OverTheWire: Natas Writeup
Natas teaches the basics of serverside web-security.
Each level of natas consists of its own website located at http://natasX.natas.labs.overthewire.org, where X is the level number. There is no SSH login. To access a level, enter the username for that level (e.g. natas0 for level 0) and its password.
Each level has access to the password of the next level. Your job is to somehow obtain that next password and level up. All passwords are also stored in /etc/natas_webpass/. E.g. the password for natas5 is stored in the file /etc/natas_webpass/natas5 and only readable by natas4 and natas5.
It is recommended to solve Bandit wargame before solving this .
Here is link to the complete writeup of Bandit Wargame.Feel free to contact @dollarboysushil on Twitter (X) , Instagram for any query.
My social medial handle
Instagram dollarboysushil
Twitter (X) dollarboysushil
Youtube dollarboysushil
Lets Start
Level 0
Username: natas0
Password: natas0
URL: http://natas0.natas.labs.overthewire.org
After login with given username and password. We land on above page.
Looking at the hint, the password must be some where here.
Looking at the page source i can see the password.
Level 0 →Level 1
Username: natas1
URL: http://natas1.natas.labs.overthewire.orgLogin with username natas1 and the password we found .
After logging in we can see following page
Righclicking functionality is blocked.
No problem we can use shortcut ctrl +shift +I or click on three dot > more tools > developer option.
Level 1→Level 2
Username: natas2
URL: http://natas2.natas.labs.overthewire.orgAfter login we see following page
No password in view page source. But we can see image file linked./files/pixel.png . Lets look at he files directory
when i go to http://natas2.natas.labs.overthewire.org/files/ i can see users.txt file. This looks interesting.
Opening users.txt reveals the password.
Level 2→Level 3
Username: natas3
URL: http://natas3.natas.labs.overthewire.org
After loging in we are shown same message. Similar to previous level I tried looking the page source.
This time no directory location. But if you look closely we can see a clear hint. Not even Google will find it this time.. ok. What google cant find.
The
robots.txtfile is a text file placed in the root directory of your website that instructs web crawlers which parts of your site should not be indexed
Lets look at robots.txt to find what are the things hidden from google.
http://natas3.natas.labs.overthewire.org/robots.txt
So robots.txt is hiding /s3cr3t/ from web crawlers. Lets check it out
And we got the users.txt file
And here is the password inside users.txt
Level 3→Level 4
Username: natas4
URL: http://natas4.natas.labs.overthewire.org
After login we see above page.
There is something happening behind the scene
Lets launch BURPSUITE to intercept the request and see what’s happening.
Note: You need to setup burp proxy and only you can intercept request.
You can find videos on youtube on how to do .
When i click on refresh page and intercept the request we can see the above result.
The key thing to note here is Referer. . The referer is natas4…… so access is disallowed. Lets change the referer tohttp://natas4.natas.labs.overthewire.org/ and forward the traffic.
And we got the access
Level 4→Level 5
Username: natas5
URL: http://natas5.natas.labs.overthewire.orgAfter login we can see the following page:
Lets intercept the request again
We can see the field loggedin=0 lets change this field to 1 and forwartd the request . Lets watch the response
And we got the password
Level 5→Level 6
Username: natas6
URL: http://natas6.natas.labs.overthewire.orgAfter login:
Looking at source code: PHP code includes file “include/secret.inc”.
Lets go to “includes/secret.inc”
There is nothing. It is blank.
WELL YOU ARE WRONG
Lets inspect the page
We found the secret text. Lets use this text
And we got the password
Level 6→Level 7
Username: natas7
URL: http://natas7.natas.labs.overthewire.orgAfter Login:
when we inspect element. We get hint.Lets use the hint.
http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8
AND we got the password.
Level 7 →Level 8
Username: natas8
URL: http://natas8.natas.labs.overthewire.orgAfter login:
Lets check source code:
And this is all we need. This code is multiple encoding the secret we provided and comparing it with the encoded secret 3d3d516343746d4d6d6c315669563362 . Basically if we decode this code then we are good to go. since it will be later encode and the if condition will be true.
bin2hex(strrev(base64_encode($secret)))
this is the key part. word is first base64 encoded with is then reversed and again converted to bin2hex.
Lets decode the secret.
- convert hex2bin
2. strrev
3. base64_decode
which is the required code.
other levels updating soon……
Feel free to contact @dollarboysushil on Twitter (X) , Instagram for any query.
My social medial handle
Instagram dollarboysushil
Twitter (X) dollarboysushil
Youtube dollarboysushil
