OverTheWire - Natas Level 0 -> 10

OverTheWire - Natas Level 0 -> 10 cover image

Category: CTF

Posted at: Aug 25, 2024

3 Minutes Read

In this post, I will briefly explain how I solved the challenges from levels 0 to 10.

Natas 0 -> 1

Simply, view the page source

<!--The password for natas1 is ********************************-->

Natas 1 -> 2

Right click is blocked, so just press F12 or use the options menu to open the developer tools and you will find the password in the HTML code.

Natas 2 -> 3

When viewing the page source, you will notice an image in a directory named "files". Inside this directory a text file named user.txt and it has users credentials including the next level password.

Natas 3 -> 4

While examining the robots.txt file, I discovered a hidden directory containing a text file similar to the previous one, which holds the password for the next level.

Natas 4 -> 5

After seeing this message:


Access disallowed. You are visiting from "http://natas4.natas.labs.overthewire.org/" while authorized users should come only from "http://natas5.natas.labs.overthewire.org/"


I considered leveraging the "Referer" HTTP header, which allows a server to identify referring pages that people are visiting from or where requested resources are being used (MDN Web Docs). So I added this to the request using burpsuite and it worked:

Referer: http://natas5.natas.labs.overthewire.org/

Natas 5 -> 6

“Access disallowed". I spotted a cookie named loggedin with a value of 0. I changed it to 1. A simple refresh after that and voila! Access granted.

Natas 6 -> 7

When I looked at the source code, I saw that the secret comes from a file /includes/secret.inc. You will find the secret inside it. Submit the secret and you will unlock the next level password

Natas 7 -> 8

The HTML page had a hint: <!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->, which showed me where to find the password. While looking around, I saw a parameter called "page" (index.php?page=[$PAGE]) that showed the content of HTML pages based on their names. After many attempts with different exploit methods, I decided to try entering the password file path /etc/natas_webpass/natas8, and it worked!

Natas 8 -> 9

The secret was in the page source, encoded in base64, then reversed, and converted to hex. Reversing these steps, converting from hex, reversing, decoding from base64 revealed the secret.

Natas 9 -> 10

I managed to achieve Remote Code Execution (RCE) using the double pipes test || ls ||, but the current directory didn't reveal much. After a detailed search, I stumbled upon a directory named /etc/natas_webpass. It contained passwords for various levels. While I couldn't access all of them, I managed to access the password required for the next level.


Good luck :)