Recap of Last Lesson: We learned what cookies are, what functions they can provide, and how we can manipulate them.

Natas Level 6

Objective

Find the password to log into level 7.

Intel Given

  • Need password to login
  • Source code available

How to

Just like with HTML and JavaScript, I'm going to need to sidetrack you again.  From here on out you will need an understanding of the basics of how PHP works.  Again, I will recommend Codecademy for learning PHP.  Any resource will work, but you must understand the syntax to have any success with hacking web applications built with PHP.

 

So first things first.  We see the front page with a text box to input a secret password, and a hyperlink that takes us to the source code of the PHP application.  Now if you are new to PHP you may be wondering, “Why do I need a link, can’t I just right click and go to ‘View Source’?”  The answer is no, because what you see displayed to you is only HTML.  PHP code is run on the web server and you only see what the application wants you to see.  Click the link, and you will see the difference between what is displayed to you and what is in the actual source code.
Take a look at the source code. As you learned already (you went to Codecademy, right?), PHP always starts with a <? and closes with a ?>, so let's pay attention to that portion of the code.  I’ll post it below:
 <?
 include "includes/secret.inc";
 if(array_key_exists("submit", $_POST)) {
     if($secret == $_POST['secret']) {
         print "Access granted. The password for natas7 is <censored>";
     } else {
         print "Wrong secret";
     }
 }
 ?>
Ok.  Let's talk our way through this line by line.  First, we include a file, with a relative path of “includes/secret.inc”.  Then there is a check to see if data was sent when the user clicked the submit button.  If that is true, it compares that value with a variable called $secret.  If they match (as indicated by the ‘==’) we are informed that access is granted and given the next password.  If it does not match, we are told that the password is wrong.

 

So by now it may be obvious that we need to discover the value of $secret.  We do not see that variable set anywhere in our code… or do we?  Notice that we included a file when we started our code.  Perhaps the variable $secret is contained within there.  Using what we already know about relative paths, we can try to browse to the secret.inc file.  Woo-hoo.  We did it.  But there doesn’t seem to be anything there.  Let's check the source code again.  Bam.  There is our PHP variable that we were looking for.  The reason we can see it is that it is a .inc file, which the web server sends back as-is instead of running; were it a PHP file, we could not see the variable through View Source.  Let's take the value of it, punch it into the password box, and reap the rewards of our effort.

 

Conclusion

 

We learned about PHP and how it can be used to perform authentication.  As I said before, I HIGHLY recommend having a good understanding of PHP, JavaScript and HTML to continue on.
