Natas - Natas0 through Natas4
In my last post talking about useful cloud- and web-app pentest resources, I mentioned Natas. It's from the same folks that brought you solid pedagogy for learning the Linux CLI. In an effort to blog more, I'm going to be posting some of my walkthroughs. As much as it's been ingrained to document hacking activities thanks to PWK/OSCP, I figured they'd be more useful as blog posts.
Natas Overview
Visit the natas website and read the introduction to get an understanding of the challenges. A main takeaway is that there's no SSH login; each website is located at http://natasX.natas.labs.overthewire.org, where X is the starting level number. Additionally, all passwords are stored in /etc/natas_webpass/, which is presumably going to be useful for any LFI (local file inclusion) challenges. Also, each website uses Basic Authentication to control access to the page.
Walkthrough Overview
I'll follow the syntax of the side menu on the natas home page when describing the walkthrough - Level X --> Level X+1 with the writeups. You'll need the credentials from Level X and visit the site of the same number/level (natasX) with the username (natasX). Some levels are rather straightforward, and even a few have a common theme, which I'll include in a single post if it can be shared concisely. I'll also be sure to use Natas-specific tags on the article for easy reference. Also, unless otherwise specified, I'm using Firefox as the primary browser, and a Linux machine as the primary OS.
Natas0 --> Natas1
Website: http://natas0.natas.labs.overthewire.org/; Access Credentials: natas0:natas0
Visit the website, and after authenticating, the website indicates "You can find the password for the next level on this page." Right click on the website inside your browser and select View Source. On line 16 note the password:
<!--The password for natas1 is g9D9cREhslqBKtcA2uocGHPfMZVzeFK6 -->
Natas1 --> Natas2
Website: http://natas1.natas.labs.overthewire.org/; Access Credentials: natas1:g9D9cREhslqBKtcA2uocGHPfMZVzeFK6
This page specifies that "right-clicking has been blocked", which is about half true. Either:
- Attempt to right click anywhere on the page outside of the white box, and click View Source, or
- Open developer tools by clicking the hamburger button in the upper right hand corner of the Firefox browser, select More Tools --> Web Developer Tools (shortcut: CTRL + SHIFT + I).
- Try force refreshing the page (CTRL+SHIFT+R) and while the page is reloading, it will turn white, quickly right click, and select View Source.
- Bypass the JavaScript and use the CLI to pull the web page via curl! Be sure to use the -u flag and pass in the credentials.
curl -u 'natas1:g9D9cREhslqBKtcA2uocGHPfMZVzeFK6' http://natas1.natas.labs.overthewire.org
The source code again displays the password, this time on line 17:
<!--The password for natas2 is h4ubbcXrWqsTo7GGnnUMLppXbOogfBZ7 -->
Website Functionality
If you noticed the alert message that popped up when you attempted to right click on the page inside the white box, line 11 of the source code shows where the popup comes from. Reading the developer documentation, you can find out that oncontextmenu is most commonly triggered by right clicking.
<body oncontextmenu="javascript:alert('right clicking has been blocked!');return false;">
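The same two findings from Natas0 and Natas1, seen from the site owner's side, as an added example that is not part of the original post: a small audit that parses served HTML the way curl sees it and flags comments that look like they hold secrets, plus context-menu handlers that only hide the source from a mouse. The hint word list and the sample page (with a placeholder password) are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
import re

# Words suggesting a comment carries a secret (assumed list; tune for your codebase).
SECRET_HINTS = re.compile(r"password|passwd|secret|token|api[_-]?key", re.I)

class SourceAudit(HTMLParser):
    """Collects findings visible to anyone who fetches the raw HTML."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_comment(self, data):
        # Comments are delivered to every client, rendered or not.
        if SECRET_HINTS.search(data):
            line, _ = self.getpos()
            self.findings.append(("secret-in-comment", line, data.strip()))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # Cancelling the context menu hides nothing from curl or view-source.
            if name == "oncontextmenu" and value and "return false" in value:
                line, _ = self.getpos()
                self.findings.append(("context-menu-block", line, tag))

def audit_html(html):
    """Return a list of (kind, line number, detail) tuples for one page."""
    parser = SourceAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample modelled on the Natas1 markup; the password is a placeholder.
SAMPLE = """<html>
<head><title>sample</title></head>
<body oncontextmenu="javascript:alert('right clicking has been blocked!');return false;">
<h1>sample</h1>
<div id="content">
You can find the password for the next level on this page.
<!--The password for nextlevel is PLACEHOLDER_PASSWORD -->
</div>
</body>
</html>"""

if __name__ == "__main__":
    for kind, line, detail in audit_html(SAMPLE):
        print(f"line {line}: {kind}: {detail}")
```

Run against build output before deployment, a check like this catches the comment before it ever reaches a browser.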
Natas2 --> Natas3
Website: http://natas2.natas.labs.overthewire.org/; Access Credentials: natas2:h4ubbcXrWqsTo7GGnnUMLppXbOogfBZ7
Inspect the source code again. Within the <body> of the page source, on Line 15, it references an image, located at src="files/pixel.png". Navigate to the directory, located at http://natas2.natas.labs.overthewire.org/files/. It's a directory listing, which shows two files, one the aforementioned picture, and the second a users.txt file, which includes our natas3 user: natas3:G6ctbMJ5Nb4cbFwhpMPSvxGHhQ7I6W8Q
Natas3 --> Natas4
Website: http://natas3.natas.labs.overthewire.org/; Access Credentials: natas3:G6ctbMJ5Nb4cbFwhpMPSvxGHhQ7I6W8Q
In reviewing the source code, there is a comment mentioning "Not even Google will find it this time...". This is a head nod to the robots.txt file, a common file on websites to indicate to search engine crawlers which URIs the crawler can, and more importantly cannot, crawl. The website's /robots.txt file indicates a directory located at /s3cr3t/. Much like the last challenge, there is a users.txt file within this directory, with the credentials: natas4:tKOcJIbzM4lTs8hbCmzn5Zr4434fGZQm.
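Natas2 and Natas3 both come down to content that is reachable by anyone who knows the path. The following added example (not from the original post) is a review script a site owner could run over their own robots.txt and page bodies: it lists every path a Disallow rule discloses and recognises auto-generated directory indexes by their "Index of" title. The sample robots.txt and listing HTML are constructed for illustration, not captured from the Natas servers.

```python
import re

def disallowed_paths(robots_txt):
    """Return every path named in a Disallow rule, in file order."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        field, _, value = line.partition(":")
        if field.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths

# Apache and nginx auto-generated indexes title the page "Index of <path>".
INDEX_TITLE = re.compile(r"<title>\s*Index of\s+(/[^<]*)</title>", re.I)
# Skip sort links ("?C=N;O=D") and the absolute parent-directory link.
ENTRY_HREF = re.compile(r'href="([^"?/][^"]*)"', re.I)

def listing_entries(html):
    """Return (path, [file names]) for an auto-generated index page, else None."""
    m = INDEX_TITLE.search(html)
    if not m:
        return None
    return m.group(1).strip(), ENTRY_HREF.findall(html)

def review(robots_txt, pages):
    """pages maps a URL path to the HTML body served for it."""
    findings = []
    for path in disallowed_paths(robots_txt):
        findings.append(f"robots.txt discloses {path}: protect it with access control")
    for path, body in pages.items():
        listing = listing_entries(body)
        if listing:
            findings.append(f"{path} is auto-indexed, exposing: {', '.join(listing[1])}")
    return findings

# Constructed samples modelled on the two levels; not captured server output.
ROBOTS = "User-agent: *\nDisallow: /s3cr3t/\n"
PAGES = {
    "/files/": '<html><head><title>Index of /files</title></head><body>'
               '<a href="?C=N;O=D">Name</a> <a href="/">Parent Directory</a> '
               '<a href="pixel.png">pixel.png</a> <a href="users.txt">users.txt</a>'
               '</body></html>',
    "/": "<html><head><title>home</title></head><body>hello</body></html>",
}

if __name__ == "__main__":
    print("\n".join(review(ROBOTS, PAGES)))
```

A Disallow rule only asks crawlers to stay away, so every path it names should be something you are comfortable publishing.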
Summary
That wraps up the first 4 Natas challenges! We'll cover more in upcoming posts. Hopefully these got you comfortable exploring source code within web pages. If you found it too easy, then good! Things will get more tricky as we'll need to start leveraging a proxy and even write some code in future challenges. Stay tuned!
Alternative Solutions
Additionally, there is going to be more than one method to solve these challenges. I'll try to cover the alternatives. However, for the sake of brevity, I'll likely only cover one or two per challenge. Below are a few methods for the challenges completed. Keep these in mind for future challenges too!
- curl - mentioned in the Natas1 challenge already, but rather than using a browser, use the CLI to pull the source code. Applicable Challenges: Natas0, Natas1, Natas2
- Directory/File Brute Forcing - Using a tool like ffuf (personal favorite), combined with something like seclists, or a generic wordlist to help find directories or files. Directory and file scanning is a common method for enumerating a website, which we'll certainly cover in future posts. Applicable Challenges: Natas2, Natas3