
OverTheWire: Natas Level 5 – #appsec #webapp #websecurity #wargames

Another day, another challenge…

In today’s blog post, we’re going to solve level 5 from the Natas wargame challenge.

Let’s begin.

Going to the following link and entering the username “natas5” and the password “iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq”, we see the following:

Natas5_WarGame_1

After pressing “OK” we see:

Natas5_WarGame_5

Hmm… we see that we’re not logged in and access is disallowed.

Using Tamper Data, let’s see if the request headers show us a way to bypass the login feature.

Opening the Tamper Data application and refreshing the website we see:

Natas5_WarGame_2

Hmm… inside the Cookie header there is a loggedin value that is currently set to 0. The server appears to decide whether we are logged in based on a value the client controls. What if we change it to 1?

Changing loggedin to 1 and pressing Enter, we see:

Natas5_WarGame_4

Natas5_WarGame_3

We received the flag!
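The root cause of this level is that the server trusts a `loggedin` flag stored in the client's cookie. As an added example (not from the original post and not the Natas challenge's own PHP source), the following Python reproduces that check next to a hardened version that only accepts a server-signed value; the secret key, cookie strings and helper names are constructed for the demo. In a real application a server-side session store is the usual fix; the HMAC version is shown because it makes the rejection of a tampered `loggedin=1` visible.

```python
import hmac
import hashlib
from http.cookies import SimpleCookie

# Constructed demo secret; a real server keeps this out of the client's reach.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"


def parse_cookie_header(header: str) -> dict:
    """Turn a raw 'Cookie:' header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def vulnerable_is_logged_in(cookie_header: str) -> bool:
    """Natas5-style check: believes whatever the client sent for loggedin."""
    return parse_cookie_header(cookie_header).get("loggedin") == "1"


def sign_cookie_value(value: str) -> str:
    """Server-side: bind a value to an HMAC so the client cannot edit it."""
    mac = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def hardened_is_logged_in(cookie_header: str) -> bool:
    """Accept loggedin only if its HMAC verifies and the signed value is '1'."""
    raw = parse_cookie_header(cookie_header).get("loggedin")
    if raw is None or "." not in raw:
        return False  # missing or unsigned, e.g. a hand-edited 'loggedin=1'
    value, _, mac = raw.rpartition(".")
    expected = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False  # value was altered after the server issued it
    return value == "1"


if __name__ == "__main__":
    # Constructed cookies mirroring the walkthrough: 0 as issued, then edited to 1.
    print(vulnerable_is_logged_in("loggedin=0"))            # False
    print(vulnerable_is_logged_in("loggedin=1"))            # True: the bypass
    issued = sign_cookie_value("0")
    tampered = "1" + issued[1:]                             # flip the flag, keep the MAC
    print(hardened_is_logged_in(f"loggedin={tampered}"))    # False: MAC no longer matches
    print(hardened_is_logged_in(f"loggedin={sign_cookie_value('1')}"))  # True: server-issued
```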