HTB – Access

Nmap scan report for 10.10.10.98
21/tcp open ftp Microsoft ftpd
23/tcp open telnet?
80/tcp open http Microsoft IIS httpd 7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

FTP anonymous login -> 2 files: backup.mdb, Access Control.zip (password protected)

Download backup.mdb (with binary mode in ftp; ASCII mode corrupts the file).
.mdb is a MS Access database file type.
We can use mdb-tools to read it.

mdb-schema backup.mdb | grep -in password

The string “password” appears 3 times. The table auth_user seems promising.

mdb-export backup.mdb auth_user

We got the password for the zip file: access4u@security

The zip contains a pst which is an Outlook file. We can extract the mails with “readpst”.

We got the password for the security account: 4Cc3ssC0ntr0ller.
We use the above creds for telnet and get the user flag.

For the root flag we need to access the Administrator's desktop, but only the Administrator has permission for that.

After tweaking around with the runas command, we find a useful parameter: /savecred. It makes runas use cached credentials, and in our example the Administrator's credentials happen to be cached.

First, I created a bat file to copy the txt from the admin desktop to my directory (because I failed miserably in finding another way to execute a cmd command as another user).

echo type C:\Users\Administrator\Desktop\root.txt ^> C:\Users\Public\Music\flag.txt > dis.bat

Then we execute the bat file:
runas /env /savecred /user:Administrator dis.bat
(the /env parameter uses the current user's environment)

And we get the root flag.

Overthewire – Natas

http://overthewire.org/wargames/natas/

Natas teaches the basics of server-side web security.

Each level of natas consists of its own website located at http://natasX.natas.labs.overthewire.org, where X is the level number. There is no SSH login. To access a level, enter the username for that level (e.g. natas0 for level 0) and its password.

Each level has access to the password of the next level. Your job is to somehow obtain that next password and level up. All passwords are also stored in /etc/natas_webpass/. E.g. the password for natas5 is stored in the file /etc/natas_webpass/natas5 and only readable by natas4 and natas5.

Level 0
We are presented with the following message:
You can find the password for the next level on this page.
Let’s check the page source first.

<!--The password for natas1 is gtVrDuiDfck831PqWsLEZy5gyDz1clto -->

Level 1
You can find the password for the next level on this page, but rightclicking has been blocked!

Actually right clicking is strangely working for me (Firefox Quantum 62.0.2) but let’s suppose it didn’t.

The shortcut for right click (Shift+F10) throws the message "right clicking has been blocked!", so no luck with that.

If we toggle the developer tools though (Ctrl+Shift+I), we can see the source code.
Or prefix the URL with "view-source:".
The quickest way is pressing the hotkey to view the source code (Ctrl+U).

<!--The password for natas2 is ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi -->

Level 2
There is nothing on this page

Checking the source we find this image path:

<img src="files/pixel.png">

Let’s check that directory (http://natas2.natas.labs.overthewire.org/files/).
There we find users.txt with the following content:

# username:password
alice:BYNdCesZqW
bob:jw2ueICLvT
charlie:G5vCxkVV3m
natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
eve:zo4mJWyNj2
mallory:9urtcpzBmH

Level 3
There is nothing on this page

Checking the source again.

<!-- No more information leaks!! Not even Google will find it this time... -->

This hints at robots.txt, which is used to tell crawlers which parts of a website to ignore.
Content of http://natas3.natas.labs.overthewire.org/robots.txt:

User-agent: *
Disallow: /s3cr3t/

In the s3cr3t directory we find a users.txt containing the flag:

natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

Level 4
Access disallowed. You are visiting from “” while authorized users should come only from http://natas5.natas.labs.overthewire.org/

After a refresh:

Access disallowed. You are visiting from http://natas4.natas.labs.overthewire.org/index.php while authorized users should come only from http://natas5.natas.labs.overthewire.org/

This smells like the Referer request header. Let's try a simple modification.
In the developer tools -> Network tab, we find the GET request for the HTML. We edit the request's Referer header to http://natas5.natas.labs.overthewire.org/ and resend the request. In the response tab of the new request:

Access granted. The password for natas5 is iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

Level 5
Access disallowed. You are not logged in

Let’s check the source first.
Nothing useful.

Let's open the developer tools again.
In our request headers and in the server's 401 response, we see this cookie: loggedin=0

Let’s try to change the value to 1 and resend the GET request.
The server answers with a 200 status code which is a good sign.
In the response tab of the request we find indeed the flag.

Access granted. The password for natas6 is aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1
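Levels 4 and 5 both gate access on values the client controls (the Referer header and a loggedin cookie), which is why editing the request is enough. The following is an added example, not code from the Natas challenges, that puts the Level 5 style check next to a server-side alternative: the session cookie carries a username plus an HMAC under a key only the server holds, so a client cannot mint or alter it. SERVER_KEY and the cookie layout user|hexmac are assumptions made for this demo.

```python
import hmac
import hashlib

# Constructed key for this demo only; a real deployment loads it from outside the code.
SERVER_KEY = b"demo-key-not-a-real-secret"


def trusts_client_flag(cookies: dict) -> bool:
    """Weak check in the style of Level 5: the client decides whether it is logged in."""
    return cookies.get("loggedin") == "1"


def trusts_referer(headers: dict, allowed: str) -> bool:
    """Weak check in the style of Level 4: Referer is set by the client and is not proof of anything."""
    return headers.get("Referer", "") == allowed


def make_session_cookie(username: str, key: bytes = SERVER_KEY) -> str:
    """Issue user|hexmac. Only a holder of key can produce a MAC that verifies."""
    mac = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}|{mac}"


def verify_session_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the username if the MAC checks out, otherwise None."""
    if "|" not in cookie:
        return None
    username, _, mac = cookie.partition("|")
    expected = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison so the check does not leak how many bytes matched
    if not hmac.compare_digest(mac, expected):
        return None
    return username


if __name__ == "__main__":
    print(trusts_client_flag({"loggedin": "1"}))          # True: set in the browser, accepted
    cookie = make_session_cookie("natas5")
    print(verify_session_cookie(cookie))                  # natas5
    forged = "natas6|" + cookie.split("|")[1]             # same MAC, different user
    print(verify_session_cookie(forged))                  # None
```

The point is where the decision is made: with loggedin=0/1 or a Referer value, the browser is the authority; with the signed cookie the server is, and the only thing the client can do is replay an unmodified cookie it was legitimately issued.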

Level 6
In this one we have to input a secret in order to get the flag.
We are also given the option to see the source code.

In the source code we see the following PHP code:

<?
include "includes/secret.inc";   // $secret is defined in this file
if(array_key_exists("submit", $_POST)) {
    if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is <censored>";
    } else {
        print "Wrong secret";
    }
}
?>

The /includes/ directory has restricted access.
If we try the whole path /includes/secret.inc we are presented with a blank page.
After checking the source we find our secret.

<?
$secret = "FOEIUWGHFEEUHOFUOIU";
?>

After submitting it we get our flag.
Access granted. The password for natas7 is 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

Level 7
The page shows two links: Home and About.

Pressing each of the above options yields the following message respectively:
this is the front page
this is the about page

Also the URL for each one is as follows:
Home : http://natas7.natas.labs.overthewire.org/index.php?page=home
About : http://natas7.natas.labs.overthewire.org/index.php?page=about

Let’s try to tweak the URL a bit.

At this point I managed to crash my browser. I had the brilliant idea to try this:
http://natas7.natas.labs.overthewire.org/index.php?page=index.php

And it worked! Putting the crash aside, this means we might be able to traverse to a different directory and access some other files than home and about.

Before we proceed, let’s check the error message as well with a random string.

Warning: include(asdf): failed to open stream: No such file or directory in /var/www/natas/natas7/index.php on line 21

Warning: include(): Failed opening ‘asdf’ for inclusion (include_path=’.:/usr/share/php:/usr/share/pear’) in /var/www/natas/natas7/index.php on line 21

At the start of Natas we were given the following information:
All passwords are also stored in /etc/natas_webpass
(There is also a hint in the source)

So the flag for natas8 is in /etc/natas_webpass/natas8.

http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8

DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe
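The include() warnings show that whatever arrives in the page parameter is used as a file path, which is what lets an absolute path reach /etc/natas_webpass. As an added example (not code from the level), the resolver below models the fix: the parameter is only ever a key into an allowlist of pages, and the resolved path is additionally checked to lie inside the web root. The page names, file names and the base directory /var/www/natas/natas7 are assumptions taken from the URLs and warnings above.

```python
import os

# Allowlist: the only two things ?page= may name. Anything else is rejected outright.
PAGES = {"home": "home.php", "about": "about.php"}


def resolve_page_unsafe(page: str, base_dir: str) -> str:
    """Mirrors include($_GET['page']): the client-supplied string becomes the path.
    An absolute value replaces base_dir entirely, exactly as seen on the level."""
    return os.path.join(base_dir, page)


def resolve_page(page: str, base_dir: str) -> str:
    """Allowlist lookup plus a containment check. Raises ValueError for anything else."""
    filename = PAGES.get(page)
    if filename is None:
        raise ValueError(f"unknown page: {page!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    # Defence in depth: even an allowlisted entry must resolve under the web root.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved outside the web root")
    return target


def is_allowed(page: str, base_dir: str) -> bool:
    """Convenience wrapper: True if resolve_page accepts the request."""
    try:
        resolve_page(page, base_dir)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    root = "/var/www/natas/natas7"
    print(resolve_page_unsafe("/etc/natas_webpass/natas8", root))  # /etc/natas_webpass/natas8
    print(resolve_page("home", root))
    print(is_allowed("../../../../etc/natas_webpass/natas8", root))  # False
```

Note that os.path.join discarding base_dir when the second argument is absolute is the same behaviour PHP's include shows here; the allowlist removes the problem by never treating user input as a path at all.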

Level 8
This level is a variation of Level 6.

<?
$encodedSecret = "3d3d516343746d4d6d6c315669563362";
function encodeSecret($secret) {
    // base64 -> reverse -> hex: a reversible transformation, not a hash
    return bin2hex(strrev(base64_encode($secret)));
}
if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
        print "Access granted. The password for natas9 is <censored>";
    } else {
        print "Wrong secret";
    }
}
?>

This function base64-encodes the input, reverses the result and converts it to hex, then compares it with $encodedSecret.

Following the steps in reverse order (hex-decode, then reverse the string), the encodedSecret becomes:
b3ViV1lmMmtCcQ==
Base64-decoding this gives the secret. After submitting it we get the flag: W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
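Because every step of encodeSecret() is invertible, the stored value protects nothing once the source is visible. The following is an added example, not code from the level, that ports encodeSecret() to Python and carries the reversal through all three steps (hex, reverse, base64), so the intermediate base64 string above and the final secret can both be checked against the hex constant from the source.

```python
import base64
import binascii

ENCODED_SECRET = "3d3d516343746d4d6d6c315669563362"  # the constant from the Level 8 source


def encode_secret(secret: str) -> str:
    """Python port of encodeSecret(): bin2hex(strrev(base64_encode($secret)))."""
    b64 = base64.b64encode(secret.encode()).decode()
    return binascii.hexlify(b64[::-1].encode()).decode()


def hex_to_reversed_b64(encoded: str) -> str:
    """Undo the first two steps: hex-decode, then un-reverse. Yields the base64 text."""
    return binascii.unhexlify(encoded).decode()[::-1]


def decode_secret(encoded: str) -> str:
    """Undo all three steps: hex -> reverse -> base64, returning the original secret."""
    return base64.b64decode(hex_to_reversed_b64(encoded)).decode()


if __name__ == "__main__":
    print(hex_to_reversed_b64(ENCODED_SECRET))            # the intermediate base64 string
    secret = decode_secret(ENCODED_SECRET)
    print(secret)
    print(encode_secret(secret) == ENCODED_SECRET)        # round trip: True
```

The contrast worth drawing for developers is with a one-way construction: comparing a keyed hash of the submission against a stored digest would leave a reader of the source with nothing to invert.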

Level 9
In this one we get a web app that searches a dictionary and returns the words containing the given string.

If we take a look at the given source code we see that the file it searches is called dictionary.txt. A first thought was that the flag might be contained in this file. So I decided to download the txt (accessible from http://natas9.natas.labs.overthewire.org/dictionary.txt) and play around with grep, but to no avail.

After taking a closer look at the source code, we see that the function “passthru” is used.

The passthru() function is similar to the exec() function in that it executes a command.

if($key != "") {
    // $key is interpolated straight into the shell command line
    passthru("grep -i $key dictionary.txt");
}

Here, passthru is used to execute the grep command (the -i parameter means case-insensitive) on dictionary.txt. If the user input is not sanitized, we can exploit that to execute a command other than grep.

We can interfere with the command at the $key position. If we use a semicolon we can add an extra command (shell syntax) to be executed by passthru. For example, if our input is "test dictionary.txt; ls" the command becomes:
passthru("grep -i test dictionary.txt; ls dictionary.txt");
The above command will execute grep and display all strings in dictionary.txt containing the word 'test', and then execute ls with 'dictionary.txt' as a parameter (which means only that file will be listed). Since we do not care about the grep results, at least for now, we can omit the grep target file. Afterwards we continue with our desired command, and in order to ignore the remaining 'dictionary.txt' we add a # at the end of our input. The character # starts a comment, so anything after it is ignored.

Summing up, our input should look like this: "; ls #". This will execute grep (which returns nothing) and then proceed with executing ls. We successfully listed the contents of the current directory. Now we can start working our way up and head to the directory containing the passwords (/etc/natas_webpass). After a few tries we find that the /etc/ dir is 4 levels up. Since each natas user has access to the passwords for his level and the next one, we can use cat to read the file containing the flag.

; cat ../../../../etc/natas_webpass/natas10 #

nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu
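The root cause on this level is that $key reaches a shell as part of a string, so shell separators keep their meaning. As an added example, not code from the level, the block below models the same grep construction in Python and sets it beside two fixes: quoting the argument when a shell string is unavoidable (shlex.quote plays the role of PHP's escapeshellarg), and the better option of not involving a shell at all by doing the lookup in-process behind an allowlist. The KEY_PATTERN allowlist and the sample DICTIONARY are constructed for this demo.

```python
import re
import shlex

# Constructed allowlist: dictionary words are alphanumeric, so nothing else is accepted.
KEY_PATTERN = re.compile(r"^[A-Za-z0-9]{1,32}$")

# Constructed sample data standing in for dictionary.txt.
DICTIONARY = ["attest", "testament", "other", "protest"]


def build_command_unsafe(key: str) -> str:
    """The Level 9 construction: the key is interpolated into a shell command string."""
    return f"grep -i {key} dictionary.txt"


def build_command_quoted(key: str) -> str:
    """If a shell string is unavoidable, quote the key so it stays one argument,
    and end option parsing with -- so a key beginning with '-' is not read as a grep flag."""
    return f"grep -i -- {shlex.quote(key)} dictionary.txt"


def validate_key(key: str) -> bool:
    """Allowlist check: True only for keys made of 1 to 32 alphanumeric characters."""
    return KEY_PATTERN.fullmatch(key) is not None


def search_dictionary(key: str, lines) -> list:
    """Do the case-insensitive substring search in-process: no shell, so no separator
    or comment character has any meaning. Rejects keys outside the allowlist."""
    if not validate_key(key):
        raise ValueError("key contains characters outside the allowlist")
    needle = key.lower()
    return [line for line in lines if needle in line.lower()]


if __name__ == "__main__":
    print(build_command_unsafe("; ls #"))    # three shell commands, one of them grep
    print(build_command_quoted("; ls #"))    # one grep command with a literal pattern
    print(validate_key("; ls #"))            # False
    print(search_dictionary("TEST", DICTIONARY))
```

Quoting fixes the injection but still hands the pattern to grep, so a subsequent problem in grep's own option or pattern handling would remain reachable; the allowlist plus in-process search closes that avenue as well, which is why it is the preferred form when the task is as simple as a substring match.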

Natas 10