Natas 9 -> 10

user: natas9
pass: W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl

Hmm. Needle in a haystack, wouldn't you say? Let's take a look at the source code. Looks like the box is looking for a specific 'needle' to be entered to get the password. Well, there might just be an easier way -  let's take a closer look at how the search box is working. Looks like this php code is using 'passthru' to run grep, a shell command. what else could passthru run, however?

For those familiar with shell, the ';' character is your friend for multiple commands on a single line. That's what we're going to do here. If we start our box input with ';', we can follow it with commands of our choice!

What's more, I seem to remember a helpful hint suggesting that /etc/nats_webpass/natas<level number> always holds the password for the next level.

Type ;cat /etc/natas_webpass/natas10 into the search box for the information you  seek.

Comments

Post a Comment

Popular posts from this blog

Natas 11 -> 12

user: natas11 pass: U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK OK, this level is a bit tricky. We start out looking at the source code, and we are faced with several functions. xor_encrypt seems to encrypt any text sent to it by xoring the input character by character with the key we want. loadData checks to see if the cookie sent with the data matches the background color, and has the 'showpassword' field in it. If the background color sent with the data and sent in the cookie match,  it stores the color and the showpassword boolean - this is probably the key to getting the key. The big trick here is that there's an XOR encryption going on. At first this might seem tricky, but on closer consideration we remember that if xor myword => cypher, then xor cypher => myword. in the function saveData, we wee that the cookie for the website is set with base64-encode, xor_encrypt, and json-encode. Therefore, we start with the cookie. We know we want to base64-decode, so let...
Read more

Natas 6 -> 7

user: natas6 pass: aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1 Well, it looks like we need to input a secret of some sort. If only we knew what it was... Luckily, though, someone left a link to the website source code here. And, what's this? it very conveniently says, right there: include "includes/secret.inc"; So let's start there. That looks like a folder we could try navigating to. http://natas6.natas.labs.overthewire.org/includes/secret.inc yields the secret:  FOEIUWGHFEEUHOFUOIU. Plugging that in gives us the password!
Read more

Natas 10 -> 11

user: natas10 pass: nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu This looks familiar - but someone got smart and decided to start sanitizing their inputs, it looks like. We can't use ;, |, or & to circumvent the grep command. Clever designers. But what other command exploits might we be able to use? Let's think back to the days when we were command-line masters instead of browser-hackers. I seem to recall that grep had some fancy functionality... like, for instance, the ability to grep over multiple files at once. So what happens if we tell it to do just that? Of course, we don't know what to tell grep to look for, so let's just use the .* operator to tell it to match any number of occurrences of anything. Remember, looking at the source, that our file will be searched over first, so we won't care too much about the massive number of dictionary words that will be spit out after. Let's try it (remember, the second file we should try looking at is the same as last ...
Read more