Natas Level 4 – HTTP Request Forging

Let’s look at Natas Level 4 in this post.  To get started, point your browser over to the level 4 website, http://natas4.natas.labs.overthewire.org/, and log in with the password from the previous level.

What’s Going On?

Upon logging in we get a message that access is disallowed and that it will only be granted to people coming from http://natas5.natas.labs.overthewire.org/.  Well, that’s interesting: how are we supposed to come from level 5?  To answer that, we’re going to look into how HTTP requests work.

First, it should be clear enough to say that HTTP requests are generated by a client and sent to an HTTP server.  This server processes the request and sends a response back to the client.  In browsing the web, this happens through our web-browser and we are usually unaware of it.  That is, until we get messages back from the server saying things like HTTP Error 404, File Not Found.

So, how does a website know things like where a person is coming from when they are requesting a page?  Well, since HTTP is a stateless protocol, it’s supplied in the client’s HTTP request.  This attribute of the HTTP request is the “Referer” header, and is usually set by your browser when you follow a link.  Thus, since it’s supplied by the client, it is something the user can fake!  Let’s attempt to do that for this level.

Exploit

In this level we’re going to switch from using the browser to using the command line!  We’re going to make simple use of the cURL program.  This is standard on many Linux distributions and is also available for Windows.  cURL lets us request a URL via the command line, and change parts of the HTTP request through command line arguments.  Today we’ll be making use of the --user and --referer arguments.  The --user argument lets us specify the username and password to log in to the natas level 4 web page.  The --referer argument lets us specify our own URL to act as the referer of our HTTP request.  Putting it all together we should get:

curl --user natas4:PasswordForNatas4GoesHere --referer http://natas5.natas.labs.overthewire.org/ http://natas4.natas.labs.overthewire.org/

In response we should see a printout of the HTML returned for the request, and if done correctly this HTML includes the password for natas level 5!

So What?

This level is a reminder about the statelessness of HTTP and, as such, the unverified nature of HTTP request attributes.  HTTP requests are under the full control of whoever crafts them, so they are best treated as coming from a malicious request creator, not an average user.
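The point above, as an added example that is not part of the original post or of the Natas code: a gate that trusts the Referer header, like the behaviour this level describes, beside one that only accepts a value the server itself signed. The HMAC token scheme, the X-Access-Token header name, the key and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

TRUSTED_ORIGIN = "http://natas5.natas.labs.overthewire.org/"
SERVER_KEY = b"constructed-demo-key"  # constructed value; a real key never leaves the server
TOKEN_HEADER = "X-Access-Token"       # hypothetical header name for this example


def referer_gate(headers):
    """Weak gate: believes whatever the client wrote in the Referer header."""
    return headers.get("Referer") == TRUSTED_ORIGIN


def _sign(message, key):
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


def issue_token(user, now=None, ttl=300, key=SERVER_KEY):
    """Server side: mint an expiring token bound to a user (assumed scheme)."""
    expires = int(time.time() if now is None else now) + ttl
    message = f"{user}|{expires}"
    return f"{message}|{_sign(message, key)}"


def token_gate(headers, now=None, key=SERVER_KEY):
    """Hardened gate: accepts only a value the server itself signed."""
    parts = headers.get(TOKEN_HEADER, "").split("|")
    if len(parts) != 3:
        return False
    user, expires, signature = parts
    expected = _sign(f"{user}|{expires}", key)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(signature.encode(), expected.encode()):
        return False
    # The signature verified, so `expires` is the integer the server wrote.
    return int(expires) >= int(time.time() if now is None else now)


if __name__ == "__main__":
    forged = {"Referer": TRUSTED_ORIGIN}  # constructed request headers
    print("referer gate, forged header:", referer_gate(forged))
    print("token gate, forged header:  ", token_gate(forged))
    good = {TOKEN_HEADER: issue_token("natas5")}
    print("token gate, issued token:   ", token_gate(good))
```

The weak gate cannot tell a browser that really followed a link from a client that simply typed the header, while the signed token fails closed when it is missing, altered or expired.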
