Hi everyone,

I know it’s been awhile since my last blog post, but it’s been a busy few months… Not only is work quite stressful with my employer moving its focus from ASP.NET applications to more of a modern JavaScript approach (which I am responsible for..), but I’ve also been putting a big focus on learning Python and C in preparation for the OSCP. Not that it’s required to have in-depth knowledge of the languages, but rather because I know it’s going to be beneficial when I have the cert and am looking for security roles. If you want to follow my progress or if you wish to learn more about C and Python (in particular the darker side of Python), have a look at my Github Repositories. Feel free to pull whatever you want, but please do make sure to star any repo you find interesting! 🙂

So I thought I’d kick-start my return with something quite basic, with little to no focus on coding. Ever heard of sites like https://www.hackthissite.org/? It’s basically a site set up with a bunch of pages that have known and common vulnerabilities that we can exploit. You don’t really need to know how to code, but you should at least have a basic understanding of common web application’s vulnerabilities and how to exploit them. Some of the common ones might be injections (command / SQL are the most common ones) or cross-site scripting (XSS).

Since some of hackthissite’s tests require that you either have access to a certain stack or that you copy-paste webpages to exploit XSS-vulnerabilities I decided to use a different webpage for some webapps testing whilst at lunch or at home, just to keep some of my knowledge of the subject fresh. So I looked around and found OverTheWire’s Nata Wargames, a website that functions a lot like hackthissite, but with a lot less coding required.

It’s also nice that you have a scoreboard that shows you the latest person who solved one of their wargames.

My following blog posts will explain what the vulnerability is and how to exploit it to the best of my knowledge! Each blog post will cover 2-3 Natas wargames and I’ll try to write at least two posts per week.

Each of these paragraphs will follow a basic structure where the header is actually a hyperlink to the wargame I’m explaining! So in the following section you can click Natas0 to get access to the actual wargame.

To start a wargame you need to enter your credentials. These are the name of the wargame you are attempting and the flag you collected from the previous wargame.

The only exception is for Natas0 where the credentials are natas0:natas0 (username:password).


 

Natas0

 

The object of this (and all following) wargames is to find a flag that could be hidden anywhere on the page or on the server that the page is hosted on.

If you are experienced with web development and have done a few wargames previously, finding this flag will prove exceptionally easy for you! If you aren’t (don’t worry if you aren’t, one of our project managers at work had no clue how to), I’ll help walk you through it.

What you need to understand is that the page which you are on will have been loaded into the memory of the browser you are using (firefox, chrome, edge) and it’s various raw data should be available (think about it, the data must have been compiled somehow to show you what you see – so it’s only logical you should be able to see a textual representation of it!). Now, how do you get access to this data? If you right-click on the page and look for an option like ‘view page source’ (here is an exhaustive list on how to do this), you should be able to see the page’s HTML. This is basically all the markup for the webpage you are currently seeing on the webpage.

One part of the page is of particular interest to us:

<!--The password for natas1 is gtVrDuiDfck831PqWsLEZy5gyDz1clto --> 

The tags that you see surrounding the code

 <!--   --> 

tells the browser not to render the section, ie we can’t see it on the actual browser page.

Commonly these tags are called comments and are used to hide information that developers feel is important to explain or that they want to remember, but isn’t relevant for the user experience.

Armed with the password for Natas0 we can update our scoreboard (if you want to!) and proceed to the next wargame.


 

Natas1

This one is basically the same as the previous, with the difference that you can’t right-click on the page. So if you go back to the webpage that showed you how to view the page source in your browser, it should tell you how to get to the source without having to right-click.  Simply do that and you should get the password for Natas2! 🙂

Now that we are armed with the password to Natas2 we can update our scoreboard (if you want to!) and proceed to the next wargame.

 


 

Natas2

Now things should be starting to get a bit interesting! We aren’t simply served the password in the page source anymore, but we need to dig somewhat further to get access to it!

If we check the page source we should see that there is an image that lives in a folder called files/:

 <img <span class="html-attribute-name">src</span>="<a class="html-attribute-value html-resource-link" href="http://natas2.natas.labs.overthewire.org/files/pixel.png" target="_blank" rel="noopener">files/pixel.png</a>"> 

.

