OverTheWire is a wargame site hosting several challenge series; for a beginner, the difficulty increases at a comfortable pace. This is the first entry of a writeup of the natas challenges, which teach the basics of server-side web security. I will try to walk you through the thought process of searching for and finding vulnerabilities.
By going through all the levels of these challenges, you will learn how to break basic security (and protect against these attacks!), gain basic knowledge of various tools and topics such as HTML, server configuration, browser developer tools, basic shell commands, vulnerability scanners and Kali Linux, and get some basic programming experience.
Tools recommended: A browser. I use Chrome or Firefox.
User/Pass: natas0/natas0
View the source, and look for the comment with the password for the next level.
Don’t leave comments with sensitive data, they are easy to find.
Spoiler natas1: gtVrDuiDfck831PqWsLEZy5gyDz1clto
Use the web developer tools (Chrome DevTools, Firefox developer tools) to show the source where you will find the password.
Blocking right-click is useless.
Spoiler natas2: ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi
Tools recommended: A shell.
As the page says, there is nothing on this page. As in the previous level, I started by looking at the source; this time there was nothing hidden in it, except a reference to an image.
I inspected the response headers to see if anything was hidden there, nada.
I downloaded the image and displayed the raw data to see if there was something hidden in the image, nada.
$ cat pixel.png
Perhaps there are other files in the same folder as the image? Let's try to open the folder in the browser: http://natas2.natas.labs.overthewire.org/files/.
Directory browsing is allowed, thus we see all the files including a file containing the password to the next level.
Make sure directory browsing is disabled.
Spoiler natas3: sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
Tools recommended: dirb/dirbuster/Kali Linux.
You can manage nicely at this point without any of these tools, but everything will be easier if you install Kali Linux, as it contains a massive amount of tools, almost everything you need.
Another page with nothing on it. The source contains a comment with a hint. Since I hate to guess, I used dirb to enumerate all common files/directories that may be found on a server.
$ dirb http://natas3.natas.labs.overthewire.org -u natas3:<passwd>
Amongst the output you should find an interesting file:
The robots file revealed a hidden directory (still with directory browsing enabled), where a file containing the password to the next level can be found.
robots.txt should not expose sensitive information.
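The two lessons from natas2 and natas3 (directory browsing left on, robots.txt pointing at things that should not be public) are easy to check for on your own servers. The following is an added example, not code from the writeup or from natas: it parses robots.txt for the Disallow paths that apply to a given user agent, and recognises an Apache-style autoindex ("Index of /...") page in a response body, returning the entries it exposes. The robots.txt, the listing HTML, the path names and the file names are all constructed here; nothing is fetched from the network.

```python
"""Audit helpers for two misconfigurations: exposed Disallow paths and
directory listings.  Sample inputs are constructed, not taken from natas."""
import re
from html.parser import HTMLParser

# Constructed robots.txt: one record for everyone, one for a single bot.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /private-example/
Disallow: /backup-example

User-agent: Googlebot
Allow: /
"""

# Constructed body shaped like Apache's default autoindex output.
SAMPLE_LISTING = """<html><head><title>Index of /files</title></head>
<body><h1>Index of /files</h1>
<a href="?C=N;O=D">Name</a>
<a href="/">Parent Directory</a>
<a href="pixel.png">pixel.png</a>
<a href="notes-example.txt">notes-example.txt</a>
</body></html>"""


def parse_disallow(robots_txt, user_agent="*"):
    """Return the Disallow paths applying to user_agent.  Records are
    separated by blank lines; '#' starts a comment."""
    paths, applies = [], False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            applies = False            # blank line ends the current record
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            applies = applies or value == user_agent
        elif field == "disallow" and applies and value:
            paths.append(value)
    return paths


class _LinkCollector(HTMLParser):
    """Collects the <title> text and every <a href> in a page."""

    def __init__(self):
        super().__init__()
        self.title_parts, self.hrefs, self._in_title = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title_parts.append(data)


def directory_listing_entries(body):
    """If body is an autoindex page, return the listed entries (dropping the
    parent link and the column-sort links); otherwise return None."""
    p = _LinkCollector()
    p.feed(body)
    if not re.match(r"^Index of /", "".join(p.title_parts).strip()):
        return None
    return [h for h in p.hrefs if h not in ("/", "../") and not h.startswith("?")]


if __name__ == "__main__":
    print("hidden by robots.txt:", parse_disallow(SAMPLE_ROBOTS))
    print("exposed by listing:  ", directory_listing_entries(SAMPLE_LISTING))
```

In a real audit you would fetch each Disallow path and feed the body to directory_listing_entries; any non-None result is a directory that needs Options -Indexes (Apache) or autoindex off (nginx), and a robots.txt that names it is telling everyone where to look.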
Spoiler natas4: Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ
Tools recommended: wget
The text on the page says it all. The way a page knows where we are coming from is usually by inspecting the Referer header. This can easily be faked, and there are tons of tools that can do this for us. There is no need to bring up the big cannons yet, so we just use a “simple” tool like wget. It seems simple enough, but there is enormous power hiding behind those four letters. I recommend using wget as a first “go-to” tool when you need to do simple request manipulation, as it lets you experiment very quickly with various variables.
# The standard get of the page with no referer.
# --quiet suppresses wget's output; you may want to skip this to see what wget is doing.
# -O - writes the output to standard out instead of a file.
$ wget --quiet -O - http://natas4:<passwd>@natas4.natas.labs.overthewire.org/
# A get with a faked referer header.
$ wget --quiet --referer=http://natas5.natas.labs.overthewire.org/ -O - http://natas4:<passwd>@natas4.natas.labs.overthewire.org/
The Referer header turned out to be the right assumption, and the page delivered the password for the next level.
Do not trust the browser, everything can be faked.
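To make the lesson concrete, here is an added example (not code from the writeup or from natas) that models the level's access check in plain Python: first the Referer-trusting version, then a hardened version in which the Referer is ignored and access depends on a ticket the server itself issued (an HMAC over the session id under a server-side key). Requests are represented as constructed header dicts; the header name X-Ticket, the session ids and the key are assumptions of this example.

```python
"""Referer-based gate (vulnerable) next to a server-issued-ticket gate.
All requests below are constructed dicts; nothing touches the network."""
import hashlib
import hmac
import secrets

TRUSTED_PAGE = "http://natas5.natas.labs.overthewire.org/"


def referer_gate(headers):
    """Vulnerable: grants access when the client-supplied Referer names the
    trusted page.  The client chooses that header, so the check proves nothing."""
    return headers.get("Referer", "") == TRUSTED_PAGE


# Hardened variant: the server remembers what it handed out.
SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (constructed here)


def issue_ticket(session_id):
    """Run when the trusted page is actually served to a session: returns a
    MAC over the session id that only the holder of SERVER_KEY can produce."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def ticket_gate(headers, session_id):
    """Hardened: Referer is ignored; access needs a ticket that verifies for
    this session.  compare_digest avoids a timing side channel."""
    return hmac.compare_digest(headers.get("X-Ticket", ""), issue_ticket(session_id))


def demo():
    """Exercise both gates; every value in the result should be True."""
    forged = {"Referer": TRUSTED_PAGE}      # the header wget --referer sends
    sid, other = "session-example-1", "session-example-2"
    return {
        "vulnerable_accepts_forged_referer": referer_gate(forged),
        "hardened_rejects_forged_referer": not ticket_gate(forged, sid),
        "hardened_accepts_issued_ticket": ticket_gate({"X-Ticket": issue_ticket(sid)}, sid),
        "hardened_rejects_ticket_of_other_session": not ticket_gate(
            {"X-Ticket": issue_ticket(sid)}, other),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point is not the MAC itself but where the evidence lives: the vulnerable gate asks the client to vouch for its own history, while the hardened one only accepts a fact the server recorded when it served the trusted page.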
Spoiler natas5: iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq