Natas Web CTF
I will share my knowledge and how to think not just solve CTF you can find the challenges at this link: https://overthewire.org/wargames/natas/
When you start it will give you an overview about the CTF and first credentials
We need to understand website technology we can do it with wappalyzer plugin or whatweb command
But not show which programming languages to discover it we can add index.html to the url then replace it with index.php or index.asp to detect programming language
we can identify os from ttl in Linux 64 and in windows 128 and ios 255
for more info check this:
https://www.howtogeek.com/104337/hacker-geek-os-fingerprinting-with-ttl-and-tcp-window-sizes/
or we can use p0f tool or nmap with -o parameter
but firewall can detect the scan and edit in ttl or block attacker ip
there many ways to bypass it :
- Fragmentation :
just split packet to smaller packets Notice that instead of using -f , we can use — mtu to specify a custom offset size. It is important to know that the offset must be a multiple of
eight.
2. Decoys :
spoof many ip’s and scan with it and WAF can’t know which of them the real ip to block it but we can’t use os detection with this option
3. Timing :
To perform a timing scan with Nmap from T0 to T5
4. Source ports:
there is common misconfiguration in firewall that trust traffic coming from specific ports, such as 53 (DNS replies) or 20 (active FTP).
We can then simply change our source port
5. data-length :
firewall know nmap packet data-length
is 40 ,so we can change it to any value
for more info :
https://nmap.org/book/man-bypass-firewalls-ids.html
Most time Apache server work with php
First thing i notify it use HTTP basic authentication
We can use this module from Metasploit to brute force it :
auxiliary/scanner/http/http_login
Here a Multiple Ways To Exploiting HTTP Authentication:
But there is many ways to stop brute force :
- rate limit
We can bypass it with:
A. change user agent or ip we can use IP-Rotate Burp extension
B. add this (%00, %0d%0a, %09, %0C, %20, %0) at the end of email
C. use this headers:
X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
2. captcha is a test which used to ensure the response is not generated automatically but we can bypass it
A. Submit the form without CAPTCHA
B. Try adding some String of the same length
C. Do not refresh CAPTCHA image and guess the same CAPTCHA forever
D. Enter CAPTCHA once,use it forever
3. cloudflare the request will send to it before the real server to prevent any thing malicious but we can but we can get the real ip of the server using Crimeflar or Censys and send the request directly to it
4. WAF like modsecurity we can discover which waf used with wafwoof tool and search how to bypass it or use nmap nse script example:
namp — script=http-waf-fingerprint 192.168.1.1 -p 80
5. Account lockout prevent access for a few minutes using sleep() function but the disadvantages prevent real user not hacker only
6. Generate anti CSRF token and check them for every request but we can bypass it with burp macros to get CSRF token you can find more info here :
https://portswigger.net/support/using-burp-suites-session-handling-rules-with-anti-csrf-tokens
This is bad way to protect important pages because it use base64 and we can decode it .
And if attacker in internal network he can make mitm attack and sniffing and he can see our credentials by using ssl stripe to downgrade website from https to http , they solve this problem with adding HSTS header
but attacker can bypass this header using ssl stripe v2 it edit in doamin name to bypass HSTS header you can search about it .
