OverTheWire Natas: Levels 0–10 Walkthrough
OverTheWire Natas: Levels 0–10 Walkthrough
OverTheWire’s Natas wargame is a series of web security challenges that teach server-side vulnerabilities.
Prerequisites
What you should know:
- Basic HTML/CSS structure
- How to use browser developer tools
- Basic command line usage
- Understanding of HTTP requests (helpful but not required)
Tools you’ll need:
- A web browser (I used Chrome/Firefox)
- Burp Suite Community Edition (for intercepting HTTP requests)
- Python 3 (for decoding in Level 8)
- A text editor or terminal for running quick scripts
Natas Level 0
Authentication Credentials:
Username: natas0
Password: natas0
URL: http://natas0.natas.labs.overthewire.org
Upon visiting the website, we are asked for a username & password, which we already have, so we enter them as given.
After logging in, we see this page. There’s nothing here except a ‘Submit token’ button, which takes us outside the scope, so let’s check the source. On hitting Ctrl + U (View Source), we can see the password in line 16.
Natas Level 0 → Level 1
Authentication Credentials:
Username: natas1
URL: http://natas1.natas.labs.overthewire.org
Upon visiting the website, we are asked for Username & Password. We use the provided username and the password we got from the previous level. After logging in, we see this page.
Right-click is blocked on this page, but since we know shortcuts, we don’t need to worry. You can use any of the following:
Alternative methods to access developer tools:
- Ctrl + Shift + I : Opens the browser’s Inspect Element panel
- Ctrl + U : Displays the page source in a new tab
I used Inspect Element, and on Line 17, we can see the password.
Pro tip: For complex websites with extensive code, use Ctrl + Shift + I rather than Ctrl + U. The Inspect Element panel allows you to collapse and expand code blocks, making navigation much easier.
Natas Level 1 → Level 2
Authentication Credentials:
Username: natas2
URL: http://natas2.natas.labs.overthewire.org
Upon visiting the website, we are asked for username & password. We use the provided username and the password we got from the previous level. After logging in, we see this page.
Nothing again, so I view the source.
On Line 15, there’s a PNG image attached, so I clicked the image, and it was just a blank image. I thought this might have to do with image steganography, so I downloaded the image and decided to check for Exif information (metadata), but found nothing until I realized this entire challenge is related to web security, not image steganography. I went a step back and decided to see the source of the image, but found nothing. Then I went back one more step, and something caught my eye.
Can you see it? Take a guess.
We have the full file path of the image. I quickly reopened the image and removed the image portion from the link.
From:
http://natas2.natas.labs.overthewire.org/files/pixel.png
To:
http://natas2.natas.labs.overthewire.org/files/
I clicked the users.txt (http://natas2.natas.labs.overthewire.org/files/users.txt) and got the password.
Natas Level 2 → Level 3
Authentication Credentials:
Username: natas3
URL: http://natas3.natas.labs.overthewire.org
Nothing on the page, no password or image in the source code, but there’s a hint. Line 3 says:
This stuff in the header has nothing to do with the level
I fired up Burp Suite, checked the headers, and found nothing. I was confused. I went a step back and read the source code, and read Line 15, which I had ignored previously.
No more information leaks!! Not even Google will find it this time…
“Not even Google will find it this time” Hmmm, why can’t Google find it? What could it be? What is something on a website that Google can’t find?
Thought about it for a minute, then it clicked in my mind: robots.txt. That’s something Google can’t index. I fixed the link:
From:
http://natas3.natas.labs.overthewire.org/
To:
http://natas3.natas.labs.overthewire.org/robots.txt
We got it. The robots.txt is disallowing the /s3cr3t folder. Time to check it out, I changed the link again.
From:
http://natas3.natas.labs.overthewire.org/robots.txt
To:
http://natas3.natas.labs.overthewire.org/s3cr3t/
I clicked the users.txt (http://natas3.natas.labs.overthewire.org/s3cr3t/users.txt) and got the password.
Natas Level 3 → Level 4
Authentication Credentials:
Username: natas4
URL: http://natas4.natas.labs.overthewire.org
The website says Access Disallowed and gives us a hint. I load up Burp Suite and see the request over there, but I see nothing. Then I click the Refresh Page button provided on the site, and I see it.
This is an example of Referer-based access control. The site is checking if the request came from http://natas5.natas.labs.overthewire.org/ or not. We change the Referer part in the request.
From:
http://natas4.natas.labs.overthewire.org/
To:
http://natas5.natas.labs.overthewire.org/
Then we get the response we wanted. Check Line 24.
