Natas - Level 7 - Braincoke

Connection information

Username: natas6
Password: aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1
URL: http://natas6.natas.labs.overthewire.org

Information given

The white box is composed of three parts: 1. The first part is an input box with the label Input secret: 2. The second is a button named Submit query 3. The last is a link View sourcecode pointing to http://natas6.natas.labs.overthewire.org/index-source.html

Getting the password

Now if we just click on submit query, the page is refreshed and a message saying Wrong secret appears.

The link View sourcecode seems to display the server code (which is PHP).

<html>
  <head>
    <!−− This stuff in the header has nothing to do with the level −−>
    <link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
    <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery−ui.css" />
    <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
    <script src="http://natas.labs.overthewire.org/js/jquery−1.9.1.js"></script>
    <script src="http://natas.labs.overthewire.org/js/jquery−ui.js"></script>
    <script src=http://natas.labs.overthewire.org/js/wechall−data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
    <script>var wechallinfo = { "level": "natas6", "pass": "<censored>" };</script>
  </head>
  <body>
    <h1>natas6</h1>
    <div id="content">
      <? include "includes/secret.inc";
      if(array key exists("submit", $ POST)) {
        if($secret == $ POST[’secret’]) {
          print "Access granted. The password for natas7 is <censored>";
        } else {
          print "Wrong secret";
        }
      }
      ?>
      <form method=post>
      Input secret: <input name=secret><br>
      <input type=submit name=submit>
      </form>
      <div id="viewsource"><a href="index−source.html">View sourcecode</a></div>
    </div>
  </body>
</html>

We see that the variable $secret isn’t declared in the code. It must be declared in the include which is located in http://natas6.natas.labs.overthewire.org/includes/secret.inc. Navigating to this page only show a blank page. But if we look at the page source, here is what we see:

/includes/secret.inc

<?
$secret = "FOEIUWGHFEEUHOFUOIU";
?>

Now we go back to the original page, enter this secret in the input box and click on Submit Query. A message appears:

Access granted. The password for natas7 is 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9