Natas 1,2,3 — simple web mistakes hacking

Miguel Sampaio da Veiga, published in Hacker Toolbelt, May 21, 2019

Photo by Clark Tibbs on Unsplash

OWASP ZAP is a tool designed for web app pentesting. Like Burp Suite, ZAP acts as a proxy between the browser and the server, capturing all incoming and outgoing traffic and allowing us to view, review and tamper with the requests. But unlike Burp Suite, ZAP is free and open source. In this series I’ll demonstrate how to use ZAP to obtain flags from the OverTheWire Natas wargame.

OverTheWire is a group of hackers that offers free wargames (CTFs) for learning and practising security. Their game Natas is about web site security. The objective at each level is to obtain the access key to the next level.

In these articles the focus will be on the tools rather than the hack itself: I won’t reveal the keys, but by following the instructions you will be able to obtain them.

So, first things first. If you’re using Kali, Parrot or any other security distro, ZAP comes pre-installed. If that is not the case, check your distro’s repositories or go to the ZAP homepage and download it.

Head to level 0 and let the game begin.

Natas 0 — password in comment

This one is quite easy. There is only one page, so there isn’t much else to do but view the source code:

Natas 1 — password in comment

Natas 1 is similar to the previous level, but now right-click is disabled so you can’t view the source that way. No problem: open the browser developer tools (available in browsers such as Firefox and Chrome) and search for clues.

Natas 2 — hidden folder

Natas 2 states “There is nothing on this page”. We can take a look at the source code to make sure, and there really seems to be nothing there. Or is there? Looking closely, something stands out: an image that apparently isn’t displayed on the page. Opening the picture we see that it is just a single white pixel. Take a look at its path and notice that it lives in a folder.

Navigate to ‘http://natas2.natas.labs.overthewire.org/files’ and you’ll see two files. Open users and obtain the key.

Natas 3 — another hidden folder

Log in to Natas 3 and once again there is nothing to see on the page. In the source code there’s a clue. It’s time to start using our tools.

OWASP ZAP is a proxy tool developed for pentesting web apps. Open the application and choose not to persist the session. Check for updates. Now go to your browser settings and define an HTTP proxy with address 127.0.0.1 and port 8080. Refresh the page and go back to ZAP. You’ll see the natas3 address just below Sites. Now right-click it and select Attack -> Spider:

ZAP lists robots.txt and sitemap.xml. robots.txt is a file site owners use to ask search-engine crawlers not to index certain paths; it does not actually protect anything, since anyone can read the file, so every path it lists is disclosed to every visitor. Checking its contents we find a hidden folder, ‘s3cr3t’:

There is our file with the Natas 4 password.
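The three mistakes these levels exercise (a credential left in an HTML comment, a browsable folder, and a robots.txt that advertises a path) are all easy to catch before a site goes live. The script below is an added example, not code from the original post or from ZAP; it runs the three checks offline on constructed sample pages, and the sample strings stand in for the real Natas content.

```python
import re
from html.parser import HTMLParser

# Words whose presence in an HTML comment suggests a leaked credential (Natas 0 and 1).
SECRET_WORDS = re.compile(r"(?i)\b(password|passwd|secret|token|api[_-]?key)\b")

class _CommentCollector(HTMLParser):
    """Collects every <!-- comment --> in a document."""
    def __init__(self):
        super().__init__()
        self.comments = []
    def handle_comment(self, data):
        self.comments.append(data.strip())

def comments_with_secrets(html):
    """Return HTML comments that mention credential-like words."""
    parser = _CommentCollector()
    parser.feed(html)
    return [c for c in parser.comments if SECRET_WORDS.search(c)]

def disallowed_paths(robots_txt):
    """Return the paths a robots.txt lists under Disallow (Natas 3).
    robots.txt only asks crawlers to stay away; anyone can read it, so
    every entry here is a path the site advertises to all visitors."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path:  # an empty Disallow means "allow everything"
                paths.append(path)
    return paths

def is_directory_listing(html):
    """Detect a default web-server index page for a folder (Natas 2)."""
    return re.search(r"(?is)<title>\s*Index of\s+/", html) is not None

def audit(page_html, robots_txt, folder_html):
    """Run all three checks and return the findings as a dict."""
    return {
        "secret_comments": comments_with_secrets(page_html),
        "disclosed_paths": disallowed_paths(robots_txt),
        "listing_exposed": is_directory_listing(folder_html),
    }

# Constructed samples standing in for fetched pages; not the real Natas content.
SAMPLE_PAGE = "<html><body>Welcome<!-- TODO remove: password for next level is EXAMPLE --></body></html>"
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /s3cr3t/   # staff only\nDisallow:\n"
SAMPLE_LISTING = '<html><head><title>Index of /files</title></head><body><a href="example.txt">x</a></body></html>'
```

Calling `audit(SAMPLE_PAGE, SAMPLE_ROBOTS, SAMPLE_LISTING)` reports one flagged comment, the disclosed `/s3cr3t/` path and an exposed directory listing; on a real site you would feed it the fetched page, robots.txt and folder responses instead.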

Conclusion

Save the password in a file, you’ll need it later. In the next article of the series we’ll get to work on the following levels of this wargame.
