{"id":613,"date":"2015-01-31T18:55:54","date_gmt":"2015-01-31T18:55:54","guid":{"rendered":"https:\/\/www.hackmethod.com\/?p=613"},"modified":"2016-10-26T15:23:42","modified_gmt":"2016-10-26T15:23:42","slug":"overthewire-natas-7","status":"publish","type":"post","link":"https:\/\/hackmethod.com\/overthewire-natas-7\/","title":{"rendered":"OvertheWire \u2013 Natas 7"},"content":{"rendered":"<div class=\"entry-content\">\n<p class=\"entry-content\"><strong>Recap of Last Lesson:<\/strong> We learned about PHP and how we can learn from the source code to be able to dissect the authentication mechanism.<\/p>\n<p class=\"entry-content\"><a href=\"http:\/\/natas7.natas.labs.overthewire.org\/\"><strong>Natas Level 7<\/strong><\/a><\/p>\n<p class=\"entry-content\"><strong>Objective<\/strong><\/p>\n<p class=\"entry-content\">Find the password to log into level 8.<\/p>\n<p class=\"entry-content\"><strong>Intel Given<\/strong><\/p>\n<div class=\"entry-content\">\n<ul>\n<li>URL: http:\/\/natas7.natas.labs.overthewire.org\/<\/li>\n<li>Multiple pages<\/li>\n<\/ul>\n<\/div>\n<p><!--more--><\/p>\n<p><strong>How to<\/strong><\/p>\n<p>For this lesson we are again going to build upon what we learned previously.\u00a0 If you have not, please review <a href=\"https:\/\/www.hackmethod.com\/overthewire-natas-6\/\">Natas6<\/a> in regards to PHP and <a href=\"https:\/\/www.hackmethod.com\/overthewire-natas-2\/\">Natas2<\/a> in regards to directory paths.\u00a0 Let's take a look at the main page.\u00a0 It looks similar to what we are used to seeing, except that we can now browse multiple pages.\u00a0 Click around, and pay attention to what is in the URL.\u00a0 Try to figure out what it is doing.\u00a0 When you are done with that, take a look at the <a href=\"https:\/\/www.hackmethod.com\/wp-content\/uploads\/2015\/01\/natas_7.png\"><em>source code<\/em><\/a>.<\/p>\n<\/div>\n<div class=\"entry-content\"><\/div>\n<div class=\"entry-content\">We see two things of note:<\/div>\n<ul>\n
<li class=\"entry-content\">The links<\/li>\n<li class=\"entry-content\">The comment<\/li>\n<\/ul>\n<p>The links tell us a little about how <em>index.php<\/em> works.\u00a0 The comment tells us the exact path of where the password is stored.\u00a0 Before we go looking for that password, let's try to discover how this website works.\u00a0 We notice that when we click on different links, index.php will serve us a different page.\u00a0 We see in the URL <em>&#8220;index.php?page=[$PAGE]&#8221;<\/em>, with $PAGE being a variable I just made up representing any value.\u00a0 From this we can infer that there are pages named <em>&#8220;home&#8221;<\/em> and <em>&#8220;about&#8221;<\/em> which contain the HTML we see when we click on any of the links.\u00a0 Let's tamper with the URL by throwing a bunch of junk after the <em><a href=\"https:\/\/www.hackmethod.com\/wp-content\/uploads\/2015\/01\/Natas7_error.png\">?page=<\/a>.<\/em> This causes an error in the PHP application, because the file we tried to reference does not actually exist.<\/p>\n<p>Let's make an attempt to set the <em>page<\/em> variable to the path to the password file we found in the comments.\u00a0 Go try it.\u00a0 Did it work? 
It did not, and I&#8217;ll explain why.\u00a0 You will notice that when it attempts to include a file, it does so by using a <em>relative<\/em> path.\u00a0 Unfortunately for us, the password resides in a totally different area of the filesystem than where the <em>home<\/em> and <em>about<\/em> pages are.\u00a0 What we need to do is find a way to navigate to a different part of the filesystem.\u00a0 This is where I ask you to read again.\u00a0 Before you go below and find the answer, please first look at the Wikipedia entry for <a href=\"http:\/\/en.wikipedia.org\/wiki\/File_inclusion_vulnerability\">File Inclusion Vulnerability<\/a> and then check out the OWASP wiki for <a href=\"https:\/\/www.owasp.org\/index.php\/Testing_for_Local_File_Inclusion\">Testing for Local File Inclusion<\/a>.\u00a0 These links include enough information for you to complete this challenge.<\/p>\n<p>Now that we understand <a href=\"https:\/\/www.owasp.org\/index.php\/Testing_Directory_traversal\/file_include_%28OTG-AUTHZ-001%29\">Path Traversal<\/a> (another OWASP link) we can try this on our URL.\u00a0 Go ahead and precede the path to the Natas8 password with a string of &#8220;..\/&#8221;.\u00a0 You won&#8217;t always know how many you need, and there is no consequence to putting in too many as long as you are trying to reach the root directory.\u00a0 Everything extra will have no effect. 
If you did it right you should see the <a href=\"https:\/\/www.hackmethod.com\/wp-content\/uploads\/2015\/01\/traversal.png\">password file<\/a> returned within the <em>index.php<\/em> page.<\/p>\n<div class=\"entry-content\">\n<div class=\"entry-content\"><strong>Conclusion<\/strong><\/div>\n<div class=\"entry-content\"><\/div>\n<div class=\"entry-content\">Here we learned a bit more about PHP and a common way PHP is used to include different files.\u00a0 We also learned about path traversal and local file inclusion.\u00a0 I would recommend spending some time over at the OWASP wiki as it is a great resource to learn all about web application vulnerabilities.<\/div>\n<\/div>\n<p><!--more--><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recap of Last Lesson: We learned about PHP and how we can learn from the source code to be able to dissect the authentication mechanism. Natas Level 7 Objective Find the password to log into level 8. Intel Given URL: http:\/\/natas7.natas.labs.overthewire.org\/ Multiple 
pages<\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":true,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[44,49],"tags":[57,45,46],"class_list":["post-613","post","type-post","status-publish","format-standard","hentry","category-overthewire","category-tutorials","tag-natas","tag-overthewire","tag-tutorials"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p5zY4D-9T","_links":{"self":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/613","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/comments?post=613"}],"version-history":[{"count":3,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/613\/revisions"}],"predecessor-version":[{"id":1890,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/613\/revisions\/1890"}],"wp:attachment":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/media?parent=613"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/categories?post=613"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/tags?post=613"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}