Lately I’ve been working on the Natas challenges again. Been a while since I have but I was surprised at how much easier the challenges were for me now compared to the last time. Here are levels 0 through 9. While these challenges are very basic the later Natas challenges have actually gotten quite intuitive. Excited to finish them all but I will be uploading them in increments of 10 when I get the chance.
Right clicking and selecting ‘inspect’ in google chrome you can find the password for the next level.
This level right clicking is blocked. By clicking on the chrome options button you can go to ‘developer options’ to reveal the password for the next level.
Looking at the html of the original webpage we see an image file at /files/pixel.png so if we go there we find nothing. However, going to /files/ we see a user.txt file which contains the following.
Going to the file /robots.txt reveals a directory ‘/s3cr3t/’ which when we go to we find a file named users.txt containing the user info for the next level
For this level you can use a couple different tools. There are plugins for chrome and likely plugins for other browsers as well. I’ll be using a linux VM for the curl command.
When we get on the website there is a message stating that we are not logged in. Heading over to the cookies page in the web developer tools we see ‘loggedin’ with a value of ‘0’ setting this to ‘1’ and refreshing the page we obtain the password for the next level.
We are prompted for a secret input in the form on the website. Clicking ‘View sourcecode’ we can see the php behind the form. Using this we can reverse engineer the code and obtain what to enter into the prompt.
We see in the php code that it is including info from a file at ‘includes/secret.inc’ reading the remainder of the code reveals that this file likely contains the variable $secret which is what we must enter into the form.
Entering this secret into the form reveals the password.
The url when going to ‘Home’ or ‘About’ reveals ‘http://natas7.natas.labs.overthewire.org/index.php?page=’ testing this out for file inclusion we can do something like ‘http://natas7.natas.labs.overthewire.org/index.php?page=/etc/passwd’ which surprisingly enough reveals the file’s text. On level 0 they explain that the level’s password is stored in ‘/etc/natas_webpass/level’ so we can simply enter this in and obtain the password for the level.
Once again we are given source code to reverse. We see that the conditional statement uses the function ‘encodeSecret($_POST[‘secret’])’ which is our input. This is then compared to the $encodedSecret string.
Bin2hex returns a string containing the hexadecimal representation of a string.
Strrev returns a string reversed
Base64_encode encodes the string using base64
Doing this in reverse we can do the following:
3d3d516343746d4d6d6c315669563362 from hex to ascii -> ==QcCtmMml1ViV3b
==QcCtmMml1ViV3b reversed -> b3ViV1lmMmtCcQ==
b3ViV1lmMmtCcQ== decoded from base64 -> oubWYf2kBq
Entering ‘oubWYf2kBq’ into the form we will obtain the next level’s credentials.
This level we are given a prompt to search a dictionary. Viewing the sourcecode and not seeing any input validation we can check for command injection. By placing a ‘;’ before a unix command we can have the form return the output of unix commands. To obtain the password for the next level we can do the following.