About Me
Avatar
Part time CTF Player learn every day!!
🌠 I Love Hoshimachi Suisei!! 🌠
🌠 I Love Hoshimachi Suisei!! 🌠

OverTheWire Natas Level 0 → 1 tutorial!!

overthewire natas walkthrough ctf web beginner
Published on 13 Dec 2023

Login

URL: http://natas1.natas.labs.overthewire.org
Credentials: natas1:0nzCigAq7t2iALyvU9xcHlYN4MlkIwlq

homepage

💡 Tip: you can also use curl -u natas1:<password> <URL> if you prefer the terminal, but the intended solution is straight from the browser.

Task

In this level, right-click is disabled in the browser.
Your goal is still to view the HTML source — the password for natas2 is hidden in a comment.

A little bit of Theory

  • Websites can use JavaScript to intercept and block right-click, but it only affects the UI, not the actual page source.
  • Use keyboard shortcuts to open source directly:
    • Windows/Linux: Ctrl+U
    • macOS: Option+Command+U
  • As always, HTML comments (<!-- ... -->) are a common hiding spot.

Further reading:

Solution

  1. Log in with the given credentials.
  2. Ignore the right-click restriction and open the page source via shortcut.

  3. Locate the HTML comment inside the source:

    <!--The password for natas2 is TguMNxKo1DSa1tujBLuZJnDUlCcUAPlI -->

![view-source](/assets/images/natas/level-0-to-1/succes.jpg)

  1. Copy the password exactly.

  2. Proceed to Level 2 at http://natas2.natas.labs.overthewire.org using:

    • Username: natas2
    • Password: TguMNxKo1DSa1tujBLuZJnDUlCcUAPlI

Password

TguMNxKo1DSa1tujBLuZJnDUlCcUAPlI

Troubleshooting

  • Can’t open source? → Use the keyboard shortcut instead of right-click.
  • Still blocked? → Try another browser.
  • Prefer terminal? → Use curl -u natas1:<password> <URL> to fetch raw HTML.

Congrats 🎉 You just bypassed a simple JavaScript trick and revealed the hidden password for natas2!

Thanks for reading!

Until next time — Otsumachi!! 💖☄️✨

Cinema

related posts

all tags

GOT-overwrite aboutme aead ai alphanumeric-shellcode apt argc0 argon2 aslr assembly asymmetric atoi automation backbox bandit base64 bash beginner behemoth binary binary-exploitation binary-to-ascii blackarch blind blind-sqli blogging blue-team bruteforce buffer-overflow buffer-overwrite c caesar canary capabilities checksec command-injection commonmark cookie cron crypto cryptography ctf cutter cyberchef cybersecurity defenders detection dev directory-traversal dnf docs drifter ecc education elf env envp exploitation finale forensics format-string formulaone frequency frequency-analysis gcc gdb getchar gfm ghidra github-pages governance gpg guide hashing hkdf http jekyll jmpbuf kali kasiski kdf kernel keylength kramdown krypton lab ld_preload leviathan lfi lfsr linux linux-syscall llmops log-poisoning ltrace manpage markdown maze memcpy mitigations mitmproxy mlops narnia natas networking newline-injection nonce nop-sled nx object-injection obsidian openssl osint overflow overthewire package-manager pacman parrot path path-hijacking pathname php pie pkc pki pointer-trick pqc priv-esc privilege-escalation provable-security pwn pwntools pyshark python race-condition radare2 rag randomness recon red-team redirect relro requests ret2env ret2libc reverse-engineering reversing ricing roadmap rop rot13 rsa scapy security seed seo serialization session setjmp-longjmp setuid shell shellcode smoke soc sockets sprintf sql-injection srop stack-canary stack-overflow strace strcmp strcpy streamcipher strings strncpy strtoul substitution suid suisei symlink symmetric terminal test threat-intel time-based tls troubleshooting tshark type-juggling ubuntu udp utumno vigenere virtualbox virtualization vmware vortex walkthrough web windows wireshark writing wsl x86
dash theme for Jekyll by bitbrain made with