Natas 6:
Solution: First I navigated to view the source code of that challenge. After seeing 'include "includes/secret.inc";' in that PHP code, I tried to access the following link: "http://natas6.natas.labs.overthewire.org/includes/secret.inc". I found the secret text and typed it in the secret text box, and I got the credentials of the next level in a simple way :-)

Result :: natas7 is 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

Natas 7:
Solution: After seeing the hint in the source page (<!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->), I navigated to all the pages in the site and found there is a local file vulnerability. I typed the following URL and got the Natas 8 credentials: "http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8"

Result:: natas8 password :: DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe

Vulnerability: Local File Inclusion Vulnerability
Local File Inclusion (also known as LFI) is the process of including files on a server through the web browser. This vulnerability occurs when a page include is not properly sanitized and allows directory traversal characters to be injected.

To prevent these kinds of attacks, check the following link: http://hakipedia.com/index.php/Local_File_Inclusion
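The unsanitized include described above, next to an allowlist-based replacement, as an added example (not code from this post or from the Natas challenge). The function names, page names and temporary directory are hypothetical.

```php
<?php
// Added example. Page names and directory layout are hypothetical.

// Vulnerable pattern: the request parameter is used directly as the include
// path, so ?page=/etc/natas_webpass/natas8 reads a file outside the site.
function render_page_vulnerable(string $page): string
{
    ob_start();
    include $page;              // any path readable by the web user is accepted
    return ob_get_clean();
}

// Hardened pattern: the parameter is only a key into a fixed allowlist and
// never becomes part of a filesystem path.
const PAGES = ['home' => 'home.php', 'about' => 'about.php'];

function resolve_page(string $page, string $baseDir): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null;            // unknown key: the caller answers 404
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$page]);
    // Defence in depth: the resolved file must still sit inside the base
    // directory (catches a symlink or a bad allowlist entry).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: two page files in a temporary directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . getmypid();
mkdir($base);
file_put_contents($base . '/home.php', "Home page\n");
file_put_contents($base . '/about.php', "About page\n");

$requests = ['home', 'about', '/etc/natas_webpass/natas8', '../../etc/passwd'];
foreach ($requests as $req) {
    $path = resolve_page($req, $base);
    $out  = $path === null ? 'rejected (404)' : trim(file_get_contents($path));
    printf("%-28s => %s\n", $req, $out);
}

array_map('unlink', glob($base . '/*'));    // clean up the demo files
rmdir($base);
```

Because the request value is only compared against the allowlist keys, absolute paths and traversal sequences are rejected before any filesystem call is made.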
Natas 3
Solution: After seeing the hint in the source page (<!-- No more information leaks!! Not even Google will find it this time... -->), I started looking at robots.txt in the same directory, and I found the following lines in that robots.txt page:

User-agent: *
Disallow: /s3cr3t/

In that s3cr3t page I found the user.txt file. After opening that file I found the next level username and password.

natas4 : 8ywPLDUB2yY2ujFnwGUdWWp8MT4yZrqz

Natas 4
Solution: After seeing the error message displayed in that page, I decided to send this page request using the referrer 'http://natas5.natas.labs.overthewire.org' in the header. For that I used the Tamper Data addon in Firefox and changed the Referrer field in that header. After doing these steps I got the credentials of the next level.

The password for natas5 is iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

Natas 5
Solution: An error message is shown saying that you have to log in to access this page. So I checked all the details of the page, and I noticed the cookie "loggedin" set as 0. I changed that value to 1 using the Firefox addon "Cookies Manager+", refreshed that page and got the credentials of the next level.

Natas 6 : aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

Vulnerability: Cookie Poisoning
Cookie Poisoning attacks involve the modification of the contents of a cookie (personal information stored in a Web user's computer) in order to bypass security mechanisms. Using cookie poisoning attacks, attackers can gain unauthorized information about another user and steal their identity.

To prevent Cookie Poisoning follow this link: http://stackoverflow.com/questions/1633062/how-to-prevent-cookie-poisoning

Amrita University & Amrita Centre for Cyber Security proudly present InCTF ’13
National Level “Capture the Flag” style ethical hacking contest

Not a day passes when several machines are compromised and infections spread rampantly in the world today. The cyber world has witnessed several dangerous attacks including the Stuxnet virus and its successor Duqu.
Other recent attacks include the Flame malware, which managed to disguise itself as legitimate Windows software. It exploited a bug in Windows to obtain a certificate which allowed it to authenticate itself as genuine Windows software. Other notable examples include the rise of botnets such as the highly resilient Zeus banking trojan and the Conficker worm. There have also been instances of espionage by government agencies on one another, such as the recent incident where Georgia CERT discovered a Russian hacker spying on them.

Indian websites offer little or no resistance to such security incidents. The Computer Emergency Response Team, India (CERT-In) has been tracking defacements of Indian websites amongst other security incidents. Their monthly and annual bulletins detail the various vulnerabilities and malware infections in various Indian websites. It’s really sad that with so much talent and skill, Indian websites are compromised frequently and nothing can be done to stand this wave of attacks on them.

InCTF is a Capture the Flag style ethical hacking contest, a strategic war-game designed to mimic real world security challenges. Software developers in India have little exposure to secure coding practices and the effects of not adopting such practices, one of the main reasons why systems are compromised quite easily these days. Following such simple practices can help prevent such incidents.

InCTF ’13 runs from December 2012 to April 2013 and is focused exclusively on the student community. You can participate from your own university and no travel is required. No prior exposure or experience in cyber security is needed to participate.

What do you need to do?
1. Form a team (minimum three and maximum five members from your college)
2. Approach a faculty/mentor and request him/her to mentor your team
3. Register online at http://portal.inctf.in

Great Rewards
Note
● Teams are awarded prizes based on their performance
● Deserving teams are well rewarded. Exciting prizes to be won.

So, what are you waiting for? It’s simple: Register, Learn, Hack!

Keep up with us: Website | Email | Facebook | Twitter | Mailing list | IRC

*Cash prizes are subject to their performance and participation in the CTF round. Only teams who connect to the VPN server and successfully gain points in the CTF round are eligible for prizes. In addition, cash prize winners of previous editions of InCTF and sCTF are not eligible for prizes this time. Prizes will be awarded only if all members of the team are not in the final year of their education. The decision of Team InCTF is final.
Vivek N
An idea can change your life :)