{"id":318,"date":"2012-10-31T12:39:16","date_gmt":"2012-10-31T19:39:16","guid":{"rendered":"http:\/\/seanmurphree.com\/blog\/?p=318"},"modified":"2012-10-31T12:42:55","modified_gmt":"2012-10-31T19:42:55","slug":"natas-level-6-php-interpreter-and-file-types","status":"publish","type":"post","link":"https:\/\/seanmurphree.com\/blog\/?p=318","title":{"rendered":"Natas Level 6 &#8211; PHP Interpreter and File Types"},"content":{"rendered":"<p>In today&#8217;s post, we&#8217;re going to be looking at Level 6 of the Natas wargame hosted by <a title=\"Over The Wire\" href=\"http:\/\/overthewire.org\" target=\"_blank\">Over The Wire<\/a>.<\/p>\n<h2>What&#8217;s Going On?<\/h2>\n<p>Upon logging in, we are presented with a text input, a button and a link entitled View sourcecode. \u00a0Clicking on the view source code link we get presented with what looks like a php file. \u00a0It seems to be the index code, php code included. \u00a0This gives us a chance to reverse what is happening and perhaps figure out what to put in the text box.<\/p>\n<p>Looking at the php file we can see an include statement on a .inc file, perhaps a file which we could read (since .inc files aren&#8217;t run through the PHP interpreter\u00a0by default). \u00a0Additionally we see a check for the existence of a variable called &#8220;submit&#8221; passed through POST. \u00a0If submit exists, then POST&#8217;s secret variable is checked against the php page&#8217;s secret variable, I wonder where that was defined. \u00a0If the secrets match, the password for the next level will be printed to the screen.<\/p>\n<p>Looking at the HTML we can see the form is standard and will set these values if we simply know what we want to supply as the secret. \u00a0So, let&#8217;s go and look at that include file and see if the secret variable is defined there. \u00a0Pointing our browsers at the file, we get returned a php line of code which instantiates the secret variable. \u00a0Let&#8217;s copy that value and submit it through the form!<\/p>\n<p>The results for submitting the correct secret speak for themselves. \u00a0We get an &#8220;Access Granted&#8221; message as well as the password for the next level!<\/p>\n<h2>So What?<\/h2>\n<p>I guess there are a couple things to take home from this level. \u00a0When writing in PHP or any other server-side scripting language, building security around obscurity is not a good idea (well, it never is). \u00a0Don&#8217;t attempt to claim your code is safe just because it&#8217;s complicated to reverse without seeing the code, but simple otherwise. \u00a0Also, know how your code might be revealed, and what the consequences are. \u00a0Know what file types get interpreted and which file types don&#8217;t. \u00a0Know what will happen if your PHP process goes down and page requests are still made to the server.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In today&#8217;s post, we&#8217;re going to be looking at Level 6 of the Natas wargame hosted by Over The Wire. What&#8217;s Going On? Upon logging in, we are presented with a text input, a button and a link entitled View &hellip; <a href=\"https:\/\/seanmurphree.com\/blog\/?p=318\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[36,35,4],"tags":[],"_links":{"self":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/318"}],"collection":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=318"}],"version-history":[{"count":5,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/318\/revisions"}],"predecessor-version":[{"id":322,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/318\/revisions\/322"}],"wp:attachment":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=318"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=318"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=318"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}