Skip to main content

Overview

FieldValue
URLhttp://natas7.natas.labs.overthewire.org
Usernamenatas7
Passwordbmg8SvU1LizuWjx3y7xkNERkHxGre0GS
The page has two navigation links: 
index.php?page=home
index.php?page=about
The page parameter controls what content is loaded. The page source contains a hint: 
<!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->

Hints

The ?page= parameter changes what content is rendered. In PHP, this is commonly done by passing the parameter to an include() or require() call — the value becomes part of the file path. What happens if the value you pass isn’t a page name, but an absolute path to a file on the server?
The HTML comment tells you exactly where the password file lives: /etc/natas_webpass/natas8. If the include() call doesn’t restrict input to relative paths, you can supply that absolute path directly as the page parameter.

Solution

1

Identify the vulnerability

The ?page= value is passed directly into a PHP include() without validation. This is a Local File Inclusion (LFI) vulnerability — any readable file on the server’s filesystem can be included.
2

Include the password file

Navigate to:
http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8
PHP includes /etc/natas_webpass/natas8 and renders its contents inline in the page.
Never pass user input directly to include(), require(), file_get_contents(), or any function that opens a file path. Validate against a strict allowlist of permitted page names and never allow absolute paths or traversal sequences (../).

With curl

# Pass the absolute path as the page parameter — the server includes and returns the file
curl -s -u natas7:bmg8SvU1LizuWjx3y7xkNERkHxGre0GS \
  "http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8"

Password

natas8: xcoXLmzMkoIP9D7hlgPlh9XD7OgLAe5Q