If you know a little bit about how to setup an HTML page you should quickly realize that the src actually is a reference to a file “pixel.png” that lives in a folder “files/”. It might not be completely obvious to you, but the only thing we realistically might need to do to gain access to the folder is to add /files/ after the natas2 URL, unless the website has been set up in a way that prohibits this sort of behavior.

Because we are inquisitive we can try it (no harm, no foul!). Simply write this in your browser’s URL-field: http://natas2.natas.labs.overthewire.org/files/

If this works as we want it to, you should be navigated into the files/ folder and should will see what else might be hiding in the folder.

As you can see this worked and we are greeted with a page showing us the folder’s structure with the .png-file and another file called user.txt. If you open the latter you should find a reference to natas3. Copy the text after natas3: as that’s the password part of it.

 

The following paragraph is only for people who don’t understand the concept of traversal. 

If you are uncertain of what is actually going on in this wargame, that’s perfectly fine. It’s not every day you get access to a folder online. But it’s really not that advanced of a concept. Most websites run on files that live their own inside folders to separate concerns, you usually wouldn’t find that the login files would be in the same folder as your search functionality, simply because it would become more difficult to understand the code, it’s also more difficult to test it.

Think about your computer. If you are studying something at university or similar, you most likely would divide up your documents into their appropriate courses so that it’s easier to know that “Lecture Slides 01” actually is associated with “Hacking 101” or “CanYouPwn 201”.

If you are on Windows you should be able to see the folder hierarchy of where you are when you are navigating through Explorer (the URL-like field just below the Explorer window). The idea is very similar when you are navigating the internet. You might have sub-folders of a webpage that contains resources of that page. In natas2 it simply is called /files/ and is a subfolder of http://natas2.natas.labs.overthewire.org/

 

I hope that explained it! 🙂

 


 

Natas3

This one is fairly similar to Natas2 in the idea that we will have to do some traversal again, though this time it’s going to be a bit more advanced.

We will as always start with checking the page source. As we do this we will see that there is a comment saying

 <!-- No more information leaks!! Not even Google will find it this time... --> 

This might not tell even seasoned web developers too much, so let’s start breaking this down.

Ever heard of Robots.txt? I wouldn’t be too surprised if you haven’t. It’s file that usually lives on a server that tells a web crawler (commonly referred to as a spider) what parts of your webpage you would like to have indexed by it and what parts of it you don’t want it to access. This works fine if the spider is set up in a benign way, but some malicious ones might be configured to not listen to it.

Many big search-engine companies like Google, Yahoo and DuckDuckGo use spiders to crawl the net to ensure their indexing is up to date in terms of what items to show at the top of your searches. So Robots.txt is obviously a very powerful tool for SEO developers and web developers alike.

So why does this matter? Think about the comment. “Not even Google will find it this time…”. Could it be that there is a Robots.txt file hiding somewhere? How would we find it?

As we have no indication about where robots.txt might hide let’s start by trying to see if it might not be in the same folder as the page we are in!

Using the above advice, try to finish this without me telling you you exactly what to do. Think about the previous natas(2) where we were looking in the subfolder /files/. How would we go about checking for robots.txt in our current folder?

 

 

If you have given up the correct answer is  http://natas3.natas.labs.overthewire.org/robots.txt. When you have opened the textfile you should see something like:

 User-agent: *
Disallow: /s3cr3t/ 

How does that help us? It basically tells all user agents – crawlers (* means it’s a wildcard, ie. all crawlers that listen to robots.txt) not to access the folder /s3cr3t/. What does actually mean and how can we leverage this information?

It’s quite simple really. Go back to the index of natas3 and add /s3cr3t/ to the URL. That way you should be in a new folder similar to /files/ in natas2. Open it up and you should have the credentials to natas4! 🙂

 

Armed with that you can attempt to get the flag for natas4. If you can’t do it yourself, you can either send me an email on joakim@kimput.com or wait for the next write up later on this week! 🙂

 

Take care and happy hacking!

Advertisements