# Intro to Burp Suite Community Edition #
Burp Suite Community Edition is a powerful tool that can be used to passively crawl visited sites, intercept web traffic, decode data, etc.
These features are demonstrated while solving some of the OverTheWire Natas capture-the-flag (CTF) challenges, which can be accessed at [https://overthewire.org/wargames/natas/](https://overthewire.org/wargames/natas/)
### To download Burp Suite Community Edition visit: [https://portswigger.net/burp/communitydownload](https://portswigger.net/burp/communitydownload)
***
## Opening Burp Suite ##
Begin by opening Burp Suite. Select **Temporary project** and then select **Next**. The default configuration is fine.
The first page will be the dashboard. This will list the different tasks and the events that occur on your proxy. Notice that a live passive crawl is already in effect.
Navigate to the Proxy page. Select **Open browser**. This will open a proxy browser that is linked to Burp Suite. Any action done in the Burp Suite application affects the proxy browser.
## Natas 0 ##
In your proxy browser, navigate to the natas0 lab page ([http://natas0.natas.labs.overthewire.org/](http://natas0.natas.labs.overthewire.org/)).
You'll notice that the Event log in the Dashboard page has updated. Navigate to the Target page. This page will list each website visited and any information found by the passive crawler. It will also list the request and response as well as any attributes under **Inspector**. For this CTF, the password is in the HTML returned in the response. This same process can be used to get the password for Natas1.
## Natas 2 ##
Once you've accessed the natas2 page, navigate to the Target page in Burp Suite. Click the dropdown to the left of the natas2 URL to see all of the information gathered by the crawler. You'll notice that there is a files folder. Navigating to http://natas2.natas.labs.overthewire.org/files will list the files under this directory. users.txt will have the password to the next CTF.
## Natas 3 ##
Looking in the response HTML from natas3 will give a hint that Google can't find the information (i.e. a passive crawler can't find the folder). However, the file robots.txt is typically used to ask Google not to list a specific directory. Navigating to robots.txt lists the directory with users.txt.
## Natas 4 ##
Head to the Proxy tab and turn intercept on. This will capture any request being sent to a website and allow changes before forwarding the data to the site. Refreshing the natas4 page will give us a GET request in the Intercept tab. This allows us to easily change the `Referer` header to natas5, tricking the website into thinking this request came from natas5 instead of natas4. Click **Forward** once the change is made. The natas4 web page will be updated.
## Natas 5 ##
Natas 5 is almost identical to Natas 4. The only difference is that you change the cookie from 0 to 1 using the Inspector and the intercept tool.
## Natas 6 and 7 ##
Both of these CTFs can be completed using Burp Suite without any features that have not already been introduced.
## Natas 8 ##
Start by viewing the source code and copying the encoded secret. Then navigate to the Decoder tab in Burp Suite and paste the string into the text field. Now we simply need to reverse what the source code did to the `$secret` variable. Begin by decoding the string as ASCII hex. Then reverse the resulting string (this can be done in any way you please) and paste the reversed string into the second text field. Then decode that string as Base64. You should then have the secret.

This is the final CTF that will be covered here. I strongly recommend completing the others to further develop your web penetration testing skills.
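
The Natas 8 decoding steps (ASCII hex, reverse, Base64) can also be scripted. The following is an added example, not part of the original walkthrough or the challenge source: `encode_secret` is an assumed inverse inferred from the decoding order given above, and the sample secret is constructed rather than the real challenge value.

```python
import base64
import binascii


def encode_secret(secret: str) -> str:
    """Assumed forward transform: Base64-encode, reverse, hex-encode.

    Inferred from the decoding order in the text; not copied from the
    challenge source.
    """
    b64 = base64.b64encode(secret.encode("utf-8"))
    return binascii.hexlify(b64[::-1]).decode("ascii")


def decode_secret(encoded: str) -> str:
    """Undo the transform in the same order as the Decoder tab steps."""
    # Step 1: decode as ASCII hex.
    try:
        reversed_b64 = binascii.unhexlify(encoded.strip())
    except (binascii.Error, ValueError) as exc:
        raise ValueError("input is not valid ASCII hex") from exc

    # Step 2: reverse the byte string.
    b64 = reversed_b64[::-1]

    # Step 3: decode as Base64. validate=True rejects characters outside
    # the Base64 alphabet instead of silently skipping them.
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("reversed data is not valid Base64") from exc
    return raw.decode("utf-8")


# Constructed sample value, not the real challenge secret.
SAMPLE_SECRET = "constructed-demo-secret"
SAMPLE_ENCODED = encode_secret(SAMPLE_SECRET)

if __name__ == "__main__":
    print("encoded:", SAMPLE_ENCODED)
    print("decoded:", decode_secret(SAMPLE_ENCODED))
```

Because every step is a keyless, reversible encoding, anyone who can read the source can recover the value, which is why encoding alone does not protect a secret.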
# Other Resources #
Burp Suite Documentation - [https://portswigger.net/burp/documentation](https://portswigger.net/burp/documentation)