Cyber Security: An Offensive Mindset - Natas

Link to full Summer Studio 2019

Natas

Setting up a secure, free throwaway email account is a great way to direct all cyber-related project sign-ups to one place. I used ProtonMail and was able to set it up within a couple of minutes, excluding the 10 minutes spent trying to think of a username that wasn't taken.

Introduction

Natas is a great way to learn the basics of web application security.

NATAS0

Viewing the page source reveals how the site is generated. As a hacker we can look through the code and identify any instances of human error, such as deploying a website with credentials left in the code or using a default account name and password.

By viewing the page source, I identified the username and password from a comment left in the code.

Username: natas1 Password: gtVrDuiDfck831PqWsLEZy5gyDz1clto

NATAS1

The same method can be repeated for this level.

Username: natas2 Password: ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi

NATAS2

It is not so simple now: the credential is no longer in plain text. However, there is a suspicious 'img' tag referencing a file 'pixel.png'. The file literally contains a single pixel, but maybe there is other stuff in the 'files' folder.

By changing the address from
https://natas2.natas.labs.overthewire.org/files/pixel.png
to
https://natas2.natas.labs.overthewire.org/files/
the server reveals a directory listing of other files. After browsing through the list there is a suspicious file called 'users.txt'. Clicking on the link shows a list of credentials including the flag.
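The two mistakes NATAS0 to NATAS2 rely on, a secret left in an HTML comment and a web root that serves directory listings, are easy to check for before a site goes live. The following audit helpers are an added example (not part of the Natas material or this write-up); the two sample pages are constructed, and the credential in them is made up.

```python
"""Pre-deployment checks for secrets in HTML comments and for directory listings.

Added example, not part of OverTheWire Natas. The sample pages are constructed
and the credential inside them is a placeholder, not a real password.
"""
import re
from html.parser import HTMLParser

# Words that, inside an HTML comment, usually mean a secret was left behind.
SECRET_WORDS = re.compile(
    r"\b(password|passwd|pwd|secret|api[_-]?key|token)\b", re.IGNORECASE
)


class CommentCollector(HTMLParser):
    """Collect every HTML comment so the audit can inspect it."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def find_secrets_in_comments(html):
    """Return the comments that look like they contain credentials."""
    parser = CommentCollector()
    parser.feed(html)
    return [c for c in parser.comments if SECRET_WORDS.search(c)]


def is_directory_listing(html):
    """Heuristic: autoindex pages from Apache and nginx title themselves 'Index of /...'."""
    return re.search(r"<title>\s*Index of\s+/[^<]*</title>", html, re.IGNORECASE) is not None


def listed_files(html):
    """Return the file links on an autoindex page, skipping sort and parent links."""
    if not is_directory_listing(html):
        return []
    hrefs = re.findall(r'href="([^"]+)"', html)
    return [h for h in hrefs if not h.startswith("?") and h not in ("/", "../")]


# Constructed sample: a login page with a leftover developer comment (NATAS0 style).
SAMPLE_LOGIN_PAGE = """<html><head><title>Level 0</title></head><body>
<h1>natas0</h1>
<!-- TODO remove before deploy: the password for natas1 is EXAMPLE-NOT-REAL -->
<p>Welcome</p>
<!-- layout fixed 2019-01-01 -->
</body></html>"""

# Constructed sample: what /files/ returns when autoindex is on (NATAS2 style).
SAMPLE_INDEX_PAGE = """<html><head><title>Index of /files</title></head><body>
<h1>Index of /files</h1>
<a href="?C=N;O=D">Name</a>
<a href="/">Parent Directory</a>
<a href="pixel.png">pixel.png</a>
<a href="users.txt">users.txt</a>
</body></html>"""

if __name__ == "__main__":
    for comment in find_secrets_in_comments(SAMPLE_LOGIN_PAGE):
        print("secret-looking comment:", comment)
    if is_directory_listing(SAMPLE_INDEX_PAGE):
        print("directory listing exposed:", listed_files(SAMPLE_INDEX_PAGE))
```

Run against real responses, the same functions can be fed the body of each page a crawler fetches; a hit on either check means a comment to delete or `Options -Indexes` (Apache) / `autoindex off` (nginx) to set before the site is reachable.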

Username: natas3

NATAS3

Now it starts becoming more difficult. Nothing is left behind.

It took me a while to figure out what the comment referred to. After googling, it is apparently a joke to leave robots.txt behind, since the Google search engine is a robot that scans your website.

Putting ../robots.txt in the address lets us view the text file and its secret: it points to a directory called ../s3cr3t/. Again we found a users.txt and the flag.
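The lesson of NATAS3 is that robots.txt is a public file: a Disallow line asks well-behaved crawlers to stay away but advertises the path to everyone else, so it is not access control. The small checker below is an added example (not part of the Natas material); the robots.txt it parses is constructed, modelled on the level's /s3cr3t/ directory, and the list of "sensitive-looking" path words is an assumption a team would tune to its own site.

```python
"""Flag robots.txt Disallow entries that advertise private paths.

Added example, not part of OverTheWire Natas. SAMPLE_ROBOTS is constructed
and SENSITIVE_PATH is an assumed word list, not a standard.
"""
import re

# Assumed word list: directory names that usually mean "not meant for the public",
# including leetspeak spellings such as s3cr3t.
SENSITIVE_PATH = re.compile(
    r"(s[3e]cr[3e]t|admin|backup|private|hidden|internal)", re.IGNORECASE
)


def disallowed_paths(robots_txt):
    """Return every Disallow value in a robots.txt, in file order."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() == "disallow" and value:
            paths.append(value)
    return paths


def sensitive_disallows(robots_txt):
    """Return the Disallow entries that name a private-looking directory.

    Each hit is a path that should be protected server-side (authentication,
    or not deployed at all) rather than merely hidden from crawlers.
    """
    return [p for p in disallowed_paths(robots_txt) if SENSITIVE_PATH.search(p)]


# Constructed sample in the style of the NATAS3 file.
SAMPLE_ROBOTS = """User-agent: *
# keep crawlers out of the secret area
Disallow: /s3cr3t/
Disallow: /images/
"""

if __name__ == "__main__":
    for path in sensitive_disallows(SAMPLE_ROBOTS):
        print("robots.txt advertises a private-looking path:", path)
```

An entry such as /images/ is harmless to list; an entry such as /s3cr3t/ should prompt the question of what protects that directory once a reader ignores robots.txt, which is exactly what the level answers.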

NATAS4

I got stuck on this part because I had to relearn how to use Burp Suite to catch the request sent by the refresh function in NATAS4.

In theory, using Burp Suite we can intercept the request sent by the browser before it reaches the server. By intercepting the request we can read every piece of data in it and reveal anything that might help us. This might take the form of exposed credentials or a hashed password. Using a hash identifier to work out what type of hash it is, or brute-force analysis with a tool like CyberChef, we can find the flag.
