Over the Wire Natas Levels 1 to 10 write up
What is Over the Wire?
It is a publicly accessible capture-the-flag website that allows budding security professionals to test their skills against a live system. The challenges can be found here: https://overthewire.org/wargames/natas/
Spoiler alert: only read on if you don't mind getting the answers/solutions for levels 1 to 10 of Natas.
Natas
Natas is a set of challenges that focus on web application security. The following is how I solved each challenge.
Level 1
- The page is a simple website with hard-coded credentials in an HTML comment.
- By using the built-in developer tools within the browser, the password to the next challenge was discovered.
Level 2
- Inspection was "disabled" on the web page; however, by using curl to retrieve the page with the credentials discovered in Level 1, the credentials for Level 2 were discovered.
- The following command was used:
curl -u natas1:g9D9cREhslqBKtcA2uocGHPfMZVzeFK6 <url>
Level 3
- When inspecting the HTML source, a file was found to be included from the /files/ directory on the web server.
- By navigating to the directory, the contents of the directory were listed.
- A file existed named users.txt which contained the credentials for natas3.
- Explanation: This could have been mitigated by including an index.html in that directory, which would automatically be served for requests to that directory instead of dumping its contents, or by configuring the web server to return a 404 page when no index.html file is found or a directory is navigated to directly through the URL.
Level 4
- The robots.txt file was discovered, and automated agents were disallowed from scanning the directory /s3cr3t/.
- In the /s3cr3t/ directory was the users.txt file, which contained the password for natas4.
- Explanation: The robots.txt file allows or disallows web crawlers used by search engines such as Google, DuckDuckGo, and Bing from scanning the site. This was likely an attempt to reduce the chances of passive reconnaissance revealing the users.txt file within the /s3cr3t/ directory. This strategy is not recommended because robots.txt is a well-known file that exposes information about potentially sensitive directories. It is recommended that files like these be protected with access controls such as IP allow- or block-listing, depending on the access requirements.
Level 5
- The page greets you with:
“Access disallowed. You are visiting from "" while authorized users should come only from "http://natas5.natas.labs.overthewire.org/"”
- This means that there is some kind of mechanism that checks where the user was redirected from before visiting this page.
- Upon inspection of the headers within the web request, a Referer header is set, which is how the server determines where the user's browser came from to reach this page.
- The headers in a request tell the server different things about what the client is expecting when it retrieves a web page from the server. These headers are set locally on the client machine and therefore can be set by an attacker.
- There are many open source tools that can be used to manipulate headers, such as Burp Suite and OWASP ZAP, and they can even be set with the -H flag when using the curl command.
- When requesting http://natas4.natas.labs.overthewire.org/index.php with the Referer header set to the URL for natas5, http://natas5.natas.labs.overthewire.org/, the password is exposed on the landing page. (The header name is spelled Referer in HTTP; a misspelled header is ignored by the server.)
curl http://natas4.natas.labs.overthewire.org/index.php -u natas4:tKOcJIbzM4lTs8hbCmzn5Zr4434fGZQm -H "Referer: http://natas5.natas.labs.overthewire.org/"
Level 6
- The page loads but shows the error:
Access disallowed, you are not logged in.
- Upon inspection of the client-side cookies, there is a loggedin cookie which is set to 0.
- When setting this to 1 and refreshing the page, or sending the request back to the site using Repeater in Burp Suite, the password is revealed.
- This can also be achieved with the following curl command:
curl -v -u natas5:Z0NsrtIkJoKALBCLi5eqFfcRN82Au2oD http://natas5.natas.labs.overthewire.org/ -b "loggedin=1"
Level 7
- The page supplied an input field requesting a secret value, like a password.
- The page had a link to view the source code, located at index-source.html, which revealed the PHP script used to check the secret value (static code analysis).
- The script checked whether the submitted value was equal to a value stored in the /includes/secret.inc file.
- The file secret.inc held the secret in plain text, and when it was supplied to the input field the password for Level 8 was revealed.
- Although this can be completed entirely in the browser, a POST request with curl achieves the same result:
curl -X POST -d "secret=FOEIUWGHFEEUHOFUOIU&submit=Submit" -u natas6:fOIvE0MDtPTgRhqmmvvAOt2EfXR6uQgR http://natas6.natas.labs.overthewire.org/index.php
Level 8
- This was a directory traversal challenge and required a bit of Googling and some prior knowledge of how the target file system worked.
- In the Bandit challenges the password file was located in /etc/bandit/ in a file named after the target user; applying that same logic, all the passwords for the Natas challenges reside in the /etc/natas_webpass/ directory.
- The URL included a ?page=<pagename> parameter, where <pagename> was the filename of the page.
- By traversing up to the root directory with ../../../etc/natas_webpass/natas8 in that parameter, the credentials were exposed.
- The most recent real-world example of a vulnerability like this one was the ScreenConnect vulnerability, which allowed a remote, unauthenticated attacker to browse to the setup URL on an exposed access panel and reset the login credentials, gaining access to the ScreenConnect interface. ScreenConnect is remote access software used by IT help desks, managed service providers and others to remotely access and run commands on machines.
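A defensive counterpart to the ?page=<pagename> parameter above, added here as an example and not part of the original write-up or the challenge code: the page name is joined to a base directory, canonicalised, and rejected if the real destination lies outside that directory. The PAGES_DIR path and the allowlisted page names are assumed placeholders.

```python
"""Containment check for a ?page=<pagename> include parameter (added example)."""
import os
from typing import Optional

# Assumed layout (placeholder path, not from the challenge): only files
# under this directory may be served through ?page=.
PAGES_DIR = "/var/www/html/pages"

# Stricter alternative: an explicit allowlist of page names (constructed).
ALLOWED_PAGES = {"index", "about", "contact"}


def resolve_page(page: str, base_dir: str = PAGES_DIR) -> Optional[str]:
    """Return the absolute path of `page` inside base_dir, or None if it escapes.

    The vulnerable pattern is roughly include($_GET["page"]), which lets
    ../../../etc/natas_webpass/natas8 walk out of the web root."""
    if not page or "\x00" in page:
        return None
    base = os.path.realpath(base_dir)
    # Join first, then canonicalise so '..' segments and symlinks are
    # collapsed before the containment check sees the real destination.
    candidate = os.path.realpath(os.path.join(base, page))
    # commonpath (not a string prefix test) so /srv/pages2 cannot pass as /srv/pages.
    if os.path.commonpath([base, candidate]) != base:
        return None  # traversal outside the pages directory
    return candidate


def resolve_allowlisted(page: str, base_dir: str = PAGES_DIR) -> Optional[str]:
    """Allowlist variant: only known page names, never user-supplied paths."""
    if page not in ALLOWED_PAGES:
        return None
    return os.path.join(os.path.realpath(base_dir), page)
```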
Level 9
- This challenge dealt with encoding and reversing the methods used to encode a hardcoded password.
- An input field was supplied as well as the PHP source code. The function used to validate the secret is shown below:
function encodeSecret($secret) {
return bin2hex(strrev(base64_encode($secret)));
}
- After fiddling around on my own PHP server I was able to devise the following script to test the output:
<?php
function encodeSecret($secret) {
return bin2hex(strrev(base64_encode($secret)));
}
function decodeSecret($secret) {
return base64_decode(strrev(hex2bin($secret)));
}
$secret="3d3d516343746d4d6d6c315669563362";
$encoded=decodeSecret($secret);
echo $encoded;
echo "<br>";
echo encodeSecret($encoded);
echo "<br>";
echo "3d3d516343746d4d6d6c315669563362";
?>
- Looking at the function above, two simple built-in functions are used to encode and decode the secret with base64, along with some basic obfuscation.
- The stored value is produced by a function that base64-encodes the secret, reverses the string, and then converts it to hexadecimal.
- By reversing the process (convert the hex back to binary, reverse the string, and base64-decode the result) the answer is revealed.
- CyberChef is a useful tool for code breaking and solving encoding challenges; it was open sourced by GCHQ many years ago.
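The same reversal in Python, added here as an example rather than code from the write-up or the challenge, alongside what a non-reversible check looks like: encodeSecret is a chain of lossless transforms (base64, reverse, hex), so anyone holding the source recovers the secret, whereas a salted PBKDF2 hash compared in constant time cannot be decoded. The hash parameters and the sample secret used for the hashed check are assumptions.

```python
"""Natas Level 9: reversible obfuscation versus a real password hash (added example)."""
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional

# The hex value hardcoded in the challenge's PHP source.
ENCODED_SECRET = "3d3d516343746d4d6d6c315669563362"


def encode_secret(secret: str) -> str:
    """Port of PHP bin2hex(strrev(base64_encode($secret))): base64, reverse, hex."""
    b64 = base64.b64encode(secret.encode()).decode()
    return binascii.hexlify(b64[::-1].encode()).decode()


def decode_secret(encoded_hex: str) -> str:
    """Inverse of encode_secret: hex -> text, reverse, base64-decode.

    Every step is lossless, so this is obfuscation, not protection."""
    reversed_b64 = binascii.unhexlify(encoded_hex).decode()
    return base64.b64decode(reversed_b64[::-1]).decode()


def check_obfuscated(candidate: str) -> bool:
    """The challenge's check: encode the input and compare with the stored hex."""
    return encode_secret(candidate) == ENCODED_SECRET


def hash_secret(secret: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 (assumed parameters); the stored string is one-way."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)
    return salt.hex() + ":" + digest.hex()


def check_hashed(candidate: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split(":")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), 200_000
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)
```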
Level 10
- When opening this page a search bar is presented and the PHP source code is provided. The code of interest is shown below:
<?
$key = "";
if(array_key_exists("needle", $_REQUEST)) {
$key = $_REQUEST["needle"];
}
if($key != "") {
passthru("grep -i $key dictionary.txt");
}
?>
- Right off the bat I can see that there is an OS command injection vulnerability, caused by a lack of input sanitization before the value reaches the passthru function.
- Based on the earlier challenges, the target file is /etc/natas_webpass/natas10, which contains the credentials for the next level.
- By supplying the following snippet as the search value, the flag can be obtained:
;cat /etc/natas_webpass/natas10;#
- The ; operator ends whatever command came before it and is treated as a newline.
- The command cat /etc/natas_webpass/natas10 outputs the file to standard out.
- Finally, ; # closes the line and comments out the remaining text so that the command will execute.
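A hardened counterpart to the passthru("grep -i $key dictionary.txt") code above, added here as an example and not part of the write-up or the challenge: it contrasts the raw shell string with a quoted one (what escapeshellarg would give in PHP), an argv list that never touches a shell, and an allowlist that rejects shell metacharacters outright. The sample dictionary entries are constructed.

```python
"""Hardened counterpart of the Natas Level 10 dictionary search (added example)."""
import re
import shlex
import subprocess
from typing import List

# Constructed sample of dictionary.txt; the challenge's real file is larger.
SAMPLE_DICTIONARY = ["African", "Africans", "apple", "Apply", "Bandit", "natas"]

# Allowlist: letters, digits, underscore and hyphen only, so ';', '|', '#',
# '$', backticks and whitespace never reach a shell.
NEEDLE_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def is_valid_needle(needle: str) -> bool:
    return NEEDLE_RE.fullmatch(needle) is not None


def vulnerable_command(needle: str) -> str:
    """What passthru("grep -i $key dictionary.txt") hands to /bin/sh: raw
    concatenation, so a needle such as ';id;#' becomes three shell statements."""
    return f"grep -i {needle} dictionary.txt"


def quoted_command(needle: str) -> str:
    """Same shell string with the value quoted (PHP equivalent: escapeshellarg)."""
    return f"grep -i {shlex.quote(needle)} dictionary.txt"


def grep_argv(needle: str) -> List[str]:
    """No shell at all: an argv list; '--' stops grep treating the needle as an option."""
    return ["grep", "-i", "--", needle, "dictionary.txt"]


def run_grep(needle: str) -> str:
    """Validate first, then exec grep directly (shell=False); returns matching lines."""
    if not is_valid_needle(needle):
        return ""
    proc = subprocess.run(grep_argv(needle), capture_output=True, text=True, check=False)
    return proc.stdout


def search(needle: str, dictionary: List[str] = SAMPLE_DICTIONARY) -> List[str]:
    """In-process substring search: the simplest fix is to not spawn a process at all."""
    if not is_valid_needle(needle):
        return []
    low = needle.lower()
    return [w for w in dictionary if low in w.lower()]
```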
Conclusion
I had actually stopped completing these challenges due to life, school and sleep requirements. There are 34 levels, only 14 of which I had solved. I forgot how fun these little puzzles are until I started going over my notes again.
Disclaimer: The ideas and statements made in this article are the sole views of Exylum Technical.