Natas Level 4 → Level 5
Authentication Credentials:
Username: natas5
URL: http://natas5.natas.labs.overthewire.org
Upon entering the username and password, we are greeted with this page. I checked the source code, and I see nothing.
I open Burp Suite, send the Request to the repeater and take a look at it, then I see it.
Line 12 gives away the answer:
Cookie: loggedin=0
Cookie here means the login status, and it is set to 0, which means False, so I changed it.
From:
Cookie: loggedin=0
To:
Cookie: loggedin=1
Then I sent the request and got the password in response.
Natas Level 5 → Level 6
Authentication Credentials:
Username: natas6
URL: https://natas6.natas.labs.overthewire.org
The page asks for a secret and includes a View Source Code button.
I click the View Source Code button, and we can see the following code.
Here we can see the PHP code of how authentication works. The script is importing an external file called secret.inc, so I quickly copied the path of the file and pasted it in the URL.
From:
http://natas6.natas.labs.overthewire.org/index-source.html
To:
http://natas6.natas.labs.overthewire.org/includes/secret.inc
Here we can see the secret.
Now, upon entering this secret in the input field, we will get the password.
Natas Level 6 → Level 7
Authentication Credentials:
Username: natas7
URL: http://natas7.natas.labs.overthewire.org
After logging in, I see this.
I click the Home Button and see its source (Ctrl + U). Line 21 gives us a clear hint:
– hint: password for webuser natas8 is in /etc/natas_webpass/natas8 –>
I changed the URL
From:
view-source:http://natas7.natas.labs.overthewire.org/index.php?page=home
To:
view-source:http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8
Now, we have the password to move further.
Natas Level 7 → Level 8
Authentication Credentials:
Username: natas9
URL: http://natas9.natas.labs.overthewire.org
We see this when logging in, I quickly press the View source code button given on the site.
The site’s source code looks like this. We can see a PHP script embedded in it. Let’s understand it.
Code Explanation:
- There’s a variable called encodedSecret that stores some value.
- There’s a function called encodeSecret() which takes the value of a variable called secret (not encodedSecret, don’t confuse it with the previous step’s variable). The secret value gets encoded in Base64, then it gets reversed, and at last it gets converted to Hexadecimal. This function just exists; it’s not being executed yet.
- The script checks if the user has clicked the submit button.
- If not clicked, then do nothing.
- If clicked, then take the value entered by the user, then pass it to the encodeSecret() function (STEP 2), where it gets converted.
- Compare the final converted output to the encodedSecret variable (STEP 1). If they match, then print Access Granted.
Now that we have understood the code, let’s reverse it. To reverse it, we have to do the following:
- Convert the hex back to a string.
- Reverse the string.
- Decode the string from Base64 to its original value.
Instead of manually decoding all these strings online, I have written a small code for it in Python:
python3 -c 'import base64, binascii; print(base64.b64decode(binascii.unhexlify("3d3d516343746d4d6d6c315669563362")[::-1]).decode())'
This will give us the decoded secret, which is oubWYf2kBq. Now enter it as the secret and hit the submit button. You will get the password.
Natas Level 8 → Level 9
Authentication Credentials:
Username: natas9
URL: http://natas9.natas.labs.overthewire.org
After authenticating, we see this input field on the site. I decide to click the View source code button on the page.
An embedded PHP script that makes a query via passthru. Interesting!
Passthru is used to execute system commands. This script takes input from the user and directly gets it executed through passthru; there’s no input sanitisation, so let’s test if we can chain commands in it.
Command chaining means executing multiple commands in a single line using special operators. Here I used a semicolon to chain and put pwd to check if it’s working — and it worked. The command pwd prints the working directory, so now we can see where we are at right now. Let’s exploit this vulnerability now.
In level 7, the password was stored in /etc/natas_webpass/natas8, so I decided to check if the same folder exists or not.
Found it. Now we know where our password can be, so I tried this:
;cat /etc/natas_webpass/natas10
and got the password.
Natas Level 9 → Level 10
Authentication Credentials:
Username: natas10
URL: http://natas10.natas.labs.overthewire.org
Enter the username provided & password from the previous level.
Click View Source Code.
Hmm, they seem to have added input sanitisation now, but they missed one thing — they still use passthru. We can’t chain commands, but we can manipulate grep to do the work for us. We can do this by putting:
.* /etc/natas_webpass/natas11
as input, what this does is tell grep to read everything.
We got the password.
That is it for this walkthrough, I will upload the walkthrough of the next levels in the next write-up. Till then. Keep Hacking