To start off we follow the instructions found here and log into the first challenge at http://natas0.natas.labs.overthewire.org
This challenge is quite simple and the source code contains the password (CTRL+U in firefox).
gtVrDuiDfck831PqWsLEZy5gyDz1clto
Level 1
This challenge works exactly the same, but right clicking is blocked. This isn't a problem though since we're using a keyboard shortcut.
ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi
Level 2
When looking at the source code we see a file being references at files/pixel.png, navigating to /files shows us that there is a file called users.txt which contains the flag.
sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
Level 3
There is a comment in the source code with the reference "Not even Google will find this" which implies a robot.txt file is involved here. checking that file shows us a directory /s3cr3t which contains a users.txt file that contains the flag.
Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ
Level 4
This page tells us that valid users only come from http://natas5.natas.labs.overthewire.org/, so we use the following burp request and manually set the Referer value to that endpoint.
This challenge simply tells us that we aren't logged in. Running the request through burp we see that there is a cookie called loggedin that is set to 0 by default. We modify the request and set the value to 1 as shown below.
This challenge presents us with a form to submit a secret with, and also provides a link to view the source code of the function. In the source code we see it is including a includes/secret.inc. when navigating to that page and viewing the source we are given the secret to submit. After submitting the secret we get the flag.
FOEIUWGHFEEUHOFUOIU
7z3hEENjQtflzgnT29q7wAvMNfZdh0i9
Level 7
On this challenge we see two href's using index.php?page=<page> which screams LFI on basic challenges like this. Using the following burp request we can read the file /etc/natas_webpass/natas8.
GET /index.php?page=../../../../../etc/natas_webpass/natas8 HTTP/1.1
Host: natas7.natas.labs.overthewire.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://natas7.natas.labs.overthewire.org/
Authorization: Basic bmF0YXM3Ojd6M2hFRU5qUXRmbHpnblQyOXE3d0F2TU5mWmRoMGk5
Connection: close
Upgrade-Insecure-Requests: 1
DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe
Level 8
We are given another secret submission form as well as the source code. This time they are using a custom encoding function and checking it against a pre-encoded string. The secret validation code is shown below, as well as my decoding script. Running this gives us the secret.
<?
$encodedSecret = "3d3d516343746d4d6d6c315669563362";
function encodeSecret($secret) {
return bin2hex(strrev(base64_encode($secret)));
}
if(array_key_exists("submit", $_POST)) {
if(encodeSecret($_POST['secret']) == $encodedSecret) {
print "Access granted. The password for natas9 is <censored>";
} else {
print "Wrong secret";
}
}
?>
import base64
def natasDecode(secret):
# first we convert from hex -> string
secret = bytearray.fromhex(secret).decode()
# then we reverse the string
secret = secret[::-1]
# then we base64 decode the string
secret = base64.b64decode(secret)
# then we convert from bytearray to str for printing
return secret.decode("utf-8")
plaintext = natasDecode('3d3d516343746d4d6d6c315669563362')
print(plaintext)
oubWYf2kBq
W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
Level 9
In this challenge we are given a form that is then used to run grep via php. But it is not sanitizing input, so we can manipulate the command to read the flag file instead. The original php as well as the input needed to obtain the flag are shown below:
This challenge runs the same grep command with php, but it filters the user's input first. Our solution will still work though by removing the ; from our input. This will just have grep search our file as well as the one defined in the php file.