In today’s post, we’re going to be looking at Level 6 of the Natas wargame hosted by Over The Wire.
What’s Going On?
Upon logging in, we are presented with a text input, a button and a link labelled View sourcecode. Clicking that link shows what looks like a PHP file; it appears to be the source of the index page itself, PHP code included. This gives us a chance to reverse what is happening and perhaps figure out what to put in the text box.
Looking at the PHP file we can see an include statement on a .inc file, perhaps a file we could read directly, since .inc files aren’t run through the PHP interpreter by default and are served back as plain text. Additionally we see a check for the existence of a variable called “submit” passed through POST. If submit exists, then POST’s secret variable is checked against the PHP page’s secret variable; I wonder where that was defined. If the secrets match, the password for the next level will be printed to the screen.
Looking at the HTML we can see the form is standard and will set these values if we simply know what we want to supply as the secret. So, let’s go and look at that include file and see if the secret variable is defined there. Pointing our browser at the file, we get back a single line of PHP that assigns the secret variable. Let’s copy that value and submit it through the form!
The results for submitting the correct secret speak for themselves. We get an “Access Granted” message as well as the password for the next level!
So What?
I guess there are a couple of things to take home from this level. When writing in PHP or any other server-side scripting language, building security around obscurity is not a good idea (well, it never is). Don’t claim your code is safe just because it’s hard to reverse without seeing the source but trivial to break once the source is visible. Also, know how your code might be revealed, and what the consequences are. Know which file types get interpreted and which get served as-is. Know what will happen if your PHP process goes down and page requests are still made to the server.
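To make the takeaways concrete, here is an added example (my own code, not the Natas level’s source) contrasting the weak pattern the walkthrough describes with a hardened version. The file paths, the private directory layout and the Apache directive are assumptions about a deployment, not anything from the level.

```php
<?php
// Added example, not the Natas level's own code. Paths are assumptions.

// --- Weak pattern, as described in the walkthrough ---
// includes/secret.inc sits inside the web root. PHP interprets it when it
// is included, but the web server hands it out as plain text when someone
// requests it directly, so the line  <?php $secret = "..."; ?>  is readable.
//
//   include("includes/secret.inc");
//   if (array_key_exists("submit", $_POST)) {
//       if ($secret == $_POST['secret']) { print "Access granted."; }
//   }

// --- Hardened version ---
// 1. Keep the secret outside the document root, in a .php file, so that a
//    misplaced copy is still run through the interpreter rather than served.
// 2. Resolve the include path relative to this script, not the working dir.
// 3. Only compare when the field is actually present, and compare in
//    constant time with strict string semantics.
//
// Assumed layout:  /var/www/html/index.php     (this file, inside web root)
//                  /var/www/private/secret.php (outside web root, defines $secret)
//
// If .inc files cannot be moved out of the web root, deny them at the server
// as well (Apache 2.4 example, assumed config):
//   <FilesMatch "\.inc$">
//       Require all denied
//   </FilesMatch>

$secretFile = __DIR__ . '/../private/secret.php';
if (!is_readable($secretFile)) {
    http_response_code(500);
    exit('Configuration error.');
}
require $secretFile;   // defines $secret as a string

$granted = false;
if (isset($_POST['submit'], $_POST['secret']) && is_string($_POST['secret'])) {
    // hash_equals() is constant-time and uses strict string comparison.
    // PHP's loose == would treat numeric-looking strings such as "0e123"
    // and "0e456" as equal, which a plain == check inherits.
    $granted = hash_equals((string) $secret, $_POST['secret']);
}

if ($granted) {
    echo "Access granted.";
} else {
    echo "Wrong secret";
}
?>
```

The point of the layout is that the web server never has a URL that maps to the secret file at all, so the question of which extensions it interprets stops mattering for that file; the FilesMatch rule is a second layer for anything that has to stay under the document root.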