Wednesday, July 16, 2014

[WALKTHROUGH] OverTheWire - Natas0 - Natas 10

Natas is another wargame hosted by OverTheWire, focused solely on server-side web security... You can head over and give this wargame a try, which I strongly recommend to beginners, especially those interested in web security... The wargame is hosted all day, all year round, so there are no time limits and it is entirely self-paced...

Natas has 27 levels altogether at the time of writing this write-up... The difficulty increases as you go through, and it is definitely challenging enough for an amateur like me... Each Natas level lives at its own URL, and there is no SSH login like the previous wargame posted here...

To access a specific level, enter that level's URL and input the username and password... As usual, you can only access the next level after you capture the flag at the current level... Please take note that the passwords are stored in /etc/natas_webpass/natasX, where X is the current level number...

Let's start from the beginning, Natas0:
URL: http://natas0.natas.labs.overthewire.org
Username: natas0
Password: natas0


A very big hint is given on the starter page: "You can find the password for the next level on THIS page"... As is my usual practice, the first thing I do is check the page source...


The password for the next level is shown plainly in the page source...


Reaching level 1, I am warned that right-clicking has been blocked... so what should I do? Simply disabling JavaScript in the browser will do...


Same trick as the previous level: view the page source... the password for the next level is plainly visible...


Level 2 tells me that there is nothing on this page... but that doesn't stop me from viewing the page source again...


I noticed the pixel.png file is referenced at "files/pixel.png"... So this web server has a directory named "files"...


In the "files" directory (directory listing is enabled), I can see the "pixel.png" file together with a "users.txt" text file... That looks interesting to me...


Opening the "users.txt" text file reveals the password for the next level...


Reaching level 3, I am told the same thing as the previous level... Well, who cares, I am going to look into the page source anyhow...


This time I no longer see any directory referenced in the page source, and I am told there is no more information here, not even Google can help me on this... If Google cannot tell me, Google doesn't know, and that leads me to "robots.txt", the file in which a site lists the paths that search-engine crawlers should not crawl... (it is advisory only: it keeps a path out of well-behaved crawlers, not away from a visitor who reads the file)...


"robots.txt" tells me there is one sub-directory named "s3cr3t", which is l33t speak for the word "secret"... Obviously, the credential can be found this way...


It has the same "users.txt" text file as the previous level...


Checking the file reveals the password for the next level...


Natas4 tells me that access is disallowed, as authorised users should come only from Natas5's URL... So I fire up Burp Suite to better understand what is running behind the scenes...


In Burp Suite, I can see the Referer is Natas4's URL, which is presumably what is disallowed and not authorised on this page... Hence, I change natas4 to natas5 in the Referer...


Forward the request...


And I am presented with the password for the next level...


Natas5 basically tells me the same thing, that I am not allowed to access this page... so, no doubt, I check with Burp Suite again...


I found one parameter in the Cookie header named "loggedin" with the value "0"... Changing the value from "0" to "1" should log me in this time...


And I was correct... the password for the next level is shown on the page...
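Natas4 and Natas5 make the same point from two directions: the Referer header and a cookie are both sent by the client, so a check that trusts either one decides nothing. The script below is an added example, not code from the Natas levels; it models requests as plain arrays so it runs from the PHP CLI without a web server, reuses the hostname and the "loggedin" cookie name from the walkthrough, and contrasts both client-controlled checks with a server-side session lookup (the session store and ids are constructed for the demo).

```php
<?php
// Added example (not the Natas source). Three authorisation checks: the two
// client-controlled ones met in Natas4 and Natas5, and a server-side one.

// Natas4-style: authorisation decided by the Referer header. The client
// sends that header and can set it to any value it likes.
function authorizedByReferer(array $server): bool
{
    $referer = $server['HTTP_REFERER'] ?? '';
    return strpos($referer, 'http://natas5.natas.labs.overthewire.org/') === 0;
}

// Natas5-style: authorisation decided by a cookie flag that the client
// stores and can rewrite before sending.
function authorizedByCookie(array $cookie): bool
{
    return ($cookie['loggedin'] ?? '0') === '1';
}

// Hardened: login state is kept server-side and looked up by an opaque,
// randomly generated session id. The client only ever holds the id, never
// the "authenticated" flag, so editing headers or cookies cannot flip it.
function login(array &$sessionStore, string $user): string
{
    $id = bin2hex(random_bytes(16));
    $sessionStore[$id] = ['user' => $user, 'authenticated' => true];
    return $id;
}

function authorizedBySession(string $sessionId, array $sessionStore): bool
{
    return isset($sessionStore[$sessionId])
        && ($sessionStore[$sessionId]['authenticated'] ?? false) === true;
}

// Constructed request: Referer and cookie set by hand, plus a session id the
// server never issued.
$forged = [
    'server' => ['HTTP_REFERER' => 'http://natas5.natas.labs.overthewire.org/'],
    'cookie' => ['loggedin' => '1', 'PHPSESSID' => 'not-a-server-issued-id'],
];

// Only sessions created by login() exist in the server-side store.
$sessionStore = [];
$realId = login($sessionStore, 'natas5');

printf("Referer check (forged)  : %s\n", authorizedByReferer($forged['server']) ? 'granted' : 'denied');
printf("Cookie check  (forged)  : %s\n", authorizedByCookie($forged['cookie']) ? 'granted' : 'denied');
printf("Session check (forged)  : %s\n", authorizedBySession($forged['cookie']['PHPSESSID'], $sessionStore) ? 'granted' : 'denied');
printf("Session check (real id) : %s\n", authorizedBySession($realId, $sessionStore) ? 'granted' : 'denied');
```

Run with `php demo.php`: the forged request passes the Referer and cookie checks and fails the session check, while the id returned by `login()` passes. In a real application the store would be PHP's session handler or a database keyed by the session id; the property that matters is that the flag never leaves the server.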


This time, Natas6 asks me to input a secret keyword... but wait! There is a "View sourcecode" link, which might give me a better idea...


The source code tells me that the page includes a file at "includes/secret.inc"... I tried navigating to that link, which gave me a blank page... out of curiosity, I right-clicked on the page and viewed the page source...


The secret keyword is given... back to the first page to input the secret keyword...


As expected, the password for the next level is shown after I input the secret keyword...


Coming to Natas7, I only see two links, "Home" and "About"... so I check the page source again...


This looks like a directory traversal vulnerability to me... The comment in the source code even tells me where the password is located...


By navigating to the password's location, the page returns the password for Natas8...
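The Natas7 page hands whatever file name arrives in its query parameter to an include, which is why a relative path walks out of the web root. The script below is an added example, not the level's source: `resolvePageVulnerable()` mirrors that pattern, and `resolvePageSafe()` restricts the parameter to an allowlist of known pages and then confirms the resolved path is still below the pages directory. It creates a temporary pages directory so it runs stand-alone; the function names, the allowlist and the sample inputs are all constructed for the demo.

```php
<?php
// Added example (not the Natas7 source). Contrast an unrestricted include
// path with an allowlist plus a containment check on the real path.

$pagesDir = sys_get_temp_dir() . '/natas7_demo_' . bin2hex(random_bytes(4));
mkdir($pagesDir);
file_put_contents("$pagesDir/home.php", "<p>Home</p>\n");
file_put_contents("$pagesDir/about.php", "<p>About</p>\n");

// Vulnerable: the path is built from user input with no restriction, so a
// value containing "../" escapes the pages directory.
function resolvePageVulnerable(string $pagesDir, string $page): string
{
    return "$pagesDir/$page";
}

// Hardened: map the request to a fixed set of known pages, then confirm the
// canonical path is still inside the pages directory before including it.
function resolvePageSafe(string $pagesDir, string $page): ?string
{
    $allowed = ['home' => 'home.php', 'about' => 'about.php'];
    if (!isset($allowed[$page])) {
        return null;                       // unknown page: reject, do not guess
    }
    $real = realpath("$pagesDir/{$allowed[$page]}");
    $base = realpath($pagesDir);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // resolved outside the pages directory
    }
    return $real;
}

// Constructed inputs: two legitimate page names and one traversal attempt.
foreach (['home', 'about', '../../../../etc/passwd'] as $requested) {
    $v = realpath(resolvePageVulnerable($pagesDir, $requested));
    $s = resolvePageSafe($pagesDir, $requested);
    printf("%-24s vulnerable -> %s\n", $requested, $v === false ? 'no such file' : "would include $v");
    printf("%-24s safe       -> %s\n", $requested, $s ?? 'rejected');
}

// Clean up the temporary pages directory.
array_map('unlink', glob("$pagesDir/*"));
rmdir($pagesDir);
```

The allowlist is what does the work; the `realpath` containment check is a second line of defence for the case where the allowlist values are themselves loaded from configuration and could be mistyped.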


Natas8 has exactly the same design and layout as Natas6, which confused me for a moment into thinking I had gone to the wrong level... Thankfully, the page clearly shows that I am at level 8 with the words "NATAS8" in the top left corner...

So I went and viewed the source code again through the provided link...


The PHP code compares the encoded form of the input secret keyword with a stored encoded secret, and the page returns the password for natas9 if they match... so I wrote a PHP script to reverse its encoding process...



Got the reversed secret code and input it into the form...


As expected, the page returns the password for the next level...
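The lesson of Natas8 is that an encoding visible in the source is not a secret: if every step has an inverse, anyone who reads the code can run the steps backwards. The walkthrough does not reproduce the level's encoding function, so the script below (an added example, not the Natas8 source) uses an assumed stand-in built from reversible primitives (hex, string reversal, base64) to show the round trip, and beside it the check a defender would use instead: a salted password hash verified with `password_verify()`, which cannot be reversed from the stored value. The secret is a constructed sample.

```php
<?php
// Added example (not the Natas8 source). encodeSecret() is an assumed
// reversible transform standing in for the level's own; the point is that
// any such transform is undone by decodeSecret(), whereas a password hash
// cannot be inverted from what is stored.

function encodeSecret(string $secret): string
{
    return base64_encode(strrev(bin2hex($secret)));   // assumed transform
}

// Each step has an inverse; apply them in reverse order.
function decodeSecret(string $encoded): string
{
    $hex = strrev(base64_decode($encoded, true));
    return hex2bin($hex);
}

// Weak check: a reversible encoding compared for equality. The stored value
// is as good as the plaintext to anyone who can read the source.
function checkSecretEncoded(string $input, string $storedEncoded): bool
{
    return encodeSecret($input) === $storedEncoded;
}

// Hardened check: store password_hash() output (bcrypt with a random salt)
// and verify with password_verify(), which compares in constant time.
function checkSecretHashed(string $input, string $storedHash): bool
{
    return password_verify($input, $storedHash);
}

$secret        = 'constructed-secret';          // sample value, not the level's
$storedEncoded = encodeSecret($secret);
$storedHash    = password_hash($secret, PASSWORD_DEFAULT);

printf("encoded form in source : %s\n", $storedEncoded);
printf("recovered from it      : %s\n", decodeSecret($storedEncoded));
printf("hash stored instead    : %s\n", $storedHash);
printf("encoded check, correct : %s\n", var_export(checkSecretEncoded($secret, $storedEncoded), true));
printf("hashed check, correct  : %s\n", var_export(checkSecretHashed($secret, $storedHash), true));
printf("hashed check, wrong    : %s\n", var_export(checkSecretHashed('guess', $storedHash), true));
```

The hash line differs on every run because of the random salt, and there is no `decodeHash()` to write: the only way past `checkSecretHashed()` is to know the secret.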


Natas9 is like a keyword search engine that asks us to input a "word" to be searched... but I shall not rush, and I take a look at the "magic" behind it instead...


So the page runs a `grep` command on dictionary.txt with the submitted keyword... but the input is not sanitised, so we can just end the command with ';' and display the content of "/etc/natas_webpass/natas9" using the `cat` command... not forgetting to comment out the rest of the command, as I only care about the password for the next level...




The password for the next level is `cat`-ed out and shown on the page itself...


Reaching level 10, I am told that security has been tightened compared to level 9 and that certain characters are filtered... For a clearer picture, I decided to view the source code again...


This time the input is sanitised by filtering characters... I can no longer input a semicolon, pipe or ampersand... but it does not filter the "*" asterisk, which is good enough for me to display the content of the password file... I use the same pattern as the previous level, but with the regex ".*" to match everything instead of the ";" that ended the command beforehand...



And this is how I found the password for the next level...
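Natas9 and Natas10 together show why a blocklist of shell metacharacters is not a fix for command injection: the shell can no longer be terminated, but grep still receives whatever arguments the keyword contains, and a pattern followed by another file name is still a valid grep invocation. The script below is an added example, not the Natas source; it builds the command line three ways (raw interpolation as in level 9, the level-10 style blocklist, and a hardened form using `escapeshellarg` and `--`), and finishes with an in-process search that needs no shell at all. Nothing in it executes a command; the dictionary and inputs are constructed, and the file path reuses the `natasX` placeholder from the walkthrough.

```php
<?php
// Added example (not the Natas source). Three ways of building the grep
// command line, plus a search that avoids the shell entirely.

// Level-9 style: raw interpolation. Any shell metacharacter in $key changes
// the command that runs.
function buildCommandRaw(string $key): string
{
    return "grep -i $key dictionary.txt";
}

// Level-10 style: reject a few metacharacters, then interpolate anyway. The
// command can no longer be ended, but a key such as ".* otherfile" is still
// split by the shell into a pattern and a second file name for grep.
function buildCommandBlocklist(string $key): ?string
{
    if (preg_match('/[;|&]/', $key)) {
        return null;                       // "input contains an illegal character"
    }
    return "grep -i $key dictionary.txt";
}

// Hardened: quote the whole key as one shell word and end option parsing
// with "--" so the key can be neither a grep flag nor a second file name.
function buildCommandSafe(string $key): string
{
    return 'grep -i -- ' . escapeshellarg($key) . ' dictionary.txt';
}

// Best: no shell at all. Load the dictionary in PHP and match in-process;
// the key is data from start to finish.
function searchDictionary(array $words, string $key): array
{
    return array_values(array_filter(
        $words,
        fn(string $w): bool => stripos($w, $key) !== false
    ));
}

$dictionary = ['apple', 'banana', 'cherry', 'pineapple'];   // constructed
$inputs = [
    'apple',                                  // ordinary search
    'x; cat /etc/natas_webpass/natasX #',     // level-9 style: ends the command
    '.* /etc/natas_webpass/natasX',           // level-10 style: passes the blocklist
    '-r .',                                   // would be read as grep flags
];

foreach ($inputs as $key) {
    echo "input: $key\n";
    echo "  raw        : " . buildCommandRaw($key) . "\n";
    echo "  blocklist  : " . (buildCommandBlocklist($key) ?? 'rejected') . "\n";
    echo "  safe       : " . buildCommandSafe($key) . "\n";
    echo "  in-process : " . json_encode(searchDictionary($dictionary, $key)) . "\n";
}
```

Reading the printed command lines side by side makes the difference concrete: under the blocklist the `.*` input survives as two separate words, under `escapeshellarg` it is one single-quoted word that grep treats as a literal pattern, and the in-process search never builds a command line in the first place.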
