Natas - What is it?

# Natas

Natas teaches the basics of server-side web security.

Each level of natas consists of its own website located at **http://natasX.natas.labs.overthewire.org**, where X is the level number. There is **no SSH login**. To access a level, enter the username for that level (e.g. natas0 for level 0) and its password.

Each level has access to the password of the next level. Your job is to somehow obtain that next password and level up. **All passwords are also stored in /etc/natas\_webpass/**. E.g. the password for natas5 is stored in the file /etc/natas\_webpass/natas5 and only readable by natas4 and natas5.

Start here:


Username: natas0
Password: natas0
URL:      http://natas0.natas.labs.overthewire.org

I'll be using Firefox and probably Burp Suite for these.

Level 0

Username: natas0
Password: natas0
URL:      http://natas0.natas.labs.overthewire.org

First step, look at the source

VICTORY.

redacted 

Level 1

Username: natas1
URL:      http://natas1.natas.labs.overthewire.org

As last time, developer tools

VICTORY.

redacted 

Level 2

Username: natas2
URL:      http://natas2.natas.labs.overthewire.org

Dev tools again.

Files? Those sound good.

Users sound even better.

VICTORY

redacted

Level 3

Username: natas3
URL:      http://natas3.natas.labs.overthewire.org

Ah robots, my old enemy.

Secrets? WHAT SECRETS

EVEN MORE SECRETS

Can I haz sekret now plz?

VICTORY

redacted

Level 4

Username: natas4
URL:      http://natas4.natas.labs.overthewire.org

Let's send that to the repeater…

Let's add some referers..

VICTORY

redacted

Level 5

Username: natas5
URL:      http://natas5.natas.labs.overthewire.org

Not logged in? Well, the answer is yummy. Sent the request to Burp’s repeater..

What’s this? Logged in boolean? Let's change and send.

VICTORY

redacted

Level 6

Username: natas6
URL:      http://natas6.natas.labs.overthewire.org

More secrets?!

Let's take a look

Cool, copy, paste, and submit

VICTORY

redacted

Level 7

Username: natas7
URL:      http://natas7.natas.labs.overthewire.org

Quick look at the source, just to make sure nothing odd is happening

Luckily, I remember how to do this.. Sooo file traversal is a thing. Just adding a lot of dot dot slashes to make sure I hit root.

VICTORY

redacted
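
The fix for the Level 7 traversal, seen from the server side, as an added example that is not part of the original write-up or the Natas code: an unchecked path join next to a resolver that refuses anything landing outside the web root. It goes slightly beyond the dot-dot-slash case by also covering absolute input and a symlink; the directory layout, file names and function names are all hypothetical and constructed in a temp directory.

```python
import os
import tempfile

def naive_resolve(base_dir, requested):
    """Vulnerable pattern: user input is joined to the base directory unchecked."""
    return os.path.normpath(os.path.join(base_dir, requested))

def safe_resolve(base_dir, requested):
    """Return the real path of `requested` only if it stays inside base_dir."""
    base = os.path.realpath(base_dir)
    # realpath collapses ../ sequences and follows symlinks before the check.
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{requested!r} resolves outside {base!r}")
    return target

def demo():
    """For each constructed request: (naive handler returns the secret?, safe_resolve allows it?)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        pages = os.path.join(root, "www", "pages")   # hypothetical web root
        secret = os.path.join(root, "secret.txt")    # stands in for a file outside it
        os.makedirs(pages)
        for path, body in ((os.path.join(pages, "home"), "home page"), (secret, "s3cret")):
            with open(path, "w") as fh:
                fh.write(body)
        os.symlink(secret, os.path.join(pages, "link"))
        requests = {
            "plain": "home",
            # enough ../ to reach the filesystem root, then back down to the secret
            "dotdot": "../" * pages.count(os.sep) + secret.lstrip(os.sep),
            "absolute": secret,   # os.path.join discards the base for absolute input
            "symlink": "link",    # lexically inside pages/, really outside
        }
        for name, req in requests.items():
            with open(naive_resolve(pages, req)) as fh:
                leaked = fh.read() == "s3cret"
            try:
                safe_resolve(pages, req)
                allowed = True
            except PermissionError:
                allowed = False
            results[name] = (leaked, allowed)
    return results

if __name__ == "__main__":
    for name, (leaked, allowed) in demo().items():
        print(f"{name:9} naive leaks secret: {leaked!s:5}  safe_resolve allows: {allowed}")
```

The containment check compares resolved paths with `os.path.commonpath` rather than a string prefix, so a sibling directory such as `pages_old` cannot pass as being inside `pages`.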