Let's start by viewing the source:
<html>
<head><link rel="stylesheet" type="text/css" href="http://www.overthewire.org/wargames/natas/level.css"></head>
<body>
<h1>natas7</h1>
<div id="content">
<a href="index.php?page=home">Home</a>
<a href="index.php?page=about">About</a>
<br>
<br>
<!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->
</div>
</body>
</html>
We can see a hint hidden in an HTML comment, which tells us the location of the natas8 password. However, we aren't able to simply browse there since it is outside of the web root. Let's keep pressing on to see what we can find. By browsing to the 'About' page, we are presented with the following URL:
Seeing the 'page=about' parameter in the URL reminds us of a previous writeup, in which we were able to leverage an LFI/RFI vulnerability to our advantage. Let's see if this is the case here with a bogus filename:
It looks like this challenge is indeed meant to be solved using an LFI vulnerability. Let's use this to traverse back to the file containing the natas8 password:
As expected, browsing to this URL displays the following:
We can then use this password to log in to the next challenge. Piece of cake so far, right? More writeups to come.
-Jordan
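The include pattern this level points to, next to two hardened ways of resolving the `page` parameter, as an added example that is not part of the original post or the level's own source. The sandbox directory, file names and function names are assumptions constructed for the demo.

```php
<?php
// Added example: layout, file names and function names are assumptions,
// not the natas7 source.

// Vulnerable pattern: the parameter is used as a path as-is, so "../"
// sequences or an absolute path reach any file the web user can read.
function resolve_unsafe(string $page): string
{
    return $page;
}

// Hardened: the parameter is only compared against fixed names.
function resolve_allowlist(string $pagesDir, string $page): ?string
{
    return in_array($page, ['home', 'about'], true) ? $pagesDir . '/' . $page : null;
}

// Defence in depth: canonicalise, then require the result to stay under $pagesDir.
function resolve_contained(string $pagesDir, string $page): ?string
{
    $base = realpath($pagesDir);
    $real = realpath($pagesDir . '/' . $page);
    if ($base === false || $real === false) {
        return null; // nonexistent or unresolvable path
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed sandbox: a pages directory and one file outside it.
$root = sys_get_temp_dir() . '/lfi_demo_' . uniqid();
$pagesDir = $root . '/www/pages';
mkdir($pagesDir, 0700, true);
file_put_contents($pagesDir . '/home', 'home page');
file_put_contents($pagesDir . '/about', 'about page');
file_put_contents($root . '/outside.txt', 'constructed secret');
chdir($pagesDir); // relative paths now resolve from here, like the script's directory

// Constructed inputs: a valid page, a relative traversal, an absolute path.
$inputs = ['valid page' => 'about', 'relative traversal' => '../../outside.txt',
           'absolute path' => $root . '/outside.txt'];
foreach ($inputs as $label => $page) {
    printf("%-20s unsafe=%-8s allowlist=%-8s contained=%s\n", $label,
        is_file(resolve_unsafe($page)) ? 'readable' : 'no',
        resolve_allowlist($pagesDir, $page) !== null ? 'served' : 'rejected',
        resolve_contained($pagesDir, $page) !== null ? 'served' : 'rejected');
}
```

Only the valid page passes the two hardened resolvers, while the unsafe one reaches the outside file through both the relative and the absolute input.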
Since /etc is inside the top most folder in regular *nix installations, you can simply the site with:
http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8