wargames Archives - thefluffy007

Another day, another hacking challenge…

Today’s challenge is to find the password for level 9.

To view level 8, please go HERE.

After entering the username/password we see the following screen:

On the right side there’s a link that says, “view sourcecode”.

Clicking this link we see the following:

First, you should notice that there is weird syntax (language) of “<? and ?>” What is this? Well, this is PHP (Personal Home Page). Which is a server-side programming language.

What exactly is passthru? Passthru is a function that executes a command. To learn more about the passthru function click HERE. In this case we’re using the word in the first screenshot to look through a file named dictionary.txt.

Let’s try to enter the word “test” to see what we get…

The code returns all of the words that have test in it. OK. Let’s see if we can get ALL of the words in the dictionary.txt file.

Let’s try the word of “” instead of test. Doing that we get the following:

We have all the words in the dictionary.txt file. Why did I pick “” ? Well if you look in the passthru function the command was enclosed in quotes. I figured that if I entered quotes we would break out of the command which would produce all of the words in the file.

So now we have all of the words, what do we do now?

The challenge seems to be vulnerable to command injection. To learn more about command injection, go to the link HERE.

Let’s try to add another command to list all of the directories in the folder. The command to enter is: ls%20-la; (%20 is the URL encoding of space). This command is listing all of the files in the directory include hidden ones (in Linux hidden files start with the “.”).

We have listed all of the directories, and have a potential gem. There’s a file named .htpasswd. Let’s add on to the command sequence to open this file. To do that we add the following: cat%20.htpasswd;.

We have received the password! Which is: $1$p1kwO0uc$UgW30vjmwt4x31BP1pWsV.

hacking, owasp, web application security

OverTheWire: Natas Level 8 – #appsec #webapp #websecurity #wargames

August 11, 2017March 3, 2021 thefluffy007

Another day, another challenge…

In today’s challenge we’re going to solve level 8 from the Natas wargame.

Let’s begin.

Going to the following link, and entering the username “natas8” and password “DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe” we get the following:

OK, we see a page that is asking for an input secret. Clicking the view sourcecode link we see:

Looking at the screen, there’s PHP code with an encoded secret variable that seems to be in hexadecimal. There’s also a function titled “encodeSecret” that does the following steps:

Change the binary to hex (bin2hex)
Reversing the string (strrev)
Base64 encoding (base64_encode)

From there the code is checking to see if our input secret equals the encoded secret. If it does then we get the code for level 9, otherwise we need to try again.

So, how are we going to solve this?

Going to Google and looking for a PHP interpreter, we’re presented with the following link.

From there, We’re going to do the reverse the steps of above. Our new steps are:

Convert the hex to binary (hex2bin)
Reverse the string (strrev)
Base64 decode (imap_base64)

Below is the screenshot that depicts the above steps.

Doing the steps, we are presented with the decoded secret which is “oubWYf2kBq”

Going back to the level 8 page, and entering our decoded secret we get the following:

We found the flag!

hacking, owasp, web application security

OverTheWire: Natas Level 7 – #appsec #webapp #websecurity #wargames

August 4, 2017March 3, 2021 thefluffy007

Another day, another challenge…

In today’s blog post we will solve level 7 from the Natas wargame challenge.

Let’s begin.

Going to the following link, and entering username “natas7” and password “7z3hEENjQtflzgnT29q7wAvMNfZdh0i9” we see the following:

Hmm… we see a Home and About links. Let’s click the links and see what happens.

After clicking the links we see there’s not much that’s showing on the screen.

Let’s view the source and see if there are any hints there.

Doing a right click, view page source we see:

Hmm… we see a comment that says, “password for webuser natas8 is in /etc/natas_webpass/natas8”

How can we use this information?

Looking at the above screenshots of Home and About – we notice that at the end of the URL it’s referencing a page. For instance for the home page it’s “page=Home” and for About it’s “page=About”. Let’s try to change the page name to the hint that was provided to us.

Changing the URL to: http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8, we see…

the flag!

hacking, owasp, web application security

OverTheWire: Natas Level 6 – #appsec #webapp #websecurity #wargames

August 3, 2017March 3, 2021 thefluffy007

Another day, another challenge…

In today’s blog post we’re going t solve level 6 in the Natas wargame.

Let’s begin.

