OverTheWire – Natas Walkthrough (0-11)

Today, we will play a war-game called Natas. It has a collection of 34 levels. OverTheWire Organization hosts this war-game. Absolute Beginners are the target audience. It teaches the basics of serverside web-security in a fun and challenging way. To play this war-game, go to the Natas website by clicking here.

Objective

Find the password to login on to the next level.

Table of Content:

  • Introduction
  • Level 0
  • Level 0 → Level 1
  • Level 1 → Level 2
  • Level 2 → Level 3
  • Level 3 → Level 4
  • Level 4 → Level 5
  • Level 5 → Level 6
  • Level 6 → Level 7
  • Level 7 → Level 8
  • Level 8 → Level 9
  • Level 9 → Level 10

Introduction

Natas have levels designed in such a way that each level has a different website. To reach each website we will enter the URL in this format.

natasX.natas.labs.overthewire.org, where X is the Level Number.

To access a level, we will use the username for that level (e.g. natas0 for level 0) and its password. The password for the next level is hidden on the current level. We will have to enumerate the password for the next level that is hidden in the current level. All the passwords are stored at /etc/natas_webpass/.

Level 0

This is a pretty simple level. We have the login credentials given on the Natas Introduction Page. Just browse the URL and enter the login credentials.

Username: natas0

Password:  natas0

Level 0 → Level 1

On successfully logging in the natas0 webpage, we will have a message in front of us. It says “You can find the password for the next level on this page” as shown in the figure given below.

Now as per convention, let’s try to find something inside the source code. To view source code, we will right click on the webpage and select ‘View Page Source’. And there we have the password commented in the source code.

Level 1 → Level 2

We use the credentials we extracted from the previous level to login into Level 1.

Username: natas1

Password:  gtVrDuiDfck831PqWsLEZy5gyDz1clto

On successfully logging in the natas1 webpage, we will have a message in front of us. It says “You can find the password for the next level on this page, but rightclicking has been blocked!” as shown in the figure given below.

Now as right-clicking is disabled to view source code, we will have to find another way to retrieve the password form the source code. As we were using Mozilla Firefox and to open source code, we use ‘Ctrl + U’ shortcut. And there we have the password commented in the source code.

Level 2 → Level 3

We use the credentials we extracted from the previous level to login into Level 2.

Username: natas2

Password:  ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi

On successfully logging in the natas2 webpage, we will have a message in front of us. It says “There is nothing on this page” as shown in the figure given below.

So, we check the Source Code of the page, here we find that we have an image file named pixel.png located in the files directory.

We opened the files directory as shown in the image given below. In this directory, we find the user.txt file.

On opening it we find the passwords for the various users present on the target machine. But we need the password for the natas3.

Level 3 → Level 4

We use the credentials we extracted from the previous level to login into Level 3.

Username: natas3

Password:  sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14

On successfully logging in the natas3 webpage, we will have a message in front of us. It says “There is nothing on this page” as shown in the figure given below.

So, we check the Source Code of the page, here we find a commented hint. It says “Not even Google will find it this time”. Search Engine spiders always leave the links that are disallowed the robots.txt file. So, we thought to check if this website has one.

We opened the robots.txt as shown in the image given below. In this file, we find that the /s3cr3t/ directory is disallowed. So, let’s open and see for ourselves what’s inside the s3cr3t directory.

In this directory, we find the user.txt file.

On opening it we find the login credentials of the user natas4.

Level 4 → Level 5

We use the credentials we extracted from the previous level to login into Level 4.

Username: natas4

Password: Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

On successfully logging in the natas4 webpage, we will have a message in front of us. It says “Access disallowed. You are visiting from “” while authorized users should come only from “//natas5.natas.labs.overthewire.org/” ”as shown in the figure given below.

We capture the request in Burp Suite, here we see that there is a parameter named Referer. It says natas4.

We change that Referer parameter value to Natas5 as shown in the image given below.

After Forwarding the Request, we get the credentials of the user natas5.

Level 5 → Level 6

We use the credentials we extracted from the previous level to login into Level 5.

Username: natas5

Password:  iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

On successfully logging in the natas5 webpage, we will have a message in front of us. It says “Access disallowed. You are not logged in” as shown in the figure given below.

We capture the request in Burp Suite, here we see that there is a parameter named loggedin. It is set to 0.

We change that loggedin parameter value to 1 as shown in the image given below.

After Forwarding the Request, we get the credentials of the user natas6.

Level 6 → Level 7

We use the credentials we extracted from the previous level to login into Level 6.

Username: natas6

Password: aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

On successfully logging in the natas6 webpage, we will have a form in front of us. It says “Input secret:” as shown in the figure given below.

We went ahead and look for some clues for that secret that we will have to enter in order to get the credentials for the next level. Here we see that a file is included called ‘secret.inc’.

So, in order to grab the secret, we will browser the included file manually. So, as we can see in the given image, we can see that we add the /include/secret.inc in the URL. This gave us a blank page in response. So, we browsed the source code to find the secret commented on the webpage.

Now we copied the secret and went back to the form which was asking the secret. After entering the secret, we get the login credentials for the next level.

Level 7 → Level 8

We use the credentials we extracted from the previous level to login into Level 7.

Username: natas7

Password:  7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

On successfully logging in the natas7 webpage, we are given two links, Home and About as shown in the figure given below.

So, we check the Source Code of the page. Here, we can see the links “index.php?page=” in the given image. We have also hinted the location of the password, that is., /etc/natas_webpass/natas8.

As we can see in the given image, the link is shown in the address bar of our browser after clicking the Home link.

So, we modify the link to read the password stored in the natas_webpass.

//natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8

And we have the password for the next level. This is called command injection.

Level 8 → Level 9

We use the credentials we extracted from the previous level to login into Level 8.

Username: natas8

Password:  DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe

On successfully logging in the natas8 webpage, we will have a form in front of us. It says “Input secret:” as shown in the figure given below.

We opened the source code and found that the secret is encoded. Also, we have a function which encodes the secret.

Hence to decode the secrete we just create a function that can decode the secret. This can be done as shown in the given image.

As we now have the decoded secret, we can use it extract the credentials from the webpage of natas8 as shown in the given image.

Level 9 → Level 10

We use the credentials we extracted from the previous level to login into Level 9.

Username: natas9

Password:  W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl

On successfully logging in the natas9 webpage, we will have a form in front of us. It says “Find words containing” as shown in the figure given below.

We opened the source code and found that when we enter a keyword, it is passed via a function called passthru(). It takes the value in $key and executes it directly.

So, we will use (;) to execute multiple commands. We will try to read the password at the next level.

As we can see that the password is printed on the screen as shown in the given image.

Level 10 → Level 11

We use the credentials we extracted from the previous level to login into Level 10.

Username: natas10

Password:  nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

On successfully logging in the natas10 webpage, we will have a form in front of us. It says “For security reasons, we now filter on certain characters Find words containing” as shown in the figure given below.

We opened the source code and found that when we enter a keyword, it is passed via a function called passthru(). It takes the value in $key and it filters the input of the characters (/;|&) as shown in the given image.

So, we will use (.*) to execute multiple commands. We will try to read the password at the next level.

As we can see that the password is printed on the screen as shown in the given image.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

Hack the Box Curling: Walkthrough

Today we are going to solve another CTF challenge “Curling”. It is a retired vulnerable lab presented by Hack the Box for helping pentesters to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore they have a static IP. The IP of Curling is 10.10.10.150

Penetrating Methodology

  • Network scanning (Nmap)
  • Surfing the IP address on the browser
  • Finding Secret View Page Source
  • Decoding Secret
  • Enumerating Joomla!
  • Creating Payload using msfvenom
  • Getting Meterpreter Session
  • Enumerate and Extract password files
  • Getting SSH Session
  • Grab User Flag
  • Enumerate for Root Flag
  • Getting the root flag

Walkthrough

Let’s start off with our basic Nmap command to find out the open ports and services.

The Nmap scan shows 2 open ports: 22(SSH), 80(HTTP)

As port 80 is running HTTP service, we open the IP address in the web browser.

Here, we found two usernames Floris & Super User. They might come in handy later on. Let’s view the Page source of the webpage.

Let’s open the secret.txt in the browser.  It displayed a base64 encoded string.

Time to decode this base64 encoded string. So, on decoding it we got Curling2018! This can be used as a credential.

Due to previous experience with Joomla! We already knew about its administrator login page. Not wasting our time we directly opened /administrator directory in the browser along with the credentials.

Username- Floris

Password- Curling2018!

We have successfully logged in.

We have created a PHP shell payload using msfvenom.

On the other hand, we have setup listening using Metasploit-framework.

