Over the wire - Natas8
It goes like this:
URL=http://natas8.natas.labs.overthewire.org
curl --user natas8:$(cat natas8 ) $URL
We get a form & index-source.html. Let’s check what’s up with the index-source.html:
curl --user natas8:$(cat natas8 ) $URL"/index-source.html" > index-source.html
I opened the file in neovim and all I got was a mess with a bunch of &nbsp; entities (white spaces) and &lt; and &gt; entities (the < and > signs).
# Replace all &nbsp; with a space
:%s/&nbsp;/ /g
# Replace all <br /> with a \r - carriage return -> newline
:%s/<br \/>/\r/g
The exercise for the reader is to do the same for the &lt; and &gt; signs.
<code><span style="color: #000000">
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas8", "pass": "<censored>" };</script></head>
<body>
<h1>natas8</h1>
<div id="content">
<span style="color: #0000BB"><?
$encodedSecret </span><span style="color: #007700">= </span><span style="color: #DD0000">"3d3d516343746d4d6d6c315669563362"</span><span style="color: #007700">;
function </span><span style="color: #0000BB">encodeSecret</span><span style="color: #007700">(</span><span style="color: #0000BB">$secret</span><span style="color: #007700">) {
return </span><span style="color: #0000BB">bin2hex</span><span style="color: #007700">(</span><span style="color: #0000BB">strrev</span><span style="color: #007700">(</span><span style="color: #0000BB">base64_encode</span><span style="color: #007700">(</span><span style="color: #0000BB">$secret</span><span style="color: #007700">)));
}
if(</span><span style="color: #0000BB">array_key_exists</span><span style="color: #007700">(</span><span style="color: #DD0000">"submit"</span><span style="color: #007700">, </span><span style="color: #0000BB">$_POST</span><span style="color: #007700">)) {
if(</span><span style="color: #0000BB">encodeSecret</span><span style="color: #007700">(</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'secret'</span><span style="color: #007700">]) == </span><span style="color: #0000BB">$encodedSecret</span><span style="color: #007700">) {
print </span><span style="color: #DD0000">"Access granted. The password for natas9 is <censored>"</span><span style="color: #007700">;
} else {
print </span><span style="color: #DD0000">"Wrong secret"</span><span style="color: #007700">;
}
}
</span><span style="color: #0000BB">?>
</span>
<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>
<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>
</span>
</code>
This is just readable enough to see what I need to do.
There’s a secret:
$encodedSecret = "3d3d516343746d4d6d6c315669563362"
The function that encoded this secret did three things (listed here from the outermost call inwards, so base64 was applied first and bin2hex last):
- bin2hex - convert binary to hex
- strrev - reverse the string
- base64_encode - encode it in base64
So I do the reverse:
echo "3d3d516343746d4d6d6c315669563362" | xxd -r -p | rev | base64 -d
I pass the secret to the form (and keep the streak of not using a web browser for this challenge):

curl --user natas8:$(cat natas8 ) $URL -X POST -d "secret=oubWYf2kBq&submit=Submit+Query" | grep "natas9 is" | sed "s/.*is //" > natas9
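The encoding and its inverse in Python, next to a salted-hash check that has no inverse, as an added example that is not part of the original post or the Natas source. `make_verifier` and `check_secret` are hypothetical names, and PBKDF2-SHA256 with 600,000 rounds is an assumed choice for the hardened variant.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Value copied from index-source.html on this page.
ENCODED_SECRET = "3d3d516343746d4d6d6c315669563362"
PBKDF2_ROUNDS = 600_000  # assumed work factor for the hardened variant


def encode_secret(secret: str) -> str:
    """Port of the level's encodeSecret(): bin2hex(strrev(base64_encode($secret)))."""
    b64 = base64.b64encode(secret.encode())
    return binascii.hexlify(b64[::-1]).decode()


def decode_secret(encoded: str) -> str:
    """Undo the steps in the opposite order: unhex, reverse, base64-decode."""
    reversed_b64 = binascii.unhexlify(encoded)
    return base64.b64decode(reversed_b64[::-1], validate=True).decode()


def make_verifier(secret: str, salt: bytes = b"") -> tuple:
    """Hardened storage (hypothetical): keep only a salt and a slow one-way digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_secret(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest for the submitted value and compare in constant time."""
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(attempt, digest)


if __name__ == "__main__":
    # No key is involved, so anyone who can read the source can invert the encoding.
    recovered = decode_secret(ENCODED_SECRET)
    assert encode_secret(recovered) == ENCODED_SECRET
    print("round trip through encode_secret/decode_secret succeeded")

    # With a salted KDF, a leaked (salt, digest) pair has no decode_secret() equivalent:
    # each guess costs a full KDF run. The secret below is a constructed sample.
    salt, digest = make_verifier("constructed-sample-secret")
    print(check_secret("constructed-sample-secret", salt, digest))
    print(check_secret("wrong-guess", salt, digest))
```
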
2026-03-09 18:37 (Last updated: 2026-03-09 18:37)