Natas Level 6 -> Level 7

Skills: Local File Inclusion

Let's log in -
Creds - natas7:7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

Upon login, we see the Home and About pages. Viewing the source reveals the "key" file location.

Upon clicking "Home", we land on the following URL - Looking at the source code [CTRL + U], we see that the natas8 password is located in /etc/natas_webpass/natas8. We can try to include this file path in the URL and see if we get a response back with the natas8 password.

Local File Inclusion (LFI) -

Visiting the above link gives us the password, as guessed. This is called a Local File Inclusion (LFI) vulnerability, where the attacker can access files outside the web application's home directory, which is typically located in "/var/www/html/" on Linux-based systems.
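
Why this works, and how a page loader should guard against it, as an added example that is not the level's own code. It assumes the server uses the page parameter directly as a file path; the function names, the allowlist and the temporary directories are constructed for illustration.

```python
import os
import tempfile

ALLOWED_PAGES = {"home", "about"}  # the two pages this level links to


def resolve_unsafe(web_root, page):
    """Vulnerable pattern (assumed): the parameter is used as a path as-is."""
    # os.path.join drops web_root entirely when `page` is an absolute path.
    return os.path.normpath(os.path.join(web_root, page))


def resolve_safe(web_root, page):
    """Return the file to serve, or None when the request must be rejected."""
    if page not in ALLOWED_PAGES:  # 1. allowlist of known page names
        return None
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, page))
    # 2. containment: after symlinks are resolved the file must sit in root
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def demo():
    """Build a constructed web root and run both resolvers over sample requests."""
    web_root = os.path.realpath(tempfile.mkdtemp())  # stand-in for /var/www/html
    outside = os.path.join(tempfile.mkdtemp(), "secret")  # file outside the root
    for path in (os.path.join(web_root, "home"), outside):
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
    # An allowlisted name that is really a symlink pointing out of the root.
    os.symlink(outside, os.path.join(web_root, "about"))
    requests = ["home", "about", "/etc/natas_webpass/natas8"]
    return web_root, {p: (resolve_unsafe(web_root, p), resolve_safe(web_root, p))
                      for p in requests}


if __name__ == "__main__":
    _, results = demo()
    for page, (unsafe, safe) in results.items():
        print(f"{page!r}: unsafe={unsafe} safe={safe}")
```

The unsafe resolver hands back /etc/natas_webpass/natas8 unchanged, while the safe one rejects it at the allowlist and rejects the symlinked "about" at the containment check.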
