Sat. Oct 24th, 2020

Pentesting Fun Stuff

following the cyber security path…

Natas

Introduction

Natas teaches the basics of serverside web-security.
Each level of natas consists of its own website located at http://natasX.natas.labs.overthewire.org, where X is the level number. There is no SSH login. To access a level, enter the username for that level (e.g. natas0 for level 0) and its password.
Each level has access to the password of the next level. Your job is to somehow obtain that next password and level up. All passwords are also stored in /etc/natas_webpass/. E.g. the password for natas5 is stored in the file /etc/natas_webpass/natas5 and only readable by natas4 and natas5.

Start here:

Username: natas0
Password: natas0
URL: http://natas0.natas.labs.overthewire.org

Location

http://overthewire.org/wargames/natas/

Natas 0

hint: ‘You can find the password for the next level on this page.’
In the source code of the page is the password for the next level.

Natas 1

hint: ‘You can find the password for the next level on this page, but rightclicking has been blocked!’
In the source code of the page is the password for the next level.

Natas 2

hint: ‘There is nothing on this page’
In the source code of the page a 1×1 PNG image can be found. Opening the image in a browser and then moving one directory level up in its path lists the contents of that directory, including the file below.
http://natas2.natas.labs.overthewire.org/files/users.txt

Natas 3

hint: ‘There is nothing on this page’
The source code of the page contains a comment that points to robots.txt, which lists the hidden directory holding the next password.

http://natas3.natas.labs.overthewire.org/s3cr3t/users.txt

Natas 4

hint: ‘Access disallowed. You are visiting from “” while authorized users should come only from “http://natas5.natas.labs.overthewire.org/”’
The key here is the Referer header. There are browser add-ons and proxies that can capture the HTTP request and alter it before it is sent. I use Burp Suite to change the Referer from ‘natas4’ to ‘natas5’ and forward the request. This gives me the password for the next level.

Natas 5

hint: ‘Access disallowed. You are not logged in’
In the cookie, there is a ‘loggedin’ which is 0 at the moment. After changing it to 1, I get the password for the next level.

Natas 6

There is a ‘secret’ value required to pass the test. To know the secret I need to view the source code.

So there is a folder with the secret in it. After browsing to that folder and checking the source code, I get the secret. After submitting the secret, I get the password for the next level.

Natas 7

In the source there is a hint.

When I look at the parameter ‘?page=’ and I replace ‘home’ with the folder from the hint, I get the password for the next level.

Natas 8

There is a ‘secret’ value to be found. On the page is a link to the source code of the secret.

It looks like the ‘secret’ string is encoded. Viewing the code shows that the string was first base64-encoded, then reversed, and finally hex-encoded. To view the ‘secret’ in plain text I simply need to apply the three steps in reverse order.

When I submit the ‘secret’ string I get the password for the next level.

Natas 9

On this page there is a search form and a link to the source code of the search form.

The user input is passed to grep, which matches it against the contents of the ‘dictionary.txt’ file, and the output is rendered on the page. Because there is no input validation I can make grep read other files as well.
Because I know that all the passwords are stored in /etc/natas_webpass/, I can grep the correct file and get the password for the next level.

Natas 10

Same thing, only now with a filter. The source code shows that the filter blocks the characters ‘;’ and ‘&’. The same command as before still works with a small adjustment (11 instead of 10), and I get the password for the next level.

Natas 11

An input field to adjust the background color and a link to the source code.

So the code takes ‘data’ and first JSON-encodes it, then XOR-encodes it with a key and finally base64-encodes it. The result is stored in the cookie, and the same chain in reverse is used to read it back. ‘Data’ has two values: bgcolor and showpassword. If ‘showpassword=yes’ then I get the password. So to get the key, I need to alter the cookie, which is XOR-encoded.
Luckily XOR is easily reversed if you have two of the three values (plain text, key, cipher text). In this case I have the encrypted text (the cookie) and the plain text (the default JSON).
For this I take the code from the site and alter it a little bit.

When I run it in the terminal I get the key.

Now to test if it’s really the key.

That looks like my cookie. Now to alter ‘showpassword=no’ to ‘showpassword=yes’ and run it again.

Now to change my cookie in the browser and refresh the page.
And the password is presented: EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3
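The key recovery described above, written out as an added Python example; this is not the site's code or the script from this post. The key, the default JSON values and the cookie are constructed here for illustration (the real level's key is not used), and an HMAC-signed variant is included to show how a server would reject the forged cookie.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example: the key is invented and is not the level's real key.
SAMPLE_KEY = b"k3y!"
DEFAULT_DATA = {"showpassword": "no", "bgcolor": "#ffffff"}

def php_json(data: dict) -> bytes:
    # PHP's json_encode emits no whitespace; the known plaintext must match it byte for byte.
    return json.dumps(data, separators=(",", ":")).encode()

def xor_bytes(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR: the same function encrypts and decrypts.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def make_cookie(data: dict, key: bytes = SAMPLE_KEY) -> str:
    # Server side, in the order the level's source describes: JSON, then XOR, then base64.
    return base64.b64encode(xor_bytes(php_json(data), key)).decode()

def recover_key(cookie: str, known_data: dict = DEFAULT_DATA) -> bytes:
    # Known plaintext: ciphertext XOR plaintext yields the key stream, and the key
    # is its shortest repeating period.
    stream = xor_bytes(base64.b64decode(cookie), php_json(known_data))
    for period in range(1, len(stream) + 1):
        candidate = stream[:period]
        if all(stream[i] == candidate[i % period] for i in range(len(stream))):
            return candidate
    return stream

def forge_cookie(cookie: str, new_data: dict, known_data: dict = DEFAULT_DATA) -> str:
    # Re-encode altered data under the recovered key; the server cannot tell it apart.
    return make_cookie(new_data, recover_key(cookie, known_data))

def make_signed_cookie(data: dict, mac_key: bytes) -> str:
    # Mitigation: authenticate the payload with an HMAC, so any edit is rejected on read.
    payload = base64.b64encode(php_json(data)).decode()
    tag = hmac.new(mac_key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"

def verify_signed_cookie(cookie: str, mac_key: bytes):
    # Returns the data only when the tag matches; None means the cookie was tampered with.
    payload, _, tag = cookie.rpartition(".")
    expected = hmac.new(mac_key, payload.encode(), hashlib.sha256).hexdigest()
    return json.loads(base64.b64decode(payload)) if hmac.compare_digest(expected, tag) else None
```

The unsigned scheme fails because the default cookie is a known plaintext; the signed variant ties the payload to a server-only MAC key, so changing any byte invalidates it.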
To be continued…
