Overthewire Natas Walkthrough Level 1 - Level 10

• Date: 2017-12-09

A walkthrough for level 1 to level 10 of Natas Overthewire challenges

Table of Contents generated with DocToc

• Introduction
• Level 0
• Level 1
• Level 2
• Level 3
• Level 4
  • Using Burp proxy to set the Referer (mini tutorial)
• Level 5
• Level 6
• Level 7
• Level 8
• Level 9
• Level 10

Introduction

The site http://overthewire.org/wargames/natas/ contains a series of little war games that teach web application security. In total, there are 33 such challenges. This is a write-up of the solutions to level 1 to 10 of these challenges.

Level 0

• The hint on the page is: You can find the password for the next level on this page..
• Looking at the HTML source code of the page reveals the password for natas1 is gtVrDuiDfck831PqWsLEZy5gyDz1clto.

<!--The password for natas1 is gtVrDuiDfck831PqWsLEZy5gyDz1clto -->

Level 1

• The hint on the page is: You can find the password for the next level on this page, but right-clicking has been blocked!.
• Right-clicking is blocked by JavaScript but the source code of the site is still accessible via other means.
• I opened the Chrome developer tools with [CTRL]+[SHIFT]+I and navigated to Sources. This reveals that the password for natas2 is ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi.

<!--The password for natas2 is ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi --

Level 2

• The hint on the page is: There is nothing on this page.
• The source code on the site says that the stuff in the header has nothing to do with the level.
• The URL: http://natas2.natas.labs.overthewire.org/robots.txt does not work and robots.txt is not present on the server.

<html>
<head>
...
<head>
<body>
<h1>natas2</h1>
<div id="content">
There is nothing on this page
<img src="files/pixel.png">
</div>
</body></html>

• The page embeds the files/pixel.png.
• Accessing the URL: http://natas2.natas.labs.overthewire.org/files/ shows a directory listing with the two files pixel.png and users.txt.

# username:password
alice:BYNdCesZqW
bob:jw2ueICLvT
charlie:G5vCxkVV3m
natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
eve:zo4mJWyNj2
mallory:9urtcpzBmH

• Looks like these are the username and password combinations for the next level.

Level 3

• The hint on the page is again There is nothing on this page.
• There is a second hint in the HTML source code of the page: No more information leaks!! Not even Google will find it this time….
• Accessing the file robots.txt reveals the Disallow directory /s3cr3t/.

User-agent: *
Disallow: /s3cr3t/

• That directory contains again a user.txt file with the credentials for the next level.

natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

Level 4

• The site shows the hint: Access disallowed. You are visiting from “” while authorized users should come only from “http://natas5.natas.labs.overthewire.org/”.
• The site probably has a whitelist for the Referer: value in the HTTP request. Because I did open the site directly there was no Referer: present in the request.
• I downloaded the Burp Proxy Community Edition. This tool intercepts your HTTP requests and lets you modify the headers before it sends the requests to the original destination.
• With Burp I was able to add the header Referer: http://natas5.natas.labs.overthewire.org/ to the request.
• The response shows the username and password for the next level.

Access granted. The password for natas5 is iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

Using Burp proxy to set the Referer (mini tutorial)

1. Download and install the Burp Proxy Community Edition from: https://portswigger.net/burp.
2. Start the Burp Proxy. Go to Proxy and to Intercept.
3. Change the Proxy option in Firefox to http://127.0.0.1:8080
4. Open the site http://natas4.natas.labs.overthewire.org/ in Firefox.
5. Add the header: Referer: http://natas4.natas.labs.overthewire.org/ click on Forward.
6. Forward the response to the browser as well.

Level 5

• The site shows the hint: Access disallowed. You are not logged in.
• Inspecting the cookies with Burp revealed to cookie loggedin with a value of 0.
• Intercepting the request again and setting the value for loggedin to 1 instead of 0 works and the username and password for the next level is shown.

Access granted. The password for natas6 is aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

Level 6

• The site shows a form that submits a query.
• The source code for the PHP form is:

<?

include "includes/secret.inc";

    if(array_key_exists("submit", $_POST)) {
        if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is <censored>";
    } else {
        print "Wrong secret";
    }
    }
?>

• Accessing the URL http://natas6.natas.labs.overthewire.org/includes/secret.inc shows the secret.

<?
$secret = "FOEIUWGHFEEUHOFUOIU";
?>

• Using this secret in the form reveals the username and password for the next level.

Access granted. The password for natas7 is 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9 

Level 7

• Natas7 is a simple web page that has links to a Home and a About page.
  • The Home and About pages are included with a HTTP GET parameter such as ?page=home or page=about
• The HTML source code for the site shows the hint: password for webuser natas8 is in /etc/natas_webpass/natas8.
• This looks like a local file inclusion (LFI) vulnerability. It is probably possible to open the file /etc/natas_webpass/natas8 through the GET parameter ?page=/etc/natas_webpass/natas8.
• I tried to open http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8. It works, the password for the next level is:

DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe 

Level 8

• The site shows a form that submits a query, similar to Level 6.
• It also has a button to show the PHP source code for the site:

<?

$encodedSecret = "3d3d516343746d4d6d6c315669563362";
function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}
if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
    print "Access granted. The password for natas9 is <censored>";
    } else {
    print "Wrong secret";
    }
}
?>

• The function encodeSecret first encodes the $secret with base64 then reverses it and then converts the result from binary to hexadecimal.

• To get the cleartext version of the $encodedSecret this function needs to be reversed.

• I used the PHP interactive mode with $ php -a on my Linux VM.

• First, I tried the original function and my reverse function with the simple input string test:

php > echo bin2hex(strrev(base64_encode("test")));
3d3d41647a564764
php > echo base64_decode(strrev(hex2bin("3d3d41647a564764")));
test

• This worked. I then tried it with the $encodedSecret from the PHP source code of the site:

php > echo base64_decode(strrev(hex2bin("3d3d516343746d4d6d6c315669563362")));
oubWYf2kBq

• Using oubWYf2kBq as the input secret works and the password for the next level is shown:

Access granted. The password for natas9 is W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl 

Level 9

• The site shows a little form that lets the user search for words that contain the supplied string.
• The PHP source code for the site is:

<?
$key = "";
if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}
if($key != "") {
    passthru("grep -i $key dictionary.txt");
}
?>

• The code seems vulnerable to command injection. It seems possible to chain other commands after the grep command with ; or &&.
• The introduction site says: All passwords are also stored in /etc/natas_webpass/.
• Using the input test; ls /etc/natas_webpass/ shows that the file natas10 is available.
• Using the input test; cat /etc/natas_webpass/natas10 returns the password nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu for natas10.

Level 10

• The site shows the same form as in Level 9 but has a filter on certain characters. The site says: “For security reasons, we now filter on certain characters”.
• Using the same input as in level 9 test; cat /etc/natas_webpass/natas10 no longer works and the error message Input contains an illegal character! is shown.
• The source code of the site shows that it filters the characters ; and &.

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}
if($key != "") {
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i $key dictionary.txt");
    }
}

• The input string: test %3B cat /etc/natas_webpass/natas11 does not work. %3B is Unicode for ;.
• The input string: "[A-Za-z0-9_.]" /etc/natas_webpass/natas11 works. It just uses the grep command to access the file /etc/natas_webpass/natas11 and the file dictionary.txt. The regex [A-Za-z0-9_.] includes any string that contains the letters A-Z, a-z, or the numbers 0-9.
• This shows that the password for the next level is:

/etc/natas_webpass/natas11:U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK