Over The Wire – Natas

Natas teaches the basics of serverside web-security. I really enjoyed the Bandit challenges, so wanted to give this a go.  I’ve tried to complete these without giving the key or direct solution – just a few hints.

Can be found at http://overthewire.org/wargames/natas/

Level Walk Through’s

Level 0 – Comments


The first one, nice and easy. Password is in the comments.

Level 1 – Comments no right click

Similar to first level, but right click had been disabled so you can’t view source directly. Used Burp Suite.

Level 2 – Hidden directory

Found a hidden/small image in the source, located at …/files/ . I wonder what else is in there?

Level 3 – Secret Robot

What can a website use to stop google and web spiders searching in particular pages?

Level 4 – Referer

Refreshing the page with the URL link, then investigating the headers in firebug reveals the referer address. Edit and Resend. Preview.


Level 5 – Cookie

Using Burp Suite we capture the response header, alter the cookie and forward it back.

Level 6 – Include variable

This level requires a secret key to be entered to pass.

Viewing the source code, we can see that the POST secret is being compared to a variable $secret, which is not defined anywhere on the page. 

Sure enough we find the variable in the include file.

Level 7 – GET parameter

By using index.php?page=home takes you to the home page. Putting index.php?page=test gives a helpful error, i wonder what else we can put in here?

Level 8 – decode hex rev base64

The secret is there, you just need to decode it in the order of the encodeSecret function. These sites will help https://www.asciitohex.com/ and http://string-functions.com/reverse.aspx

Level 9 – bypassing grep

Typing in a word searchs the “dictionary.txt” file. With knowledge of where the keys are stored,  we can exploit the grep command or bypass it all together to get the key.

adding to the existing grep command

bypassing the grep command all together

Level 10 – adding to grep

Ops already solved this one in level 9. This time 2 useful characters ( ; and & ) are not allowed.

Does the grep command allow you to search more than one file?

Level 11 – XOR cookie

This one was tricky. Feels like from level 10 to 11 we missed a few levels as this escalated quickly : )

Looking at the source code. We can see $defaultdata is being used to create the original cookie, then its being encrypted.

We also see that the showpassowrd must be set to yes, so show the flag.

From Burp we can grab the cookie

By creating a custom php page we can manipulate the code to our favour and hopefully find the key.

base64 decode the original cookie value. Then use the defaultdata for the key and xor encrypt it.

Then run this to find the encryption key. Note the key repeats and is qw8J

Once we have the encryption key, we can use it now to encrypt our own text – specifically the defaultdata from the start, but this time set shopassword to yes.

Running this now gives us the correct cookie

Sending a previous response to Repeater, then changing the cookie value…

And now the next level key is shown!

Level 12 –



Level 13 –

Still working on the rest…