We start with Level 1 :
Sometime developer while they building production they add credentials in comments to share it with each other and forget to remove it after they finish build the production , so if we check page source code (Ctrl+u) we will find the credentials
Let’s check Level 2 :
I check the source code but no thing interesting
Then i am checked js files sometimes it has tokens or hardcoded credentials but no thing interesting
Then i check the image sometimes it have something secret on it but no thing interesting
But when i open image path i found some thing interesting the path of image i discover directory called files
lets check it
users file has the credentials
we can check for website directory with dirb if we not notify files directory
we can check txt file of target website with google dork :
site:exmaple.com filetype:txt
level 3 :
let’s check source code we will find something interesting about google
google use robots.txt to know which path allow to crawl to make indexing for ranking the website if the user try to search about something to show this website you can search about robots.txt in google for more info and to prevent google make index you can use :
<meta name=”robots” content=“noindex,nofollow”>
to prevent google caching the website add this headers :
Cache-control: no-store
Pragma: no-cache
lets check s3cr3t path and we will find the credentials
level 4 :
It check for referer header for authorization , we can change it with burp
sometimes from the request come from localhost (127.0.0.1) with
X-Custom-IP-Authorization: 127.0.0.1
Host: 127.0.0.1
Referer: 127.0.0.1
It will show secret data and sometimes we use HTTP Request Smugglerwith burp you can find it here : https://portswigger.net/bappstore/aaaa60ef945341e8a450217a54a11646
or python tool called Smuggler you can find it here : https://github.com/defparam/smuggler
it use get and post in same request and to prevent http smuggling there is 2 ways :
- use http v2
- make the server don’t accept resume the request
It work
Level 5 :
if we check cookie with burp
we will find it depend on login parameter ,we can change it from 0 to 1 and it work
let’s talk about cookie and session security :
- HTTP_ONLY : to access cookie from http protocol this to prevent stealing cookie with xss
- Secure Flag : to send it in https only
- life time : it will expire after this time
- Domain : to access it from specific domain or subdoamin
- timeToLive: to update it after every time
- sessionusecookies=1 : to store session on cookie (developer can store session in url or hidden input but this dangreous)
- Cipher_algo= MCRYPT_BLOWFISH : it will encrypt session file content in the server with algorithm MCRYPT_BLOWFISH i think this algorithm is very good
- session_use_stric_mode=1 : to prevent session fixation
You can learn more here :
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
level 6:
First thing come to my mind try sql injection , i am try it Manual ,but no successful , so i am searched about sql injection query to bypass authentication
then i used burp intuder and i am check for the length ,but not worked
then i am try to analyze source code and i find it include another file
then i am check for this file includes another file called secret.inc let’s check it
and it work
developer must remove tokens and credentials or any thing secret from files
Level 7:
Let’s check source code
we notify page parameter let’s change value from home to hint path
Level 8 :
let’s check source code
first it encode the input with base64 then reverse it then make it as hex
let’s reverse this operation
it work
Level 9 :
After check source code i notify no filter for input
we can try code injection with this characters [| , ; , & ] it can perform more than 1 command in same time or use commix tool to automate all this and it can detect blind code injection you can find it here :
https://github.com/commixproject/commix
let’s check for password path
To prevent code execution use escapeshellarg() or escapeshellcmd()
you can use whitelist but this can lead to false positive
Level 10 :
After we check for source code we can see [| , ; , & ] in black list
But we can use grep command we can perform search in more than 1 file
we use “u” as a part of password
Level 11:
Let’s check source code
LoadData function decode the cookie as base64 then make xor encryption then make json decode
in saveData function it encode the data as json then xor encyption then base64 encode
First we need to know: plaintext xor ciphertext = key
let’s use xor_encrypt() from source code to get the key “plaintext xor ciphertext = key” but Default data needs to be json encoded as the key
now we have the key let’s use it
we change cookie data with burp
Level 12:
There is many techniques to bypass file upload filter , sometimes filter work client side we can bypass it with burp edit image extension to php or check for image size or image magic byte ,so the best way to make filter on server side
Some web servers like apache accept files with double extensions, so we can make file like this shell.php.jpg
or use null byte shell.php%00.jpg it work only in old version of php it will read file tell shellp.php and ignore the other part
After check the source code we see it rename the image with random value then add jpg extension
we can add malicious code to a file jpg
then change the extension to php from console
Level 13 :
Is the same idea but use file function to check if it image or not we can bypass it with magic byte with exiftool
here 15 way to bypass file upload :
“https://www.slideshare.net/HackIT-ukraine/15-technique-to-exploit-file-upload-pages-ebrahim-hegazy”
To prevent file upload vulnerability we need to do like challenge but add
- make permission read only to uploaded file, so if attacker know the file path he can only read the file and can not execute it
- make antivirus in the server and scan the uploaded file with it ex: clamscan or get virustotal API to scan image and get the result
- check the integrity by make md5 for file upload name and content in client side and server side if the value not identical
- The file name it should to be changed to some thing random and can not guessed
level 14:
It a basic sql injection we need to complete the query to become true
Level 15:
when i try a it give me invalid user but when i am try (“or”1”=”1) it give me valid user ,so it boolean base
we can use sqlmap to automate all of this and not just bypass authentication we can System Takeover using SQLi with webshell to get RCE using :
“INTO OUTFILE” to write the shell on the server but this only work if you have permission to write and sqlmal can help us to do this
SQLmap features for system takeover:
— os-cmd
— os-shell
— os-pwn
— os-bof
— priv-esc
— msd-path=MSFPATH
sqlmap will search about writable path to write simple file upload (asp,php depen on what language in server) to upload shells then it use msf to
create shell then upload this shell to the server then make multi handler to get connection with the shell
to prevent sql injection there is 3 ways :
- Sanitize input then concat into query
- Parameterized query
- stored procedure
And this is the best way
Level 16:
After check source code it’s code injection it use filter like others Level but put ($) in blacklist ,so we can use it
African$(grep a /etc/natas_webpass/natas17)
if output empty this mean this char part of key and if show African this mean this char not from the key
Level 17:
it’s a blind sql injection time base
we can use benchmark() if sleep() in black list
Level 18:
After check the source code it depend on cookie number we can brute force it with burp intruder
Level 19:
It took a long time from but i can’t solve it and no source code to understand what happen ,so i am checked this writeup :
He is played around PHPSESSID he discovered (2d) not changed and other hex changed , so he brute force every thing before 2d
to discover which one belong to admin
Level 21 :
After check source code it check for admin value if it 1 and use Request method and apply filter on post() ,so we can
change admin value to 1 then change request from post to get with burp
to prevent this don’t use Request method because it accept GET and POST ,so attacker can bypass your filter by change request
method
if this a rest password page we can try HTTP Parameter Pollution (HPP) Attack by adding another parameter with the same name and check the server accept which one some times accept the 2 parameter and some times accept just the second parameter and if this parameter for email we can make account takeover with this for more info you can check this :
and here many ways to make account takeover :
https://medium.com/@bathinivijaysimhareddy/tale-of-account-takeovers-part-2-9abf62de4ca3
Level 22 :
It’s simple after check source code it check for revelio if exist or not
attacker can use tools like JSParser from nahamsec to check code and discover hidden endpoints you can find it here :
https://github.com/nahamsec/JSParser
so keep your endpoints hidden as you can because attacker can discover new bugs from it
Level 23 :
It’s so easy just check if string iloveyou and lenght greater then 10 ,so we can use 123iloveyou it will translate it as string
Level 24 :
After check source code it use strcmp() This is the continuation of PHP vulnerabilities you can check this link for more info :
we can send passwd link as an array and it will bypass the validation like this :
http://natas24.natas.labs.overthewire.org/?passwd[]=passwd
Level 25:
it’s vulnarble to local file Disclu ….//….//….//….//etc/hosts
you can try this payloads from paylload all thing with burp intruder
to prevent this vulnarbilty we can use scandir() then check if page included in this array or not :
$page=scandir(‘config’); //return 0=>. 1=>.. 3=>test
unset($page[0],$page[1]);
if(isset($_GET[‘page’])&& in_array($_GET[‘page’].$page)){
include(‘config’.$_GET[‘page’]);
}
another way:
$allowed= array(‘test.inc’, ‘page2.php’)
if(isset($_GET[‘page’])&& in_array($_GET[‘page’].$allowed)){
include(‘config’.$_GET[‘page’]);
}
we can use .htaccess file to prevent attacker see sensitve files it will show him Access Forbidden
some developers make
include (‘config’.$_GET[‘page’],’.php’)
if the attacker want file like /etc/passwd it will add .php at the end like /etc/passwd.php so this will not work becouse no file has this name
but hacker bypass it with null %00 .php added after null so not work ex: /etc/passwd%00.php it will be /etc/passwd but null stope after php5.4