Natas28
Website URL: http://overthewire.org/wargames/natas/natas28.html
According to the data on the OverTheWire webpage:
Username: natas28
URL: http://natas28.natas.labs.overthewire.org
Log into Natas27

Looking at the source:




Okay, so in summary, the source code takes in a username and password and checks them for validity. If the user doesn’t exist, it is created. Let’s try to create one.
username: test password: test

Now, let’s log in to the server using the same credentials.

So, if we manage to fool the login mechanism while the username is natas28, we might be able to get the password. The first thing that comes to mind is an SQL injection. However, we can see in the source that all the special characters are escaped before being passed on to the SQL query, so it won’t work. We need to find another way.
Notice that if we provide a correct username-password combination, the function dumpData() is called. Observe that this function prints out multiple rows instead of one. So, if we are able to provide a username similar to ‘natas28’, we just might be able to fool the script into giving us the data.
Also, the username and password fields are of type varchar with a length of up to 64 characters. What if we give a username longer than that? It will be truncated. Also, there is the fact that SQL effectively ignores trailing spaces when comparing strings. So, we’ll give as username natas28 followed by plenty of spaces. In the first iteration, it will create a user. The next time, when you log in:

Done!
Password for the next level: JWwR438wkgTsNKBbcJoowyysdM82YjeF
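
The truncation and trailing-space comparison described above, as an added example (not the level's source code and not the author's): a simplified Python model that assumes over-long values are silently cut to 64 characters and that trailing spaces are ignored in comparisons, and that contrasts an unchecked insert with a hardened one. All function names and the sample rows are constructed for illustration.

```python
# Added example: a simplified model, not the level's PHP source and not MySQL itself.
COL_LEN = 64  # username column width given in the write-up


def stored_value(value: str) -> str:
    """Assumed non-strict insert: an over-long value is silently cut to COL_LEN."""
    return value[:COL_LEN]


def sql_equal(a: str, b: str) -> bool:
    """Assumed comparison rule: trailing spaces are not significant."""
    return a.rstrip(" ") == b.rstrip(" ")


def rows_for(name: str, table: list) -> list:
    """Like a SELECT ... WHERE username = name that returns every matching row."""
    return [row for row in table if sql_equal(row[0], name)]


def insert_unchecked(table: list, name: str, password: str) -> None:
    """Weak path: store whatever the column keeps, with no uniqueness rule."""
    table.append((stored_value(name), password))


def insert_hardened(table: list, name: str, password: str) -> bool:
    """Hardened path: refuse input the column would alter, and refuse any name
    that compares equal to an existing one (the job of a UNIQUE index)."""
    if len(name) > COL_LEN or name != name.strip():
        return False
    if rows_for(name, table):
        return False
    table.append((name, password))
    return True


def demo():
    # Constructed sample data; the stored password is a placeholder.
    padded = "natas28" + " " * 100
    weak = [("natas28", "<real-password>")]
    insert_unchecked(weak, padded, "test")
    hard = [("natas28", "<real-password>")]
    accepted = insert_hardened(hard, padded, "test")
    return weak, rows_for("natas28", weak), hard, accepted


if __name__ == "__main__":
    weak, matches, hard, accepted = demo()
    print(len(weak[1][0]), len(matches), accepted, len(hard))
```

In the weak table the padded name is stored as a 64-character value that compares equal to natas28, so a lookup by name returns both rows; the hardened insert rejects the same input before it reaches the table.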