Posts Over the Wire NATAS: Rooms 0-4
Post
Cancel

Over the Wire NATAS: Rooms 0-4

Nov 25, 2020 2020-11-25T20:13:00-08:00 on overthewire, writeup

Introduction

OverTheWire Natas is a web-based series of challenges or “levels”. In this writeup, I’ll show off my solutions to the first five of them.

Level 0

Username: natas0

Password: natas0

Upon opening the web page, I’m greeted with this text:

You can find the password for the next level on this page.

Given that this is a web challenge, I decide to open the source code of the webpage. I’m using Firefox, so I can use the keyboard shortcut Ctrl+U to view the webpage’s source.

I see this HTML comment in the source code:

1
2
3

<!--The password for natas1 is gtVrDuiDfck831PqWsLEZy5gyDz1clto -->
</div>

Cool!

Level 1

Username: natas1

Password: gtVrDuiDfck831PqWsLEZy5gyDz1clto

We are greeted with the same text as we are from the first challenge. Using the same keyboard shortcut as I used in level 0, I viewed the source code: Ctrl+U

Similarly, there is a HTML comment with the password for the next level.

1

<!--The password for natas2 is ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi -->

Level 2

Username: natas2

Password: ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi

I am greeted with this text: There is nothing on this page.

Viewing the page source again, I see that there is a reference to the file pixels.png.

1

<img src="files/pixel.png">

There’s nothing in the image itself, but from experience I know that if I go to a directory in a URL, Apache will show the files that I can access within that directory. I know the web server is running apache because I tried navigating to /test/. Let’s head to /files/.

From the directory listing, I can see that users.txt exists at http://natas2.natas.labs.overthewire.org/files/users.txt. Going there gives me the password for Level 3.

1
2
3
4
5
6
7

# username:password
alice:BYNdCesZqW
bob:jw2ueICLvT
charlie:G5vCxkVV3m
natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
eve:zo4mJWyNj2
mallory:9urtcpzBmH

Level 3

Username: natas3

Password: sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14

When viewing the source code, I see this comment:

1

<!-- No more information leaks!! Not even Google will find it this time... -->

From experience, I know this is referring to robots.txt. Heading to http://natas3.natas.labs.overthewire.org/robots.txt, I see that http://natas3.natas.labs.overthewire.org/s3cr3t/ exists. Going there, I can find another users.txt file and another password.

1

natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

Level 4

Username: natas4

Password: Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

Upon opening the level, I am greeted with this message:

1

Access disallowed. You are visiting from "http://natas4.natas.labs.overthewire.org/" while authorized users should come only from "http://natas5.natas.labs.overthewire.org/"

From experience, I know this refers to an HTTP header. I’ll open up a program called Burpsuite in order to modify my HTTP request to reflect what it wants.

Here is the request I get when I refresh the page:

1
2
3
4
5
6
7
8
9
10

GET /index.php HTTP/1.1
Host: natas4.natas.labs.overthewire.org
Authorization: Basic bmF0YXM0Olo5dGtSa1dtcHQ5UXI3WHJSNWpXUmtnT1U5MDFzd0Va
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://natas4.natas.labs.overthewire.org/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

There is a Referer header, so I’ll make the changes the challenge asks for.

1
2
3
4
5
6
7
8
9
10

GET /index.php HTTP/1.1
Host: natas4.natas.labs.overthewire.org
Authorization: Basic bmF0YXM0Olo5dGtSa1dtcHQ5UXI3WHJSNWpXUmtnT1U5MDFzd0Va
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://natas5.natas.labs.overthewire.org/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

After forwarding the request, we are given the flag for the next level.

1

Access granted. The password for natas5 is iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

If you wanted to be fancyu, you can use CLI tool curl to solve it. You need to set two headers: one with the password from the previous level and the referer as part of the challenge.

1

curl http://natas4.natas.labs.overthewire.org/index.php -H 'Authorization: Basic bmF0YXM0Olo5dGtSa1dtcHQ5UXI3WHJSNWpXUmtnT1U5MDFzd0Va' --referer 'http://natas5.natas.labs.overthewire.org/'

Conclusion

OverTheWire really ramps up, in two minutes I went from viewing page source to opening up BurpSuite to solve challenges. I’m going to be solving out more of these over the weekend.

writeup web linux burpsuite
This post is licensed under CC BY 4.0

THM RootMe

Over the Wire NATAS: Levels 5-9