Natas - Level 7

2 November 2017

Connection information

Information given

The white box is composed of three parts: 1. The first part is an input box with the label Input secret: 2. The second is a button named Submit query 3. The last is a link View sourcecode pointing to

Getting the password

Now if we just click on submit query, the page is refreshed and a message saying Wrong secret appears.

The link View sourcecode seems to display the server code (which is PHP).

    <!−− This stuff in the header has nothing to do with the level −−>
    <link rel="stylesheet" type="text/css" href="">
    <link rel="stylesheet" href="−ui.css" />
    <link rel="stylesheet" href="" />
    <script src="−1.9.1.js"></script>
    <script src="−ui.js"></script>
    <script src=−data.js></script><script src=""></script>
    <script>var wechallinfo = { "level": "natas6", "pass": "<censored>" };</script>
    <div id="content">
      <? include "includes/";
      if(array key exists("submit", $ POST)) {
        if($secret == $ POST[’secret’]) {
          print "Access granted. The password for natas7 is <censored>";
        } else {
          print "Wrong secret";
      <form method=post>
      Input secret: <input name=secret><br>
      <input type=submit name=submit>
      <div id="viewsource"><a href="index−source.html">View sourcecode</a></div>

We see that the variable $secret isn’t declared in the code. It must be declared in the include which is located in Navigating to this page only show a blank page. But if we look at the page source, here is what we see:


Now we go back to the original page, enter this secret in the input box and click on Submit Query. A message appears:

Access granted. The password for natas7 is 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9