11/20/2023

Grep tutorial natas

This time there is no information to be found on the web page in the inspect element pane, but there is a slight clue… For some reason they are telling us that “Not even Google will find it this time…” so I went ahead and confronted Google about this problem.

I append /files to the end of my URL and lo and behold there is a file named “users.txt” that contains the password for the next level. Here we see that the source of the image is located in a directory on the server named “/files/” which should not be viewable by us. The problem here is that they are exposing the names of the directories, as shown below. However, upon searching in the inspect element pane once again I discovered a little piece of information that helped me find the password. Okay, so now things are not quite as obvious.

The way I got around this was to log back into the first level and open up the inspect element pane, then log into this level leaving the inspect element pane open; this way we never have to right-click again because it is already open. This time we are prompted with a message saying “You can find the password for the next level on this page, but rightclicking has been blocked!” meaning that we cannot inspect the elements of this page.

After typing “password” in the inspect element search bar the password was right where I expected it to be. For this level things are pretty straightforward. Upon logging onto the first level, we have a hint that “You can find the password for the next level on this page.” which tells me we can find the password by simply inspecting the elements of the webpage.

To get started we will view the instructions here. Both of these tools come loaded in Kali Linux, but here are the links if you want to download OWASP-ZAP or Burp Suite on a different O.S.

I will be using Burp Suite and Firefox here for some of the levels since I am already very familiar with OWASP-ZAP, and I want to expand on the tools in my pentest toolbox.

For the purposes of this wargame, it is best to have some sort of tool like OWASP-ZAP or Burp Suite. The Natas wargame teaches the basics of server-side web security, and in this particular wargame we will not be making use of ssh and a terminal, but rather using our browsers to exploit the front-end and back-end of different web servers.
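
A defender-side check for the exposure described in the post (page markup that reveals a “/files/” directory which also holds “users.txt”), as an added example that is not part of the original post. It assumes the server lists directories that have no index file; the names `RefCollector`, `audit`, `demo`, `INDEX_NAMES` and the image name `pixel.png` are hypothetical, and the web root is constructed in a temporary directory.

```python
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

INDEX_NAMES = {"index.html", "index.htm", "index.php"}  # assumed index file names

class RefCollector(HTMLParser):
    """Collect local src/href targets, grouped by the directory they reveal."""
    def __init__(self):
        super().__init__()
        self.by_dir = {}

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            url = urlparse(value or "")
            if name not in ("src", "href") or url.scheme or url.netloc:
                continue  # not a link, or an external resource
            path = os.path.normpath(url.path.lstrip("/"))
            directory, filename = os.path.split(path)
            if directory and not directory.startswith(".."):
                self.by_dir.setdefault(directory, set()).add(filename)

def audit(webroot, html):
    """Return {directory: [unlinked files]} for revealed dirs lacking an index file."""
    collector = RefCollector()
    collector.feed(html)
    findings = {}
    for directory, linked in collector.by_dir.items():
        full = os.path.join(webroot, directory)
        if not os.path.isdir(full):
            continue
        entries = set(os.listdir(full))
        if entries & INDEX_NAMES:
            continue  # an index file is served in place of a listing
        hidden = sorted(e for e in entries - linked
                        if os.path.isfile(os.path.join(full, e)))
        if hidden:
            findings[directory] = hidden
    return findings

def demo():
    """Audit a constructed web root shaped like the level in the post."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "files"))
        for name in ("pixel.png", "users.txt"):  # pixel.png is a made-up name
            open(os.path.join(root, "files", name), "w").close()
        return audit(root, '<img src="files/pixel.png">')
```

Each finding is a file that the page never links to but that sits in a directory the page gives away; moving such files out of the web root or disabling directory listing clears the finding.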