OverTheWire Natas Level 23 Walkthrough

This post is a walkthrough for level 23 of Natas, which introduces a couple more PHP functions and how PHP compares values. It shows how to read the level's source code and work out the solution from it.

What is Natas?

Natas is an online hacking game meant to help you learn and practice security concepts.

OverTheWire is a website with a number of “war games”, which are online hacking games that allow you to practice security concepts. If you are looking for a beginner introduction to web security (albeit an older tech stack), then Natas is a great place to start.

Natas is hosted on different subdomains following the pattern of http://natas<level#>.natas.labs.overthewire.org. As you progress through the levels, you’ll need to increment the level number in the URL in order to view the correct level.

Each level requires the levels below it to be solved, so you will need the level 23 flag found in level 22 to begin this walkthrough. As before, make sure you keep notes and write down the passwords as you find them!

Level 23 ➔ 24

If we visit the homepage for level 23 (with username natas and password D0vlad33nQF0Hz2EP255TP5wSW9ZsRSE from the previous level), we see this:

We’re asked to provide a password. Let’s look at the source code for more information:

The webpage will show us the password if two conditions are met. First, the request needs to include a passwd key. That’s easy enough.

if(array_key_exists("passwd",$_REQUEST)){

Second, this comparison needs to evaluate to true.

if(strstr($_REQUEST["passwd"],"iloveyou") && ($_REQUEST["passwd"] > 10 )){

The PHP function strstr searches for the first occurrence of a string and returns the part of the string starting from, and including, the first occurrence of the “needle” value (in our case, iloveyou). If the needle is not present, it returns false.

If you aren’t familiar with PHP, we can test this out in a REPL shell. Open up your terminal of choice and type php -a. You can also use an online sandbox such as this one.

First, let’s check the strstr() comparison:

As you can see, anything that includes “iloveyou” in the first argument (which is our input) makes strstr return a non-empty string, which PHP treats as true; anything without it returns false.

Next, we can test out the other part of the conditional. I originally thought this was a string length comparison but there’s more to it than that. Because a string is being compared with an integer, PHP (version 7 and earlier) converts the string to a number using its leading digits, so 100iloveyou is treated as 100 and a string with no leading digits is treated as 0. Any value that starts with a number higher than 10 will therefore result in a true output.
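To see both conditions side by side, here is an added example (not code from the Natas source or the original post) that reproduces the level's check as a function, runs a few constructed inputs through it, and shows a strict rewrite that does not depend on loose comparison; the strict version assumes the intended rule was “contains the phrase and is longer than 10 characters”.

```php
<?php
// Added example, not part of the Natas source or the original post.

// The level's check, as described in the post.
function looseCheck(string $passwd): bool
{
    // strstr() returns the substring from "iloveyou" onward (truthy), or false.
    // "$passwd > 10" compares a string with an int, so PHP 7 converts the
    // string using its leading digits ("100iloveyou" -> 100, "iloveyou100" -> 0).
    return strstr($passwd, "iloveyou") && ($passwd > 10);
}

// Strict version: compare like with like, so no type juggling is involved.
// Intent assumed here: contains the phrase AND is longer than 10 characters.
function strictCheck(string $passwd): bool
{
    return strpos($passwd, "iloveyou") !== false && strlen($passwd) > 10;
}

// Constructed inputs and what looseCheck() does with them on PHP 7.
// Note: PHP 8 compares a non-numeric string with an int as two strings
// ("iloveyou100" > "10" is true), so on PHP 8 every input below that
// contains the phrase passes the loose check.
$inputs = [
    "iloveyou",      // strstr truthy, "iloveyou" > 10 -> 0 > 10 -> false
    "9iloveyou",     // 9 > 10 -> false
    "100iloveyou",   // 100 > 10 -> true (the password used in the post)
    "iloveyou100",   // 0 > 10 -> false on PHP 7, even though it is 11 chars long
    "hello",         // strstr false -> false
];

foreach ($inputs as $in) {
    printf(
        "%-12s strstr=%-14s gt10=%-5s loose=%-5s strict=%s\n",
        $in,
        var_export(strstr($in, "iloveyou"), true),
        var_export($in > 10, true),
        var_export(looseCheck($in), true),
        var_export(strictCheck($in), true)
    );
}
```

Running it under php shows that looseCheck() and strictCheck() disagree on iloveyou100, which is exactly the kind of gap loose comparison opens.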

Natas Level 23 Solution

Given what we’ve just learned, we know that our password needs to 1) start with a number greater than 10 and 2) include “iloveyou”.

I chose the password 100iloveyou:

And there’s our flag!

Takeaway: if you aren’t sure how a particular function works, read the documentation and test it out. The more you know about programming in a language, the more successful you will be in security regarding that language.