Natas Writeup: 6 - 10

This is the second part of the Natas series. Let's start.

Natas 5 - Natas 6

At first, the site says access is disallowed for us. Let's check the cookies. There is a cookie called logged in whose value is set to 0. Let's try changing that to 1. Voila, there is the password.

Password: aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

Natas 6 - Natas 7

The site has a textbox that says input secret on it. The code takes the secret variable and compares our input to it. When we check the source code, we can see a PHP include of a file called "includes/secret.inc". Let's open that. There we can see the secret variable in all its glory. Enter it into the textbox and there is the password.

Password: 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

Natas 7 - Natas 8

Here only two pages are visible: the home and about pages. If you look closely, you can see that the page id identifies which page to show. In the previous level, we learned that the passwords for the Natas levels are in /etc/natas_webpass/natas{level number}. So we try entering /etc/natas_webpass/natas8 in the page variable and we get the password.

Password: DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe

Natas 8 - Natas 9

When we check the source code, we see that the secret is encoded and compared to our input. To pass the check, we must decode the encoded secret. This is the encoding function:

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

So I wrote some PHP code to reverse the full function.

<?php
// Undo encodeSecret() by applying the inverse steps in reverse order:
// hex -> raw bytes, reverse the string, then base64-decode.
function decodeSecret($secret) {
    return base64_decode(strrev(hex2bin($secret)));
}

echo decodeSecret("3d3d516343746d4d6d6c315669563362");
?>

The secret we get is oubWYf2kBq. We enter that secret and we get the password.

Password: W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl

Natas 9 - Natas 10

This page finds the words starting with a particular string. If we view the source code, we can see that it uses PHP's system command to execute grep on the dictionary.txt file. We can use command injection here to cat the password file, /etc/natas_webpass/natas10.
Because our input becomes part of the command line, we can supply our own command instead of the word. We could supply ";cat /etc/natas_webpass/natas10 #", where ";" starts a new command, "cat" prints the file, and "#" comments out the rest of the command.

Password: nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu
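
The Natas 9 pattern described above next to two ways of closing it, as an added example that is not the level's source or the author's code. The function names, the exact grep command line and the sample dictionary are assumptions made for illustration, and a POSIX shell is assumed.

```php
<?php
// Added example, not the level's source. Assumed names: searchVulnerable,
// searchEscaped, searchNoShell; the grep command line is a reconstruction.

// Vulnerable shape: the word is pasted into a shell command line, so shell
// metacharacters in $key (';', '#', ...) change what the shell executes.
// Shown for comparison only; it is never called below.
function searchVulnerable(string $key): void {
    system("grep $key dictionary.txt");
}

// Fix 1: keep grep, but pass the word as one quoted argument.
// escapeshellarg() single-quotes it for the shell, "-e" marks it as the
// pattern even if it begins with "-", and "--" ends option parsing.
function searchEscaped(string $key, string $dict): string {
    $cmd = 'grep -e ' . escapeshellarg($key) . ' -- ' . escapeshellarg($dict);
    return (string) shell_exec($cmd);   // "no output" is normalised to ""
}

// Fix 2: no shell at all, so the word is only ever treated as data.
function searchNoShell(string $key, string $dict): array {
    $hits = [];
    foreach (file($dict, FILE_IGNORE_NEW_LINES) as $line) {
        if ($key !== '' && strpos($line, $key) !== false) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample dictionary so the script runs offline.
$dict = tempnam(sys_get_temp_dir(), 'dict');
file_put_contents($dict, "apple\napplication\nbanana\n");
$input = ';cat /etc/natas_webpass/natas10 #';   // the input quoted in the writeup

echo searchEscaped('app', $dict);        // ordinary search still works
var_dump(searchEscaped($input, $dict));  // input is only a search pattern here
print_r(searchNoShell('app', $dict));    // same search without a shell
print_r(searchNoShell($input, $dict));   // input is compared as plain text
unlink($dict);
```

Fix 2 is the stronger choice where it is practical, since it removes the shell from the request path instead of relying on correct quoting.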
