{"id":605,"date":"2015-01-31T17:54:07","date_gmt":"2015-01-31T17:54:07","guid":{"rendered":"https:\/\/www.hackmethod.com\/?p=605"},"modified":"2016-10-26T15:23:42","modified_gmt":"2016-10-26T15:23:42","slug":"overthewire-natas-6","status":"publish","type":"post","link":"https:\/\/hackmethod.com\/overthewire-natas-6\/","title":{"rendered":"OvertheWire \u2013 Natas 6"},"content":{"rendered":"<div class=\"entry-content\">\n<p class=\"entry-content\"><strong>Recap of Last Lesson:<\/strong> We learned what cookies are, what functions they can provide, and how we can manipulate them.<\/p>\n<p class=\"entry-content\"><a href=\"http:\/\/natas6.natas.labs.overthewire.org\/\"><strong>Natas Level 6<\/strong><\/a><\/p>\n<p class=\"entry-content\"><strong>Objective<\/strong><\/p>\n<p class=\"entry-content\">Find the password to log into level 7.<\/p>\n<p class=\"entry-content\"><strong>Intel Given<\/strong><\/p>\n<div class=\"entry-content\">\n<ul>\n<li>Need password to login<\/li>\n<li>Source code available<\/li>\n<\/ul>\n<\/div>\n<p><!--more--><\/p>\n<p><strong>How to<\/strong><\/p>\n<\/div>\n<div class=\"entry-content\">Just like with HTML and Javascript, I&#8217; m going to need to sidetrack you again.\u00a0 From here on out you will need an understanding of how the basics of how PHP works.\u00a0 Again, I will recommend <a href=\"http:\/\/www.codecademy.com\/en\/tracks\/php\">Codecademy<\/a> for learning PHP.\u00a0 Any resource will work, but you must understand the syntax to have any success with hacking web applications build with PHP.<\/div>\n<p>&nbsp;<\/p>\n<div class=\"entry-content\"><\/div>\n<div class=\"entry-content\">So first things first.\u00a0 We see the <a href=\"https:\/\/www.hackmethod.com\/wp-content\/uploads\/2015\/01\/natas6.png\">front page<\/a> with a text box to input a secret password, and a hyperlink that takes us to the source code of the PHP application.\u00a0 Now if you are new to PHP you may be wondering, &#8220;Why do I need a link, can&#8217;t I just right click and go to &#8216;View Source&#8217;?&#8221;\u00a0 The answer is no, because what you see displayed to you is only HTML.\u00a0 PHP code is ran on the webserver and you only see what the application wants you to see.\u00a0 Click the link, and you will see the differences from what is displayed to you and what is in the actual <a href=\"https:\/\/www.hackmethod.com\/wp-content\/uploads\/2015\/01\/6_sourceCode.png\">source code<\/a>.<\/div>\n<div class=\"entry-content\"><\/div>\n<div class=\"entry-content\">Take a look at the sourcecode. As you learned already (You went to <a href=\"http:\/\/www.codecademy.com\/en\/tracks\/php\">Codecademy<\/a> right?) PHP always starts with a <span style=\"color: #ff0000;\"><em>&lt;?<\/em> <span style=\"color: #000000;\"> and closes with a <span style=\"color: #ff0000;\"><em>?&gt;<\/em><\/span>, so lets pay attention to that portion of the code.\u00a0 I&#8217;ll post it below:<\/span><\/span><\/div>\n<div class=\"entry-content\">\n<pre><span style=\"color: #000080;\"><code> &lt;?  \n include \"includes\/secret.inc\";  \n   if(array_key_exists(\"submit\", $_POST)) {  \n     if($secret == $_POST['secret']) {  \n     print \"Access granted. The password for natas7 is &lt;censored&gt;\";  \n   } else {  \n     print \"Wrong secret\";  \n   }  \n   }  \n ?&gt;<\/code><\/span><\/pre>\n<\/div>\n<div class=\"entry-content\">\n<div class=\"entry-content\">Ok.\u00a0 lets talk our way through this line by line.\u00a0 First, we include a file, with a relative path of &#8220;includes\/secret.inc&#8221;.\u00a0 Then there is a check to see if data was sent when the user clicked the submit button.\u00a0 If that is true, it compares that value with the a variable called <strong>$secret<\/strong>.\u00a0 If they match (as indicated by the &#8216;==&#8217;) we are informed that access is granted and given the next password.\u00a0 If it does not match, we are told that the password is wrong.<\/div>\n<div class=\"entry-content\"><\/div>\n<p>&nbsp;<\/p>\n<div class=\"entry-content\"><\/div>\n<div class=\"entry-content\">So by now it may be obvious that we need to discover the value of <strong>$secret<\/strong>.\u00a0 We do not see that variable set anywhere in our code&#8230;. or do we?\u00a0 Notice that we included a file when we started our code.\u00a0 Perhaps the variable <strong>$secret<\/strong> is contained within there. \u00a0 Learning what we already know about <a href=\"https:\/\/www.hackmethod.com\/overthewire-natas-2\/\">relative paths<\/a>,\u00a0 we can try to browse to the sercret.inc file. Woo-hoo.\u00a0 We did it. but there doesn&#8217;t seem to be anything there.\u00a0 Lets check the <a href=\"https:\/\/www.hackmethod.com\/wp-content\/uploads\/2015\/01\/secret_inc.png\">source code<\/a> again.\u00a0 Bam.\u00a0 There is our PHP variable that we were looking for.\u00a0 The reason we can see it is because it is a <strong>.inc<\/strong> file, were it PHP we could not see the variable through <em>View Source<\/em>.\u00a0 Lets take the value of it, and punch it into the password box, and reap the <a href=\"https:\/\/www.hackmethod.com\/wp-content\/uploads\/2015\/01\/natas7_pass.png\">rewards<\/a> of our effort.<\/div>\n<p>&nbsp;<\/p>\n<div class=\"entry-content\"><\/div>\n<div class=\"entry-content\"><\/div>\n<div class=\"entry-content\"><strong>Conclusion<\/strong><\/div>\n<p>&nbsp;<\/p>\n<div class=\"entry-content\"><\/div>\n<div class=\"entry-content\">We learned about PHP and how it can be used to perform authentication.\u00a0 As I said before, I HIGHLY recommend having a good understanding of PHP, Javascript and HTML to continue on.<\/div>\n<\/div>\n<p><!--more--><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recap of Last Lesson: We learned what cookies are, what functions they can provide, and how we can manipulate them. Natas Level 6 Objective Find the password to log into level 7. Intel Given Need password to login Source code available<\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":true,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[44,49],"tags":[57,45,46],"class_list":["post-605","post","type-post","status-publish","format-standard","hentry","category-overthewire","category-tutorials","tag-natas","tag-overthewire","tag-tutorials"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p5zY4D-9L","_links":{"self":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/605","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/comments?post=605"}],"version-history":[{"count":9,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/605\/revisions"}],"predecessor-version":[{"id":1891,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/605\/revisions\/1891"}],"wp:attachment":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/media?parent=605"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/categories?post=605"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/tags?post=605"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}