Let’s try to upload php reverse shell script which we have created using msfvenom. Let’s first navigate to /template/protostar/ on the webpage.

Finally, we have got the meterpreter.

We got the reverse shell, but it is not a proper shell. We will spawn a tty shell using python.

After enumerating through directories, we found a useful file password_backup. Let’s check its contents. The contents of this file look like hexdump.

Let’s use an xxd tool which is used to create hex dump of the given file or standard input. On decompressing the file we saw the author of the machine has recursively compressed the password_backup file. We need to recursively decompress it.

The content found in password.txt might be the password to login into SSH. Let’s find out if our intuition is true or not.

We have successfully logged into SSH using the password found in password.txt.

On exploring, we found User.txt and read its contents.

On further enumerating, we found two files input & report in the admin-area folder. Let’s read the contents of both the files.

After sometime of thinking, we thought of changing the content of the input file using echo.

It took us time to think about it. We did this because we knew our final flag is inside /root/root/txt. And also came to know the output of the input file will be saved in the report file.

Now after some time when we opened the report file. We found our Final Flag and read its contents.

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing Years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here

Hack the Box Frolic: Walkthrough

Today we are going to solve another CTF challenge “Frolic”. It is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Expert

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore they have a static IP. The IP of Frolic is 10.10.10.111

Penetrating Methodology

  • Network scanning (Nmap)
  • Surfing HTTPS service port (9999)
  • Enumerating directory using dirb
  • Enumerating web application
  • Finding Playsms management system
  • Exploiting playsms and getting a reverse shell
  • Getting user flag
  • Finding SUID bit files
  • Finding a vulnerability in the binary
  • Exploiting binary and getting a root shell
  • Getting the root flag

Walkthrough

Let’s start off with our basic Nmap command to find out the open ports and services.

The Nmap scan shows us that there are 4 ports are open: 22(SSH), 139(SMB), 445(SMB), 9999(HTTP)

As port 9999 is running HTTP service, we open the IP address in the web browser.

We don’t find anything on the web page, so we further enumerate the web service using dirb scan.

Dirb scan gave us a few interesting looking links, we open a link called /admin/ and find a login page.

We take a look at the source code and find a link called “login.js”.  

We open the “login.js” and find username and password hardcoded in the JavaScript.

We use the username and password we found earlier to login. After logging in we find “look” encoded string.

We decode the string and a link inside.

We open the link and find a page with base64 encoded string.

We copy the base64 encoded string and save it in our system and then convert it and save it in a file. We check the file type and find it is a zip file. We try to extract it and find it is password protected. We use fcrackzip to bruteforce the zip file and find the password to be “password”. We extract the files from the zip file and find a file called index.php. We take a look at the content of the file and find hex encoded string.

We decoded the string using burpsuite and find a base64 encoded string. We decode the base64 encoded string and find a brainfuck encoded string.

We decoded the brainfuck encoded string and find a string called “idkwhatispass”.

We open /playsms directory and find playsms CMS login page.

We try username “admin” and password “idkwhatispass” to login and are successfully able to login. So we use Metasploit to get a reverse shell using these credentials.

After getting a reverse shell, we spawn a TTY shell and start enumerating the system. Inside /home/aysush directory we find a file called “user.txt”. We open the file and find the first flag. Then we start looking for files with SUID bit set and find a file called “rop” inside “/home/ayush/.binary” directory.

The target machine doesn’t have “gdb”, so we download the “rop” file in our system and start looking for vulnerabilities. We create a 150 bytes long pattern with pattern_create.rb file in our system and then open the file with “gdb” and supply the pattern as an argument to our file. As soon as we run the application we get a segmentation fault. Now as we can overwrite instruction pointer that means the application is vulnerable to buffer overflow.

We copy the value of EIP and use “pattern_offset.rb” script to find the EIP offset.

As it is difficult for us to make a jump to stack because we cannot get the address of the stack we want to jump. So we use ret2libc to exploit the vulnerability and get a shell. Now in our system, we first find the address of “system” function and a return address. Now we find the address of “/bin/sh” to execute using “system” function.

We write an exploit and check if we can exploit the application to spawn a shell.

We run the exploit in our system and are successfully able to spawn a shell.

Now we cannot directly run this exploit on the target system, as we don’t have the addresses of the libc functions of the target system. We are going to change the addresses of the exploit according to the target machine. First, get the address of libc used by the binary. As we don’t have gdb in the target system, so we use readelf, strings and grep to find “system”, “exit” and “/bin/sh” for our exploit.

