Tuesday, October 30, 2012

OverTheWire Wargame "Natas" Level 5 [How-To/Web]

So we cracked Level 4 with some knowledge of HTTP headers and requests, and used a cool little app to help us out. Now we are on Level 5, and after logging it it presents us with a weird page:


Well wait, didn't we just log in? Why does it say we aren't?

Looks like the password didn't authenticate us correctly, OR there's something blocking our authentication even further.

Right away, I knew what to do. What is something in a browser that holds certain information, including login information? Cookies! But how am I going to check out the delicious cookies? Javascript!

Don't worry, the Javascript we'll be using is really easy to understand. I don't even know a lot of JS, but it's easy for me to do.

Below is the Javascript that we can use to view the cookies on the current "document" (webpage):
alert(document.cookie);
But how do we get this to run on the website? We put it into the navigation bar!


What this is doing is running a Javascript script denoted by the "javascript:" and it will pop up an "alert" window with the document cookie.


Looks like a bunch of gibberish... but wait, what's that at the end!
loggedin=0
Well, as we know in binary, 0 is false, and 1 is true, so it's saying we're not logged in! How do we go about changing this? We use Javascript again to exploit a XSS (cross side scripting) attack and change the value of the cookie.

The Javascript this time is:
void(document.cookie="loggedin=1");
Which means that the return type is "void" (returns nothing), and we want to set the cookie in the current document (webpage) with the value "loggedin=0". We know that value already exists in the cookie because we saw it, so it should change it from 0 (not authenticated) to 1 (authenticated).

Now hit enter and lets see what happens.
Well, nothing should really happen that you can see, because we had the return type set as "void".

What you can do now, is either run the Javascript to view the cookie again, or just refresh to see:


So we see natas6:mfPYpp1UBKKsx7g4F0LaRjhKKenYAOqU.

On to Level 6.

5 comments:

  1. Very good, keep it up Marshall.
    I cracked number 6 :)

    ReplyDelete
    Replies
    1. Thanks :] I cracked up to like 10 before I was sidetracked, I just didn't have the time to put the rest of them up sadly :[

      Delete
  2. Really loved reading your blog. Interesting subject!

    ReplyDelete