OverTheWire natas 0-4
A walkthrough of OverTheWire natas 0-4 with tool recommendations, recommendations for further reading, recommendations for protecting your server against attackers, failures and wins. Natas level 0-4 is quite easy, giving you a very gentle introduction to this wargame.
Introduction
OverTheWire is a wargame site with several challenges. For a beginner, it contains several challenges with a nice increase in difficulty. This is the first entry of a writeup of the natas challenges, which teaches the basics of serverside web-security. I will try to walk you through the mind-process of searching for and finding vulnerabilities.
By going through all the levels of these challenges, you will learn how to break basic security (and protect against these attacks!), gain basic knowledge on various tools such as: html, server configuration, browser developer tools, basic shell commands, vulnerability checker tools, kali linux and get some basic programming experience.
Level 0
Tools recommended: A browser. I use Chrome or Firefox. User/Pass: natas0/natas0 View the source, and look for the comment with the password for the next level.
Don’t leave comments with sensitive data, they are easy to find. Spoiler
natas1: gtVrDuiDfck831PqWsLEZy5gyDz1clto
Level 1
Use the web developer tools (Chrome DevTools, Firefox developer tools) to show the source where you will find the password.
Blocking right-click is useless. Spoiler
natas2: ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi
Level 2
Tools recommended: A shell. As the page says, there is nothing on this page. As in the previous level, I started by looking at the source, this time there was nothing hidden in the source, except a reference to an image.
I inspected the response headers to see if anything was hidden there, nada.
I downloaded the image and displayed the raw data to see if there was something hidden in the image, nada.
$ cat pixel.png
Perhaps there are other files in the same folder as the image? Lets try to open the folder in the browser: http://natas2.natas.labs.overthewire.org/files/.
Directory browsing is allowed, thus we see all the files including a file containing the password to the next level.
Make sure directory browsing is disabled. Spoiler
natas3: sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
Level 3
Tools recommended: dirb/dirbuster/Kali linux. You can manage nicely at this point without using any of these tools, but everything will be easier if you install Kali linux, as it contains massive amount of tools, almost everything you need.
Another page where there is nothing on the page. The source contains a comment with a hint. Since I hate to guess, I used dirb to enumerate all common files/directories that may be found on a server.
$ dirb http://natas3.natas.labs.overthewire.org -u natas3:<passwd>
Amongst the output you should find an interesting file: robots.txt
The robots file revealed a hidden directory (still with directory browsing enabled), where a file containing the password to the next level can be found.
robots.txt should not expose sensitive information. Spoiler
natas4: Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ
Level 4
Tools recommended: wget The text on the page says it all. The way the page knows where we are coming from is usually by inspecting the Referer header. This can easily be faked, and there are tons of tools that can do this for us. There is no need to bring up the big cannons yet, so we just use a “simple” tool like wget. It seems simple enough, but there is enormous power hiding behind the four letters. I recommend to use wget as a first “go-to-tool” when you need to do simple request manipulation, as that will let you experiment very quickly with various variables.
# The standard get of the page with no referer.
# --quiet to stop wget's output, you may want to skip this to see what wget is doing.
# -O - Will write the output to the standard out instead of a file.
$ wget --quiet -O - http://natas4:<passwd>@natas4.natas.labs.overthewire.org/
# A get with a faked referer header.
$ wget --quiet --referer=http://natas5.natas.labs.overthewire.org/ -O - http://natas4:<passwd>@natas4.natas.labs.overthewire.org/
It seems the referer header was the correct assumption, and the page delivered the password for the next level.
Do not trust the browser, everything can be faked. Spoiler
natas5: iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq
