
Showing posts from February, 2019

Natas 11 -> 12

user: natas11 pass: U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK

OK, this level is a bit tricky. We start out looking at the source code, and we are faced with several functions. xor_encrypt seems to encrypt any text sent to it by XORing the input character by character with the key we want. loadData checks to see if the cookie sent with the data matches the background color, and has the 'showpassword' field in it. If the background color sent with the data and sent in the cookie match, it stores the color and the showpassword boolean - this is probably the key to getting the key. The big trick here is that there's an XOR encryption going on. At first this might seem tricky, but on closer consideration we remember that if XORing myword with the key gives cypher, then XORing cypher with the key gives myword back. In the function saveData, we see that the cookie for the website is set with base64_encode, xor_encrypt, and json_encode. Therefore, we start with the cookie. We know we want to base64-decode, so let...

Natas 10 -> 11

user: natas10 pass: nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

This looks familiar - but someone got smart and decided to start sanitizing their inputs, it looks like. We can't use ;, |, or & to circumvent the grep command. Clever designers. But what other command exploits might we be able to use? Let's think back to the days when we were command-line masters instead of browser-hackers. I seem to recall that grep had some fancy functionality... like, for instance, the ability to grep over multiple files at once. So what happens if we tell it to do just that? Of course, we don't know what to tell grep to look for, so let's just use the .* pattern to tell it to match any number of occurrences of anything. Remember, looking at the source, that our file will be searched first, so we won't care too much about the massive number of dictionary words that will be spit out after. Let's try it (remember, the second file we should try looking at is the same as last ...

Natas 9 -> 10

user: natas9 pass: W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl

Hmm. Needle in a haystack, wouldn't you say? Let's take a look at the source code. Looks like the box is looking for a specific 'needle' to be entered to get the password. Well, there might just be an easier way - let's take a closer look at how the search box is working. Looks like this PHP code is using 'passthru' to run grep, a shell command. What else could passthru run, however? For those familiar with shell, the ';' character is your friend for running multiple commands on a single line. That's what we're going to do here. If we start our box input with ';', we can follow it with commands of our choice! What's more, I seem to remember a helpful hint suggesting that /etc/natas_webpass/natas<level number> always holds the password for the next level. Type ;cat /etc/natas_webpass/natas10 into the search box for the information you seek.

Natas 8 -> 9

user: natas8 pass: DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe

Another secret, but this time the source code shows that the secret has been encoded. The language we're seeing here in the midst of the HTML is PHP. So, let's go to our closest friendly PHP station: the terminal. Running >>>php -a will get you into interactive mode in the terminal. Now it's just a matter of reversing the encoding on the secret. We know that the encoded one is "3d3d516343746d4d6d6c315669563362", and that to get it there the code ran return bin2hex(strrev(base64_encode($secret))); Therefore, we apply the inverse of each step in reverse order: print base64_decode(strrev(hex2bin($encoded))); This yields the secret we were looking for, which when entered gives us our password.

Natas 7 -> 8

user: natas7 pass: 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

Ooh, links! But neither one seems terribly helpful. As should be your first instinct by this point, let's look at the developer tools. There's a helpful comment in there: "hint: password for webuser natas8 is in /etc/natas_webpass/natas8" Well, that seems straightforward. However, http://natas7.natas.labs.overthewire.org/etc/natas_webpass/natas8 doesn't exist. So what are we missing? Closer examination of the links on the home page shows us that there's a /index.php?page= bit in each URL that might be important. So let's try it. http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8 should get you what you're looking for.

Natas 6 -> 7

user: natas6 pass: aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1

Well, it looks like we need to input a secret of some sort. If only we knew what it was... Luckily, though, someone left a link to the website source code here. And, what's this? It very conveniently says, right there: include "includes/secret.inc"; So let's start there. That looks like a path we could try navigating to. http://natas6.natas.labs.overthewire.org/includes/secret.inc yields the secret: FOEIUWGHFEEUHOFUOIU. Plugging that in gives us the password!

Natas 5 -> 6

user: natas5 pass: iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

What's this? The website says we're not logged in. And yet, I distinctly remember inputting a username and password a moment ago... Well, let's look around and see if there's anything we can do about this. If we just try to use our old friend, the developer tools, we probably won't get much of anywhere. But there are some convenient add-ons to any standard browser that will let us examine and even - gasp! - edit our browser cookies. And it turns out that's exactly what needs doing here. Change the value of the loggedin cookie from 0 to 1 to tell the website that it should let you in.

Natas 4 -> 5

user: natas4 pass: Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

Well, this is rude. Access disallowed, unless we visit from... the website we're trying to get to. The trick to this level is that the HTTP request headers these challenge websites rely on, such as Referer, are supplied by the client and can be spoofed. In this case, we can actually do it most easily from the command line. If you want a hint without the answer, try 'man curl'. For those of you wanting an answer to how to do this, here we go. The trick is that we need to send a Referer header that tells the website the request came from natas5. Therefore, the command you're looking for is: >>>curl 'http://natas4.natas.labs.overthewire.org/' -H 'Referer: http://natas5.natas.labs.overthewire.org/' -u natas4 And voila! The answer will appear.

Natas 3 -> 4

user: natas3 pass: sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14

This looks familiar... Let's see what we've got here. Oh, but wait - there's a comment in the HTML. It says that not even Google will find it this time. How do websites control what Google does with them? The /robots.txt page says: User-agent: * Disallow: /s3cr3t/ So, what do we do? Why, let's go to the /s3cr3t/ page, of course! There we find another users.txt file, and our password for the next challenge.

Natas 2 -> 3

user: natas2 pass: ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi

At first, this page just tells us there's nothing there. Well, that can't be right. We start by opening our nifty developer tools, and poking around the HTML does, indeed, render nothing. But wait! There are other tools. And if we look carefully at 'Sources', we see that there's a 'files' folder. I wonder how we can access that... If we navigate to http://natas2.natas.labs.overthewire.org/files, we see some interesting stuff... And if we open the users.txt file, look what I found!

Natas 1 -> 2

We start by entering the username and password we got from the last level: user: natas1 pass: gtVrDuiDfck831PqWsLEZy5gyDz1clto

This level is the same as level 0, but right clicking has been blocked! If you're lucky enough to have left developer tools open from the last level, you just need to hunt for the password in the HTML tags. If not, there's more than one way to get them open. This time, navigate to the menu bar at the top-right of your screen, and open them from there. The password is under the div id='content' tag again.

Natas 0 -> 1

First entry in a series about Over the Wire's Natas challenges! First, we navigate from http://overthewire.org/wargames/natas/natas0.html to http://natas0.natas.labs.overthewire.org/. Enter the password given to us: Natas Level 0 Username: natas0 Password: natas0 URL: http://natas0.natas.labs.overthewire.org The first thing we see is a grey screen with the text "You can find the password for the next level on this page." in a white box. We assume you're using the Chrome web browser. Other web browsers will act similarly. Right click and select "Inspect". On the right-hand side of your screen, you should see the Developer tools box open. As shown below, if you start expanding the tags in the HTML given, you'll see the password for the next level!