Tag: web application

Another day, another challenge…

In today’s blog post we’re going t solve level 6 in the Natas wargame.

Let’s begin.

Going to the following link and entering the username of “natas6” and password of “iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq” we see the following:

Doing a right click, view source we see:

Hmm… there’s not much in here, except there’s a view sourcecode. Let’s see what this source code will yield us…

Looking at the middle of the page, we see that there’s php code (code between <?…?>), we notice that there’s an include/secret.inc. Let’s see if we can access this file and see what’s inside the file.

Changing the URL to “natas6.natas.labs.overthewire.org/includes/secret.inc” we see:

… a blank page. Let’s do a right click, view page source to see if there are nuggets hidden beneath the surface.

Doing a right click, view page source we see the following:

Hmm… looks like we find the secret.

Let’s enter this into the input box and see if this unlocks the level.

Entering the secret above into the input box we get:

We found the flag!

Another day, another challenge…

Today’s blog post we’re going to solve level 4 from the Natas wargame.

Let’s begin.

Going to the following link we see:

After entering the username of “natas4” and password of “Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ” we get the following:

Hmm… we’re not allowed access because we’re coming from an invalid URL. Let’s see if we can change that.

In a previous blog, I explained how to user Tamper Data. Tamper Data allows you to modify HTTP requests and responses to see if the web page will behave differently.

We’re going to use Tamper Data for this challenge.

Starting Tamper Data, and going to the level 4 we see:

We see that the referrer shows natas4, what happens when we change it to natas5?

Changing the referrer to natas5, and clicking OK we see:

We found the flag!