Monday, October 29, 2012

OvertheWire - Natas Wargame Level 0 and Level 1 Writeup


The fantastic group at have created another wargame called Natas, the description of which is as follows:

 Natas teaches the basics of serverside web-security.  
 Each level of natas consists of its own website located at, where X is the level number. There is no SSH login. To access a level, enter the username for that level (e.g. natas0 for level 0) and its password.  
 Each level has access to the password of the next level. Your job is to somehow obtain that next password and level up. All passwords are also stored in /etc/natas_webpass/. E.g. the password for natas5 is stored in the file /etc/natas_webpass/natas5 and only readable by natas5.  

A big thank you goes out to this group for creating compelling and well-organized wargames for people of any skillset or experience level!

I decided to go ahead and pair the writeups for the first two levels together, since they are very similar, and both very easy.

So, without further introduction, let's get started.

Level 0

We login to the first level using the credentials 'natas0:natas0', and we are presented with the following screen:

The page says that the password for the natas1 account is located somewhere on the page. However, upon inspection we don't immediately see the password. Our next guess is to simply view the HTML source of the page (this time by right-clicking in the page, and selecting 'View Source').

We are presented with the following source:

 <head><link rel="stylesheet" type="text/css" href=""></head>  
 <div id="content">  
 You can find the password for the next level on this page.  
 <!--The password for natas1 is 9hSaVoey44Puz0fbWlHtZh5jTooLVplC -->  

We can clearly see the password for natas1 hidden using an HTML comment.

Level 1

Using the credentials obtained from the previous challenge, we can log in to the level1 challenge, where we are presented with the following screen:

As the page mentions, right-clicking has been disabled. Therefore our previous method of viewing the source won't work. However, on most (if not all) browsers, the source can be obtained by navigating to the following URL (tested on Chrome):

Once loaded, we receive the following source code:

 <head><link rel="stylesheet" type="text/css" href=""></head>  
 <body oncontextmenu="javascript:alert('right clicking has been blocked!');return false;">  
 <div id="content">  
 You can find the password for the  
 next level on this page, but rightclicking has been blocked!  
 <!--The password for natas2 is aRJMGKT6H7AOfGwllwocI2QwVyvo7dcl -->  

We can see the password for natas2 clearly listed in the source, which we can use to proceed to the next challenge.

Use the source, Luke. More writeups to come.


No comments:

Post a Comment