OverTheWire Natas Level 9 Walkthrough

Today we're going to be doing a walkthrough of level 9 of the Natas CTF wargame hosted at:

http://natas9.natas.labs.overthewire.org

To access this page, we will need to authenticate into it by providing the current level of the Natas CTF game as the username (natas9), and the password obtained from the previous level as the password.

Once we have authenticated into the page, we see this:


An interesting looking web app.  Let's take a look at the sourcecode link.

http://natas9.natas.labs.overthewire.org/index-source.html


From the source, we see that the app is taking user input string and passing it to the system running the server as a grep command, comparing the string to entries in a text file (dictionary.txt).  

This kind of code allows the user to perform a Local File Inclusion attack by passing the web app a malformed string.  For example, if we pass the web app this string

; ls #

The semicolon in the string will end the previous command and the hash symbol at the end of the line will cancel the first command that comes after our ls command.  The result of sending the request to the web app is this:


This confirms that we have a Local File Inclusion vulnerability through the web app.  More specifically, if we can access local files on the web app host system, we can access the password for the next level.  In fact, we know where the passwords are on the local system because we are given this information on the overthewire.org Natas homepage.

https://overthewire.org/wargames/natas/


So from the Natas9 webpage, we will input the following string to gain access to the Natas10 password.

; cat /etc/natas_webpass/natas10 #


Summary

The Natas9 web app included a Local File Inclusion vulnerability which allowed us to gain access to the next level's password by sending the web app a malformed string.

Finish









Comments

Post a Comment

Popular posts from this blog

TryHackMe - Windows PrivEsc - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Windows PrivEsc room hosted at https://tryhackme.com/room/w indows10privesc . For this walkthrough, we'll be using two virtual machines (VMs), a Kali Linux VM as our attacking machine, and the deployed Windows 10 client as the the victim machine. Task 1 - Deploy the Vulnerable Windows VM Press the green button here: The Windows machine should come online after a minute or two. The IP address of the machine can be found here: Of course, the actual IP address will probably be a different one from the one in the screenshot.  For the examples, however, we will use the IP address of 10.10.227.113 RDP should be available on port 3389 (it may take a few minutes for the service to start). You can login to the "user" account using the password "password321": xfreerdp /u:user /p:password321 /cert:ignore /v:10.10.227.113 Questions: Deploy the Windows VM and login using the "user" ...
Read more

TryHackMe - Reversing Elf - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Reversing ELF room hosted at https://tryhackme.com/room/ reverselfiles . For this walkthrough, we'll be using one virtual machine (VMs), a Kali Linux VM as our attacking machine. Task 1 - Crackme1 Questions What is the flag? Download the Task 1 Task File Copy it to your working directory Give the file executable permissions Run the file chmod +x crackme1 ./crackme1 Task 2 - Crackme2 Questions What is the super secret password ? Give the file executable permissions Run Ltrace on the file with a test string chmod +x crackme2 ltrace ./crackme2 test ./crackme2 passwordFoundInPreviousStep Task 3 - Crackme3 Questions What is the flag? Give the file executable permissions Run strings on the file Echo the base64 string you found, pipe it into Base64 decode chmod +x crackme3 strings crackme3 echo “ base64stringFoundInPreviousStep ” | base64 -d Task 4 - Crackme4 Questions What is the password ? Give the file execu...
Read more

TryHackMe - Web Enumeration - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Web Enumeration room hosted at https://tryhackme.com/room/ webenumerationv2 . For this walkthrough, we'll be using two virtual machines (VMs), the TryHackMe AttackBox VM as our attacking machine, and the deployed vulnerable Web clients as the the victim machines. Task 1 - Introduction Questions: Let's get started No answer needed Task 2 - Manual Enumeration Questions I gotcha! No answer needed Task 3 - 1. introduction to Gobuster Questions No questions No answer needed Task 4 - 1.1 Gobuster Modes Questions I get the hang of it! No answer needed Task 5 - 1.2 Useful Wordlists Questions No questions No answer needed Task 6 - 1.3 Practical: Gobuster (Deploy #1) Questions Run a directory scan on the host. Other than the standard css, images and js directories, what other directories are available? echo “10.10.164.99 webenum.thm” >> /etc/hosts gobuster dir -t 16 -u http://webenum.thm -w /usr/sha...
Read more