OverTheWire Natas 0-9

Lately I’ve been working on the Natas challenges again. Been a while since I have but I was surprised at how much easier the challenges were for me now compared to the last time. Here are levels 0 through 9. While these challenges are very basic the later Natas challenges have actually gotten quite intuitive. Excited to finish them all but I will be uploading them in increments of 10 when I get the chance.

Level 0

http://natas0.natas.labs.overthewire.org

User: natas0

Pass: natas0

Right clicking and selecting ‘inspect’ in google chrome you can find the password for the next level.

Level 1

User: natas1

Pass: gtVrDuiDfck831PqWsLEZy5gyDz1clto

This level right clicking is blocked. By clicking on the chrome options button you can go to ‘developer options’ to reveal the password for the next level.

Level 2

User: natas2

Pass: ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi

Looking at the html of the original webpage we see an image file at /files/pixel.png so if we go there we find nothing. However, going to /files/ we see a user.txt file which contains the following.

Level 3

User: natas3

Pass: sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14

Going to the file /robots.txt reveals a directory ‘/s3cr3t/’ which when we go to we find a file named users.txt containing the user info for the next level

Level 4

User: natas4

Pass: Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

For this level you can use a couple different tools. There are plugins for chrome and likely plugins for other browsers as well. I’ll be using a linux VM for the curl command.

‘curl –user natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ http://natas4.natas.labs.overthewire.org/ -e http://natas5.natas.labs.overthewire.org/

Level 5

User: natas5

Pass: iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

When we get on the website there is a message stating that we are not logged in. Heading over to the cookies page in the web developer tools we see ‘loggedin’ with a value of ‘0’ setting this to ‘1’ and refreshing the page we obtain the password for the next level.

Level 6

User: natas6

Pass: aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

We are prompted for a secret input in the form on the website. Clicking ‘View sourcecode’ we can see the php behind the form. Using this we can reverse engineer the code and obtain what to enter into the prompt.

We see in the php code that it is including info from a file at ‘includes/secret.inc’ reading the remainder of the code reveals that this file likely contains the variable $secret which is what we must enter into the form.

Entering this secret into the form reveals the password.

Level 7

User: natas7

Pass: 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

The url when going to ‘Home’ or ‘About’ reveals ‘http://natas7.natas.labs.overthewire.org/index.php?page=’ testing this out for file inclusion we can do something like ‘http://natas7.natas.labs.overthewire.org/index.php?page=/etc/passwd’ which surprisingly enough reveals the file’s text. On level 0 they explain that the level’s password is stored in ‘/etc/natas_webpass/level’ so we can simply enter this in and obtain the password for the level.

‘http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8’

Level 8

User: natas8

Pass: DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe

Once again we are given source code to reverse. We see that the conditional statement uses the function ‘encodeSecret($_POST[‘secret’])’ which is our input. This is then compared to the $encodedSecret string.

Bin2hex returns a string containing the hexadecimal representation of a string.

Strrev returns a string reversed

Base64_encode encodes the string using base64

Doing this in reverse we can do the following:

3d3d516343746d4d6d6c315669563362 from hex to ascii -> ==QcCtmMml1ViV3b

==QcCtmMml1ViV3b reversed -> b3ViV1lmMmtCcQ==

b3ViV1lmMmtCcQ== decoded from base64 -> oubWYf2kBq

Entering ‘oubWYf2kBq’ into the form we will obtain the next level’s credentials.

Level 9

User: natas9

Pass: W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl

This level we are given a prompt to search a dictionary. Viewing the sourcecode and not seeing any input validation we can check for command injection. By placing a ‘;’ before a unix command we can have the form return the output of unix commands. To obtain the password for the next level we can do the following.

‘;cat /etc/natas_webpass/natas10’

One thought on “OverTheWire Natas 0-9

Add yours

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Create a website or blog at WordPress.com

Up ↑

%d bloggers like this: