Skip to content

No-solution Natas guide (OverTheWire)

Natas is a capture the flag (CTF) track that teaches web security on OverTheWire (OTW). You are presented with a webpage and your goal is to somehow get a password to the next level, another password-protected website. This involves some sort of exploit like SQL injection, XSS, or a vulnerability in the source code of the site. Not only is it a lot of fun, but it’s also a great way to learn about web security.

While it’s possible to ask for help if you get stuck, most of the time I ended up looking for a solution online. This felt like cheating and many times I realized I was very close to solving the challenge, I just needed a hint in the right direction.

This is what this page is about. Instead of posting full solutions to the challenges, I will post hints that will hopefully help you solve Natas challenges without spoiling too much of the fun.

If you’re part of the OTW team and would like any of these hints to be taken down or changed, let me know. Comments to improve them, by anyone, are also welcome.

Before you begin: don’t spoil the fun

It’s completely normal to struggle with the challenges. It’s during that struggle that you will learn the most, IMO. So, as much as possible, avoid using these hints. I’m posting them here only as a last resort, after attempting different approaches, and as a better option than getting the solutions directly.

These hints are also biased because they are based on my experience. They will hint you towards solving the challenge how I was able to solve it, but maybe there are other ways to solve them or you would just approach them differently. So, beware.

General advice

While the challenges are different, in most of them it will be helpful to:

  1. Study the source code. Most challenges provide it, including the PHP backend code.
  2. Read the docs.

Be sure you completely understand what the code is doing. Many times you will get exploit ideas during this process. The docs might also point out vulnerabilities or practices to avoid (which could be exploited).

Also, give it some time. Maybe, at first, you will have no idea what to do. Take a rest, do something else, save the challenge for later. New ideas will pop up during this time. That’s another reason to avoid using the hints directly.

Hints

Just click on the arrows and the “+” buttons to reveal the hints.

natas0

Hint 1

That's right. The password is written in the page.

Hint 2

Have you tried looking at the page's source code?

natas1

Hint 1

Once again, source code.

Hint 2

Is there any keyboard shortcut?

natas2

Hint 1

Better check the source code.

Hint 2

Is there any image on the site?

Hint 3

No, the password is not somehow encoded in the image file.

Hint 4

What's the URL of pixel.png?

Hint 5

Is there any folder in the URL path?

natas3

Hint 1

There's a reason they mention Google (search engine).

Hint 2

How does a search engine index a website?

Hint 3

Search engine crawlers.

Hint 4

Is there any part of the site a crawler won't access?

natas4

Hint 1

How does the site know where I'm visiting it from?

Hint 2

Look into HTTP GET requests.

Hint 3

Look into HTTP headers.

Hint 4

Referrer.

Hint 5

Make your own HTTP request.

natas5

Hint 1

Check the GET request.

Hint 2

Any cookies?

Hint 3

Any way to set cookies?

natas6

Hint 1

$_POST?

Hint 2

Where is variable $secret assigned a value?

Hint 3

Any external file included in the source code?

natas7

Hint 1

Check the URL.

Hint 2

Query parameters?

Hint 3

Can we access any path besides "home" and "about"?

natas8

Hint 1

Find x such that encodeSecret(x) = $encodedSecret.

Hint 2

If f(x) = y, then inverse_f(y) = x.

natas9

Hint 1

Is the input sanitized?

Hint 2

Executing several commands in one line.

natas10

Hint 1

grep man pages.

Hint 2

Can you grep more than one file?

natas11

Hint 1

Check the cookies.

Hint 2

You have the cookie that corresponds to $defaultdata...

Hint 3

Find the xor_encrypt $key.

Hint 4

Find a $key value such that the encryption and encoding of $defaultdata yields

Hint 5

the default cookie.

Hint 6

Reverse encoding and brute force?

natas12

Hint 1

Can you upload files other than .jpg?

Hint 2

Can you modify the extension of the uploaded file?

Hint 3

Could you upload a php script?

natas13

Hint 1

Is it possible to upload files with other extensions?

Hint 2

Could a jpg file contain executable code?

natas14

Hint 1

Is the query sanitized?

Hint 2

SQL injection.

natas15

Hint 1

See the users table includes a password column.

Hint 2

Is the query sanitized?

Hint 3

Is it possible to get information about an user's password?

Hint 4

Comparing a string against a pattern (SQL).

natas16

Hint 1

It's not base64 encoding...

Hint 2

What special characters aren't sanitized?

Hint 3

Subshells.

Hint 4

Using grep to answer yes/no questions.

Hint 5

If you grep a non-existent string in a file, you get an empty string.

natas17

Hint 1

The query isn't sanitized.

Hint 2

Is it possible to make queries take longer based on the query results?

Hint 3

Check SQL SLEEP function (or similar ones).

Hint 4

SQL blind injection.

natas18

Hint 1

PHP sessions.

Hint 2

Check the request cookies.

Hint 3

PHPSESSID.

Hint 4

Maybe the admin has a session id assigned.

natas19

Hint 1

Check the cookies.

Hint 2

Analyze the cookie after creating an user.

Hint 3

Is there any pattern in the cookies for different users?

Hint 4

Hex encoding?

Hint 5

Maybe there's a stored session id that corresponds to an admin.

natas20

Hint 1

PHP sessions.

Hint 2

There are custom session handlers on this challenge.

Hint 3

How are past sessions being encoded?

Hint 4

Is there any way to add new fields to a session?

Hint 5

Each field in previous sessions occupies one line...

natas21

Hint 1

21

Hint 2

Check the cookies on both sites.

Hint 3

Does the colocated site set cookies?

Hint 4

Are cookies shared between both sites?

natas22

Hint 1

URL parameters.

Hint 2

Is the page being redirected somehow?

Hint 3

Could we get the response contents before the redirection?

natas23

Hint 1

What could we infer about the password?

Hint 2

Are they checking for a unique password?

Hint 3

Type casting.

Hint 4

What happens when you cast a string to a number? (in PHP)

natas24

Hint 1

Passing different data types to request.

Hint 2

strcmp.

Hint 3

Is there any way to break strcmp?

natas25

Hint 1

Is directory traversal possible?

Hint 2

Check the log file.

Hint 3

Is is possible to open any of the log files?

Hint 4

Is it possible to set part the log file contents?

Hint 5

XSS.

natas26

Hint 1

Logger class.

Hint 2

Unserializing.

Hint 3

What happens when unserializing an object?

Hint 4

Could you create your own Logger class?

Hint 5

What part of the source Logger class is executed when an object is unserialized?

Hint 6

Where are the drawings saved? Could we save other type of files to that path?

Hint 7

XSS.

natas27

Hint 1

No need to install IE...

Hint 2

It's not about UTF-7...

Hint 3

It's not about the database encoding...

Hint 4

The SQL query is sanitized 🙁

Hint 5

Can't inject executable code with htmlentities 🙁

Hint 6

It's not about time attacks...

Hint 7

The username column is not defined as unique.

Hint 8

Is it possible to duplicate a user in the db?

Hint 9

What happens when you exceed the varchar limit?

Hint 10

Whitespaces.


This is as far as I got. I will update the hints as I solve more challenges.

Published inArticles
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments