MayADevBe Blog

A Blog about Computer Science

Natas Level 6 - OverTheWire Walkthrough

Previous Level: Level 5

Theory

PHP is a scripting language. It is widely used, so it is worth trying to understand the basics. For web development, it is usually associated with the back-end, meaning processed on server side. It can be used for different functions, such as dynamic content or form processing. It can be integrated into HTML, but the code will generally not be exposed to the regular user.

PHP in HTML is enclosed in the following tags: <? ?> or <?php ?>. Variables start with a $ sign and the content of forms sent with a POST request can be accessed with the special $_POST variable.

Another important part for this level is that it is possible to include code from other files into a file, by using include or require.

W3schools has a comprehensive tutorial for more details. I recommend you to check it out! You will encounter some more PHP in this wargame.

Solution

This time visiting the website we see an input field. We are prompted to input a secret. We can also to look at the source code through a link. The source code is a mix of HTML and PHP. We want to focus on the HTML form and the PHP:

1
2
3
4
<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>

First, the HTML form part shows what happens with our input. A POST request is used to send the input with the variable name ‘secret’. An additional ‘submit’ variable.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
<?
include "includes/secret.inc";

    if(array_key_exists("submit", $_POST)) {
        if($secret == $_POST['secret']) {
	        print "Access granted. The password for natas7 is <censored>";
	    } else {
	        print "Wrong secret";
	    }
    }
?>

The PHP part processes this information. We can see that the POST request is checked for a variable with the name ‘submit’. If the variable exists, the content or our inputted ‘secret’ variable ($_POST['secret']) is compared to a variable also called ‘secret’.

However, the code does not contain an uninitialized or initialized variable with this name. However, it does contain an ‘include’ statement. This means variables or functions are included from another file. The statement shows a relative path to the file.

Visiting the path http://natas6.natas.labs.overthewire.org/includes/secret.inc leads to a seemingly empty webpage. But since it does not show us an error, something is happening, PHP code is run, which does not include any visual output.

So we use our favourite method to look at the source code and find more PHP code:

1
2
3
<?
$secret = "XXXXXXXXXXXXXXXXXXX";
?>

We found the ‘secret’ variable and its content. Using this as input, we get the ‘Access granted’ message, with the password for the next level.


https://overthewire.org/wargames/natas/natas6.html


Share on: