Tuesday, October 30, 2012

OverTheWire Wargame "Natas" Level 5 [How-To/Web]

So we cracked Level 4 with some knowledge of HTTP headers and requests, and used a cool little app to help us out. Now we are on Level 5, and after logging in it presents us with a weird page:

Well wait, didn't we just log in? Why does it say we aren't?

Looks like the password didn't authenticate us correctly, OR there's something blocking our authentication even further.

Right away, I knew what to do. What is something in a browser that holds certain information, including login information? Cookies! But how am I going to check out the delicious cookies? Javascript!

Don't worry, the Javascript we'll be using is really easy to understand. I don't even know a lot of JS, but it's easy for me to do.

Below is the Javascript that we can use to view the cookies on the current "document" (webpage):
But how do we get this to run on the website? We put it into the navigation bar!

What this is doing is running a Javascript script denoted by the "javascript:" and it will pop up an "alert" window with the document cookie.

Looks like a bunch of gibberish... but wait, what's that at the end!
Well, as we know in binary, 0 is false, and 1 is true, so it's saying we're not logged in! How do we go about changing this? We use Javascript again to exploit an XSS (cross-site scripting) attack and change the value of the cookie.

The Javascript this time is:
Which means that the return type is "void" (returns nothing), and we want to set the cookie in the current document (webpage) with the value "loggedin=0". We know that value already exists in the cookie because we saw it, so it should change it from 0 (not authenticated) to 1 (authenticated).

Now hit enter and let's see what happens.
Well, nothing should really happen that you can see, because we had the return type set as "void".

What you can do now is either run the Javascript to view the cookie again, or just refresh to see:

So we see natas6:mfPYpp1UBKKsx7g4F0LaRjhKKenYAOqU.

On to Level 6.
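The level works because the server trusts a `loggedin` flag that lives in the browser. The sketch below is an added example, not code from the wargame or the original post: it puts that weak check beside a server-signed session cookie in Node.js. The function names, the `session` cookie name and the token layout are assumptions made for illustration.

```javascript
// Added example: client-trusted flag vs. server-signed session cookie.
// All names here are hypothetical; only the "loggedin" cookie comes from the post.
const nodeCrypto = require('node:crypto');

const SERVER_KEY = nodeCrypto.randomBytes(32); // secret that never leaves the server

// Parse a Cookie request header into a { name: value } object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Weak: the pattern the walkthrough defeats. The browser fully controls this value.
function isLoggedInWeak(cookieHeader) {
  return parseCookies(cookieHeader).loggedin === '1';
}

function macOf(body) {
  return nodeCrypto.createHmac('sha256', SERVER_KEY).update(body).digest();
}

// Hardened: after a real login the server issues "user.expiry.mac".
function issueSession(user, ttlSeconds, now = Date.now()) {
  const body = `${user}.${Math.floor(now / 1000) + ttlSeconds}`;
  return `${body}.${macOf(body).toString('base64url')}`;
}

// Returns the user name if the cookie is authentic and unexpired, otherwise null.
function verifySession(cookieHeader, now = Date.now()) {
  const token = parseCookies(cookieHeader).session;
  if (!token) return null;
  const cut = token.lastIndexOf('.');
  const body = token.slice(0, cut);
  const mac = Buffer.from(token.slice(cut + 1), 'base64url');
  const expected = macOf(body);
  // Constant-time comparison; any edit to user or expiry changes the expected MAC.
  if (mac.length !== expected.length || !nodeCrypto.timingSafeEqual(mac, expected)) return null;
  const dot = body.lastIndexOf('.');
  const expiresMs = Number(body.slice(dot + 1)) * 1000;
  return expiresMs > now ? body.slice(0, dot) : null;
}
```

Editing the cookie in the browser flips the weak check, while any change to the signed token fails verification because the client never sees `SERVER_KEY`.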


  1. Very good, keep it up Marshall.
    I cracked number 6 :)

    1. Thanks :] I cracked up to like 10 before I was sidetracked, I just didn't have the time to put the rest of them up sadly :[

  2. Really loved reading your blog. Interesting subject!

