OverTheWire — Natas
Natas is OverTheWire’s second Wargame, and is a basic introduction to server-side web security. Navigate to each level via the URL and locate the password to progress.
Follow the tutorial below, where I also attempt to explain the solutions.
Connection
URL: http://natasX.natas.labs.overthewire.org
Navigate to each level in a browser, and authenticate using the password obtained from the previous level.
All passwords are either somewhere on the page or also stored in /etc/natas_webpass/
Level 0
Connect to natas0 to complete the level.
Username: natas0
Password: natas0
When navigating to natas0, we are informed that the password is somewhere on the page.
It’s not immediately obvious; however, inspecting the page source (ctrl+u) shows the HTML of the page, where we see the password for natas1 as a comment.
The password for Natas1 is gtVrDuiDfck831PqWsLEZy5gyDz1clto
Natas Level 0 → Level 1
When navigating to natas1, we are informed that the password is somewhere on the page; however, right-clicking is blocked.
Again, inspecting the page source (ctrl+u) shows the HTML of the page, where we see the password for natas2 as a comment. Potentially, when solving the previous level, we were supposed to have done so with right-click…
The password for natas2 is ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi
Natas Level 1 → Level 2
When navigating to natas2, we are informed that there is nothing on this page.
Using the same trick as the previous two, inspecting the page source doesn’t show us a password in the HTML, but does indicate that there is a file, /files/pixel.png.
Navigating to, and exploring, http://natas2.natas.labs.overthewire.org/files/pixel.png doesn’t yield any results, but the fact that it is within a /files/ directory might be useful.
Within /files/ we see two files: one is the pixel.png found earlier, but the other, users.txt, appears to hold a set of usernames and passwords — one of which is for natas3!
The password for natas3 is sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
Natas Level 2 → Level 3
When navigating to natas3, we are again informed that there is nothing on this page.
Once again checking out the page source, we see a comment <!-- No more information leaks!! Not even Google will find it this time... -->
This suggests that there is a page which Google doesn’t locate.
A robots.txt file tells search engine crawlers (like Google) which pages or files the crawler can or can’t request from a site, so checking this might give us some information.
Sure enough, there is a page which is disallowed from showing up on Google — /s3cr3t/. Navigating here shows us a /users.txt file, which has the password.
The password for natas4 is Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ
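The three leaks used in levels 0 to 3 (secrets in HTML comments, a resource path that reveals a browsable directory, and a robots.txt entry that advertises a hidden path) can be checked for on your own pages before they ship. The following is an added example, not part of the original walkthrough; the sample page and robots.txt are constructed stand-ins, and the names LeakScanner, scan_html and robots_disallowed are hypothetical.

```python
from html.parser import HTMLParser
from posixpath import dirname

class LeakScanner(HTMLParser):
    """Collects HTML comments and the directories of locally referenced resources."""
    def __init__(self):
        super().__init__()
        self.comments, self.dirs = [], set()

    def handle_comment(self, data):
        # Everything in a comment is delivered to every visitor (levels 0, 1 and 3).
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        # A relative src/href exposes its parent directory (level 2: files/pixel.png).
        for name, value in attrs:
            if name in ("src", "href") and value and "://" not in value:
                parent = dirname(value.lstrip("/"))
                if parent:
                    self.dirs.add("/" + parent + "/")

def scan_html(html):
    """Return (comments, directories) found in one HTML document."""
    scanner = LeakScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.comments, sorted(scanner.dirs)

def robots_disallowed(robots_txt):
    """Return the paths a robots.txt publicly advertises via Disallow (level 3)."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()   # drop robots.txt comments
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths

# Constructed samples modelled on the pages described above (not real captures).
SAMPLE_HTML = """<html><body>
<!-- The password for the next level is PLACEHOLDER -->
<img src="files/pixel.png">
<a href="http://example.com/about">about</a>
</body></html>"""
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /s3cr3t/\n"

if __name__ == "__main__":
    comments, dirs = scan_html(SAMPLE_HTML)
    print("comments shipped to clients:", comments)
    print("directories to check for listing:", dirs)
    print("paths advertised by robots.txt:", robots_disallowed(SAMPLE_ROBOTS))
```

Each reported directory should return 403 or 404 rather than an index, and anything listed under Disallow needs real access control, since robots.txt itself is world-readable.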