Today we’re going to start looking at a new wargame. This game is hosted on OverTheWire.org and is called Natas. It is a web-based game and will be different than the shell based games we’ve looked at so far. So, without further adieu, let’s get started.
Level 0
To start, let’s follow the instructions on the Natas webpage, and point our browser to the level0 URL, http://natas0.natas.labs.overthewire.org, and login with the username/password natas0/natas0. Upon logging in we get a message saying the password for the next level is on this page! Well, since we know that the web browser formats what the web server sent us, let’s simply view source so we can see most of what was sent, without formatting. Upon viewing the source we see an HTML comment with the password of the next level in it. Tada!
Level 1
Let’s login to the level1 page, http://natas1.natas.labs.overthewire.org/, with the password we got from level0. Once there we see a message saying the password is on the page, but we can’t right click! That doesn’t make the source safe! There are many options to view the source without right clicking. In Chrome you can go to Menu -> Tools -> View Source (shortcut Ctrl+u), Firefox is similar. One could also make a telnet/netcat connection to the server and request the HTML files themselves, and skip the browser! Any approach works, and once we are viewing the source, we again see the password to the next level.
So What?
These levels are a reminder that anything in an HTML file will be sent to the user that requested the file from the server. Thus, don’t put anything secretive within an HTML file, even if it’s a comment! HTML is formatted by the user’s browser, not the webserver, so all comments will also be sent to users.