Introduction
This will be a series of walkthroughs for the OverTheWire wargame Natas. This wargame aims to teach server-side web security.
(If you are new to OverTheWire wargames and Linux, check out my Bandit Walkthrough.)
Each level requires visiting a website at http://natasX.natas.labs.overthewire.org and entering a username and password pair. For example, this level’s URL is http://natas0.natas.labs.overthewire.org, the username is natas0 and the password is also natas0.
The task is always to obtain the password for the next level. No additional information or hints are given on the information website; the level’s website, however, might contain hints.
Theory
Each website is rendered by the web browser based on the code (HTML, CSS, JS) it requests from the server. It is possible to look at this source code. There are multiple ways to do this:
- Using a command line tool for web requests (such as curl or wget)
- Right-clicking and selecting ‘View Page Source’ (only HTML)
- Opening the inspector of the developer tools of your chosen browser (often done with F12)
The Hypertext Markup Language (HTML) is the bones of every website. It contains the content and structure of a website. The basics of HTML are easy to learn, and I would recommend that you do so for this wargame (check out W3Schools for a quick tutorial/overview). While HTML is not a programming language, it does have a comment tag. The contents of this tag are not rendered by the browser, so users who do not look at the source code will not see them. The comment is still sent to every client as part of the page, though, so anything written in it is readable by anyone who does look.
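To make the point about comments concrete, here is an added example (not part of the original walkthrough) that lists every HTML comment in a page source and flags the ones that look sensitive, the kind of check you could run over your own templates before publishing. The sample page, the placeholder password and the keyword list are constructed assumptions, not the real Natas response.

```python
from html.parser import HTMLParser
import re

# Constructed sample page (not the real Natas response); the secret is a placeholder.
SAMPLE_HTML = """<html>
<head><!-- build: constructed-sample --></head>
<body>
<h1>natas0</h1>
<div id="content">
You can find the password for the next level on this page.
<!--The password for natas1 is PLACEHOLDER_PASSWORD -->
</div>
</body>
</html>"""

# Words suggesting a comment carries something sensitive (assumed list, extend as needed).
SENSITIVE = re.compile(r"password|passwd|secret|token|api[_-]?key|todo", re.I)


class CommentCollector(HTMLParser):
    """Collects every <!-- ... --> comment together with its line number."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        line, _col = self.getpos()
        self.comments.append((line, data.strip()))


def find_comments(html):
    """Return [(line, text), ...] for all comments in the given HTML source."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def flag_sensitive(comments):
    """Keep only the comments whose text matches a sensitive keyword."""
    return [(line, text) for line, text in comments if SENSITIVE.search(text)]


if __name__ == "__main__":
    for line, text in flag_sensitive(find_comments(SAMPLE_HTML)):
        print(f"line {line}: {text}")
```

The browser renders neither comment, but both are present in the response body, which is why the parser finds them.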
Solution
Look at the HTML source code of the page with your preferred method. In the source code, look for a comment tag. It will tell you the password. Here is an example of what opening the developer tools of Firefox looks like:
https://overthewire.org/wargames/natas/natas0.html
Next Level: Level 1