Natas · OverTheWire

Natas Level 22 → Level 23

Level 22

Username : natas22
Password : chG9fbe1Tq2eWVMgjYYD1MsfIvN461kJ
URL : http://natas22.natas.labs.overthewire.org

Solution

To solve this level, we first log into the natas22 application using the credentials provided above.

 

As we can see, the application does not display any particular message this time apart from a hyperlink to the source code. Upon checking the source code, we can see that the application looks for a GET variable "revelio". If that variable is set, the application displays the password; however, if the SESSION variable does not contain a key "admin" with its value set to 1, the application redirects us to the index page of the application.

To retrieve the password, we can simply not follow the redirection, or check the response from the application before the redirection takes place. Since I am primarily using Burp, I looked at the response from the application before the redirection happened, and we can see the password for the next level.
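The flaw described above, next to a corrected version, as an added example rather than the level's actual source code. Only the "revelio" GET variable and the "admin" session key come from the write-up; the function names and the placeholder secret are assumptions.

```php
<?php
// Added illustration, not the level's actual source. Only the "revelio"
// GET variable and the "admin" session key come from the write-up; the
// function names and the placeholder secret are hypothetical.
session_start();

const NEXT_PASSWORD = "<next-level-password>"; // placeholder value

function is_admin(): bool
{
    return isset($_SESSION["admin"]) && $_SESSION["admin"] == 1;
}

// Vulnerable: header() only queues a Location header (PHP turns the
// status into 302). It does not stop the script, so the secret is still
// written into the body of the redirect response.
function vulnerable_page(): void
{
    if (isset($_GET["revelio"]) && !is_admin()) {
        header("Location: /");
        // no exit here: execution falls through to the print below
    }
    if (isset($_GET["revelio"])) {
        print "Password: " . NEXT_PASSWORD;
    }
}

// Hardened: terminate right after the redirect, so nothing protected is
// rendered for a non-admin session.
function hardened_page(): void
{
    if (!isset($_GET["revelio"])) {
        return;
    }
    if (!is_admin()) {
        header("Location: /", true, 302);
        exit;
    }
    print "Password: " . NEXT_PASSWORD;
}

// Serve the hardened handler. Calling vulnerable_page() instead returns
// a 302 whose body still contains the secret.
hardened_page();
```

A regression test for this class of bug is to request the page without an admin session and assert that the 3xx response body is empty.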

 

Level 23

Username : natas23
Password : D0vlad33nQF0Hz2EP255TP5wSW9ZsRSE
URL : http://natas23.natas.labs.overthewire.org
