iFantasticLife



Natas6 - Data Exposure

19 Jan 2021 - OverTheWire - Natas

website: http://natas6.natas.labs.overthewire.org/ (password: aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1)

The page's PHP source code shows that it includes a secret file:

<?
    include "includes/secret.inc";

    if(array_key_exists("submit", $_POST)) {
        if($secret == $_POST['secret']) {
            print "Access granted. The password for natas7 is <censored>";
        } else {
            print "Wrong secret";
        }
    }
?>

Pasting that file path into the browser returns the contents of the file, which reveals the secret. After submitting the secret, we get the password for natas7.

CONCLUSION

To summarize this level, I think there are a few vulnerabilities exposed:

  1. Sensitive data exposure. The secret is stored in plaintext, without any encryption or hashing.
  2. Access control weakness. The file that stores the secret can be accessed without any permission restriction.

Due to the above vulnerabilities, attackers can easily retrieve the secret info.
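To check your own code base for the same mistake, here is an audit script added as an example (it is not part of the level or of the original write-up). It walks a document root and reports every file that a PHP script includes by a literal path but that the web server would return as plain text. The function names, the sample layout, and the assumption that only `.php` files are executed are mine.

```python
import re
import tempfile
from pathlib import Path

# Assumption: only these extensions are handed to the PHP interpreter;
# any other file under the document root is returned to the client as text.
EXECUTED_EXTENSIONS = {".php"}
# include/require (and *_once) with a literal string path; dynamic paths are not covered.
INCLUDE_RE = re.compile(r"""\b(?:include|require)(?:_once)?\s*\(?\s*(['"])([^'"]+)\1""")

def find_exposed_includes(webroot):
    """Return sorted webroot-relative paths of included files that sit inside
    the document root and are not executed as PHP (so they can be downloaded)."""
    root = Path(webroot).resolve()
    exposed = set()
    for script in root.rglob("*"):
        if not script.is_file() or script.suffix.lower() not in EXECUTED_EXTENSIONS:
            continue
        for match in INCLUDE_RE.finditer(script.read_text(errors="replace")):
            # Relative paths are resolved against the including script's
            # directory (a simplification of PHP's include_path lookup).
            target = (script.parent / match.group(2)).resolve()
            inside_root = root in target.parents
            if target.is_file() and inside_root and target.suffix.lower() not in EXECUTED_EXTENSIONS:
                exposed.add(target.relative_to(root).as_posix())
    return sorted(exposed)

def build_sample_site(base):
    """Constructed sample: index.php mirrors the level's include of
    includes/secret.inc; safe.php includes a file kept outside the webroot."""
    webroot = Path(base) / "htdocs"
    (webroot / "includes").mkdir(parents=True)
    (Path(base) / "private").mkdir()
    (webroot / "index.php").write_text('<? include "includes/secret.inc"; ?>')
    (webroot / "includes" / "secret.inc").write_text('<? $secret = "CONSTRUCTED"; ?>')
    (webroot / "safe.php").write_text("<?php require_once '../private/secret.php'; ?>")
    (Path(base) / "private" / "secret.php").write_text('<?php $secret = "CONSTRUCTED"; ?>')
    return webroot

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path in find_exposed_includes(build_sample_site(tmp)):
            print("served as plain text:", path)
```

An empty result means every literal include either lives outside the document root or is run by the interpreter instead of being returned as text.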

