OverTheWire Natas: Levels 0–10 Walkthrough

OverTheWire’s Natas wargame is a series of web security challenges that teach server-side vulnerabilities.

Prerequisites

What you should know:

  • Basic HTML/CSS structure
  • How to use browser developer tools
  • Basic command line usage
  • Understanding of HTTP requests (helpful but not required)

Tools you’ll need:

  • A web browser (I used Chrome/Firefox)
  • Burp Suite Community Edition (for intercepting HTTP requests)
  • Python 3 (for decoding in Level 8)
  • A text editor or terminal for running quick scripts

Natas Level 0

Authentication Credentials:
Username: natas0
Password: natas0
URL: http://natas0.natas.labs.overthewire.org

Upon visiting the website, we are asked for a username & password, which we already have, so we enter them as given.

Screenshot_20260523_120931

After logging in, we see this page. There’s nothing here except a ‘Submit token’ button, which takes us outside the scope, so let’s check the source. On hitting Ctrl + U (View Source), we can see the password in line 16.

0_o7CA7kPQeXyq9rdE

Natas Level 0 → Level 1

Authentication Credentials:
Username: natas1
URL: http://natas1.natas.labs.overthewire.org

Upon visiting the website, we are asked for Username & Password. We use the provided username and the password we got from the previous level. After logging in, we see this page.

Screenshot_20260523_122135

Right-click is blocked on this page, but since we know shortcuts, we don’t need to worry. You can use any of the following:

Alternative methods to access developer tools:

  • Ctrl + Shift + I : Opens the browser’s Inspect Element panel
  • Ctrl + U : Displays the page source in a new tab

Screenshot_20260523_122635

I used Inspect Element, and on Line 17, we can see the password.

Pro tip: For complex websites with extensive code, use Ctrl + Shift + I rather than Ctrl + U. The Inspect Element panel allows you to collapse and expand code blocks, making navigation much easier.

Natas Level 1 → Level 2

Authentication Credentials:
Username: natas2
URL: http://natas2.natas.labs.overthewire.org

Upon visiting the website, we are asked for username & password. We use the provided username and the password we got from the previous level. After logging in, we see this page.

Screenshot_20260523_123504

Nothing again, so I view the source.

Screenshot_20260523_123640

On Line 15, there’s a PNG image attached, so I clicked the image, and it was just a blank image. I thought this might have to do with image steganography, so I downloaded the image and decided to check for Exif information (metadata), but found nothing until I realized this entire challenge is related to web security, not image steganography. I went a step back and decided to see the source of the image, but found nothing. Then I went back one more step, and something caught my eye.

Can you see it? Take a guess.

We have the full file path of the image. I quickly reopened the image and removed the image portion from the link.

From:
http://natas2.natas.labs.overthewire.org/files/pixel.png

To:
http://natas2.natas.labs.overthewire.org/files/

Screenshot_20260523_125444

I clicked the users.txt (http://natas2.natas.labs.overthewire.org/files/users.txt) and got the password.

Screenshot_20260523_125619

Natas Level 2 → Level 3

Authentication Credentials:
Username: natas3
URL: http://natas3.natas.labs.overthewire.org

Nothing on the page, no password or image in the source code, but there’s a hint. Line 3 says:

This stuff in the header has nothing to do with the level

I fired up Burp Suite, checked the headers, and found nothing. I was confused. I went a step back and read the source code, and read Line 15, which I had ignored previously.

No more information leaks!! Not even Google will find it this time…

“Not even Google will find it this time” Hmmm, why can’t Google find it? What could it be? What is something on a website that Google can’t find?

Thought about it for a minute, then it clicked in my mind: robots.txt. That’s something Google can’t index. I fixed the link:

From:
http://natas3.natas.labs.overthewire.org/

To:
http://natas3.natas.labs.overthewire.org/robots.txt

Screenshot_20260523_132713

We got it. The robots.txt is disallowing the /s3cr3t folder. Time to check it out, I changed the link again.

From:
http://natas3.natas.labs.overthewire.org/robots.txt

To:
http://natas3.natas.labs.overthewire.org/s3cr3t/

Screenshot_20260523_132848

I clicked the users.txt (http://natas3.natas.labs.overthewire.org/s3cr3t/users.txt) and got the password.

Screenshot_20260523_133115

Natas Level 3 → Level 4

Authentication Credentials:
Username: natas4
URL: http://natas4.natas.labs.overthewire.org

Screenshot_20260525_125516

The website says Access Disallowed and gives us a hint. I load up Burp Suite and see the request over there, but I see nothing. Then I click the Refresh Page button provided on the site, and I see it.

Screenshot_20260525_125928

This is an example of Referer-based access control. The site is checking if the request came from http://natas5.natas.labs.overthewire.org/ or not. We change the Referer part in the request.

From:
http://natas4.natas.labs.overthewire.org/

To:
http://natas5.natas.labs.overthewire.org/

Then we get the response we wanted. Check Line 24.

Screenshot_20260525_130356

Natas Level 4 → Level 5

Authentication Credentials:
Username: natas5
URL: http://natas5.natas.labs.overthewire.org

Upon entering the username and password, we are greeted with this page. I checked the source code, and I see nothing.

Screenshot_20260525_130825

I open Burp Suite, send the Request to the repeater and take a look at it, then I see it.

Screenshot_20260525_132819

Line 12 gives away the answer:

Cookie: loggedin=0

Cookie here means the login status, and it is set to 0, which means False, so I changed it.

From:
Cookie: loggedin=0

To:
Cookie: loggedin=1

Then I sent the request and got the password in response.

Screenshot_20260525_133455

Natas Level 5 → Level 6

Authentication Credentials:
Username: natas6
URL: https://natas6.natas.labs.overthewire.org

The page asks for a secret and includes a View Source Code button.

Screenshot_20260526_144001

I click the View Source Code button, and we can see the following code.

Screenshot_20260526_144300

Here we can see the PHP code of how authentication works. The script is importing an external file called secret.inc, so I quickly copied the path of the file and pasted it in the URL.

From:
http://natas6.natas.labs.overthewire.org/index-source.html

To:
http://natas6.natas.labs.overthewire.org/includes/secret.inc

Here we can see the secret.

Screenshot_20260526_144716

Now, upon entering this secret in the input field, we will get the password.

image

Natas Level 6 → Level 7

Authentication Credentials:
Username: natas7
URL: http://natas7.natas.labs.overthewire.org

After logging in, I see this.

Screenshot_20260526_150638

I click the Home Button and see its source (Ctrl + U). Line 21 gives us a clear hint:

Screenshot_20260526_150745

– hint: password for webuser natas8 is in /etc/natas_webpass/natas8 –>

I changed the URL

From:
view-source:http://natas7.natas.labs.overthewire.org/index.php?page=home

To:
view-source:http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8

image

Now, we have the password to move further.

Natas Level 7 → Level 8

Authentication Credentials:
Username: natas9
URL: http://natas9.natas.labs.overthewire.org

We see this when logging in, I quickly press the View source code button given on the site. Screenshot_20260526_152018

The site’s source code looks like this. We can see a PHP script embedded in it. Let’s understand it.

Screenshot_20260526_151955

Code Explanation:

  • There’s a variable called encodedSecret that stores some value.
  • There’s a function called encodeSecret() which takes the value of a variable called secret (not encodedSecret, don’t confuse it with the previous step’s variable). The secret value gets encoded in Base64, then it gets reversed, and at last it gets converted to Hexadecimal. This function just exists; it’s not being executed yet.
  • The script checks if the user has clicked the submit button.
  • If not clicked, then do nothing.
  • If clicked, then take the value entered by the user, then pass it to the encodeSecret() function (STEP 2), where it gets converted.
  • Compare the final converted output to the encodedSecret variable (STEP 1). If they match, then print Access Granted.

Now that we have understood the code, let’s reverse it. To reverse it, we have to do the following:

  1. Convert the hex back to a string.
  2. Reverse the string.
  3. Decode the string from Base64 to its original value.

Instead of manually decoding all these strings online, I have written a small code for it in Python:

python3 -c 'import base64, binascii; print(base64.b64decode(binascii.unhexlify("3d3d516343746d4d6d6c315669563362")[::-1]).decode())'

This will give us the decoded secret, which is oubWYf2kBq. Now enter it as the secret and hit the submit button. You will get the password.

image

Natas Level 8 → Level 9

Authentication Credentials:
Username: natas9
URL: http://natas9.natas.labs.overthewire.org

After authenticating, we see this input field on the site. I decide to click the View source code button on the page.

Screenshot_20260526_172632

An embedded PHP script that makes a query via passthru. Interesting!

Screenshot_20260526_172759

Passthru is used to execute system commands. This script takes input from the user and directly gets it executed through passthru; there’s no input sanitisation, so let’s test if we can chain commands in it.

Screenshot_20260526_173146

Command chaining means executing multiple commands in a single line using special operators. Here I used a semicolon to chain and put pwd to check if it’s working — and it worked. The command pwd prints the working directory, so now we can see where we are at right now. Let’s exploit this vulnerability now.

In level 7, the password was stored in /etc/natas_webpass/natas8, so I decided to check if the same folder exists or not.

Screenshot_20260526_173623

Found it. Now we know where our password can be, so I tried this:

;cat /etc/natas_webpass/natas10

and got the password.

image

Natas Level 9 → Level 10

Authentication Credentials:
Username: natas10
URL: http://natas10.natas.labs.overthewire.org

Enter the username provided & password from the previous level. Screenshot_20260526_173951

Click View Source Code.

Screenshot_20260526_174042

Hmm, they seem to have added input sanitisation now, but they missed one thing — they still use passthru. We can’t chain commands, but we can manipulate grep to do the work for us. We can do this by putting:

.* /etc/natas_webpass/natas11

as input, what this does is tell grep to read everything.

image

We got the password.

That is it for this walkthrough, I will upload the walkthrough of the next levels in the next write-up. Till then. Keep Hacking