Natas Level 6

Natas Level 6 Message

What’s the secret?  Let’s find out!

This time they give us the source code to index.php to look at.  This is because when you right click > view source on a PHP page in your browser, only the HTML is visible, and not the PHP code: the server runs the PHP and sends only its output.  The source looks like this:

Natas Level 6 Source

So we can see that the data we submit in the form is referred to as $_POST['secret'].  It is being compared to a variable called $secret, and if the two are equal then access is granted.  So if we know the value of $secret we know what to enter in the form to be authenticated.  But wait, what is the value of $secret?  It doesn’t appear to be set anywhere in the source code.

Well, this line looks interesting:

include "includes/secret.inc";

 

What this is saying is, include the contents of “secret.inc” into the source code of index.php, as if it were actually copy/pasted in there.  For those familiar with C this is similar to including header files.

I wonder if there are any secrets in secret.inc:

natas level 6 secret.inc

When I loaded the file in my browser it appeared to just be a blank page, but when I hit view source $secret was revealed!

And voila!

natas level 6 win