[Writeup] [OverTheWire] [Natas] Level 0 → Level 5

Standard

Lời nói đầu

  • Các level đầu khá đơn giản nên mình sẽ đặt chung vào một bài viết.
  • Độ khó của bạn Natas này là basic (giống như bạn ấy tự giới thiệu). Nhưng với mình thì chẳng hề… khó chút nào emo_popo_beat_brick j/k
  • Mình hiện đang song song hoạt động ở blog này và http://forum.botbie.com/forum.php (mới mở). Sau này nếu bên đó ổn định thì cũng khó nói, nên tốt nhất các bạn cứ follow cả hai trang :”>
Natas

Natas teaches the basics of serverside web-security.

Each level of natas consists of its own website located at http://natasX.natas.labs.overthewire.org, where X is the level number. There is no SSH login. To access a level, enter the username for that level (e.g. natas0 for level 0) and its password.

Each level has access to the password of the next level. Your job is to somehow obtain that next password and level up. All passwords are also stored in /etc/natas_webpass/. E.g. the password for natas5 is stored in the file /etc/natas_webpass/natas5 and only readable by natas4 and natas5.

Start here:
Username: natas0
Password: natas0
URL: http://natas0.natas.labs.overthewire.org

Level 0

You can find the password for the next level on this page.

Xem source:

<html>
<head>
	<!-- This stuff in the header has nothing to do with the level -->
	<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
	<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
	<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
	<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
	<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
	<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
	<script>var wechallinfo = { "level": "natas0", "pass": "natas0" };</script></head>
	<body>
		<h1>natas0</h1>
		<div id="content">
			You can find the password for the next level on this page.

			<!--The password for natas1 is gtVrDuiDfck831PqWsLEZy5gyDz1clto -->
		</div>
	</body>
	</html>

natas1:gtVrDuiDfck831PqWsLEZy5gyDz1clto (dễ hem emo_popo_angry)

Level 1

You can find the password for the next level on this page, but rightclicking has been blocked!

Dùng phím tắt để xem source (vd Ctrl+U trên Firefox):

<html>
<head>
	<!-- This stuff in the header has nothing to do with the level -->
	<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
	<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
	<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
	<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
	<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
	<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
	<script>var wechallinfo = { "level": "natas1", "pass": "gtVrDuiDfck831PqWsLEZy5gyDz1clto" };</script></head>
	<body oncontextmenu="javascript:alert('right clicking has been blocked!');return false;">
		<h1>natas1</h1>
		<div id="content">
			You can find the password for the
			next level on this page, but rightclicking has been blocked!

			<!--The password for natas2 is ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi -->
		</div>
	</body></html>

→  natas2:ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi

Level 2

There is nothing on this page

Xem source:

<html>
<head>
	<!-- This stuff in the header has nothing to do with the level -->
	<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
	<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
	<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
	<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
	<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
	<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
	<script>var wechallinfo = { "level": "natas2", "pass": "ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi" };</script></head>
	<body>
		<h1>natas2</h1>
		<div id="content">
			There is nothing on this page
			<img src="files/pixel.png">
		</div>
	</body></html>

Để ý thấy 1 thẻ <img> rất vô duyên:

<img src="files/pixel.png">

Truy cập:

Index of /files
[ICO] Name Last modified Size Description
[DIR] Parent Directory - 
[IMG] pixel.png 06-Jun-2013 13:57 303 
[TXT] users.txt 12-Jul-2013 13:35 145 
Apache/2.2.22 (Ubuntu) Server at natas2.natas.labs.overthewire.org Port 80

Mở file users.txt:

# username:password
alice:BYNdCesZqW
bob:jw2ueICLvT
charlie:G5vCxkVV3m
natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
eve:zo4mJWyNj2
mallory:9urtcpzBmH

natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14

Level 3

There is nothing on this page

Xem source:

<html>
<head>
	<!-- This stuff in the header has nothing to do with the level -->
	<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
	<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
	<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
	<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
	<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
	<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
	<script>var wechallinfo = { "level": "natas3", "pass": "sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14" };</script></head>
	<body>
		<h1>natas3</h1>
		<div id="content">
			There is nothing on this page
			<!-- No more information leaks!! Not even Google will find it this time... -->
		</div>
	</body></html>

Dòng nói đến Google là một gợi ý về file robots.txt. Truy cập:

User-agent: *
Disallow: /s3cr3t/

Truy cập:

Index of /s3cr3t
[ICO] Name Last modified Size Description
[DIR] Parent Directory - 
[TXT] users.txt 12-Jul-2013 13:35 40 
Apache/2.2.22 (Ubuntu) Server at natas3.natas.labs.overthewire.org Port 80

Mở file users.txt:

natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

Level 4

Access disallowed. You are visiting from "" while authorized users should come only from "http://natas5.natas.labs.overthewire.org/"

Câu trên nghĩa là tham số referer của request header phải là http://natas5.natas.labs.overthewire.org/. Có thể sử dụng curl như sau:

curl --user natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ --referer http://natas5.natas.labs.overthewire.org/ http://natas4.natas.labs.overthewire.org/

Kết quả:

Access granted. The password for natas5 is iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

natas5:iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

Level 5

Access disallowed. You are not logged in

Xem thông tin response:

HTTP/1.1 200 OK
Date: Sat, 17 Aug 2013 14:09:15 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.7
Set-Cookie: loggedin=0
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 367
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html

Đặt lại cookie loggedin = 1:

Access granted. The password for natas6 is aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

natas6:aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

2 thoughts on “[Writeup] [OverTheWire] [Natas] Level 0 → Level 5

  1. Pingback: [Writeup] [OverTheWire] [Natas] Level 6 → Level 10 | Bay thật xa... xa... xa hơn nữa ~)~

  2. Pingback: [Writeup] [OverTheWire] [Natas] Level 11 | yeuchimse

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s