Natas6-->Natas9

Review

We're continuing our series of the Natas challenges. The previous post covers the Natas4-->Natas6 challenges, which involved leveraging a local proxy to edit request headers. These next few challenges will focus on PHP, a popular server side scripting language.

Natas6-->Natas7

Website: http://natas6.natas.labs.overthewire.org/ ; Access Credentials: natas6:fOIvE0MDtPTgRhqmmvvAOt2EfXR6uQgR

Once authenticated, view the page and click on the "View sourcecode" hyperlink. There's some PHP code, the comments are my own, for a quick overview of the code:

<?
# imports another file, called secret.inc
include "includes/secret.inc";
    # If a POST is made using the submit element
    if(array_key_exists("submit", $_POST)) {
        # If the secret submitted equals the hardcoded value $secret
        # give the password!
        if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is <censored>";
        # Otherwise, give an response of wrong secret 
    } else {
        print "Wrong secret";
    }
    }
?>

The value of $secret is of interest to us, since it doesn't appear within the code, we should look for it elsewhere, mainly within includes/secret.inc file. Navigate to that link, which may appear blank, but when reviewing the source code of that page, shows the secret value of $secret = "FOEIUWGHFEEUHOFUOIU". Submit the string as the secret value at the main page of the natas6 site to retrieve the password: jmxSiH3SP6Sonf8dv66ng8v1cIEdjXWr.

Natas7-->Natas8

Website: http://natas7.natas.labs.overthewire.org ; Access Credentials: natas7:jmxSiH3SP6Sonf8dv66ng8v1cIEdjXWr

Browsing to the site after authentication, open up the Developer Tools (CTRL+SHIFT+I in Firefox). Within the Inspector tab, right click on the opening <body> element, and select Expand All to review the source code. There's a hint within a comment of the source code (Line 21):

<!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->

Look at the rest of the website source code. Note the two links, which use a page parameter to reference two other pages, presumably local files, home and about. Click on one of the links, and it brings you to the main page. Note that the hyperlink in the browser has changed from the / URI, to /index.php?page=about. Change the value of about to a bogus value, such as zentester (more awesome, than bogus, but nonetheless) and an error appears:

Warning: include(zentester): failed to open stream: No such file or directory in /var/www/natas/natas7/index.php on line 21

Warning
: include(): Failed opening 'zentester' for inclusion (include_path='.:/usr/share/php') in /var/www/natas/natas7/index.php on line 21

The error further confirms that it is reading local files on the system. A vulnerability type is local file inclusion. The vulnerability allows an attacker to read arbitrary files on the server running the website. It can be inferred based on both the source code command and the error message, and confirmed using tools such as Wappalyzer, that the server OS is Linux (Ubuntu specifically). set the value of the page parameter to the natas8 file ( page=/etc/natas_webpass/natas8), and retrieve the password: a6bZCNYwdKqN5cGP11ZdtPg0iImQQhAB.

Natas8-->Natas9

Website: http://natas8.natas.labs.overthewire.org ; Access Credentials: natas8:a6bZCNYwdKqN5cGP11ZdtPg0iImQQhAB

The home page is similar to the Natas6 challenge, with some PHP code:

<?

$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
    print "Access granted. The password for natas9 is <censored>";
    } else {
    print "Wrong secret";
    }
}
?>

However, instead of having a hard-coded secret on a different page, all of the code needed is within this block.

  • The function takes the $secret value, base64 encodes, reverses the string and then converts the binary representation of the string to hexadecimal.
  • The if statement checks if the value of the secret variable provided in the POST request matches the $encodedSecret, which is a hard-coded value.

This means to solve the answer, we need to create a reverse function.

PHP Reverse Function

In the spirit of using the same language that the challenge is written in, make your own PHP code, and use a PHP sandbox such as https://onlinephp.io/. See the "Alternative Solutions" section below on how to solve using the CLI.

<?php
$encodedSecret="3d3d516343746d4d6d6c315669563362";

function decodeSecret($encodedSecret) {
	return base64_decode(strrev(hex2bin($encodedSecret)));
}
	
print decodeSecret($encodedSecret)
?>

The code creates a function, which does the reverse of the encodeSecret function of the website. Mainly, it takes a value, converts the hexadecimal string to binary, reverses the string, and then base64 decodes the string. The last line of the code runs this function, using the same hard-coded $encodedSecret , which was provided in line 1 of the script. Running the script yields a value of oubWYf2kBq.

Take the string, and submit it on the main page, to receive the password: Sda6t0vkOPkM8YeOZkAGVhFoaplvlJFd.

Summary

So we gained some exposure to PHP. We rolled our sleeves up and read through some code, got a better understanding of local file inclusion, and reading server side files. Lastly, we worked with various PHP/OS string manipulation commands.

Alternative Solutions

Natas8-->Natas9

The reversing of the PHP function could also be accomplished using the Linux command line.

[~]$ echo '3d3d516343746d4d6d6c315669563362' | xxd -r -p | rev | base64 -d && echo ""
oubWYf2kBq