Saturday, November 22, 2014

Natas 22


Natas 22 looks pretty weird from the start; it's just a blank page:


Looking through the source code, it seems like it's going to be a pretty simple level (although not necessarily easy):





My first thought is that it looks too easy... the second PHP snippet looks like it's checking whether there's a "revelio" parameter in the GET request, and, if it's present, it displays the natas23 info.

When I go to submit the request with an additional "?revelio=blah" added on to the end of the URL, I get brought to the same page as before. Hmm...

Looking again, you can see the first PHP snippet will check if your PHP session is set as an admin, and redirect you with a Location header if you aren't.

This should be breakable with Burp, though. The redirect is only a header on the first response, so all we need to do is see that first response and read the password for the next level once; after that, it's okay if we get forwarded on to somewhere else.




There it is. We can ignore the follow-up request that the browser immediately sends out... we're done!
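The check Burp made visible above, as an added example (not code from the original post or from the level): a Python function that parses raw HTTP responses and flags any redirect that still ships a body, which is the symptom of a script that sends a Location header and keeps running. The function names and sample responses are constructed for illustration.

```python
import http.client
import io


class _FakeSocket:
    """Socket stand-in so http.client can parse a response held in memory."""

    def __init__(self, raw: bytes):
        self._buf = io.BytesIO(raw)

    def makefile(self, *args, **kwargs):
        return self._buf


def redirect_body(raw: bytes) -> bytes:
    """Return the body shipped with a 3xx + Location response, else b""."""
    resp = http.client.HTTPResponse(_FakeSocket(raw))
    resp.begin()  # parses the status line and headers
    if not (300 <= resp.status < 400 and resp.getheader("Location")):
        return b""
    return resp.read().strip()


def audit(responses: dict) -> list:
    """Names of responses that redirect but still carry page content."""
    return [name for name, raw in responses.items() if redirect_body(raw)]


def build(status: str, body: bytes = b"", location: str = "") -> bytes:
    """Assemble a raw HTTP/1.1 response for the constructed samples below."""
    lines = [f"HTTP/1.1 {status}", f"Content-Length: {len(body)}"]
    if location:
        lines.append(f"Location: {location}")
    return "\r\n".join(lines).encode() + b"\r\n\r\n" + body


# Constructed samples, not captured from the real level.
SAMPLES = {
    # Location header sent, but the script kept running and printed the page.
    "leaky_redirect": build("302 Found", b"<pre>Password: PLACEHOLDER</pre>", "/"),
    # Script stopped right after sending the header: nothing left to read.
    "fixed_redirect": build("302 Found", b"", "/"),
    # Ordinary page; a body here is expected.
    "normal_page": build("200 OK", b"<html>hello</html>"),
}

if __name__ == "__main__":
    for name in audit(SAMPLES):
        print(f"{name}: redirect carries {len(redirect_body(SAMPLES[name]))} body bytes")
```

On the server side, the fix is to stop executing right after sending the Location header (for example `exit;` in PHP), so that a redirect response never carries the protected content.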