We have to add the value of “system”, “exit” and “/bin/sh” to the address of libc to get the address of “system”, “exit” and “/bin/sh”.Now we make the following changes to the exploit. You can download the exploit from here.

We transfer the exploit to the target machine and run the exploit. As soon as we run the exploit we are able to spawn a shell as the root user.

After getting a reverse shell, we switch to /root directory and get a file called “root.txt”. We take a look at the content of the file and get the final flag.

Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiastContact Here

Hack the Box Carrier: Walkthrough

Today we are going to solve another CTF challenge “Carrier”. It is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Expert

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore they have a static IP. The IP of Carrier is 10.10.10.105

Penetrating Methodology

  • Network scanning (Nmap)
  • Enumerating SNMP service port (161)
  • Surfing HTTPS service port (80)
  • Logging in through the Web portal
  • Finding command injection in web application
  • Getting reverse shell
  • Finding the first flag.
  • Finding Border Gateway Protocol
  • Border Gateway Protocol (BGP) Hijacking
  • Capturing FTP credentials
  • Logging in through SSH
  • Finding final flag

Walkthrough

Let’s start off with our basic Nmap command to find out the open ports and services.

The Nmap scan shows us that there are 3 TCP ports are open: 21(FTP), 22(SSH), 80(HTTP) and 1 UDP port is open: 161(SNMP)

As port 161 is open we use snmpwalk to enumerate SNMP port and find a string called “SN#NET_45JDX23”.

As port 80 is open, we open the web services in the browser and we find a login page.

We try username “admin” and the string we find earlier as the password. But were unable to login but by using the password “NET_45JDX23”, we were able to login.

By checking the different options in the web application, in the diagnostic tab, we find something interesting. When we click on the “Verify status” button, we find that the server might be running “ps” command.

So further enumerate the web application, we use BurpSuite to capture the request and find inside the “check” parameter a base64 encoded string. When we decode the base64 encoded string we find the string to be called “quagga”. Now if check the web application, it is showing all the process that contains the string “quagga”. So that means the web application is running “ps” with “grep quagga” command.

Now to verify our theory, we change the check parameter to “root” and then encode it to base64 and then encode it to URL encode.

When we send the new request we find that the web application is displaying all the process that contains the string “root”.

Now we check if the web application is vulnerable to command injection or not. We try to run id command on the server.

By changing the parameter to “hack;id” and then encoding it with base64 encode and URL encode we forward the request to the server.

When we check the web application, we find that we are successfully able to run the “id” command that means the web application is vulnerable to command injection.

Now we replace the id command with nc reverse shell one-liner.

We encode the string with base64 encode and URL encode. We setup our listener and then forward the request.

As soon as we forward the request we get a reverse shell, we spawn a TTY shell and check for files in the current directory. Inside we find a file called “user.txt”, we open the file and find the first flag.

After getting a root shell we enumerated the machine, we do not find anything interesting. Going back to the tickets section on the web page, we find a hint that we need to check another subnet.

We use the ping command to find all the available machines on the subnet “10.120.15.0/24”.

Now we according to the ticket we know there is ftp server running on subnet “10.120.15.0/24”. So we scan both the IP addresses and find port 21 is open on 10.120.15.10. Further enumerating the system in cronjob we find that there is a bash script inside /opt/ directory called “restore.sh”. We take a look at the content of the file and find that the machine is working with Border Gateway Protocol (BGP) with Quagga. Now we can use a technique called BGP hijacking to take over the IP address. The bash script restores the BGP configuration every 10 minutes, so we remove executable permissions from the script so that we can make changes to the configuration of BGP

Now we connect to the vty shell and check the current configuration.

Now switch to configure mode, and to intercept the traffic we want 10.120.15.0/25 to use our machine as the gateway.

If we check our BGP routes we find that our machines will be used as a gateway.

Now we will start collecting packets on port 21 using tcpdump, we will be using the interface eth2.

We wait for some time then interrupt the capture and check if the pcap file has been created. Now we transfer the file to our system and analyze it with Wireshark and find the password for FTP.

Password: BGPtelc0routing

We use this password to login through SSH on the target system and are successfully able to login. After logging in, we find a file called root.txt, we take a look at the content of the file and find the final flag.

Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiastContact Here