Recap of Last Lesson: We learned about PHP and how we can learn from the source code to be able to dissect the authentication mechanism.

Natas Level 7


Find the password to log into level 8.

Intel Given

  • URL:
  • Multiple pages

How to

For this lesson we again going to build upon what we learned previously.  If you have not, please review Natas6 in regards to PHP and Natas2 in regards to directory paths.  Lets take a look at the main page.  Similar to what we are used to seeing, although we now see we can browse multiple pages.  Click around, and pay attention to what is in the URL.  Try to figure out what it is doing.  When you are done with that, take a look at the source code.

We see two things of note:
  • The links
  • The comment

The links tell us a little about how index.php works.  The comment tells up the exact path of where the password is stored.  Before we go looking for that password, lets try to discover how this website works.  We notice when we click on different links, index.php will serve us a different page.  We see in the URL “index.php?page=[$PAGE]” with $PAGE being a variable I just made up representing any value.  From this we can infer that there are pages named “home” and “about” which contain the HTML we see when we click on any of the links.  Lets tamper with the URL by throwing a bunch of junk after the ?page=. This causes an error in the PHP application, because the file we tried to reference does not actually exist.

Lets make an attempt to set the page variable to the path of our password file we found in the comments.  Go try it.  Did it work? It did not, and I’ll explain why.  You will notice that when it attempts to include a file, it does so by using a relative path.  Unfortunately for us, the password resides in a totally different area of the filesystem than where the home and about pages are.  What we need to do is find a way to somehow navigate to a different part.  This is where I ask you to read again.  Before you go below and find the answer please first look at the Wikipedia entry for File inclusion Vulnerability and then check out the OWASP wiki for Testing for Local File Inclusion.  These links will include enough information for you to complete this challenge.

Now that we understand Path Traversal (another OWASP link) we can try this on our URL.  Go ahead and precede the path to the Natas8 password by a string of “../”.  You won’t always know how many you need and there is no consequence of putting in too many as long as you are trying to reach the root directory.  Everything extra will have no effect. If you did it right you should see the password file returned within the index.php page.

Here we learned a bit more about PHP and a common way PHP is used to include different files.  We also learned about path traversal and local file inclusion.  I would recommend spending some time over at the OWASP wiki as it is a great resource to learn all about web application vulnerabilities.