Going to the following link and entering the username of “natas6” and password of “iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq” we see the following:

Doing a right click, view source we see:

Hmm… there’s not much in here, except there’s a view sourcecode. Let’s see what this source code will yield us…

Looking at the middle of the page, we see that there’s php code (code between <?…?>), we notice that there’s an include/secret.inc. Let’s see if we can access this file and see what’s inside the file.

Changing the URL to “natas6.natas.labs.overthewire.org/includes/secret.inc” we see:

… a blank page. Let’s do a right click, view page source to see if there are nuggets hidden beneath the surface.

Doing a right click, view page source we see the following:

Hmm… looks like we find the secret.

Let’s enter this into the input box and see if this unlocks the level.

Entering the secret above into the input box we get:

We found the flag!

hacking, owasp, web application security

OverTheWire: Natas Level 5 – #appsec #webapp #websecurity #wargames

August 2, 2017March 3, 2021 thefluffy007

Another day, another challenge…

In today’s blog post, we’re going to solve level 5 from the Natas wargame challenge.

Let’s begin.

Going to the following link and entering username of “natas5” and password of “iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq” we see the following:

After pressing “OK” we see:

Hmm… we see that we’re not logged in and access is disallowed.

Using Tamper Data, let’s see if the request headers show us a way to bypass the login feature.

Opening the Tamper Data application and refreshing the website we see:

Hmm… we see inside the Cookie that there is a loggedin that is currently set to zero. What if we change it to 1?

Changing the loggedin feature to 1 and pressing Enter we see:

We received the flag!

hacking, owasp, web application security

OverTheWire: Natas Level 4 – #appsec #webapp #websecurity #wargames

August 1, 2017March 3, 2021 thefluffy007

Another day, another challenge…

Today’s blog post we’re going to solve level 4 from the Natas wargame.

Let’s begin.

Going to the following link we see:

After entering the username of “natas4” and password of “Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ” we get the following:

Hmm… we’re not allowed access because we’re coming from an invalid URL. Let’s see if we can change that.

In a previous blog, I explained how to user Tamper Data. Tamper Data allows you to modify HTTP requests and responses to see if the web page will behave differently.

We’re going to use Tamper Data for this challenge.

Starting Tamper Data, and going to the level 4 we see:

We see that the referrer shows natas4, what happens when we change it to natas5?

Changing the referrer to natas5, and clicking OK we see:

We found the flag!

hacking, owasp, web application security

OverTheWire: Natas Level 3 – #appsec #webapp #websecurity #wargames

July 30, 2017March 3, 2021 thefluffy007

Another day, anther challenge…

In today’s challenge we will solve level 3 from the Natas wargame. Let’s begin.

Going to the following link, and entering the username of “natas3” and password we retrieved from the second challenge we see:

Password from level 2:

Pressing Enter we see:

Doing a right click, view source we see:

Hmm… we have a hint. “No more information leaks!! Not even Google will find it this time…”

Knowing a thing or two about how Google indexes websites, I know that some websites use a robots.txt file. Let’s see if this website is using that.

Entering “robots.txt” at the end of the URL we see:

OK – the first parameter user-agent specifies that any agent is allowed. We’re disallowing the /s3cr3t/ folder. Let’s go to this folder and see what’s there…

Entering the /s3cret/ folder we see:

Hmm… there’s a users.txt file. Let’s see what’s there.

We found the password for level 4!

hacking, owasp, web application security

OverTheWire: Natas Level 2 – #appsec #webapp #websecurity #wargames

July 29, 2017March 3, 2021 thefluffy007

Another day, another challenge…

In today’s blog post we’re going to solve level 2 from the Natas wargame.

Let’s begin.

Going to the following link we see:

We’ve acquired the password for level 2 from the level 1 challenge (screenshot below):

Entering the username of “natas2” and password from the above screenshot we see the following:

Nothing on the page, eh… I don’t believe that.

Let’s try, right click view source and see what we get.

We notice there’s an image source of a pixel.

Clicking this link we see:

It truly is just a pixel. What if we remove the “pixel.png”? Maybe there are other files on the system. Let’s try it.

Removing the “pixel.png” and pressing Enter we see:

We see an extra file – users.txt. I wonder what’s in it.

Clicking users.txt, we noticed that it lists the different username and passwords. The one we want is the fourth row – natas3. We’ve found natas3 password!