OvertheWire Natas Wargame Solutions 0-6

The Natas series of games presents us with some challenges you might encounter while auditing serverside web-security. For the most part, they are examples of what programmers and administrators should not do. I will break up the challenges into small groups since there are 27 of them and it would be a great deal of writing. Serverside web-security is relevant to us because it is something users encounter most often. Every time you browse the web and interact with web applications, you are conversing with these protection mechanisms. Let’s take a look at the solutions to the following Natas challenges:

Natas 0->1

This one is easy enough, the password is on the page it says. View source and we can see the password in an html comment:

<!--The password for natas1 is gtVrDuiDfck831PqWsLEZy5gyDz1clto -->

Natas 1->2

The password for this one is found via the same method, except right-clicking has been blocked. It is blocked via JavaScript, so either disabling JavaScript in your browser or if you are like me and use a browser plugin like NoScript, you will be able to right-click anyway.

<!--The password for natas2 is ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi -->

Natas 2->3

Finding the password for Natas 3 requires us to explore a little more. Viewing the source, we see a couple of things: our Natas 2 pass embedded in some JavaScript and a link to a pixel image. We are not interested in the image itself, but the directory it is in. We can append /files to the end of our url and see the directory is readable. If we navigate to the users.txt file, we will see the password for Natas 3:


Natas 3->4

Viewing the source of this problem we can see an HTML comment “No more information leaks!! Not even Google will find it this time”. We can take that to mean the robots.txt file that is meant to disallow web bots from viewing certain directories within websites, if they decide to follow the rules… Navigating to /robots.txt we can see that the directory /s3cr3t/ is disallowed. Luckily for us, it is readable when navigating to it. Within you will see the users.txt file with the password for Natas 4:


Natas 4->5

Natas 4 presents us with a referral issue. It is blocking users being referred from anything other than http://natas5.natas.labs.overthewire.org/. For this we will use a Firefox browser plugin RefControl (You are using Firefox aren’t you?). Open up the RefControl options, add new site: http://natas4.natas.labs.overthewire.org/. Add a custom option with this in it: http://natas5.natas.labs.overthewire.org/. Press okay and refresh the page. We are magically presented with an access granted message and the password for Natas 5:


Natas 5->6

Now we are presented with a nondescript message ” Access disallowed. You are not logged in”. What could this really mean? If you guessed it has something to do with cookies, you were right. For problems like this, I use the awesome Firefox extension Firebug . Firebug now comes with the extension Firecookie, which allows on-the-fly viewing and editing of cookies in your browser. Install Firebug, right-click the page, and click on the cookies tab. You will see a cookie named “loggedin” for the natas5 domain. We can see it’s value is set to “0”. Let’s edit that and set it’s value to true or “1”. Do that, refresh the page, and we can now see the message “Access granted. The password for natas6”


8 thoughts on “OvertheWire Natas Wargame Solutions 0-6

  1. As an aside, instead of using plugins, I used curl on the command line, giving a –referer ‘http://…./’ argument for 4 to 5, and –cookie loggedin=1 fro 5 to 6; besides the –user natas4:… etc argument

    • Doing it old school. I like that. It’s a good point to make that a browser plugin is not necessary for this type of task. Some years ago we were all doing most things through our shell exclusively. It is probably beneficial to not become dependent on plugins. My main browser it set up for development and it’s just so easy to mess with cookies in Firebug 🙂 Great addition.

  2. another option I’ve used is just using a proxy (i’m using burp suite). just keep intercept “on” and manipulate the headers and/or cookies as well

  3. Level 6

    OK so this just has a “Secret” input box…
    It has a link to Source Code … that has a div:



    include "includes/secret.inc";

    if(array_key_exists(“submit”, $_POST)) {
    if($secret == $_POST[‘secret’]) {
    print “Access granted. The password for natas7 is “;
    } else {
    print “Wrong secret”;

    Input secret:

    View sourcecode

    In the SOURCE CODE of this Blank Page is this:

    Secret Access granted. The password for natas7 is


  4. Yes, with things like this it takes just one character to be off to be wrong.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s