Natas teaches the basics of server-side web security. I really enjoyed the Bandit challenges, so I wanted to give this a go. I’ve tried to complete these without giving the key or direct solution – just a few hints.
It can be found at http://overthewire.org/wargames/natas/
Level Walkthroughs
Level 0 – Comments
The first one, nice and easy. Password is in the comments.
Level 1 – Comments no right click
Similar to the first level, but right-click has been disabled so you can’t view the source directly. Used Burp Suite.
Level 2 – Hidden directory
Found a hidden/small image in the source, located at …/files/. I wonder what else is in there?
Level 3 – Secret Robot
What can a website use to stop Google and other web spiders from indexing particular pages?
Level 4 – Referer
Refreshing the page with the URL link, then inspecting the request headers in Firebug, reveals the Referer address. Edit and Resend. Preview.
Level 5 – Cookie
Using Burp Suite we capture the response header, alter the cookie and forward it back.
Level 6 – Include variable
This level requires a secret key to be entered to pass.
Viewing the source code, we can see that the POSTed secret is being compared to a variable $secret, which is not defined anywhere on the page.
Sure enough, we find the variable in the include file.
Level 7 – GET parameter
Using index.php?page=home takes you to the home page. Putting index.php?page=test gives a helpful error; I wonder what else we can put in here?
Level 8 – decode hex rev base64
Level 9 – bypassing grep
Typing in a word searches the “dictionary.txt” file. With knowledge of where the keys are stored, we can exploit the grep command or bypass it altogether to get the key.
Adding to the existing grep command
Bypassing the grep command altogether
Level 10 – adding to grep
Oops, already solved this one in level 9. This time two useful characters ( ; and & ) are not allowed.
Does the grep command allow you to search more than one file?
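Levels 9 and 10 both come down to a search term being pasted into a shell command line, where characters like ; and & change what the shell runs, and a second file name simply makes grep search more than one file. The block below is an added example, not code from the page or from the Natas challenge: it shows the defensive pattern, an allowlist on the term plus an argument list (no shell) with a `--` separator so the term can only ever be one literal grep argument. The sample dictionary and the `search_lines` helper (a pure-Python stand-in for grep so the example runs offline) are constructed for the example.

```python
import re
import subprocess

# Constructed sample dictionary (not the challenge's dictionary.txt).
DICTIONARY = ["apple", "Banana", "password", "passage", "secret"]

# Allowlist: a dictionary word is letters only. Anything else is rejected
# outright rather than escaped, so shell metacharacters (; & | ` $ ( ) and
# whitespace) and extra file names never reach a command line at all.
WORD_RE = re.compile(r"[A-Za-z]{1,64}")


def is_valid_term(term: str) -> bool:
    """True only for 1-64 ASCII letters; everything else is refused."""
    return WORD_RE.fullmatch(term) is not None


def validate_term(term: str) -> str:
    if not is_valid_term(term):
        raise ValueError("search term must be 1-64 ASCII letters")
    return term


def build_argv(term: str, path: str = "dictionary.txt") -> list:
    """Argument vector for grep with no shell involved.

    Each element is one argv entry, so the term cannot grow into a second
    command or a second file name; '--' stops a leading '-' from being read
    as a grep option.
    """
    return ["grep", "-i", "--", validate_term(term), path]


def search_lines(term: str, lines) -> list:
    """Offline equivalent of `grep -i term`: case-insensitive substring match."""
    needle = validate_term(term).lower()
    return [line for line in lines if needle in line.lower()]


def safe_grep(term: str, path: str = "dictionary.txt") -> list:
    """Run grep via an argv list. grep exits 1 when nothing matches, so check=False."""
    result = subprocess.run(build_argv(term, path), capture_output=True, text=True, check=False)
    return result.stdout.splitlines()


if __name__ == "__main__":
    print(search_lines("pass", DICTIONARY))
    for candidate in ["apple", "a;b", "a&b", "apple other.txt", "-r"]:
        print(repr(candidate), "accepted" if is_valid_term(candidate) else "rejected")
```

The vulnerable shape the level hints at is the opposite of `build_argv`: one string built by concatenating the term into `grep -i <term> dictionary.txt` and handed to a shell. Blocking individual characters, as level 10 does, is a denylist and leaves the whole shell grammar to reason about; the allowlist above makes the question "what else could a term be?" moot.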
Level 11 – XOR cookie
This one was tricky. It feels like between level 10 and level 11 we missed a few levels, as this escalated quickly : )
Looking at the source code, we can see $defaultdata is being used to create the original cookie, which is then encrypted.
We also see that showpassword must be set to yes to show the flag.
From Burp we can grab the cookie.
By creating a custom PHP page we can manipulate the code in our favour and hopefully find the key.
Base64-decode the original cookie value, then use the defaultdata as the key and XOR-encrypt it.
Running this reveals the encryption key. Note the key repeats and is qw8J.
Once we have the encryption key, we can use it to encrypt our own text – specifically the defaultdata from the start, but this time with showpassword set to yes.
Running this now gives us the correct cookie.
Send a previous response to Repeater, then change the cookie value…
And now the next level key is shown!
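The reason the walkthrough's trick works is that repeating-key XOR with a known plaintext leaks the keystream: ciphertext XOR plaintext is the key repeated, so its shortest period is the key. The block below is an added example, not code from the page or from the Natas challenge. It reproduces the level's scheme in Python to show the key recovery and why it matters, then shows the fix a server would actually use: a cookie authenticated with an HMAC under a secret that never leaves the server. The cookie contents, the server secret and the JSON layout are constructed assumptions; only the key qw8J is taken from the page.

```python
import base64
import hashlib
import hmac
import json

# Constructed values modelled on the level description. KEY is the one the
# walkthrough names; DEFAULT_DATA is an assumed stand-in for $defaultdata.
KEY = b"qw8J"
DEFAULT_DATA = {"showpassword": "no", "bgcolor": "#ffffff"}


def encode_data(data: dict) -> bytes:
    """Serialise cookie data identically on both sides (compact JSON)."""
    return json.dumps(data, separators=(",", ":")).encode()


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so this encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_xor_cookie(data: dict, key: bytes) -> str:
    """The level's server side: XOR the JSON with the key, then base64 it."""
    return base64.b64encode(xor_with_key(encode_data(data), key)).decode()


def decode_xor_cookie(cookie: str, key: bytes) -> dict:
    """What the server does when it reads the cookie back."""
    return json.loads(xor_with_key(base64.b64decode(cookie), key))


def recover_xor_key(cookie: str, known_plaintext: bytes) -> bytes:
    """Known-plaintext recovery: ciphertext XOR plaintext gives the keystream.

    With a repeating key the keystream is the key written out again and again,
    so the shortest period of the keystream is the key itself.
    """
    raw = base64.b64decode(cookie)[: len(known_plaintext)]
    keystream = xor_with_key(raw, known_plaintext)
    for period in range(1, len(keystream) + 1):
        if all(keystream[i] == keystream[i % period] for i in range(len(keystream))):
            return keystream[:period]
    return keystream


# Mitigation: authenticate the cookie. The secret is a constructed value and
# stays on the server; the client can read the body but cannot change it
# without invalidating the tag.
SERVER_SECRET = b"constructed-server-secret-do-not-reuse"


def sign_cookie(data: dict, secret: bytes) -> str:
    body = base64.urlsafe_b64encode(encode_data(data)).decode()
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str, secret: bytes):
    """Return the cookie data if the tag verifies, None if it was tampered with."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def tamper_signed_cookie(cookie: str, data: dict) -> str:
    """Replace the body with different data while keeping the old tag."""
    _, _, tag = cookie.rpartition(".")
    return base64.urlsafe_b64encode(encode_data(data)).decode() + "." + tag


if __name__ == "__main__":
    original = make_xor_cookie(DEFAULT_DATA, KEY)
    key = recover_xor_key(original, encode_data(DEFAULT_DATA))
    forged = make_xor_cookie({**DEFAULT_DATA, "showpassword": "yes"}, key)
    print("recovered key:", key, "| forged cookie decodes to:", decode_xor_cookie(forged, KEY))
    signed = sign_cookie(DEFAULT_DATA, SERVER_SECRET)
    tampered = tamper_signed_cookie(signed, {**DEFAULT_DATA, "showpassword": "yes"})
    print("tampered signed cookie verifies as:", verify_cookie(tampered, SERVER_SECRET))
```

The first half is the level exactly as the walkthrough describes it: the client knows the plaintext ($defaultdata is in the source), so secrecy of the key buys nothing. The second half changes the question the server asks from "can I decrypt this?" to "did I issue this?", which is what a cookie that carries authorisation state needs; `hmac.compare_digest` is used so the tag check does not leak timing information.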
Level 12 –
Level 13 –
Still working on the rest…