comment that will say: ```` Since it hinted towards not even google finding it, so i thought about robots.txt file that is used to keep search engines out. Thus going to **http://natas3.natas.labs.overthewire.org/robots.txt** shows us a disallowed entry. ``` User-agent: * Disallow: /s3cr3t/ ``` Going to that directory gives us our password for the next challenge. ## Natas 4 The prompt here says *Access disallowed. You are visiting from ``` while authorized users should come only from "http://natas5.natas.labs.overthewire.org/"* ``` This means all we have to do in order to gain access is add a header to the request. It can be achieved by capturing the request with burpe and editing the header or we can use the python script. So capture the request in BurpSuite and edit the **Referer** header in the proxy tab and send the request. ![burpe](https://github.com/not-duckie/natas_solutions/raw/master/images/image.png) I have written a python script for it. You can take a look it [here](https://github.com/not-duckie/natas_solutions/blob/master/natas4/natas4.py) ## Natas 5 We get a prompt that says *Access disallowed. You are not logged in*, to further investigate we could either user burpe to intercept the request and analyze it but we are using python for all the solutions so we inspect element to see the sent out requests and then a write suitable python requests. 1. Press *Ctrl+Shift+i* to open developer tools and click on *Networking* tab and then click on *ALL* (exactly below the network tab) to see all the requests. 1. Click on the request to select the GET request and then on right side click on *headers* tab. 1. On analyzing the headers we see a weird set-cookie *loggedin=0*, the set-cookie is the header in the response tag saying to set the cookie to this so the server could identify us as not logged in. 1. But we are hackerman :P we will do somewhat opposite of that, we will add that cookie but set it value to 1 or any other number other than zero I have written a python script for [it](https://github.com/not-duckie/natas_solutions/blob/master/natas5/natas5.py) . ## Natas 6 The Page has a *Input secret* field, we see the source code for the form enumerations, ``` <? include "includes/secret.inc"; if(array_key_exists("submit", $_POST)) { if($secret == $_POST['secret']) { print "Access granted. The password for natas7 is <censored>"; } else { print "Wrong secret"; } } ?> ``` It takes the value of variable secret via a POST request i.e *$_POST['secret'])* and prints the password for the next level if it matches the variale $secret. So we go to *include/secret.inc* to see what is the value of variable *$secret*. When we open the *http://natas6.natas.labs.overthewire.org/includes/secret.inc* page we see blank page, so we press *Ctrl+U* to view the page source and we see the value of $secret i.e **FOEIUWGHFEEUHOFUOIU**. So we enter the value and get the password for the next level. ## Natas 7 When you see the webpage there nothinh on the page except *Home* and *About*, on click them them nothing happens, but if you see it carefully you observe that the url changes a bit. ### URL A Uniform Resource Locator, colloquially termed a web address, is a reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it.* ![url-parts](https://proxy.duckduckgo.com/iu/?u=https%3A%2F%2Fqph.fs.quoracdn.net%2Fmain-qimg-942ef9fd07d745fbc4f692c83e2ef496&f=1). Arguments can be passed to the webpage with the help of **?** parameter. Here in the challenge we see that the url *http://natas7.natas.labs.overthewire.org/index.php?page=home* is showing whatever the is being passed as t argument to the *page* parameter to the url. If not implemented properly this is know as *LFI (Local File Inclucsion)* vulnerability. So we give it a go and try to print the contents of /etc/passwd to confirm the vlun. we edit the url to be, *http://natas7.natas.labs.overthewire.org/index.php?page=/etc/passwd*. ![1.png](https://github.com/not-duckie/natas_solutions/raw/master/natas7/images/1.png) we get the contents of the /etc/passwd, it is vlunerable LFI. On examining the source we see that the password is stored in the path */etc/natas_webpass/nata8*, thus we append the url and get our passwd, ``` http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8 ``` ## Natas 8 In this level similar to previous level we get to enter a password which will be checked by the server and on the basis of which it will permit the entry. When we view the source code we get: ``` <? $encodedSecret = "3d3d516343746d4d6d6c315669563362"; function encodeSecret($secret) { return bin2hex(strrev(base64_encode($secret))); } if(array_key_exists("submit", $_POST)) { if(encodeSecret($_POST['secret']) == $encodedSecret) { print "Access granted. The password for natas9 is <censored>"; } else { print "Wrong secret"; } } ?> ``` The php code takes the user submitted string encode it, and if it matches the *$enocdedSecret* , we will get the password for next level. So lets decode the **\$enocdedSecret**, we will do exactly the reverse of ``` bin2hex(strrev(base64_encode($secret))) ``` I'll will use php to decode it in order to solve this. we will be doing exact reverse of the mentioned function in php ``` <?php $nice = '3d3d516343746d4d6d6c315669563362'; echo base64_encode(strrev(hex2bin('$nice'))); ?> ``` ## Natas 9 The natas9 level starts with a prompt saying *Find words containing:* on examing the source code: ``` <? $key = ""; if(array_key_exists("needle", $_REQUEST)) { $key = $_REQUEST["needle"]; } if($key != "") { passthru("grep -i $key dictionary.txt"); } ?> ``` we see that its basically doing a grep command in bash to get all the words from a file called *dictionary.txt*. All we have to do is make it print contents of */etc/natas_webpass/natas10* to get to next level. we can use some regular expressions to solve it. I used the following command to solve it: ``` "^" /etc/natas_webpass/natas10 # ``` Here we are injecting user controlled variable and essentially making the resulting command to be: ``` grep -i "^" /etc/natas_webpass/natas10 #dictionary.txt ``` 1. \# -> this in bash in is comment 1. ^ -> this is regex and meaning any word or string that starts, essentially meaning all the words or strings. I have written a python script to do the essentially the same. You can find it [here](https://github.com/not-duckie/natas_solutions/blob/master/natas9/natas9.py) ## Natas10 Natas level 10 starts similar to the previous level, it prompts us with **Find words containing:** but we notice a new statement here **For security reasons, we now filter on certain characters**, lets view the source code: ``` <? $key = ""; if(array_key_exists("needle", $_REQUEST)) { $key = $_REQUEST["needle"]; } if($key != "") { if(preg_match('/[;|&]/',$key)) { print "Input contains an illegal character!"; } else { passthru("grep -i $key dictionary.txt"); } } ?> ``` Now a new filter has been added, but the character we used in previous challenges are not being filter, so lets us try the same injection. ``` "^" /etc/natas_webpass/natas10 # ``` we get the password, i guess there was a simpler solution of the previous challenge that we did'nt see.