Natas - Natas0 through Natas4

An introduction to the Natas challenges, my format for my walkthroughs, and the solutions to the first 4 challenges!

In my last post talking about useful cloud- and web-app pentest resources, I mentioned Natas. It's from the same folks that brought you solid pedagogy for learning the Linux CLI. In an effort to blog more, I'm going to be posting some of my walkthroughs. As much as it's been ingrained to document hacking activities thanks to PWK/OSCP, I figured they'd be more useful as blog posts.

Natas Overview

Visit the natas website and read the introduction to get an understanding of the challenges. A main takeaway is that there's no SSH login; each website is located at http://natasX.natas.labs.overthewire.org, where X is the starting level number. Additionally, all passwords are stored in /etc/natas_webpass/, which is presumably going to be useful for any LFI (local file inclusion) challenges. Also, each website uses Basic Authentication to control access to the page.

Walkthrough Overview

I'll follow the syntax of the side menu on the natas home page when describing the walkthrough - Level X --> Level X+1 with the writeups. You'll need the credentials from Level X to visit the site of the same number/level (natasX), logging in with the username natasX. Some levels are rather straightforward, and a few even have a common theme, which I'll include in a single post if it can be shared concisely. I'll also be sure to use Natas-specific tags on the article for easy reference. Also, unless otherwise specified, I'm using Firefox as the primary browser, and a Linux machine as the primary OS.

Natas0 --> Natas1

Website: http://natas0.natas.labs.overthewire.org/; Access Credentials: natas0:natas0

Visit the website, and after authenticating, the website indicates "You can find the password for the next level on this page." Right click on the website inside your browser and select View Source. On line 16 note the password:

<!--The password for natas1 is g9D9cREhslqBKtcA2uocGHPfMZVzeFK6 -->

Natas1 --> Natas2

Website: http://natas1.natas.labs.overthewire.org/; Access Credentials: natas1:g9D9cREhslqBKtcA2uocGHPfMZVzeFK6

This page specifies that "right-clicking has been blocked", which is about half true. Any of the following gets you to the source:

  1. Attempt to right click anywhere on the page outside of the white box, and click View Source.
  2. Open developer tools by clicking the hamburger button in the upper right hand corner of the Firefox browser, then select More Tools --> Web Developer Tools (shortcut: CTRL + SHIFT + I).
  3. Try force refreshing the page (CTRL+SHIFT+R). While the page is reloading it will turn white; quickly right click and select View Source.
  4. Bypass the JavaScript and use the CLI to pull the web page via curl! Be sure to use the -u flag and pass in the credentials:
     curl -u 'natas1:g9D9cREhslqBKtcA2uocGHPfMZVzeFK6' http://natas1.natas.labs.overthewire.org

The source code again displays the password, this time on line 17:

<!--The password for natas2 is h4ubbcXrWqsTo7GGnnUMLppXbOogfBZ7 -->

Website Functionality

If you right-clicked inside the white box, you saw an alert message pop up. Line 11 of the source code shows where it comes from: an oncontextmenu handler on the <body> element that shows the alert and returns false, which suppresses the context menu. Reading the developer documentation, you can find out that oncontextmenu is most commonly triggered by right clicking.

<body oncontextmenu="javascript:alert('right clicking has been blocked!');return false;">
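The handler only changes what the browser UI does; the server still sends the full markup, comments included, to every client. As an added example (not part of the original walkthrough), here is a small pre-deployment check a site owner could run over rendered pages to catch both issues seen in Natas0 and Natas1. The sample page is constructed with a placeholder password, and the keyword list is a hypothetical starting point.

```python
from html.parser import HTMLParser
import re

# Constructed sample modelled on the Natas1 page described above;
# the real password is replaced with a placeholder.
SAMPLE_PAGE = """<html>
<head><title>natas1</title></head>
<body oncontextmenu="javascript:alert('right clicking has been blocked!');return false;">
<h1>natas1</h1>
<div id="content">
You can find the password for the next level on this page.
<!--The password for natas2 is EXAMPLE-PLACEHOLDER -->
</div>
</body>
</html>"""

# Hypothetical keyword list; tune it for your own code base.
SENSITIVE = re.compile(r"password|passwd|secret|token|api[_-]?key", re.I)


class SourceAudit(HTMLParser):
    """Records what any client receives, regardless of in-page JavaScript."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, line number, detail)

    def handle_comment(self, data):
        # HTML comments are delivered verbatim to every client.
        if SENSITIVE.search(data):
            self.findings.append(("sensitive-comment", self.getpos()[0], data.strip()))

    def handle_starttag(self, tag, attrs):
        # oncontextmenu hides a menu; it does not restrict access to the source.
        for name, _value in attrs:
            if name == "oncontextmenu":
                detail = f"<{tag}> suppresses the context menu only"
                self.findings.append(("cosmetic-control", self.getpos()[0], detail))


def audit(html):
    """Return findings in document order for one HTML response body."""
    parser = SourceAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, line, detail in audit(SAMPLE_PAGE):
        print(f"line {line}: {kind}: {detail}")
```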

Natas2 --> Natas3

Website: http://natas2.natas.labs.overthewire.org/; Access Credentials: natas2:h4ubbcXrWqsTo7GGnnUMLppXbOogfBZ7

Inspect the source code again. Within the <body> of the page source, line 15 references an image located at src="files/pixel.png". Navigate to the directory that holds it, http://natas2.natas.labs.overthewire.org/files/. It's a directory listing, which shows two files: the aforementioned picture, and a users.txt file, which includes our natas3 user: natas3:G6ctbMJ5Nb4cbFwhpMPSvxGHhQ7I6W8Q

Natas3 --> Natas4

Website: http://natas3.natas.labs.overthewire.org/; Access Credentials: natas3:G6ctbMJ5Nb4cbFwhpMPSvxGHhQ7I6W8Q

In reviewing the source code, there is a comment mentioning "Not even Google will find it this time...". This is a nod to the robots.txt file, a common file on websites that tells search engine crawlers which URIs they can, and more importantly cannot, crawl. The website's /robots.txt file indicates a directory located at /s3cr3t/. Much like the last challenge, there is a users.txt file within this directory, with the credentials: natas4:tKOcJIbzM4lTs8hbCmzn5Zr4434fGZQm.
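Natas2 and Natas3 combine two misconfigurations: robots.txt is publicly readable and only advisory, and a directory with auto-indexing enabled lists every file in it. The following added example (not from the original post) is a site-owner audit that cross-checks the two, run here over constructed responses; the function names and the Apache-style "Index of" heuristic are assumptions of this sketch.

```python
import re

# Constructed responses modelled on what the post describes for Natas3.
ROBOTS_TXT = """User-agent: *
Disallow: /s3cr3t/
"""

S3CR3T_INDEX = """<html><head><title>Index of /s3cr3t</title></head>
<body><h1>Index of /s3cr3t</h1>
<a href="?C=N;O=D">Name</a>
<a href="/">Parent Directory</a>
<a href="users.txt">users.txt</a>
</body></html>"""


def disallowed_paths(robots_txt):
    """Return every path named in a Disallow line, with comments stripped."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        field, _, value = line.partition(":")
        if field.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def listing_entries(html):
    """If the body looks like a server-generated index, return the file names."""
    if not re.search(r"<title>\s*Index of /", html, re.I):
        return []
    hrefs = re.findall(r'href="([^"]+)"', html)
    # Drop column-sort links and the parent-directory link.
    return [h for h in hrefs if not h.startswith(("?", "/", ".."))]


def audit_exposure(robots_txt, pages):
    """pages maps path -> response body fetched for each path robots.txt names."""
    report = []
    for path in disallowed_paths(robots_txt):
        entries = listing_entries(pages.get(path, ""))
        status = "listing enabled" if entries else "no listing"
        report.append((path, status, entries))
    return report


if __name__ == "__main__":
    for path, status, entries in audit_exposure(ROBOTS_TXT, {"/s3cr3t/": S3CR3T_INDEX}):
        print(f"{path}: named in robots.txt, {status}, files: {entries}")
```

Any path reported as "listing enabled" needs real access control or auto-indexing turned off; leaving it in robots.txt only advertises it.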

Summary

That wraps up the first 4 Natas challenges! We'll cover more in upcoming posts. Hopefully these got you comfortable exploring source code within web pages. If you found it too easy, then good! Things will get more tricky as we'll need to start leveraging a proxy and even write some code in future challenges. Stay tuned!

Alternative Solutions

Additionally, there is going to be more than one method to solve these challenges. I'll try to cover the alternatives. However, for the sake of brevity, I'll likely only cover one or two per challenge. Below are a few methods for the challenges completed. Keep these in mind for future challenges too!

  • curl - mentioned in the Natas1 challenge already, but rather than using a browser, use the CLI to pull the source code. Applicable Challenges: Natas0, Natas1, Natas2
  • Directory/File Brute Forcing - Using a tool like ffuf (personal favorite), combined with something like seclists, or a generic wordlist to help find directories or files. Directory and file scanning is a common method for enumerating a website, which we'll certainly cover in future posts. Applicable Challenges: Natas2, Natas3