Introduction
OverTheWire Natas is a web-based series of challenges or “levels”. In this writeup, I’ll show off my solutions to the first five of them.
Level 0
Username: natas0
Password: natas0
Upon opening the web page, I’m greeted with this text:
You can find the password for the next level on this page.
Given that this is a web challenge, I decide to open the source code of the webpage. I’m using Firefox, so I can use the keyboard shortcut Ctrl+U
to view the webpage’s source.
I see this HTML comment in the source code:
1
2
3
<!--The password for natas1 is gtVrDuiDfck831PqWsLEZy5gyDz1clto -->
</div>
Cool!
Level 1
Username: natas1
Password: gtVrDuiDfck831PqWsLEZy5gyDz1clto
We are greeted with the same text as we are from the first challenge. Using the same keyboard shortcut as I used in level 0, I viewed the source code: Ctrl+U
Similarly, there is a HTML comment with the password for the next level.
1
<!--The password for natas2 is ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi -->
Level 2
Username: natas2
Password: ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi
I am greeted with this text: There is nothing on this page
.
Viewing the page source again, I see that there is a reference to the file pixels.png
.
1
<img src="files/pixel.png">
There’s nothing in the image itself, but from experience I know that if I go to a directory in a URL, Apache will show the files that I can access within that directory. I know the web server is running apache because I tried navigating to /test/
. Let’s head to /files/
.
From the directory listing, I can see that users.txt
exists at http://natas2.natas.labs.overthewire.org/files/users.txt
. Going there gives me the password for Level 3.
1
2
3
4
5
6
7
# username:password
alice:BYNdCesZqW
bob:jw2ueICLvT
charlie:G5vCxkVV3m
natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
eve:zo4mJWyNj2
mallory:9urtcpzBmH
Level 3
Username: natas3
Password: sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
When viewing the source code, I see this comment:
1
<!-- No more information leaks!! Not even Google will find it this time... -->
From experience, I know this is referring to robots.txt
. Heading to http://natas3.natas.labs.overthewire.org/robots.txt
, I see that http://natas3.natas.labs.overthewire.org/s3cr3t/
exists. Going there, I can find another users.txt
file and another password.
1
natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ
Level 4
Username: natas4
Password: Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ
Upon opening the level, I am greeted with this message:
1
Access disallowed. You are visiting from "http://natas4.natas.labs.overthewire.org/" while authorized users should come only from "http://natas5.natas.labs.overthewire.org/"
From experience, I know this refers to an HTTP header. I’ll open up a program called Burpsuite in order to modify my HTTP request to reflect what it wants.
Here is the request I get when I refresh the page:
1
2
3
4
5
6
7
8
9
10
GET /index.php HTTP/1.1
Host: natas4.natas.labs.overthewire.org
Authorization: Basic bmF0YXM0Olo5dGtSa1dtcHQ5UXI3WHJSNWpXUmtnT1U5MDFzd0Va
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://natas4.natas.labs.overthewire.org/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
There is a Referer
header, so I’ll make the changes the challenge asks for.
1
2
3
4
5
6
7
8
9
10
GET /index.php HTTP/1.1
Host: natas4.natas.labs.overthewire.org
Authorization: Basic bmF0YXM0Olo5dGtSa1dtcHQ5UXI3WHJSNWpXUmtnT1U5MDFzd0Va
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://natas5.natas.labs.overthewire.org/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
After forwarding the request, we are given the flag for the next level.
1
Access granted. The password for natas5 is iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq
If you wanted to be fancyu, you can use CLI tool curl to solve it. You need to set two headers: one with the password from the previous level and the referer as part of the challenge.
1
curl http://natas4.natas.labs.overthewire.org/index.php -H 'Authorization: Basic bmF0YXM0Olo5dGtSa1dtcHQ5UXI3WHJSNWpXUmtnT1U5MDFzd0Va' --referer 'http://natas5.natas.labs.overthewire.org/'
Conclusion
OverTheWire really ramps up, in two minutes I went from viewing page source to opening up BurpSuite to solve challenges. I’m going to be solving out more of these over the weekend.