Skip to main content

9 posts tagged with "natas"

View All Tags

Natas Level 8

Shubham
Cybersecurity Enthusiast

Natas 8

Solution

okay so the first thing that will come to our mind while visiting the page will be clicking that View sourcecode button.
when you will visit that page you will find an encoded secret, you have to decode it
but we are given a function in php to encode secret ... so to decode it we will implement that in reverse order

function encodeSecret($secret) {
return bin2hex(strrev(base64_encode($secret)));
}

bin2hex(strrev(base64_encode($secret)) produced 3d3d516343746d4d6d6c315669563362
reverse these steps to get the secret

make sure you have php installed on your pc/laptop ... then execute following commands.

shubhamdchhatbar@shubhams-MacBook-Air ~ % php -a
Interactive shell

php > echo base64_decode(strrev(hex2bin('3d3d516343746d4d6d6c315669563362')));
oubWYf2kBq
php >

submit this oubWYf2kBq and you will get password for natas 9

`

Natas Level 9

Shubham
Cybersecurity Enthusiast

Natas 9

Solution

first thing you are likely to click here is View sourcecode

there you will see something like this

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
$key = $_REQUEST["needle"];
}

if($key != "") {
passthru("grep -i $key dictionary.txt");
}
?>

here passthru() function is used ... read more about it on https://www.php.net/manual/en/function.passthru.php#127699

since passthru is there we can use command injection ...
basically it is an attack which executes the arbitrary commands on the host operating system via a vulnerable application ... read OWASP Command Injection for more information.

in Find words containing search box
write ;ls -a you will see the files now on the official website it is given that password can be found on etc/natas_webpass/natas*

so we will execute the command ; cat /etc/natas_webpass/natas10; and will get the password for natas 10
`

Natas Level 2

Shubham
Cybersecurity Enthusiast

Natas 2

so in this level you will see there is nothing in the html, css and js when you inspect the element ... so we got the hint from there, that there a folder named files by looking at the line <img src="files/pixel.png>

so now we will navigate to the files by adding /files in the end
there you will see users.txt
in that you will find password for natas 3

`

Natas Level 3

Shubham
Cybersecurity Enthusiast

Natas 3

Theory

Today’s internet is indexed by search-engine crawlers, such that Google and Co know what content exists on websites to improve search engine results. The robots.txt file exists on servers to tell these crawlers and other web bots, which part of the website can be visited. It allows defining a user-agent aka for what specific bot the rules should be, and which page of the website the user-agent is not allowed to visit.

User-agent: Googlebot
Disallow: /nogooglebot/

User-agent: *
Allow: /

Sitemap: https://www.example.com/sitemap.xml

Here, for all crawlers/bots the whole website can be visited, except Google’s crawler, which cannot visit the ’nogooglebot’ directory. Also noticeable is the sitemap link. A sitemap is another file to give web crawlers information about the website. It is important to be aware that the ‘robots.txt’ file does NOT serve a security purpose. The disallowed pages can still be visited and might still show up in search engines. Read more about this file in the (Google Developer Docs)[https://developers.google.com/search/docs/crawling-indexing/robots/create-robots-txt].

Solution

Opening the website and looking at the source code, we can find a comment, which gives us a hint: .

This sound like the robots.txt file, I explained in the theory section. Navigating to the site: http://natas3.natas.labs.overthewire.org/robots.txt reveals that the file exists and it shows a disallowed path. Navigating to this path, again leads to a public directory with a ‘user.txt’ file, which contains the password to the next level.

`

Natas Level 4

Shubham
Cybersecurity Enthusiast

Natas 4

Theory

The communication between the client (our machine) and the server (that hosts the website) is done by a request-response. We sent a request for a certain page and the server sends the response with the content. Generally, they will follow different protocols and structures, which depend on the service. In this case, it is HTTP (Hypertext Transfer Protocol). The request generally includes the request method (GET, POST,…), the requested URL and the protocol version. However, it can also include additional, potentially needed information, through so-called request headers. There are many such fields, some more common than others. Relevant ones for this challenge are ‘Authorization’, which would include the credentials for the website and ‘Referer’, which is the URL/webpage from which the request is sent. Generally, all this is handled by our browser and we do not have to worry about it. It is however possible to manipulate requests.

Solution

  1. open the burpsuite
  2. turn the intercept on
  3. then click on the "refresh page" button
image
  1. send the request to the repeater
  2. open the repeater tab and edit the "Referer: http://natas4.natas.labs.overthewire.org/" to "Referer: http://natas5.natas.labs.overthewire.org/"
  3. then send the request again ...
  4. you will see that you have been authorised and you will get the password of natas 5
    `

Natas Level 5

Shubham
Cybersecurity Enthusiast

Natas 5

Theory

http is a stateless protocol: each request is independent and the server does not keep session state by default. to provide a continuous experience (for example, a logged-in session) servers send small pieces of data called http cookies to the client. the browser stores these cookies and sends them back with subsequent requests so the server can associate requests with a session or particular user.
a cookie is just a key=value pair (plus optional attributes like domain, path, expires, http-only, secure). because cookies live on the client side, a user (or an attacker) can inspect and modify them unless the server uses additional protections. depending on how the server interprets the cookie value, simple changes on the client side can change the server’s behavior — for example toggling an authentication flag.
in this level the application decides whether you are “logged in” based on a cookie value. by examining and altering that cookie you can change the perceived session state and gain access if the server relies solely on client-supplied cookie data.

Solution

  1. open the burp suite
  2. navigate to proxy tab
  3. turn on the intercept and open http://natas5.natas.labs.overthewire.org/
  4. right click and send it to repeater
  5. in the inspector section you will find request headers section
  6. in that cookie value will be loggedin=0
  7. change that to zero and apply changes then send the request ... in the response section you will see the password for natas 6
image

`

Natas Level 6

Shubham
Cybersecurity Enthusiast

Natas 6

Solution

when you will click "view sourcecode" ... source code will showup there you will see <? ?> this is php
PHP in HTML is enclosed in the following tags: <? ?> or <?php ?>. Variables start with a $ sign and the content of forms sent with a POST request can be accessed with the special $_POST variable.
Another important part for this level is that it is possible to include code from other files into a file, by using include or require.

since we can see one thing named includes/secret.inc
so visit http://natas6.natas.labs.overthewire.org/includes/secret.inc

you will see a blank page ... because since it does not show us an error, something is happening, PHP code is running, which does not include any visual output

so inspect and you will find the secret key like this:

?
$secret = "****************";
?

now you got the secret and then paste it in the box ... you will get password to natas 7 ... and there you go! `

Natas Level 7

Shubham
Cybersecurity Enthusiast

Natas 7

Solution

if we click on about, the web server will append /index.php?page=about to the end of the url
if we view the page source ../ we see a comment in both pages:
hint: password for webuser natas8 is in /etc/natas_webpass/natas8

if we try to visit /etc/natas_webpass/natas8 directly ... we will encounter Not Found error.

but if we try to visit it while we are in home ... that is: http://natas7.natas.labs.overthewire.org/index.php?page=home/etc/natas_webpass/natas8

we will get a warning which goes like

Warning: include(home/etc/natas_webpass/natas8): failed to open stream: No such file or directory in /var/www/natas/natas7/index.php on line 21

Warning: include(): Failed opening 'home/etc/natas_webpass/natas8' for inclusion (include_path='.:/usr/share/php') in /var/www/natas/natas7/index.php on line 21

error messages are frequently useful for getting a working exploit ... you can see that the web server tried and failed to open filename "home", and also told us the file path.
from here ... we can either use an absolute file path (ex: /etc/passwd) or a relative file path (../../../../etc/passwd).

lets use the absolute file path option, and navigate to http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8. This will include the flag file and display it to us.

`