Natas Level 6 -> Level 7

Skills: Local File Inclusion

Let's log in -
Creds - natas7:7z3hEENjQtflzgnT29q7wAvMNfZdh0i9
URL - http://natas7.natas.labs.overthewire.org/

Upon login, we see the Home and About pages. Viewing the source reveals the "key" file location.

Upon clicking "Home", we land on the following URL - http://natas7.natas.labs.overthewire.org/index.php?page=home

Looking at the source code [CTRL + U], we see that the natas8 password is located in /etc/natas_webpass/natas8. We can try to include this file path in the URL and see if we get a response back with the natas8 password.

Local File Inclusion (LFI) -

http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8

Visiting the above link gives us the password, as guessed. This is called a Local File Inclusion (LFI) vulnerability, where the attacker can access files outside the web application's home directories, which are typically located in "/var/www/html/" on Linux-based systems.
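Seen from the server side, the fix is to stop treating the `page` parameter as a path. The following is an added example, not the natas7 source (which this page does not show): a loader that uses the parameter directly, beside an allowlisted version. The function names, the page list and the temporary directory are assumptions.

```php
<?php
// Added example; hypothetical loader, not the natas7 source code.

// Assumed vulnerable pattern: the "page" parameter is used as a file path
// unchanged, so an absolute path outside the web root is read as-is.
function load_page_vulnerable(string $page): string
{
    $body = @file_get_contents($page);
    return $body === false ? '' : $body;
}

// Hardened: accept only known page names, then confirm the resolved path
// still sits under the pages directory (covers symlinks and "..").
function resolve_page(string $page, string $pagesDir, array $allowed): ?string
{
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . DIRECTORY_SEPARATOR . $page);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed sample data: a throwaway pages directory with two pages.
$pagesDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . uniqid();
mkdir($pagesDir);
file_put_contents($pagesDir . '/home', "this is the front page\n");
file_put_contents($pagesDir . '/about', "this is the about page\n");

// The vulnerable loader reads whatever absolute path it is handed.
echo load_page_vulnerable($pagesDir . '/home');

// The hardened resolver serves only allowlisted names.
$requests = ['home', 'about', '/etc/natas_webpass/natas8', '../../etc/passwd'];
foreach ($requests as $page) {
    $path = resolve_page($page, $pagesDir, ['home', 'about']);
    printf("%-28s => %s\n", $page, $path === null ? 'rejected' : 'served ' . basename($path));
}
```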
