Overthewire: Natas Level 6 to 10
Table of Contents
Overthewire - Natas
This series on the overthewire webpage challenges you to think outside the box and more about communication between client and server in order to find the hidden flag on the website for the next level. The structure of the challenge is that for each level you require a user name and password to authenticate to the next level challenge website. The username is natas[X] with X being the current level (e.g. natas5 for level 5), the corresponding URL is “http: //natas[X].natas.labs.overthewire.org/", X again being the level number e.g. “http://natas5.natas.labs.overthewire.org/" for the fifth level, and the password consists of 32 alphanumeric characters.
And now without further ado, let’s get to it:
natas6
First let’s have a general look at the natas6 website. We see an input field, a submit query button and a link to "View source code". Perfect.
When we access the source code, we find the following in the HTML body:
<?
include "includes/secret.inc";
if(array_key_exists("submit", $_POST)) {
if($secret == $_POST['secret']) {
print "Access granted. The password for natas7 is <censored>";
} else {
print "Wrong secret";
}
}
?>
<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>
Alright, assuming that this is actually the source code behind the input field, we need to enter the correct code via a POST request and we get access to the natas7 password.
However, there even is a second important hint here: “includes/secret.inc”; So what is there? Let’s got to the site’s path and open the website inspector again:
Wow, < !–?$secret = “FOEIUWGHFEEUHOFUOIU”;?– >??? Ok so if that is the required secret, let’s try it:
Spoiler natas7:
Username: natas7Password: 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9
URL: http://natas7.natas.labs.overthewire.org
natas7
Another page, another challenge. We see a “Home” and an “About” button.
The website itself is not really interesting, but the HTML comment visible with the inspector is: < !– hint: password for webuser natas8 is in /etc/natas_webpass/natas8 – >
This looks like a directory traversal or Path Traversal attack seems possible and likely.
So what happens, if we try to include a page in our path that is not foreseen to be accessible from the web? Let’s try:
http://natas7.natas.labs.overthewire.org/index.php?page=/../../../../../../
Even though we could not directly include a file or folder to be displayed on the webpage, we know we can walk directories. So let’s include the “/etc/natas_webpass/natas8” path.
Spoiler natas8:
Username: natas8Password: DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe
URL: http://natas8.natas.labs.overthewire.org
natas8
The layout of this level seems familiar again. It is very similar to natas6.
Let’s have a look at the source code:
<?
$encodedSecret = "3d3d516343746d4d6d6c315669563362";
function encodeSecret($secret) {
return bin2hex(strrev(base64_encode($secret)));
}
if(array_key_exists("submit", $_POST)) {
if(encodeSecret($_POST['secret']) == $encodedSecret) {
print "Access granted. The password for natas9 is <censored>";
} else {
print "Wrong secret";
}
}
?>
This seems like more fun than previous levels. Why? Because we actually start to have to reverse engineer something.
The encoded_secret is: “3d3d516343746d4d6d6c315669563362” We reach this encoded_secret by first base64_encode encoding our $secret, then reversing the string (strrev) and then using the bin2hex function to return the hexadecimal representation of that string. So if we reverse it, we have to 1. reverse bin2hex, 2. reverse the string again, 3. decode the base64 string and we get the secret. Alright in order to do that, I have written a small python2.7 tool:
import base64
encoded_secret = "3d3d516343746d4d6d6c315669563362"
# 1. hex to string
str_encoded_secret = encoded_secret.decode("hex")
# 2. reverse it
rev_str_encoded_secret = str_encoded_secret[::-1]
# 3. decode base64
secret = base64.decodestring(rev_str_encoded_secret)
print(secret)
If we run it, we get the secret: “oubWYf2kBq”
Let’s enter that:
Spoiler natas9:
Username: natas9Password: W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
URL: http://natas9.natas.labs.overthewire.org
natas9
Another page, another input field and another source code. As there are no interesting hints on the page or in the page code itself, let’s start with the source code:
<body>
<h1>natas9</h1>
<div id="content">
<form>
Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
</form>
Output:
<pre>
<?
$key = "";
if(array_key_exists("needle", $_REQUEST)) {
$key = $_REQUEST["needle"];
}
if($key != "") {
passthru("grep -i $key dictionary.txt");
}
?>
</pre>
<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
Via the input form we assign a value to the $key parameter and as long as the $key parameter is not empty, it is used in the passthru(“grep -i $key dictionary.txt”) query. So what is passthru? Passthru is a PHP function, that “Execute an external program and display raw output”. Wow ok so this function is powerful, as we can use it to invoke another program that is then executed in the backend of the server and we even see the return value. Now the function that is parsed is grep. Let’s have a look at the grep man pages:
DESCRIPTION grep searches for PATTERN in each FILE. A FILE of “-” stands for standard input. If no FILE is given, recursive searches examine the working directory, and nonrecursive searches read standard input. By default, grep prints the matching lines.
...
-i, --ignore-case Ignore case distinctions, so that characters that differ only in case match each other.
...
OK, so we can use grep to search for a PATTERN in a FILE and the -i parameter allows us to ignore case distinctions. The file, that we look through is “dictionary.txt”.
So let’s look for a PATTERN, e.g. “abba”.
Alright looks like we can look for pattern matches inside the dictionary.txt file. Now either the password is stored inside the dictionary.txt file or the “grep -i” server side command execution is a problem. Let’s first browse through some bash magic. I found something really interesting here regarding UNIX shell syntax. Especially the “;” character is interesting for us: “The semi-colon (;) is a standard UNIX shell item used to separate commands.” (Source)
Ok so what if we combined our input with the “;” character and added another shell command after the “;"?
Let’s try to display the entire dictionary by inserting “; cat dictionary.txt”:
Wow, so the trick is to separate commands and then enter a query showing us the content of the correct password file. In natas7 we learned of the location of the natas8 password: /etc/natas_webpass/natas8
So now we need to look into the natas10 file. We get there with the query: “; cat /etc/natas_webpass/natas10”
Spoiler natas10:
Username: natas10Password: nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu
URL: http://natas10.natas.labs.overthewire.org
natas10
Yey, and another page with the same outline: a search bar and a “view sourcecode” link.
So how does the source code look like for this level now?
Output:
<pre>
<?
$key = "";
if(array_key_exists("needle", $_REQUEST)) {
$key = $_REQUEST["needle"];
}
if($key != "") {
if(preg_match('/[;|&]/',$key)) {
print "Input contains an illegal character!";
} else {
passthru("grep -i $key dictionary.txt");
}
}
?>
</pre>
It seems like we are playing the same level as natas9 again, using passthru together with grep -i to find PATTERNS inside the dictionary.txt file. However, this time the query is filtered before it is used in the grep command.
What does “preg_match” do? Preg_match performs a regular expression match and in our case looks for the pattern “[;|&]", meaning that the “;” and “&” character is excluded from our input possibilities.
Let’s check our hypothesis with the query “; cat /etc/natas_webpass/natas11”:
Seems like our hypothesis is true thus far.
So do we have other characters other than “&” and “;” that allows us to concatenate commands?
Grep itself accepts regular expressions as PATTERN, so let’s include all possible characters by inserting “.*". “.” in regular expressions is a placeholder for all characters and “*” means an infinite repetition of the specified character. Overall “.*” means: “Dear pattern, please return anything in that folder (or the specified search space)".
Sweet, we can work with “.*". What can we do now? What if we combined the “.*” with the known directory path for the natas11 password “/etc/natas_webpass/natas11”?
Let’s try this “.* /etc/natas_webpass/natas11”:
Spoiler natas11:
Username: natas11Password: U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK
URL: http://natas11.natas.labs.overthewire.org
Wrap Up
So what have we learned thus far? We have look at our first PHP code, wrote python code to reverse engineer a secret, saw path traversal attacks, learnt about regular expressions, BASH, bash magic and finally found out why it is probably never a good idea to use passthru on an open website.
Level 11 to 15 will be up soon. :)
See you soon!