Overthewire : Natas : 0 - 10

18 August, 2020

A brief writeup of solving the Overthewire War Game Natas, levels 0 through 10

0 ➜ 1

View the page source, its right there :)

1 ➜ 2

• Right clicking is disabled on the page
• However you can type view-source:http://natas1.natas.labs.overthewire.org/ in your browser to view the page source and find the password.
• Or you can also use your browser's shortcut for the same.

2 ➜ 3

• Observe the web page making requests
• You'll find a request being made to files/pixel.png
• Turns out the files directory is openly accessible
• files/users.txt contains the password for natas3

3 ➜ 4

• Fuzz the URL using any of the common wordlists
• Check the file that stands out
• That file mentions only one directory
• The one file in that one directory will give you the password for natas4

4 ➜ 5

• Well the page clearly says 'You're visiting from "" while authorized users should come only from "http://natas5.natas.labs.overthewire.org/ "'
• There's a specific header that allows a website to know where you're coming from
• Change that to the natas5 URL and there it is..

5 ➜ 6

• Again, observe the requests being made.
• One of the requests has a very obvious cookie.
• Flip the cookie to get the password..

6 ➜ 7

• Have a look at the source and you'll find a weird path.
• Have a look at the path and you'll find something hidden under a right click.
• Use the hidden entity to find the password

7 ➜ 8

• Look at the source code again, for a fact that was presented to you before as well.
• Check the two links notice what they do to the URL
• Now combine the fact and the URL to get the password

8 ➜ 9

• Go through the source thoroughly and try to reverse engineer the password

9 ➜ 10

• Source code will show you a command running with some input
• However no one checks the input :)
• Manipulate the input and get the password
• Try to get the password for all other levels through this page :p