Level 22
Username: natas22
Password: chG9fbe1Tq2eWVMgjYYD1MsfIvN461kJ
URL: http://natas22.natas.labs.overthewire.org
To solve this level, we first log into the natas22 application using the credentials provided above.
As we can see, the application does not display any particular message this time apart from a hyperlink to the source code. Upon checking the source code, we can see that the application looks for a GET variable "revelio". If that variable is set, the application displays the password; however, unless the SESSION variable contains a key "admin" whose value is set to 1, the application redirects us to the index page of the application.
To retrieve the password, we can simply not follow the redirection, or check the response from the application before the redirection takes place: the redirect response itself still carries the page content. Since I am primarily using Burp, I looked at the response from the application before the redirection happened, and there we can see the password for the next level.
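The behaviour described above is the execution-after-redirect pattern: the redirect is sent, but the script keeps running and writes the protected content into the same response. The following is an added example, not the level's actual source code; the "revelio" parameter and the "admin" session key come from the write-up, while the function names, the USE_HARDENED_GUARD switch and DEMO_SECRET are constructed for illustration.

```php
<?php
// Added illustration, not the level's source. "revelio" and the "admin"
// session key come from the write-up; everything else is constructed.
session_start();

const USE_HARDENED_GUARD = true;          // set to false to see the leak
const DEMO_SECRET = 'constructed-secret'; // stand-in for the protected value

function is_admin(): bool
{
    return isset($_SESSION['admin']) && $_SESSION['admin'] == 1;
}

// Weak: header() only queues "Location: /"; the script keeps running,
// so everything printed afterwards is sent as the body of the redirect.
function guard_vulnerable(): void
{
    if (!is_admin()) {
        header('Location: /');
    }
}

// Hardened: stop execution as soon as the redirect has been queued.
function guard_hardened(): void
{
    if (!is_admin()) {
        header('Location: /', true, 302);
        exit;
    }
}

$revelio = array_key_exists('revelio', $_GET);
if ($revelio) {
    if (USE_HARDENED_GUARD) {
        guard_hardened();
    } else {
        guard_vulnerable();
    }
}
?>
<html><body>
<?php
// Defence in depth: repeat the authorisation check where the secret is
// emitted, so a missing exit elsewhere cannot expose it on its own.
if ($revelio && (is_admin() || !USE_HARDENED_GUARD)) {
    echo 'Secret: ' . htmlspecialchars(DEMO_SECRET);
}
?>
</body></html>
```

Saved as index.php and served with `php -S 127.0.0.1:8000`, a request for `/?revelio` without an admin session returns a redirect with no secret in its body when the hardened guard is active, and a redirect whose body contains the secret when it is not.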
Level 23
Username: natas23
Password: D0vlad33nQF0Hz2EP255TP5wSW9ZsRSE
URL: http://natas23.natas.labs.overthewire.org