Natas (OverTheWire)

level 0

Go to http://natas0.natas.labs.overthewire.org/ and sign in with natas0:natas0. You are greeted with an empty, non-interactive homepage, but inspecting the source will show that the the password is commented out.

<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas0", "pass": "natas0" };</script></head>
<body>
<h1>natas0</h1>
<div id="content">
You can find the password for the next level on this page.

<!--The password for natas1 is [REDACTED] -->
</div>
</body>
</html>

level 1

Right clicking has been blocked on the first level so you can’t right click to view the source. A quick Google search shows that the shortcut to view source is CTRL + U. Doing that will show the password in the source again.

<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas1", "pass": "gtVrDuiDfck831PqWsLEZy5gyDz1clto" };</script></head>
<body oncontextmenu="javascript:alert('right clicking has been blocked!');return false;">
<h1>natas1</h1>
<div id="content">
You can find the password for the
next level on this page, but rightclicking has been blocked!

<!--The password for natas2 is [REDACTED] -->
</div>
</body>
</html>

level 2

Viewing the source for this level doesn’t show anything that sticks out right away. However, there is a image being link <img src="files/pixel.png">

This leads you to http://natas2.natas.labs.overthewire.org/files/pixel.png, but its just a pixel. The pixel.png file is located in the files directory. Think of a web server serving files as a directory structure. Could there be other files in this directory? Possibly. Let’s see what happens if we see what is in that directory.

Going to http://natas2.natas.labs.overthewire.org/files/, leads us to an open Apache directory with another file called users.txt. The file holds credentials of different users, one of which, is the username and password to the next level.

# username:password
alice:BYNdCesZqW
bob:jw2ueICLvT
charlie:G5vCxkVV3m
natas3:[REDACTED]
eve:zo4mJWyNj2
mallory:9urtcpzBmH

level 3

Viewing the source code doesn’t show anything except for a clue.

<!-- No more information leaks!! Not even Google will find it this time... -->

There’s no way of figuring this out unless you know that the clue alludes to a file called robots.txt. If you want hide something from Google or any search engine in general, one of the first things a search engine does is crawling. Crawling is when a search engine visits websites and indexes webpages by downloading them. The reason for this is to organize an “index” of webpages, so that the search engine knows where to refer users when they search something up.

Going to http://natas3.natas.labs.overthewire.org/robots.txt shows:

User-agent: *
Disallow: /s3cr3t/

This is saying, “Hey crawlers, don’t index the /s3cr3t directory”, which is a not so great way to hide something from the Internet. Once you go to http://natas3.natas.labs.overthewire.org/s3cr3t/, there is another users.txt that contains the credentials for level 4.

natas4:[REDACTED]

level 4

You are greeting with a message in Level 4.

Access disallowed. You are visiting from "" while authorized users should come only from "http://natas5.natas.labs.overthewire.org/"

Time to get Burp out and make it look like you are coming from level 5! Let’s break it down. You are denied access to this level because you aren’t visiting from level 5. This level is set up to only authorize those from level 5 to see the contents of level 4. We are going to use Burp to intercept the request when the page was loaded, and modify the request to make it look like we’re coming in from level 5.

The GET request should look like this

GET / HTTP/1.1
Host: natas4.natas.labs.overthewire.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Authorization: Basic bmF0YXM0Olo5dGtSa1dtcHQ5UXI3WHJSNWpXUmtnT1U5MDFzd0Va

However, if you don’t hit the refresh page, you will be stuck in a loop that will keep making you authenticate to level 4! The GET request above goes to the home page, but the refresh button takes you to /index.php.

GET /index.php HTTP/1.1
Host: natas4.natas.labs.overthewire.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic bmF0YXM0Olo5dGtSa1dtcHQ5UXI3WHJSNWpXUmtnT1U5MDFzd0Va
Connection: close
Referer: http://natas4.natas.labs.overthewire.org/
Upgrade-Insecure-Requests: 1

Change the Referer header to make it look like you’re visiting level 4 from level 5. After modifying the request, you will see a different webpage load with the credentials to level 5.

Access granted. The password for natas5 is [REDACTED]

level 5

Level 5 greets you with:

Access disallowed. You are not logged in

Intercepting this request shows one interesting field.

GET / HTTP/1.1
Host: natas5.natas.labs.overthewire.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic bmF0YXM1OmlYNklPZm1wTjdBWU9RR1B3dG4zZlhwYmFKVkpjSGZx
Connection: close
Cookie: loggedin=0
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=

The Cookie header shows the value loggedin=0, which means you aren’t logged in. Let’s change that. Changing the cookie value loads another web page with the credentials for level 6.

Access granted. The password for natas6 is [REDACTED]

level 6

Level 6 requires you to submit a secret key and a button to view the source code. Clicking the link will lead you to http://natas6.natas.labs.overthewire.org/index-source.html, which shows:

<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas6", "pass": "<censored>" };</script></head>
<body>
<h1>natas6</h1>
<div id="content">

<?
include "includes/secret.inc";

    if(array_key_exists("submit", $_POST)) {
        if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is <censored>";
    } else {
        print "Wrong secret";
    }
    }
?>

<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

Let’s take a closer look at the PHP code.

<?
include "includes/secret.inc";

    if(array_key_exists("submit", $_POST)) {
        if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is <censored>";
    } else {
        print "Wrong secret";
    }
    }
?>

I noticed this is in PHP because of the code inside <? ... ?>.

• include allows you to take the contents of another PHP file and use it within the PHP file in the include statement.
• array_key_exists will check if a key is in an array (think of a list of items)

What does this all mean? This level has has a PHP script that will check if the secret you input via a POST request matches the variable, $secret. If it does, it will print the password to the next level.

How does it compare our value to a variable? The include expression. We see an include expression being called at the start of the code, and it is probably calling the $secret value from another file to use in the code here to compare it to user input.

include "includes/secret.inc";

This looks like a file in the /includes directory, and it might have the secret key in it

Visiting http://natas6.natas.labs.overthewire.org/includes/secret.inc will load a blank page, but if you view the source code, it is loading the secret variable in PHP, which is why it won’t render normally

<?
$secret = "[REDACTED]";
?>

The secret! Let’s input that back into the prompt.

Access granted. The password for natas7 is [REDACTED]

To be continued…