OverTheWire[.com] Natas Walkthrough - JUST HINT, NO SPOILERS

game portal: http://overthewire.org/wargames/natas/
PASSWORDS for each level are stored in /etc/natas_webpass/natasX

I made this walkthrough for people like me: I needed some help but didn't want the spoiler, so here I will give you all the information needed to pass each level, yet not the solution.

For levels that need a custom web request I made separate posts for PowerShell and JavaScript with how-to's, since that is a piece of learning in itself, and also for those of us who play at work and have only PowerShell at hand. Although it's not a complete spoiler there, it is most of the solution, so try yourself first.

The Natas game goes from basic to advanced web hacking. Every few levels cover a whole new exploitation technique (with some of the harder ones coming back later), so there is a lot of learning.

If you're new, you're the reason I am writing so much even for the first level. Just please google EVERY topic you see, since in the following levels I assume you know the previous topics.

Don't be arrogant: more than a few sites were hacked because a programmer forgot to remove a test page with the "exploit" of level 0.

Level 0: Developers Tool (1)

In every browser there is a Developers Tool, which contains tools for programmers to debug their pages. If you right-click on the page you can open it by selecting "Inspect Element", and it will focus on that element. You can also click "View Source" to see the HTML source text, before any changes were made to it in the browser (usually by JS).

Level 1: Developers Tool (2)

The Developers Tool can also be opened by pressing F12, and "View Source" by prepending "view-source:" to your URL.

Level 2: Server Directory and Files Structure

Every domain or sub-domain of a website actually exposes a "root" directory in the file system where its content is, and there is a default file to serve if none is specified.

Usually a website has some extra folders exposed with extra files, like images and other resources, and browsing these folders should be restricted. Otherwise anyone can browse to the folder and see its contents, and the contents of its files.

For example, in our level there is an image http://natas.labs.overthewire.org/img/wechall.gif, and you can put the URL in your browser to get to it, but if you try to browse to the folder http://natas2.natas.labs.overthewire.org/img/ you'll get a nice 403 HTTP response (Forbidden), which means access denied.

If you're unfamiliar with HTTP-Response codes google that please.

In order to review the request, open Developers Tool -> Network tab and refresh the page. You will see each and every file the browser requested, with a lot of details.

HINT - compare the network tab for level 2 with level 1.

Advanced - try browsing to http://natas2.natas.labs.overthewire.org/img3/ ; you'll get 404 instead of 403. What does that tell you?

Level 3: robots.txt

Google is a search engine for public-facing websites. It uses web-crawlers / web-spiders (robots) to go over every website out there and read its content.

If you're unfamiliar with web-crawling / web-spiders please google that.

Every website can tell the robots where to crawl, and ask them where not to crawl, with a file called "robots.txt".

If you're unfamiliar with robots.txt file please google that.

Level 4: HTTP Headers

Topics for you to google: "http headers", "http referer header".
Now you should make sense of the message displayed at the level.
In the Network tab you can see all headers sent with each request, and all returned from the server. Some are set automatically by the browser and you can't modify them even with JavaScript.

Now your mission is to send a Custom Request to the website, with the right header.

Now, for the rest of the game, choose your favorite tool and PLEASE start mastering it. I can recommend "curl" (curl man) for Linux users; .Net users can just create a console application and use "WebClient" or "PowerShell", or just google for "custom http web request". I'm sure there are even some Chrome add-ons, but it's better for you to learn.

As stated, in case of need, natas 4 powershell.
"curl" start kit: "-u <user:pass>", "-H <header:value>"

P.S. - in the header it matters whether you send the URL with a trailing "/" or not.

Level 5: HTTP Cookies 

If you're unfamiliar with HTTP cookies at the technical level, please google that. That's the challenge. Also learn how you can send them with the tool you've chosen in level 4.

In the Developers Tool, in the Network tab, when you click a request it gets its own set of tabs, one of which is the "Cookies" tab.

HINT - with computers, "0" also means "false" (no) and "1" also means "true" (yes).

Level 6: PHP Include

Many of the following challenges will be about PHP exploits, so do yourself a favor and do a basic PHP tutorial, so you will be able to understand them. You will also need to craft some code and functions.

Basics: with PHP you write your HTML and at any point you open script tags like this: <?php ... ?>
Anything between these tags is PHP code that runs. The scope is your running page, meaning something defined in a script tag in the head of the page can be used at the end. If at any point the script echoes text, it's rendered as part of the HTML, either as simple text or as HTML tags and elements, according to the result.

Also the "include" keyword is used to include and evaluate another php file.

Level 7: PHP Injection (1)

If you don't know what "code injection" means, please google it; Wikipedia does a great job. Also "query string".

With that Wikipedia article, the query string, and a look at the source code, you should get it.

HINT - when clicking a link, we see the "page" parameter in the query string. If I had to guess, the parameter is used for an "include".

Level 8: Encoding

Google list: "encoding", "Base64 encoding", "binary to hexadecimal".

Encoding is used A LOT on the web, starting from simple things like passwords, values, cookies, sessions, etc. (we will meet all of the above soon) and evolving into encryption (we'll get there too). So you MUST be able to identify an encoding from a distance quite easily.

For the next pack of missions we are going to get the PHP source code to help us with the exploit. So study the code carefully and google every command; many of them have exploits, either through their usual output or by sending malicious input.

This one is not about exploiting or malicious code; it's just about you doing some minor reverse engineering (search and read about the PHP functions used) of the encoding function "encodeSecret" and extracting the password from the given "$encodedSecret" variable. This can be done with some "online php" (google).

Level 9: Shell Injection (1)

Time to do a tutorial for "linux shell"; I did this one myself after installing my Kali.
If you don't have a Linux, there are many "online shell" sites, or even use them to connect to the "Bandit" game, and preferably play it first (I have a full tutorial); a few of the following levels are about shell injection. For now, focus on the "grep" and "cat" commands.

Anyway, in level 7 we learned what injection is: there we injected code to cause malicious execution by the PHP include command; now we want to cause malicious execution by...

Well, you need to google the PHP command "passthru".

HINT - google "linux shell chain commands".
Advanced - "#" means comment.

Level 10: Shell Injection (2)

In the previous level you learned how to chain your own command. But looking at the source code, the chain characters are now forbidden.

But you can achieve the same goal without the chain characters. If last time we "cut off" the "grep" command and chained another command, this time we can elevate the power of "grep" to search for what we want.

HINT - and where we want it.

Level 11: Encryption (1)

Google list: "encoding", "encryption", "json", "Base64 encoding", "xor encryption".
If you google all that and learn the code well (googling the commands), you should solve it fast with any online PHP editor and your favorite HTTP-crafting tool used in levels 4 & 5.

Time to learn Encryption! And the most basic version of Encryption is XOR.

Looking at the source code we can see the "saveData" function, using 3 functions: one you know (base64), another you should just google (json), and the main one is a local function.

What is XOR? XOR means Exclusive OR, which asks "are the values different?"
In most programming languages it's written with the character "^".

When you XOR strings, they are converted to their binary values, the 1's and 0's are XORed bit by bit, and the answer is returned.

For example, take the "xor_encrypt" function to your PHP editor, set the key to "a", and send "b". "echo" the result to see the character [right facing triangle]; now let's do it manually.
Find an "ascii to binary" converter (I like this one) and put in "a b"; they convert to "01100001 01100010". XOR them with pen and paper:

  01100001   (a)
^ 01100010   (b)
= 00000011

Now back to that converter (or "binary to ascii") to see that "00000011" converts to that same char (sorry, I couldn't manage to encode it in Blogger).

But the thing about XOR is: now XOR "b" with "00000011". You get... "a", your secret key.
The rule about XOR, where C is the cipher text, T is the text, and K is the key:
T ^ K = C,   C ^ T = K,   K ^ C = T

If you noticed, the code uses the same function to encrypt AND decrypt. Therefore you can play with the "TKC" parameters: you only need 2 of them to get the 3rd, and thus you are able to decrypt the encrypted values you get.

That was pretty long, but I'm sure that now, after reading and trying, you know what to do with your [1] online PHP editor to [2] craft an HTTP request with [3] the proper JSON that will reveal the password. Just follow the code.

WARN - if you prepare your JSON by hand, make sure you don't send it to "json_encode".
HINT - when you compute "C^T" you can get the key multiple times, like "123451234512345....", so the key will be "12345".
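As an added example (not the post's code, and not the level's own values), here is the XOR arithmetic above in Python: the "a" ^ "b" check, and C ^ T = K turned into a small key-recovery routine that collapses the repeating key stream "12345123451234..." back to "12345". The plaintext and key below are constructed.

```python
def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, repeating the key as needed.
    The same call encrypts and decrypts, which is what the level's code relies on."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def to_bits(data: bytes) -> str:
    """Render bytes as the 8-bit groups an 'ascii to binary' converter shows."""
    return " ".join(f"{b:08b}" for b in data)


def shortest_period(stream: bytes) -> bytes:
    """Collapse a repeating key stream such as b'123451234512345' to b'12345'.
    If the stream is shorter than one full key, the whole stream is returned,
    so known plaintext shorter than the key cannot recover all of it."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """C ^ T = K: XOR the ciphertext with the plaintext you know was encrypted,
    then collapse the repeating key stream to the key itself."""
    n = min(len(ciphertext), len(known_plaintext))
    return shortest_period(xor_bytes(ciphertext[:n], known_plaintext[:n]))


if __name__ == "__main__":
    # The pen-and-paper check from the text: "b" XOR "a" gives 00000011.
    c = xor_bytes(b"b", b"a")
    print(to_bits(b"a"), "^", to_bits(b"b"), "=", to_bits(c))   # 00000011
    print(xor_bytes(b"b", c))                                  # b'a' (C ^ T = K)

    # Constructed plaintext and key (not the level's values): recover the key
    # from a ciphertext whose plaintext is known, then decrypt a second message.
    plain = b'{"theme":"dark","notify":"yes"}'
    key = b"12345"
    cipher = xor_bytes(plain, key)
    found = recover_key(cipher, plain)
    print(found)                                               # b'12345'
    print(xor_bytes(xor_bytes(b'{"notify":"no"}', key), found))  # b'{"notify":"no"}'
```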

Level 12: File Upload Exploit (1)

You need to know 3 things to pass this one:
 - how to write a PHP script file; look at level 9 for inspiration.
 - how HTML forms are submitted; google that.
 - when you open the Developers Tool, in the Elements tab you can alter anything in the DOM (google that too, please).

So in the end you can submit a form with whatever malicious code you'd like. The rest has nothing to do with programming, just simple logic; follow the code and you'll get it.

Level 13: File Upload Exploit (2)

This time the code tries to protect against a malicious file type via the "exif_imagetype" function.
Googling "pass exif_imagetype" you will immediately find how the function tests for the file being ".jpg", and therefore how to pass the function.

TIP - you can even just use Notepad++, File -> Character Panel, with ANSI encoding.

Level 14: MySql Injection (1) : Basic Injection

As you can see in the code, if the "debug" parameter is present then the page will output the SQL query results even if you are wrong with the username and password.

To understand how to use it, let's talk a bit about HTTP methods. There are 7 of them, so please google "http methods"; the most common are GET and POST.

The main difference between GET and POST is that POST sends payload data to the server as part of its body, while GET can't have a body, and therefore if it wants to send data to the server it can only do it via query-string parameters (or cookies or headers etc., but those count as user data, not request data).

So once you learn about the query string you will understand how to use "debug", and also that you can send the username and password the same way, instead of submitting the form, which makes a POST request (see the Network tab). Remember: query-string parameters and values need to be URL-encoded or some characters won't be sent.

In the real world an application should distinguish between GET and POST, but our application doesn't.

Now we have a few MySQL injection missions, so please go do a MySQL tutorial and learn to play with queries.

After that it's time to google "mysql injection". I encourage you not to be satisfied with the "1=1" injections (which may be blocked on your side if you are inside an organization); try also to think: do you really need to send a password at all?

HINT - learn how a string is formatted in programming languages.

Level 15: MySql Injection (2) : Blind Injection

*From level 15 to 19 you need to do brute force scripting, so you need your programming skills. If you don't understand how to do that, stop and go learn how.

The definition of blind injection is that you only get an answer indicating yes or no to your query from the server. This usually comes with some brute force scripting, since you get your information piece by piece. In the real world you also need to either find a server that doesn't block your very large number of requests, or, as in a real-world attack, give them enough space between them, like an hour or more, and some extra false data, to escape the firewall and the like.

Anyway, our code now only returns whether the user exists or not, and the query only selects users by default, but we need the password... so what can we ask the server? Well, in this level there is no filter on the "username" parameter at all. So how can you guess the password with only yes or no as the answer?

HINT - as stated above, the first part is to find a query that confirms that part of the password looks like "X"; the second part needs some scripting skills to build a brute force script that runs the first part repeatedly until you have recovered the entire password.

TIP & HINT - to be sure your query tests a column case-sensitively, don't send
col like "value%"
since "vAlUe" will also return true, but use
col like binary "value%"

which tests the binary values, which differ between "A" and "a".

HINT - you can do this with just simple JavaScript "XMLHttpRequest" (AJAX) locally in the browser, thus not needing a special tool, AND since you are already logged in you don't need to send credentials, as they are sent automatically.

Level 16: Shell Injection (3) : Blind Injection

You learned in level 15 how to slowly harvest a password char after char with your injections; that is called "blind injection". Now we do it again with shell commands.

Your google list: "linux shell arithmetic", "regex", "grep regex".

Looking at the code, it sanitizes all of the chaining characters, so no standard injection here.
We are left with 3 very important characters, "$ ( )". Why is that so meaningful?

In math, say I want to say that "x" is "b" multiplied by the sum of "m" and "n". If I write "x = b * m + n" then the evaluation will be "b" times "m" and to that add "n", so to fix that I write "x = b * (m + n)": the part inside the brackets is evaluated on its own, and its result becomes a value in the main equation.

In the Linux shell, if you want to evaluate some inner command to become a value for the outer command, just like in the math example above, you use a dollar sign followed by brackets, like
outerCommand param1 $(innerCommand) param3

You can also make it part of the parameter. For example, if I have a file named "pre" containing "he" and I want to print "hello", I can write
echo $(cat pre)llo

I expect you to understand how to leverage the above, with grep and regex, to reach the same goal you've reached in level 15.

HINT - last time yes was "user exists" and no was "user does not exist". This time your indicator is getting results. Is that your yes or your no? Answer this question before starting to write any code.

Level 17: MySql Injection (3) : Time-Based Injection

Google list: "mysql sleep", "mysql if"

So you know that blind injection means you only get an indication of some output from the server that can be interpreted as yes or no.

What if you can send any injection you would like, but the server doesn't give you any output as an indication? That is what we see in this level: it is the exact same code as level 15, just without the server output indication.

Well, you can "force" it to give you some indication: instead of output as the indication, you can use time as the indication.

In MySQL there is a command "SLEEP(seconds)". SLEEP returns "0" if executed without any problems, and in this example no problem should appear.

Another Command is the "IF" command, with the syntax "IF(test expr, true expr, false expr)".

TIP - use 2 seconds; 1 sec is too fast, and if you have a really slow connection make it 3.

Level 18: Session Hijack (1)

Also named (or a type of) cookie hijacking, meaning you exploit the fact that the server's decision of who you are (authentication) or what you're allowed to do or see (authorization) is made by a cookie value.

Looking at the code we can see there is no possible way to set "admin" to "1"; we must try to connect as each and every available session until we are connected as an "admin" session.

Sharpen your HTTP-crafting skills and your brute force scripting skills.

Level 19: Session Hijack (2)

In this level you don't have the source code, yet you get a message that most of the code is the same. Sending some value you get your "PHPSESSID", and you can immediately see it's encoded, so go try some simple decoding, really simple. You should see the username you sent with a number, in plain text.

Once you get the encoding, assuming it is the same code, you can take the exact same script as before and just encode according to the new convention.

*NOTICE - most encoding tools will add the LineFeed character ('\n') to the end of your string, resulting in an invalid encoded string. Learn how to tame your tool.
P.S. for Linux users (after you have found the encoding and the tool on your own; don't cheat) - here, and remove the '\\x'.

Level 20: Session Injection

Looking at the code we see there is no normal way to set "admin" to "1" and trigger "print_credentials()". But a good inspection of how the code writes the value of "name" and then reads it back reveals room for injection. Don't forget you have "debug()" again.

HINT - you must use URL Encode.

Level 21: Collocated Websites

Collocated websites means that they both use the same server, bandwidth, etc.
What else do they share?

Level 22: Location Header (Intercept Redirect)

Location is a response header that tells the browser to jump (redirect) to another location. The browser does not keep any data from the first response. Therefore you must use a tool that does.

HINT - Windows users, I couldn't make it work with PS in any way, so just google "linux online terminal".
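To see what "a tool that keeps the first response" means, here is an added Python example (not from the original post): a tiny local server, constructed for the demonstration, answers a 302 with a Location header and a body. Fetching it with http.client (which never follows redirects) keeps that first response, while urllib (which follows redirects like a browser) only ever shows the landing page.

```python
import http.client
import http.server
import threading
import urllib.request

# Constructed test content: /start answers 302 + Location and also carries a
# body; a browser jumps straight to /landing and drops that body.
FIRST_BODY = b"constructed: only visible in the redirecting response\n"
LANDING_BODY = b"constructed: landing page\n"


class RedirectingHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/start":
            self._reply(302, FIRST_BODY, location="/landing")
        else:
            self._reply(200, LANDING_BODY)

    def _reply(self, status, body, location=None):
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output clean
        pass


def start_server():
    server = http.server.HTTPServer(("127.0.0.1", 0), RedirectingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_first_response(port):
    """Like curl without -L: status, Location header and body of the very
    first response, before any redirect is followed."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/start")
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Location"), resp.read())
    conn.close()
    return result


def fetch_like_a_browser(port):
    """urllib follows the 302, so only the landing page survives."""
    with urllib.request.urlopen(f"http://127.0.0.1:{port}/start", timeout=5) as resp:
        return resp.geturl(), resp.read()


def demo():
    server = start_server()
    try:
        port = server.server_address[1]
        return {"first": fetch_first_response(port), "browser": fetch_like_a_browser(port)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```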

Level 23: Leftover Comments

A real issue out there. Believe me.

Level 24: Type Validation

Reading the manual for "strcmp" we can see that it returns "0" in case of matching strings, a non-zero number if they don't match, and NULL in case you try to compare a string with a non-string like an array etc.

But the code does not validate that it returns "0"; it just applies "NOT" to the result, and it also does not validate that the input is a string.

HINT - PHP supports complex URL parameters.

I've currently reached level 28, out of 32, and will continue to update.


