Natas 4 -> 5

user: natas4
pass: Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

Well, this is rude. Access disallowed, unless we visit from... the website we're trying to get to. The trick to this level is that HTTP, the protocol that these challenge websites are based on, can be spoofed. In this case, we can actually do it most easily from the command line.

If you want a hint without the answer, try 'man curl'.

For those of you wanting an answer to how to do this, here we go. The trick is that we need to create a new header that tells the website it was requested by natas5. Therefore, the command you're looking for is:

>>>curl 'http://natas4.natas.labs.overthewire.org/' -H 'Referer: http://natas5.natas.labs.overthewire.org/' -u natas4

And voila! The answer will appear.

Comments

Post a Comment

Popular posts from this blog

Natas 7 -> 8

user: natas7 pass: 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9 Ooh, links! But neither one seems terribly helpful. As should be your first instinct by this point, let's look at the developer tools. There's a hlepful comment in there. "hint: password for webuser natas8 is in /etc/natas_webpass/natas8" Well, that seems straightforward. However, http://natas7.natas.labs.overthewire.org/etc/natas_webpass/natas8 doesn't exist. So what are we missing? Closer examination of the links on the home page show us that there's a /index.php bit of each URL that might be important. So let's try it. http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8 should get you what you're looking for.
Read more

Natas 11 -> 12

user: natas11 pass: U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK OK, this level is a bit tricky. We start out looking at the source code, and we are faced with several functions. xor_encrypt seems to encrypt any text sent to it by xoring the input character by character with the key we want. loadData checks to see if the cookie sent with the data matches the background color, and has the 'showpassword' field in it. If the background color sent with the data and sent in the cookie match,  it stores the color and the showpassword boolean - this is probably the key to getting the key. The big trick here is that there's an XOR encryption going on. At first this might seem tricky, but on closer consideration we remember that if xor myword => cypher, then xor cypher => myword. in the function saveData, we wee that the cookie for the website is set with base64-encode, xor_encrypt, and json-encode. Therefore, we start with the cookie. We know we want to base64-decode, so let&
Read more

Natas 8 -> 9

user: natas8 pass: DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe Another secret, but this time the source code shows that the secret has been encoded. The language we're seeing here in the midst of the HTML is PHP. So, let's go to our closest friendly PHP station: the terminal. Running >>>php -a will get you into interactive mode in the terminal. Now it's just a matter of reversing the encryption on the secret. We know that the encoded one is  "3d3d516343746d4d6d6c315669563362" , and that to get it there we ran return bin2hex(strrev(base64_encode($secret))); Therefore, we try the opposite: print base64_decode( strrev(hex2 bin( $encoded))); This yields the secret we were looking for, which when inputted gives us our password.
Read more