Natas 25 shows a quote from "Bad Boy Bubby" and offers a few translations from a dropdown menu:
Since there's no form or password, it seems like we'll need to read from the /etc/natas_webpass/natasXX file again.
Here's the code:
It looks a bit longer than previous levels...
Going through it, it seems like two parts in particular stick out as vulnerable:
(1) a very unsafe way of checking for directory traversals.
(What happens if we submit the text "....//", for example?)
(2) a part of our GET request is directly written into a log file.
(What happens if we set our User-Agent string to "<? ___ ?>", for example?)
Hmm, how can we use these?
It looks like the strstr($filename, "natas_webpass") is going to effectively block us from directly accessing the natas_webpass directory, but what else can we do?
The method I went with was to grab the log file with the GET request, while setting the User-Agent string to <? readfile("/etc/natas_webpass/natas26") ?>
This should write our PHP code into the log file, and when we view that log file via the directory traversal in the lang= parameter, we should see the contents of the file dumped within the contents of the rest of the log.
In the Response, we can see our code and the contents of the file /etc/natas_webpass/natas26!