files/pixel.png, navigating to /files shows us that there is a file called users.txt which contains the flag.

robots.txt file is involved here. Checking that file shows us a directory /s3cr3t which contains a users.txt file that contains the flag.

http://natas5.natas.labs.overthewire.org/, so we use the following Burp request and manually set the Referer value to that endpoint.

loggedin that is set to 0 by default. We modify the request and set the value to 1 as shown below.

includes/secret.inc. When navigating to that page and viewing the source we are given the secret to submit. After submitting the secret we get the flag.

index.php?page=<page> which screams LFI on basic challenges like this. Using the following Burp request we can read the file /etc/natas_webpass/natas8.

grep via PHP. But it is not sanitizing input, so we can manipulate the command to read the flag file instead. The original PHP as well as the input needed to obtain the flag are shown below:

; from our input. This will just have grep search our file as well as the one defined in the PHP file.
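
The grep behaviour described above, as an added example that is not part of the original writeup or the challenge's source: it shows why rejecting characters such as ; still lets input add file operands to grep, next to a hardened call. The function names, the blacklist pattern, and the temp files are assumptions constructed for the demo.

```php
<?php
// Added example. Assumption: the page's PHP interpolates the search term
// into a grep command line, and a later level rejects shell metacharacters
// such as ';' before doing so.

// Constructed sample data in a temp directory so the script runs offline.
$dir = sys_get_temp_dir() . '/grep_demo_' . getmypid();
mkdir($dir);
$dict   = "$dir/dictionary.txt";
$secret = "$dir/secret.txt";   // stands in for a file the user must not read
file_put_contents($dict, "apple\nbanana\n");
file_put_contents($secret, "constructed-secret-value\n");

// Weak: character blacklist, then string interpolation into a shell command.
function search_weak(string $key, string $dict): string {
    if (preg_match('/[;|&]/', $key)) {
        return "input rejected\n";
    }
    // The shell splits $key on whitespace, so every extra word becomes an
    // extra grep argument (an option or another file to search).
    return (string) shell_exec("grep -i $key " . escapeshellarg($dict));
}

// Hardened: the term is a single quoted argument, bound to -e as the pattern,
// matched literally (-F), and "--" ends option parsing before the file name.
function search_hardened(string $key, string $dict): string {
    $cmd = 'grep -i -F -e ' . escapeshellarg($key)
         . ' -- ' . escapeshellarg($dict);
    return (string) shell_exec($cmd);
}

// Constructed input: contains no blacklisted character, only a second word.
$input = "a $secret";

// Here grep is handed two file operands: secret.txt and dictionary.txt.
echo "weak:\n", search_weak($input, $dict);

// Here grep searches only dictionary.txt for the whole input as one string.
echo "hardened:\n", search_hardened($input, $dict);

array_map('unlink', [$dict, $secret]);
rmdir($dir);
```

Where the lookup is this simple, reading the dictionary in PHP and matching with stripos() removes the shell from the path entirely.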