Natas - What is it?

# Natas

Natas teaches the basics of serverside web-security.

Each level of natas consists of its own website located at **http://natasX.natas.labs.overthewire.org**, where X is the level number. There is **no SSH login**. To access a level, enter the username for that level (e.g. natas0 for level 0) and its password.

Each level has access to the password of the next level. Your job is to somehow obtain that next password and level up. **All passwords are also stored in /etc/natas\_webpass/**. E.g. the password for natas5 is stored in the file /etc/natas\_webpass/natas5 and only readable by natas4 and natas5.

Start here:


Username: natas0
Password: natas0
URL:      http://natas0.natas.labs.overthewire.org

I'll be using Firefox and probably Burp Suite for these.

Level 0

Username: natas0
Password: natas0
URL:      http://natas0.natas.labs.overthewire.org

First step, look at the source

VICTORY.

gtVrDuiDfck831PqWsLEZy5gyDz1clto 

Level 1

Username: natas1
URL:      http://natas1.natas.labs.overthewire.org

As last time, developer tools

VICTORY.

ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi 

Level 2

Username: natas2
URL:      http://natas2.natas.labs.overthewire.org

Dev tools again.

Files? Those sound good.

Users sound even better.

VICTORY

sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14

Level 3

Username: natas3
URL:      http://natas3.natas.labs.overthewire.org

Ah robots, my old enemy.

Secrets? WHAT SECRETS

EVEN MORE SECRETS

Can I haz sekret now plz?

VICTORY

Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

Level 4

Username: natas4
URL:      http://natas4.natas.labs.overthewire.org

Let's send that to the repeater…

Let's add some referers..

VICTORY

iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

Level 5

Username: natas5
URL:      http://natas5.natas.labs.overthewire.org

Not logged in? Well, the answer is yummy. Sent the request to Burp’s repeater..

What’s this? Logged in boolean? Let's change and send.

VICTORY

aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

Level 6

Username: natas6
URL:      http://natas6.natas.labs.overthewire.org

More secrets?!

Let's take a look

Cool, copy, paste, and submit

VICTORY

7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

Level 7

Username: natas7
URL:      http://natas7.natas.labs.overthewire.org

Quick look at the source, just to make sure nothing odd is happening

Luckily, I remember how to do this.. Sooo file traversal is a thing. Just adding a lot of dot dot slashes to make sure I hit root.

VICTORY

DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe
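Why the surplus of `../` in Level 7 always lands on the filesystem root, and what a server-side check has to do to refuse it, as an added Python example (not code from this writeup or from Natas). `WEB_ROOT`, the function names and the sample inputs are constructed for illustration; the `/etc/natas_webpass/` path follows the naming given in the introduction.

```python
import posixpath

# Constructed base directory for illustration; the page does not show the server layout.
WEB_ROOT = "/var/www/site/pages"


def naive_resolve(page: str) -> str:
    """Vulnerable pattern: join user input onto the base with no containment check."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, page))


def prefix_check_resolve(page: str) -> str:
    """Common but flawed fix: a string-prefix test accepts sibling directories."""
    candidate = naive_resolve(page)
    if not candidate.startswith(WEB_ROOT):
        raise ValueError(f"path escapes web root: {page!r}")
    return candidate


def safe_resolve(page: str) -> str:
    """Hardened pattern: normalise, then compare whole path components.

    This is a lexical check; on a real filesystem, resolve symlinks with
    os.path.realpath() on both paths before comparing.
    """
    if "\x00" in page:
        raise ValueError("NUL byte in path")
    candidate = naive_resolve(page)
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        raise ValueError(f"path escapes web root: {page!r}")
    return candidate


def is_allowed(page: str) -> bool:
    try:
        safe_resolve(page)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: more "../" than the base has components (the extras are
    # discarded at "/"), an absolute path, a sibling sharing the prefix, a benign page.
    samples = ["../" * 12 + "etc/natas_webpass/natas8", "/etc/natas_webpass/natas8",
               "../pages-old/x", "home"]
    for s in samples:
        print(f"{s!r:50} naive={naive_resolve(s)!r} allowed={is_allowed(s)}")
```

Normalisation drops any `..` that would climb above `/`, so the number of `../` segments only has to be at least the depth of the base directory; the containment check has to run on the normalised result, not on the raw input.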