hacking, owasp, web application security

OverTheWire: Natas Level 6 – #appsec #webapp #websecurity #wargames

Another day, another challenge…

In today’s blog post we’re going t solve level 6 in the Natas wargame.

Let’s begin.

Going to the following link and entering the username of “natas6” and password of “iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq” we see the following:

Natas6_WarGame_2

Natas6_WarGame_3

Doing a right click, view source we see:

Natas6_WarGame_4

Hmm… there’s not much in here, except there’s a view sourcecode. Let’s see what this source code will yield us…

Natas6_WarGame_5

Looking at the middle of the page, we see that there’s php code (code between <?…?>), we notice that there’s an include/secret.inc. Let’s see if we can access this file and see what’s inside the file.

Changing the URL to “natas6.natas.labs.overthewire.org/includes/secret.inc” we see:

Natas6_WarGame_6

… a blank page. Let’s do a right click, view page source to see if there are nuggets hidden beneath the surface.

Doing a right click, view page source we see the following:

Natas6_WarGame_7

Hmm… looks like we find the secret.

Let’s enter this into the input box and see if this unlocks the level.

Entering the secret above into the input box we get:

Natas6_WarGame_8

Natas6_WarGame_9

We found the flag!