Category: CTF
Posted at: Aug 25, 2024
In this post, I will briefly explain how I solved the challenges from levels 0 to 10.
Simply view the page source:
<!--The password for natas1 is ********************************-->
Right click is blocked, so just press F12 or use the options menu to open the developer tools and you will find the password in the HTML code.
When viewing the page source, you will notice an image in a directory named "files". Inside this directory is a text file named user.txt, which contains user credentials, including the next level's password.
While examining the robots.txt file, I discovered a hidden directory containing a text file similar to the previous one, which holds the password for the next level.
After seeing this message:
Access disallowed. You are visiting from "http://natas4.natas.labs.overthewire.org/" while authorized users should come only from "http://natas5.natas.labs.overthewire.org/"
I considered leveraging the "Referer" HTTP header, which allows a server to identify referring pages that people are visiting from or where requested resources are being used (MDN Web Docs). So I added this to the request using Burp Suite and it worked:
Referer: http://natas5.natas.labs.overthewire.org/
"Access disallowed". I spotted a cookie named loggedin with a value of 0. I changed it to 1. A simple refresh after that and voila! Access granted.
When I looked at the source code, I saw that the secret comes from a file /includes/secret.inc. You will find the secret inside it. Submit the secret and you will unlock the next level password.
The HTML page had a hint: <!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->, which showed me where to find the password. While looking around, I saw a parameter called "page" (index.php?page=[$PAGE]) that showed the content of HTML pages based on their names. After many attempts with different exploit methods, I decided to try entering the password file path /etc/natas_webpass/natas8, and it worked!
The secret was in the page source, encoded in base64, then reversed, and converted to hex. Reversing these steps (converting from hex, reversing, then decoding from base64) revealed the secret.
I managed to achieve Remote Code Execution (RCE) using the double pipes test || ls ||, but the current directory didn't reveal much. After a detailed search, I stumbled upon a directory named /etc/natas_webpass. It contained passwords for various levels. While I couldn't access all of them, I managed to access the password required for the next level.
Good luck :)