Over the Wire (Natas)

Over the wire Natas

Level 0

This is a pretty simple level. We have the login credentials given on the Natas Introduction Page. Just browse the URL and enter the login credentials.

Username: natas0 Password: natas0

Level 0 → Level 1

On successfully logging in the natas0 webpage, we will have a message in front of us. It says “You can find the password for the next level on this page” as shown in the figure given below. Now as per convention, let’s try to find something inside the source code. To view source code, we will right click on the webpage and select ‘View Page Source’. And there we have the password commented in the source code.

Level 1 → Level 2

On successfully logging in the natas1 webpage, we will have a message in front of us. It says “You can find the password for the next level on this page, but rightclicking has been blocked!” as shown in the figure given below.

Now as right-clicking is disabled to view source code, we will have to find another way to retrieve the password form the source code. As we were using Mozilla Firefox and to open source code, we use ‘Ctrl + U’ shortcut. And there we have the password commented in the source code.

Level 2 → Level 3

On successfully logging in the natas2 webpage, we will have a message in front of us. It says “There is nothing on this page” as shown in the figure given below.

So, we check the Source Code of the page, here we find that we have an image file named pixel.png located in the files directory. We opened the files directory as shown in the image given below. In this directory, we find the user.txt file.

On opening it we find the passwords for the various users present on the target machine. But we need the password for the natas3.

Level 3 → Level 4

On successfully logging in the natas3 webpage, we will have a message in front of us. It says “There is nothing on this page” as shown in the figure given below.

So, we check the Source Code of the page, here we find a commented hint. It says “Not even Google will find it this time”. Search Engine spiders always leave the links that are disallowed the robots.txt file. So, we thought to check if this website has one. We opened the robots.txt as shown in the image given below. In this file, we find that the /s3cr3t/ directory is disallowed. So, let’s open and see for ourselves what’s inside the s3cr3t directory.

Level 4 → Level 5

On successfully logging in the natas4 webpage, we will have a message in front of us. It says “Access disallowed. You are visiting from “” while authorized users should come only from “//natas5.natas.labs.overthewire.org/” ”as shown in the figure given below.

We capture the request in Burp Suite, here we see that there is a parameter named Referer. It says natas4. We change that Referer parameter value to Natas5 as shown in the image given below.

Level 5 → Level 6

On successfully logging in the natas5 webpage, we will have a message in front of us. It says “Access disallowed. You are not logged in” as shown in the figure given below.

We capture the request in Burp Suite, here we see that there is a parameter named loggedin. It is set to 0. We change that loggedin parameter value to 1 as shown in the image given below.

Level 6 → Level 7

On successfully logging in the natas6 webpage, we will have a form in front of us. It says “Input secret:” as shown in the figure given below.

We went ahead and look for some clues for that secret that we will have to enter in order to get the credentials for the next level. Here we see that a file is included called ‘secret.inc’. So, in order to grab the secret, we will browser the included file manually. So, as we can see in the given image, we can see that we add the /include/secret.inc in the URL. This gave us a blank page in response. So, we browsed the source code to find the secret commented on the webpage.

Now we copied the secret and went back to the form which was asking the secret. After entering the secret, we get the login credentials for the next level.

Level 7 → Level 8

On successfully logging in the natas7 webpage, we are given two links, Home and About as shown in the figure given below.

So, we check the Source Code of the page. Here, we can see the links “index.php?page=” in the given image. We have also hinted the location of the password, that is., /etc/natas_webpass/natas8. So, we modify the link to read the password stored in the natas_webpass. //natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8 And we have the password for the next level. This is called command injection.

Level 8 → Level 9

On successfully logging in the natas8 webpage, we will have a form in front of us. It says “Input secret:” as shown in the figure given below. We opened the source code and found that the secret is encoded. Also, we have a function which encodes the secret.

Hence to decode the secrete we just create a function that can decode the secret. This can be done as shown in the given image. php -a

echo base64_decode(strrev(hex2bin('3d3d516343746d4d6d6c315669563362')));

Level 9 → Level 10

On successfully logging in the natas9 webpage, we will have a form in front of us. It says “Find words containing” as shown in the figure given below.

We opened the source code and found that when we enter a keyword, it is passed via a function called passthru(). It takes the value in $key and executes it directly.

;cat /etc/natas_webpass/natas10

As we can see that the password is printed on the screen as shown in the given image.

Level 10 → Level 11

On successfully logging in the natas10 webpage, we will have a form in front of us. It says “For security reasons, we now filter on certain characters Find words containing” as shown in the figure given below. We opened the source code and found that when we enter a keyword, it is passed via a function called passthru(). It takes the value in $key and it filters the input of the characters (/;|&) as shown in the given image.

So, we will use (.*) to execute multiple commands. We will try to read the password at the next level.