Link: https://overthewire.org/wargames/natas/
In this challenge, I used Burp Suite Community Edition for intercepting and modifying the requests.
Level 0
We just need to access the website and login:
Username: natas0
Password: natas0
URL: http://natas0.natas.labs.overthewire.org
Level 0 → Level 1
After logging in, we view the Page Source, and the password was commented:
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-03-at-21.32.40.png?w=1024)
g9D9cREhslqBKtcA2uocGHPfMZVzeFK6
Level 1 → Level 2
Again, the password is in the Page Source:
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-03-at-21.35.11.png?w=1024)
h4ubbcXrWqsTo7GGnnUMLppXbOogfBZ7
Level 2 → Level 3
There is no password this time:
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-03-at-21.40.07.png?w=1024)
But there is a path, files/pixel.png. Then, we access this link:
http://natas2.natas.labs.overthewire.org/files/
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-03-at-21.42.02.png?w=1010)
We find an interesting file, users.txt. Reading it gives us the password:
http://natas2.natas.labs.overthewire.org/files/users.txt
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-03-at-21.42.30.png?w=634)
G6ctbMJ5Nb4cbFwhpMPSvxGHhQ7I6W8Q
Level 3 → Level 4
Access the link: http://natas3.natas.labs.overthewire.org/robots.txt
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-03-at-23.09.44.png?w=300)
And we found the secret:
http://natas3.natas.labs.overthewire.org/s3cr3t/
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-03-at-23.11.03.png?w=1006)
The password is inside users.txt.
tKOcJIbzM4lTs8hbCmzn5Zr4434fGZQm
Level 4 → Level 5
We have a message:
Access disallowed. You are visiting from "http://natas4.natas.labs.overthewire.org/" while authorized users should come only from "http://natas5.natas.labs.overthewire.org/"
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-03-at-23.15.53.png?w=1024)
In the request, we can see the Referer Header:
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-03-at-23.19.23.png?w=1024)
We need to change it to:
Referer: http://natas5.natas.labs.overthewire.org/
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-03-at-23.21.50.png?w=1024)
Z0NsrtIkJoKALBCLi5eqFfcRN82Au2oD
Level 5 → Level 6
There is a message in the webpage:
Access disallowed. You are not logged in
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-04-at-00.22.31.png?w=1024)
In the request, we can see:
Cookie: loggedin=0
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-04-at-00.24.07.png?w=1024)
So that Cookie is used to verify the login. Change the value to 1, and we are granted access.
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-04-at-00.29.22.png?w=1024)
fOIvE0MDtPTgRhqmmvvAOt2EfXR6uQgR
Level 6 → Level 7
In this level, we have a form.
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-04-at-00.27.49.png?w=1024)
View the source code:
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-04-at-00.30.16.png?w=1024)
The program checks whether we sent the correct secret, and the secret comes from includes/secret.inc.
We can access that file with:
http://natas6.natas.labs.overthewire.org/includes/secret.inc
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-04-at-00.32.09.png?w=518)
Then, we just need to submit the secret.
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-04-at-00.38.43.png?w=1024)
jmxSiH3SP6Sonf8dv66ng8v1cIEdjXWr
Level 7 → Level 8
We have 2 pages here.
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-04-at-00.49.19.png?w=1024)
With the link:
http://natas7.natas.labs.overthewire.org/index.php?page=home
So, to read the password, we just need to change the page parameter in the link to:
http://natas7.natas.labs.overthewire.org/index.php?page=../../../../etc/natas_webpass/natas8
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-04-at-00.51.10.png?w=1024)
a6bZCNYwdKqN5cGP11ZdtPg0iImQQhAB
Level 8 → Level 9
The secret is obfuscated this time (base64-encoded, reversed, then hex-encoded), and we have to undo those steps.
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-04-at-09.45.50.png?w=1024)
This is a simple python script that I used to do it.
```python
import base64

# The level applied base64, then reversed the string, then hex-encoded it.
# Undo the three steps in reverse order: hex -> reverse -> base64.
encoded = '3d3d516343746d4d6d6c315669563362'
print(base64.b64decode(bytes.fromhex(encoded)[::-1]).decode("utf-8"))
```
And we get the secret:
oubWYf2kBq
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-04-at-09.52.23.png?w=1024)
Sda6t0vkOPkM8YeOZkAGVhFoaplvlJFd
Level 9 → Level 10
We have a different website this time.
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-04-at-09.54.27.png?w=1024)
After submitting a string, we have:
http://natas9.natas.labs.overthewire.org/?needle=a&submit=Search
View the source code:
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-04-at-09.55.10.png?w=702)
This is a command injection vulnerability; we exploit it with:
& cat /etc/natas_webpass/natas10
The link becomes: http://natas9.natas.labs.overthewire.org/?needle=%26+cat+%2Fetc%2Fnatas_webpass%2Fnatas10&submit=Search
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-04-at-10.00.28.png?w=740)
D44EcsFkLxPIkAAKLosx8z3hxX1Z4MCE
Level 10 → Level 11
There is an input filter this time.
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-04-at-10.02.53.png?w=1024)
View the source code:
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-04-at-10.03.41.png?w=842)
To bypass the filter, we use:
a %0a cat /etc/natas_webpass/natas11
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-19.12.16.png?w=948)
1KFqoJXi6hRaPluAmk8ESDW4fSysRoIg
Level 11 → Level 12
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-19.17.31.png?w=1024)
View the source code:
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-19.18.23.png?w=1024)
From the code, we can see that the original Cookie is:
{"showpassword":"no","bgcolor":"#ffffff"}
It was then XORed with a key and Base64-encoded, giving the Cookie below (note that %3D is =):
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-20.41.59.png?w=926)
MGw7JCQ5OC04PT8jOSpqdmkgJ25nbCorKCEkIzlscm5oKC4qLSgpbjY=
To find the XOR key, we decode the Cookie and XOR it with the original Cookie (the JSON above), since ciphertext XOR plaintext gives back the key.
We can use CyberChef to solve this challenge.
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-20.35.57.png?w=1024)
We found the key, which is KNHL.
After that, we need a Cookie that contains "showpassword":"yes", so that the website will display the password.
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-20.38.52.png?w=874)
Use CyberChef again to create a new Cookie.
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-20.39.52.png?w=1024)
Send this Cookie to the server:
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-20.42.41.png?w=994)
We now have the password.
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-20.43.25.png?w=1024)
YWqo0pjpcXzSIl5NMAVxg12QxeC1w9QG
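As an added example (not the post's own code), here is the key recovery that the CyberChef step performs, followed by the integrity check a server should use instead. The cookie and JSON are the values from this level; the majority vote per key position still recovers KNHL even though one byte of the cookie above does not follow the repeating pattern, and the HMAC secret is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json
from collections import Counter
from itertools import cycle

# Taken from this level: the cookie the server set and the JSON it was built from.
COOKIE_B64 = "MGw7JCQ5OC04PT8jOSpqdmkgJ25nbCorKCEkIzlscm5oKC4qLSgpbjY="
KNOWN_PLAINTEXT = '{"showpassword":"no","bgcolor":"#ffffff"}'


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the operation the level's PHP applies."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_key(cookie_b64: str, plaintext: str, max_len: int = 8) -> str:
    """Known plaintext: ciphertext XOR plaintext is the key stream. For each
    candidate length, vote on the most common byte at every key position and
    accept the shortest key that reproduces at least 90% of the stream."""
    stream = xor_bytes(base64.b64decode(cookie_b64), plaintext.encode())
    for n in range(1, max_len + 1):
        key = bytes(Counter(stream[i::n]).most_common(1)[0][0] for i in range(n))
        agree = sum(s == k for s, k in zip(stream, cycle(key)))
        if agree >= 0.9 * len(stream):
            return key.decode()
    raise ValueError("no short repeating key found")


def encode_cookie(obj: dict, key: str) -> str:
    """Build a cookie the way the level does: JSON -> XOR -> base64.
    Anyone holding the key can produce a valid cookie for any JSON."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.b64encode(xor_bytes(raw, key.encode())).decode()


# Mitigation: XOR with a short static key gives no integrity. A keyed MAC over
# the encoded value lets the server reject any cookie it did not issue.
def sign_cookie(obj: dict, secret: bytes) -> str:
    body = base64.b64encode(json.dumps(obj, separators=(",", ":")).encode()).decode()
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_cookie(cookie: str, secret: bytes):
    """Return the decoded JSON only if the tag is valid, otherwise None."""
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.b64decode(body))
```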
Level 12 → Level 13
We have an upload function in this level.
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-20.47.00.png?w=1024)
View the source code:
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-20.47.52.png?w=1024)
This website uses PHP, so we think about uploading a web shell. The web shell that I used is easy-simple-php-webshell.php.
After uploading the file to the server, we get:
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-21.18.59.png?w=1024)
The extension has been changed, because a hidden input fixes the extension to .jpg.
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-21.20.34.png?w=1024)
Hence, we will modify the request to keep the extension .php.
The original request:
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-21.22.38.png?w=918)
After being modified:
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-21.23.24.png?w=988)
And we have:
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-21.24.21.png?w=712)
Access the web shell at:
http://natas12.natas.labs.overthewire.org/upload/8xftm7ehcj.php
Then run the command:
cat /etc/natas_webpass/natas13
We found the password.
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-21.25.41.png?w=1024)
lW3jYRI02ZKDBb8VtQBU1f6eDRo6WEj9
Level 13 → Level 14
Another upload function:
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-21.29.42.png?w=1024)
Viewing the source code, we see that the file is checked this time to ensure it is a JPG file.
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-21.36.37.png?w=1024)
This function only checks the signature (magic bytes) of the file, which we can look up in a file signature table. For JPG it is: FF D8 FF E0
We use the same web shell as in the previous level, but we will use HexEd.it to edit the first 4 bytes of the web shell.
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-21.40.14.png?w=1024)
Download the new file, and upload it to the server. Remember to modify the request to keep the extension .php like we did.
Then, we do the same as in level 12.
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-21.42.03.png?w=1024)
qPazSJBmrmU7UQJv17MHk1PGC4DxZMEP
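The check in this level compares only the first four bytes. As an added example (not the level's code), here is that check beside a stricter structural check and a server-side naming rule, run on two constructed inputs: a structurally minimal JPEG and a non-image whose first four bytes were patched. The segment walker is a mitigation sketch, not a JPEG decoder.

```python
import os

JPEG_SIGNATURE = b"\xff\xd8\xff\xe0"  # the four bytes the level's check looks for

# Constructed samples: a minimal JPEG skeleton (SOI, APP0, SOS, EOI) and a
# non-image whose leading bytes were overwritten with the signature.
SAMPLE_JPEG = (
    b"\xff\xd8"                                                     # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0, 16 bytes
    b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                      # SOS, 8 bytes
    b"\x12\x34"                                                     # scan data
    b"\xff\xd9"                                                     # EOI
)
PATCHED_NON_IMAGE = JPEG_SIGNATURE + b"<html>not an image at all</html>"


def signature_only_check(data: bytes) -> bool:
    """What the level does: compare the leading bytes and nothing else."""
    return data[:4] == JPEG_SIGNATURE


def jpeg_structure_check(data: bytes) -> bool:
    """Walk the marker segments instead of trusting four bytes: each segment
    after SOI must start with 0xFF and carry a plausible length, and the file
    must end with EOI. A patched prefix fails because what follows it is not
    a segment."""
    if data[:2] != b"\xff\xd8":
        return False
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI must be the last thing
            return pos + 2 == len(data)
        if pos + 4 > len(data):
            return False
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(data):
            return False
        if marker == 0xDA:                       # SOS: scan data runs to EOI
            return data.endswith(b"\xff\xd9")
        pos += 2 + length
    return False


def stored_name(data: bytes):
    """Choose the stored filename server-side: random name, extension fixed by
    the content check, never taken from the client's form field."""
    if not jpeg_structure_check(data):
        return None
    return os.urandom(5).hex() + ".jpg"
```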
Level 14 → Level 15
We have a login form this time.
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-21.44.43.png?w=1024)
View the source code:
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-21.45.32.png?w=1024)
This is just a simple SQL injection vulnerability. We use the payload (note that there is a space after --):
natas15"--
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-21.47.38.png?w=1024)
TTkaI7AWG4iDERztBcEyKV7kRXH1EZRB
Level 15 → Level 16
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-21.50.05.png?w=1024)
View the source code:
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-21.50.27.png?w=1024)
If we enter "natas16", we get:
This user exists.
For a random string, we get:
This user doesn't exist.
The code only reports whether the user exists or not, so this is a blind SQL injection vulnerability.
We will use sqlmap for this level.
First, save the request to a text file.
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-22.55.25.png?w=926)
And use sqlmap:
python sqlmap.py -r request.txt --prefix='natas16" '
The SQL injection vulnerability is confirmed.
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-22.57.00.png?w=1024)
We can dump all the data in the table 'users' with:
python sqlmap.py -r request.txt --prefix='natas16" ' --dbms=mysql --batch --dump -T users
![](https://niekdang.wordpress.com/wp-content/uploads/2022/11/screenshot-2022-11-20-at-23.13.46.png?w=674)
TRD7iZrd5gATjj9PkPEuaOlfEjHqj32V