The level is really simple, the prompt say that you can find the password on this page. If you right click to view the page source you can find the password there. This can also be achieved through pressing Ctrl+U, handy shortcut.
One can also go full hackerman and do inspect elment to view the source in order to retrive the password.
This level is similar to natas level 0, in this the makes have disabled the right click fucntionality. ### Intended Solution 1. The intended solution is to use shortcut Ctrl+U or use developer’s tools with shortcut Ctrl+Shift+i to view the source. 1. You could also use the python script similar to one used in first challange.
But Due to poor of the implementation the disable right click feature only works if you right click inside the white box. One can Right-Click anywhere outside the white box to view the page source.
The prompt on the page says
There is nothing on this page
On viewing the source of the page you see there is a image inlcuded in the source as files/pixel.png
lets examine the files folder in the source. To open the folder we append the url as:-
http://natas2.natas.labs.overthewire.org/files/
Nice! we see the user.txt, opening which gives us the password for the level 3
Inside the page source you will find a comment that will say:
<!-- No more information leaks!! Not even Google will find it this time... -->
Since it hinted towards not even google finding it, so i thought about robots.txt file that is used to keep search engines out.
Thus going to http://natas3.natas.labs.overthewire.org/robots.txt shows us a disallowed entry.
User-agent: *
Disallow: /s3cr3t/Going to that directory gives us our password for the next challenge.
The prompt here says *Access disallowed. You are visiting from
while authorized users should come only from
"http://natas5.natas.labs.overthewire.org/"*This means all we have to do in order to gain access is add a header to the request. It can be achieved by capturing the request with burpe and editing the header or we can use the python script.
So capture the request in BurpSuite and edit the Referer header in the proxy tab and send the request.
I have written a python script for it. You can take a look it here
We get a prompt that says Access disallowed. You are not logged in, to further investigate we could either user burpe to intercept the request and analyze it but we are using python for all the solutions so we inspect element to see the sent out requests and then a write suitable python requests. 1. Press Ctrl+Shift+i to open developer tools and click on Networking tab and then click on ALL (exactly below the network tab) to see all the requests. 1. Click on the request to select the GET request and then on right side click on headers tab. 1. On analyzing the headers we see a weird set-cookie loggedin=0, the set-cookie is the header in the response tag saying to set the cookie to this so the server could identify us as not logged in. 1. But we are hackerman :P we will do somewhat opposite of that, we will add that cookie but set it value to 1 or any other number other than zero
I have written a python script for it .
The Page has a Input secret field, we see the source code for the form enumerations,
<?
include "includes/secret.inc";
if(array_key_exists("submit", $_POST)) {
if($secret == $_POST['secret']) {
print "Access granted. The password for natas7 is <censored>";
} else {
print "Wrong secret";
}
}
?>It takes the value of variable secret via a POST request i.e *$_POST[‘secret’])* and prints the password for the next level if it matches the variale $secret.
So we go to include/secret.inc to see what is the value of variable $secret. When we open the http://natas6.natas.labs.overthewire.org/includes/secret.inc page we see blank page, so we press Ctrl+U to view the page source and we see the value of $secret i.e FOEIUWGHFEEUHOFUOIU.
So we enter the value and get the password for the next level.
When you see the webpage there nothinh on the page except Home and About, on click them them nothing happens, but if you see it carefully you observe that the url changes a bit. ### URL A Uniform Resource Locator, colloquially termed a web address, is a reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it.*
.
Arguments can be passed to the webpage with the help of ? parameter. Here in the challenge we see that the url http://natas7.natas.labs.overthewire.org/index.php?page=home is showing whatever the is being passed as t argument to the page parameter to the url. If not implemented properly this is know as LFI (Local File Inclucsion) vulnerability.
So we give it a go and try to print the contents of /etc/passwd to confirm the vlun. we edit the url to be, http://natas7.natas.labs.overthewire.org/index.php?page=/etc/passwd.
we get the contents of the /etc/passwd, it is vlunerable LFI. On examining the source we see that the password is stored in the path /etc/natas_webpass/nata8, thus we append the url and get our passwd,
http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8In this level similar to previous level we get to enter a password which will be checked by the server and on the basis of which it will permit the entry. When we view the source code we get:
<?
$encodedSecret = "3d3d516343746d4d6d6c315669563362";
function encodeSecret($secret) {
return bin2hex(strrev(base64_encode($secret)));
}
if(array_key_exists("submit", $_POST)) {
if(encodeSecret($_POST['secret']) == $encodedSecret) {
print "Access granted. The password for natas9 is <censored>";
} else {
print "Wrong secret";
}
}
?>The php code takes the user submitted string encode it, and if it matches the *$enocdedSecret* , we will get the password for next level. So lets decode the **\$enocdedSecret**, we will do exactly the reverse of ``` bin2hex(strrev(base64_encode($secret)))
I'll will use php to decode it in order to solve this. we will be doing exact reverse of the mentioned function in php
## Natas 9
The natas9 level starts with a prompt saying *Find words containing:* on examing the source code:<? $key = "";
if(array_key_exists(“needle”, $_REQUEST)) { $key = $_REQUEST[“needle”]; }
if($key != "“) { passthru(”grep -i $key dictionary.txt"); } ?>
we see that its basically doing a grep command in bash to get all the words from a file called *dictionary.txt*.
All we have to do is make it print contents of */etc/natas_webpass/natas10* to get to next level. we can use some regular expressions to solve it. I used the following command to solve it:“^” /etc/natas_webpass/natas10 #
Here we are injecting user controlled variable and essentially making the resulting command to be:grep -i “^” /etc/natas_webpass/natas10 #dictionary.txt
1. \# -> this in bash in is comment
1. ^ -> this is regex and meaning any word or string that starts, essentially meaning all the words or strings.
I have written a python script to do the essentially the same. You can find it [here](https://github.com/not-duckie/natas_solutions/blob/master/natas9/natas9.py)
## Natas10
Natas level 10 starts similar to the previous level, it prompts us with **Find words containing:** but we notice a new statement here **For security reasons, we now filter on certain characters**, lets view the source code:<? $key = "";
if(array_key_exists(“needle”, $_REQUEST)) { $key = $_REQUEST[“needle”]; }
if($key != "") { if(preg_match('/[;|&]/',$key)) { print “Input contains an illegal character!”; } else { passthru(“grep -i $key dictionary.txt”); } } ?>
Now a new filter has been added, but the character we used in previous challenges are not being filter, so lets us try the same injection.
“^” /etc/natas_webpass/natas10 # ```
we get the password, i guess there was a simpler solution of the previous challenge that we did’nt see.