IDEA I/O home  | about  | cheat sheets  | github

Overthewire Natas Walkthrough Level 1 - Level 10

A walkthrough for level 1 to level 10 of Natas Overthewire challenges

Table of Contents generated with DocToc

Introduction

The site http://overthewire.org/wargames/natas/ contains a series of little war games that teach web application security. In total, there are 33 such challenges. This is a write-up of the solutions to level 1 to 10 of these challenges.

Level 0

Natas 0
Natas 0
<!--The password for natas1 is gtVrDuiDfck831PqWsLEZy5gyDz1clto -->

Level 1

Natas 1
Natas 1
<!--The password for natas2 is ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi --

Level 2

Natas 2
Natas 2
<html>
<head>
...
<head>
<body>
<h1>natas2</h1>
<div id="content">
There is nothing on this page
<img src="files/pixel.png">
</div>
</body></html>
# username:password
alice:BYNdCesZqW
bob:jw2ueICLvT
charlie:G5vCxkVV3m
natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
eve:zo4mJWyNj2
mallory:9urtcpzBmH

Level 3

Natas 3
Natas 3
User-agent: *
Disallow: /s3cr3t/
natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

Level 4

Natas 4
Natas 4
Access granted. The password for natas5 is iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

Using Burp proxy to set the Referer (mini tutorial)

  1. Download and install the Burp Proxy Community Edition from: https://portswigger.net/burp.
  2. Start the Burp Proxy. Go to Proxy and to Intercept.
  3. Change the Proxy option in Firefox to http://127.0.0.1:8080
  4. Open the site http://natas4.natas.labs.overthewire.org/ in Firefox.
  5. Add the header: Referer: http://natas4.natas.labs.overthewire.org/ click on Forward.
  6. Forward the response to the browser as well.
Burp Proxy Overview
Burp Proxy Overview

Level 5

Access granted. The password for natas6 is aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

Level 6

Natas 6
Natas 6
<?

include "includes/secret.inc";

    if(array_key_exists("submit", $_POST)) {
        if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is <censored>";
    } else {
        print "Wrong secret";
    }
    }
?>
<?
$secret = "FOEIUWGHFEEUHOFUOIU";
?>
Access granted. The password for natas7 is 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9 

Level 7

Natas 7
Natas 7
DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe 

Level 8

Natas 8
Natas 8
<?

$encodedSecret = "3d3d516343746d4d6d6c315669563362";
function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}
if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
    print "Access granted. The password for natas9 is <censored>";
    } else {
    print "Wrong secret";
    }
}
?>
php > echo bin2hex(strrev(base64_encode("test")));
3d3d41647a564764
php > echo base64_decode(strrev(hex2bin("3d3d41647a564764")));
test
php > echo base64_decode(strrev(hex2bin("3d3d516343746d4d6d6c315669563362")));
oubWYf2kBq
Access granted. The password for natas9 is W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl 

Level 9

Natas 9
Natas 9
<?
$key = "";
if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}
if($key != "") {
    passthru("grep -i $key dictionary.txt");
}
?>

Level 10

Natas 10
Natas 10
<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}
if($key != "") {
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i $key dictionary.txt");
    }
}
/etc/natas_webpass/natas11:U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK